76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b

Analysis

max time kernel
149s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe
Size

60KB
MD5

050297b7a0881653bd1106f8dcb26b52
SHA1

7fe98acf18ccbebf6bfe94de85d27d7892c06b93
SHA256

76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b
SHA512

60961e8d4712d926a945a10811d6ba8eca6919d65457ff85d38a04dfa38efb9ddc17d9431a62b942fb2945f304fdc3e77c10d6a014792009ccf55773b62b0585
SSDEEP

768:vvw9816vhKQLroCA4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVd:nEGh0oCAlwWMZQcpmgDagIyS1loL7Wr

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b6d-2.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b000000023b6e-6.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a000000023b73-8.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a000000023b76-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a000000023b82-18.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b000000023b76-22.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b000000023b82-27.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000c000000023b76-30.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000c000000023b82-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000d000000023b76-37.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000d000000023b82-42.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000e000000023b76-46.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}	{53419195-8247-4671-8989-9088BEEA80A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}\stubpath = "C:\\Windows\\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe"	{53419195-8247-4671-8989-9088BEEA80A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90222799-A086-4524-81A7-8BABA58A510C}	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53419195-8247-4671-8989-9088BEEA80A5}\stubpath = "C:\\Windows\\{53419195-8247-4671-8989-9088BEEA80A5}.exe"	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}\stubpath = "C:\\Windows\\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe"	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53419195-8247-4671-8989-9088BEEA80A5}	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}\stubpath = "C:\\Windows\\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe"	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}\stubpath = "C:\\Windows\\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}.exe"	{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}	{90222799-A086-4524-81A7-8BABA58A510C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E443C2-9049-4920-82A9-B4493CFC372A}\stubpath = "C:\\Windows\\{38E443C2-9049-4920-82A9-B4493CFC372A}.exe"	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}\stubpath = "C:\\Windows\\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe"	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E443C2-9049-4920-82A9-B4493CFC372A}	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C08530-DE63-4722-A994-75D8FFE2F899}\stubpath = "C:\\Windows\\{05C08530-DE63-4722-A994-75D8FFE2F899}.exe"	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}\stubpath = "C:\\Windows\\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe"	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}\stubpath = "C:\\Windows\\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe"	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C08530-DE63-4722-A994-75D8FFE2F899}	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90222799-A086-4524-81A7-8BABA58A510C}\stubpath = "C:\\Windows\\{90222799-A086-4524-81A7-8BABA58A510C}.exe"	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}\stubpath = "C:\\Windows\\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe"	{90222799-A086-4524-81A7-8BABA58A510C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}	{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe

Executes dropped EXE 12 IoCs

pid	Process
2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe
1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe
4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
516	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe
1360	{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe
4908	{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
File created	C:\Windows\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	{53419195-8247-4671-8989-9088BEEA80A5}.exe
File created	C:\Windows\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}.exe	{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe
File created	C:\Windows\{90222799-A086-4524-81A7-8BABA58A510C}.exe	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe
File created	C:\Windows\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	{90222799-A086-4524-81A7-8BABA58A510C}.exe
File created	C:\Windows\{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
File created	C:\Windows\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
File created	C:\Windows\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
File created	C:\Windows\{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
File created	C:\Windows\{53419195-8247-4671-8989-9088BEEA80A5}.exe	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
File created	C:\Windows\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
File created	C:\Windows\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe
Token: SeIncBasePriorityPrivilege	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe
Token: SeIncBasePriorityPrivilege	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
Token: SeIncBasePriorityPrivilege	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
Token: SeIncBasePriorityPrivilege	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
Token: SeIncBasePriorityPrivilege	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
Token: SeIncBasePriorityPrivilege	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
Token: SeIncBasePriorityPrivilege	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
Token: SeIncBasePriorityPrivilege	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe
Token: SeIncBasePriorityPrivilege	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
Token: SeIncBasePriorityPrivilege	516	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe
Token: SeIncBasePriorityPrivilege	1360	{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2320	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe	86
PID 2912 wrote to memory of 2320	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe	86
PID 2912 wrote to memory of 2320	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe	86
PID 2912 wrote to memory of 4972	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe	87
PID 2912 wrote to memory of 4972	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe	87
PID 2912 wrote to memory of 4972	2912	76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe	87
PID 2320 wrote to memory of 1476	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe	88
PID 2320 wrote to memory of 1476	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe	88
PID 2320 wrote to memory of 1476	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe	88
PID 2320 wrote to memory of 1452	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe	89
PID 2320 wrote to memory of 1452	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe	89
PID 2320 wrote to memory of 1452	2320	{90222799-A086-4524-81A7-8BABA58A510C}.exe	89
PID 1476 wrote to memory of 3868	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	92
PID 1476 wrote to memory of 3868	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	92
PID 1476 wrote to memory of 3868	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	92
PID 1476 wrote to memory of 3468	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	93
PID 1476 wrote to memory of 3468	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	93
PID 1476 wrote to memory of 3468	1476	{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe	93
PID 3868 wrote to memory of 5100	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	98
PID 3868 wrote to memory of 5100	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	98
PID 3868 wrote to memory of 5100	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	98
PID 3868 wrote to memory of 1416	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	99
PID 3868 wrote to memory of 1416	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	99
PID 3868 wrote to memory of 1416	3868	{38E443C2-9049-4920-82A9-B4493CFC372A}.exe	99
PID 5100 wrote to memory of 1324	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	101
PID 5100 wrote to memory of 1324	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	101
PID 5100 wrote to memory of 1324	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	101
PID 5100 wrote to memory of 4136	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	102
PID 5100 wrote to memory of 4136	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	102
PID 5100 wrote to memory of 4136	5100	{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe	102
PID 1324 wrote to memory of 400	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	105
PID 1324 wrote to memory of 400	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	105
PID 1324 wrote to memory of 400	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	105
PID 1324 wrote to memory of 1960	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	106
PID 1324 wrote to memory of 1960	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	106
PID 1324 wrote to memory of 1960	1324	{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe	106
PID 400 wrote to memory of 5012	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	107
PID 400 wrote to memory of 5012	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	107
PID 400 wrote to memory of 5012	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	107
PID 400 wrote to memory of 64	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	108
PID 400 wrote to memory of 64	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	108
PID 400 wrote to memory of 64	400	{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe	108
PID 5012 wrote to memory of 4540	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	109
PID 5012 wrote to memory of 4540	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	109
PID 5012 wrote to memory of 4540	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	109
PID 5012 wrote to memory of 780	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	110
PID 5012 wrote to memory of 780	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	110
PID 5012 wrote to memory of 780	5012	{05C08530-DE63-4722-A994-75D8FFE2F899}.exe	110
PID 4540 wrote to memory of 4336	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe	111
PID 4540 wrote to memory of 4336	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe	111
PID 4540 wrote to memory of 4336	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe	111
PID 4540 wrote to memory of 3212	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe	112
PID 4540 wrote to memory of 3212	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe	112
PID 4540 wrote to memory of 3212	4540	{53419195-8247-4671-8989-9088BEEA80A5}.exe	112
PID 4336 wrote to memory of 516	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	113
PID 4336 wrote to memory of 516	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	113
PID 4336 wrote to memory of 516	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	113
PID 4336 wrote to memory of 1556	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	114
PID 4336 wrote to memory of 1556	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	114
PID 4336 wrote to memory of 1556	4336	{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe	114
PID 516 wrote to memory of 1360	516	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe	115
PID 516 wrote to memory of 1360	516	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe	115
PID 516 wrote to memory of 1360	516	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe	115
PID 516 wrote to memory of 4524	516	{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe	116

C:\Users\Admin\AppData\Local\Temp\76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe
"C:\Users\Admin\AppData\Local\Temp\76caebcdd20f38d2571928812ac08b4addbbb52a54fbe9778aacd203c7f3fe0b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\{90222799-A086-4524-81A7-8BABA58A510C}.exe
  C:\Windows\{90222799-A086-4524-81A7-8BABA58A510C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
    C:\Windows\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
      C:\Windows\{38E443C2-9049-4920-82A9-B4493CFC372A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
        
        C:\Windows\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
        
        C:\Windows\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
        
        C:\Windows\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
        
        C:\Windows\{05C08530-DE63-4722-A994-75D8FFE2F899}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{53419195-8247-4671-8989-9088BEEA80A5}.exe
        
        C:\Windows\{53419195-8247-4671-8989-9088BEEA80A5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
        
        C:\Windows\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe
        
        C:\Windows\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe
        
        C:\Windows\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}.exe
        
        C:\Windows\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDDAC~1.EXE > nul
        13⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{746F0~1.EXE > nul
        12⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0214D~1.EXE > nul
        11⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53419~1.EXE > nul
        10⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C08~1.EXE > nul
        9⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DDFB~1.EXE > nul
        8⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B55~1.EXE > nul
        7⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{705E7~1.EXE > nul
        6⤵
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38E44~1.EXE > nul
        5⤵
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{865BA~1.EXE > nul
      4⤵
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90222~1.EXE > nul
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76CAEB~1.EXE > nul
  2⤵
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0214D1DD-A6E5-41d4-8C04-1CB3F0E76ED8}.exe

Filesize
60KB

MD5
09088ea876d609f0cb5e59885eb0968b

SHA1
7a5fb2c63eb7e58e0d555ad5f5c3435ac95a02d9

SHA256
15e8fdef13d1c75ad0a2cb1b6e5d436f93233013cf86613ff30873a66ac16ba7

SHA512
c433e87737c495833595353ad1675d91d65d2ea638dc9e1743ef6acf23067b2df772a3204b5bd90900b0eaa92066f4efce9872a283df17bf8b1d1a826e07176f

Download Submit
C:\Windows\{05C08530-DE63-4722-A994-75D8FFE2F899}.exe

Filesize
60KB

MD5
fde69549c45588b37fa76183b81e4429

SHA1
c6928c5fe5f6f91d6b29f5b2eaff77ae38383d77

SHA256
c605f76e28cf9018dc9026d470ddb37a52ad23149df1d7ea47881d057d8a52ec

SHA512
f43359a031fdf2415184d838753ba08ff7a66d8c8819c6c81f7f2f5e8ebd54a94c85d5867783df54ffd8b697fd1763284f2a06c04ca86ed576a2932ede73c4e9

Download Submit
C:\Windows\{0DDFBCC5-F9EB-41dd-A69B-362D23B3DB79}.exe

Filesize
60KB

MD5
f4c030fcd5109c640c163a422d6480b6

SHA1
99eeef92704c5335839b4354e4cd8c2b66fb6425

SHA256
37a2869a23172b810bba2abd28446fb2751da2295ec4a5b6e895f804e9382e44

SHA512
14ed1e88c1b4ff606fa4a8fcb39e004be737c5cc0884d187778da75a58cb3ce34c5450b661ff73123beb6724fdc850cf7cea1996135cae1beb26808d57634318

Download Submit
C:\Windows\{38E443C2-9049-4920-82A9-B4493CFC372A}.exe

Filesize
60KB

MD5
c477f7da689e63df5b0a2bb501d73e09

SHA1
c907379fc1ed5dfad060c41b933873afa3ac4f86

SHA256
4cd27b470ff9d92e38dfe9f6897046a577b0b6e6abf9be5f6e710d0bf26e1ac2

SHA512
611f7e9cef30dede0deb166ffec901c5d451cd88d7eda025c7f7a8a086c36ab63c3d4ae986f86be8a49ebec2c9525d67daed4739b66da78ef2d90a6677a19844

Download Submit
C:\Windows\{53419195-8247-4671-8989-9088BEEA80A5}.exe

Filesize
60KB

MD5
dbfe5da59e9e3ebe9d74eefb77b06130

SHA1
84b6f8757a4b14b2a3af55980533869e11bc1cc3

SHA256
87e3c14ce374832c869a08c17da566be7a247fac9c1ea195051514da128dd6fe

SHA512
4aa523db68a819a71ae31513d2b6559f7caaca71f0287a7ef20750c405a6031ff5df2f676acec4ff819611c7afe13494374ad3c43b42c64689b1e01febf289c0

Download Submit
C:\Windows\{705E7873-EDDF-4f92-B64D-54AEC497FFAC}.exe

Filesize
60KB

MD5
36d8ca06c8966c8bd890a78b4abd8c5c

SHA1
a94d883056bb597457a3b8b61290d1ee156562a5

SHA256
7c5938e5c02afa322bdd34bda01311ff8cb1c68344d7b6ae0e04ba58db591111

SHA512
4558c24aadc386f283a5ece96282a47b7eebd87ca0710b0cf75abe2fb3d8fe832ba6cd13804928c844f77608fe48294a17b77b330054ca8dc3a0b66c5ad1d848

Download Submit
C:\Windows\{746F0F75-A647-44e3-ACB0-1CDEBA66E611}.exe

Filesize
60KB

MD5
5ed1ac32a89254cbb46504688f1607b0

SHA1
ed72523e90f2ecfb5582066aaaf6d7d6913572f1

SHA256
21fbd98f0f41ad7ef4b73a0b2b051589dcf596f54379498dca5880867aa11539

SHA512
2bdd526eb984dc57bd6455d8043764d84f80d7c0452661be907ac22759682d4fc85f7ec98bbf7729e26287a2461221851edf8c6f221562194dbd93476850a1bf

Download Submit
C:\Windows\{865BAB5D-DC51-40ec-B0B9-CC06EFE01A8C}.exe

Filesize
60KB

MD5
df4e7cc2815281de82b6862ca0e85099

SHA1
e9cf0859df9e36fd80b2e29fc32ddb9d6a8d949e

SHA256
14613561fde3d09230cc990601d058f47e3275bbf0fc834ba1fb7a74850dc19b

SHA512
d5b14c8869dbd4ae3603532eafc812c750ef8030be64d49236fbe4b909e77761207721c1c3cb0a568c45a5af4fbfbadb052621c022035867e284c1089acbb104

Download Submit
C:\Windows\{90222799-A086-4524-81A7-8BABA58A510C}.exe

Filesize
60KB

MD5
94177840632836fdebeab4efa87750f3

SHA1
aa12de1e9bd2f3dd1f8817bcc9531058b63e21d8

SHA256
3873c5e3a47fec29df6c85c317f6e68ae90b219174edf5a45126b73c4c9b1b40

SHA512
fc908a79b028fac140236d4929513d3bae9d9838ea5da10759b699dc5f6bc15864a98f1ecd27dd0081115c82a3080b658c92a68c43fa016768ce0ea157106e7a

Download Submit
C:\Windows\{B7B555C8-8C7F-4f13-954A-51DBBB670F7B}.exe

Filesize
60KB

MD5
0713de550100c749a1c029ab56e27b20

SHA1
eb2bd2ab1d356860b293d36fa825465da96abac9

SHA256
c298e04d1bae3db7bc9cbe3695994008ee2b80c39362f0c4571a2ce783dbc85d

SHA512
493773f960792450b70e4b98f6f306c049ccc659d62e6908e8f6df5bafc521f3228686d483673ae224468d95a91040e335a5ff0d32b70bb953ca90fb8dcdba7e

Download Submit
C:\Windows\{CDDAC749-90E2-47fe-BAB9-C45AE41D6625}.exe

Filesize
60KB

MD5
5b7c9dd662f7e52c2a48e7beb7c7e4b7

SHA1
a855f7103fbb8892ca0cb8272244bf70717c004b

SHA256
e9097e4edb6673e952e0196835dbcf07d5175d7bb621fda537e18aaa67557b04

SHA512
6ca8ae13c0ada9121e071f77aab4bec7234e90bbb84dc5722b6a9989a56c4214b604a26c706647e4502d33b44b3bc333b9f2fcea468acf7e65a35f6551f905ee

Download Submit
C:\Windows\{D3B7D3D7-5DB1-466a-A8DA-99AC552DCBDA}.exe

Filesize
60KB

MD5
08f4c85b244fd471ff3618dadd57f322

SHA1
63d71b0dd9f671282a134bdbf370ae96c0b51450

SHA256
20ab230f1919b9946f92a96307f4d11a97cb66f7f5756f66a4a6ecaec353e5c4

SHA512
5c4c0fede5fc48e17b9983c84e7294c5720e0ea2df0d9800199af5ad4036302e0a0539f26534d0008581a45622fe6da44559e64c8ed7f06998c5f19b7976a975

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads