5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe
Size

92KB
MD5

145287a9d2ed3bb99d287125cf01bbce
SHA1

8275b57a10eb723511b7b22c8c0caae854c7a89f
SHA256

5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355
SHA512

26bdf8bf1a9822f34cd66d13cc156025c855b2528e8e9a8538cf3b1bc2523915d2de20f06b0b614baa026132ed064a9143778550c49726525a4dff720627c906
SSDEEP

192:ubOzawOs81elJHsc45CcRZOqtShcWaOT2QLrCqwEMY04/CFxyNhoy5tH:ubLwOs8AHsc4sMtwhKQLroT4/CFsrdH

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803CAA16-0147-4847-B2A7-60D2BA155457}\stubpath = "C:\\Windows\\{803CAA16-0147-4847-B2A7-60D2BA155457}.exe"	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB497387-3440-4235-B013-B45802A4D5F9}	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}\stubpath = "C:\\Windows\\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe"	{FB497387-3440-4235-B013-B45802A4D5F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E5C31F-62AA-414e-AC5F-95B770843064}	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0CDB29B-4829-4286-B952-C01C10275814}\stubpath = "C:\\Windows\\{F0CDB29B-4829-4286-B952-C01C10275814}.exe"	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}	{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}\stubpath = "C:\\Windows\\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}.exe"	{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E800BDD-2075-476b-B15A-65106F16DBD8}	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E800BDD-2075-476b-B15A-65106F16DBD8}\stubpath = "C:\\Windows\\{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe"	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}\stubpath = "C:\\Windows\\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe"	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803CAA16-0147-4847-B2A7-60D2BA155457}	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}	{FB497387-3440-4235-B013-B45802A4D5F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E5C31F-62AA-414e-AC5F-95B770843064}\stubpath = "C:\\Windows\\{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe"	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0CDB29B-4829-4286-B952-C01C10275814}	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}\stubpath = "C:\\Windows\\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe"	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}\stubpath = "C:\\Windows\\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe"	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB497387-3440-4235-B013-B45802A4D5F9}\stubpath = "C:\\Windows\\{FB497387-3440-4235-B013-B45802A4D5F9}.exe"	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B45E757-5388-4b30-9FEE-6CBE984A6526}	{F0CDB29B-4829-4286-B952-C01C10275814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}\stubpath = "C:\\Windows\\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe"	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B45E757-5388-4b30-9FEE-6CBE984A6526}\stubpath = "C:\\Windows\\{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe"	{F0CDB29B-4829-4286-B952-C01C10275814}.exe

Executes dropped EXE 12 IoCs

pid	Process
2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe
1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
3956	{F0CDB29B-4829-4286-B952-C01C10275814}.exe
4728	{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe
4268	{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F0CDB29B-4829-4286-B952-C01C10275814}.exe	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
File created	C:\Windows\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
File created	C:\Windows\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
File created	C:\Windows\{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
File created	C:\Windows\{FB497387-3440-4235-B013-B45802A4D5F9}.exe	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
File created	C:\Windows\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	{FB497387-3440-4235-B013-B45802A4D5F9}.exe
File created	C:\Windows\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe
File created	C:\Windows\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
File created	C:\Windows\{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
File created	C:\Windows\{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
File created	C:\Windows\{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe	{F0CDB29B-4829-4286-B952-C01C10275814}.exe
File created	C:\Windows\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}.exe	{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe
Token: SeIncBasePriorityPrivilege	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
Token: SeIncBasePriorityPrivilege	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
Token: SeIncBasePriorityPrivilege	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
Token: SeIncBasePriorityPrivilege	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
Token: SeIncBasePriorityPrivilege	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
Token: SeIncBasePriorityPrivilege	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
Token: SeIncBasePriorityPrivilege	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe
Token: SeIncBasePriorityPrivilege	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
Token: SeIncBasePriorityPrivilege	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
Token: SeIncBasePriorityPrivilege	3956	{F0CDB29B-4829-4286-B952-C01C10275814}.exe
Token: SeIncBasePriorityPrivilege	4728	{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2524	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe	88
PID 4084 wrote to memory of 2524	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe	88
PID 4084 wrote to memory of 2524	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe	88
PID 4084 wrote to memory of 4416	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe	89
PID 4084 wrote to memory of 4416	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe	89
PID 4084 wrote to memory of 4416	4084	5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe	89
PID 2524 wrote to memory of 3216	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	90
PID 2524 wrote to memory of 3216	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	90
PID 2524 wrote to memory of 3216	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	90
PID 2524 wrote to memory of 4120	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	91
PID 2524 wrote to memory of 4120	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	91
PID 2524 wrote to memory of 4120	2524	{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe	91
PID 3216 wrote to memory of 1680	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	94
PID 3216 wrote to memory of 1680	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	94
PID 3216 wrote to memory of 1680	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	94
PID 3216 wrote to memory of 1152	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	95
PID 3216 wrote to memory of 1152	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	95
PID 3216 wrote to memory of 1152	3216	{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe	95
PID 1680 wrote to memory of 3124	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	100
PID 1680 wrote to memory of 3124	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	100
PID 1680 wrote to memory of 3124	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	100
PID 1680 wrote to memory of 3572	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	101
PID 1680 wrote to memory of 3572	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	101
PID 1680 wrote to memory of 3572	1680	{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe	101
PID 3124 wrote to memory of 4620	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	103
PID 3124 wrote to memory of 4620	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	103
PID 3124 wrote to memory of 4620	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	103
PID 3124 wrote to memory of 1328	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	104
PID 3124 wrote to memory of 1328	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	104
PID 3124 wrote to memory of 1328	3124	{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe	104
PID 4620 wrote to memory of 4468	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	107
PID 4620 wrote to memory of 4468	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	107
PID 4620 wrote to memory of 4468	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	107
PID 4620 wrote to memory of 4396	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	108
PID 4620 wrote to memory of 4396	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	108
PID 4620 wrote to memory of 4396	4620	{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe	108
PID 4468 wrote to memory of 3948	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	109
PID 4468 wrote to memory of 3948	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	109
PID 4468 wrote to memory of 3948	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	109
PID 4468 wrote to memory of 4440	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	110
PID 4468 wrote to memory of 4440	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	110
PID 4468 wrote to memory of 4440	4468	{803CAA16-0147-4847-B2A7-60D2BA155457}.exe	110
PID 3948 wrote to memory of 1344	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe	111
PID 3948 wrote to memory of 1344	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe	111
PID 3948 wrote to memory of 1344	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe	111
PID 3948 wrote to memory of 2820	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe	112
PID 3948 wrote to memory of 2820	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe	112
PID 3948 wrote to memory of 2820	3948	{FB497387-3440-4235-B013-B45802A4D5F9}.exe	112
PID 1344 wrote to memory of 4084	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	113
PID 1344 wrote to memory of 4084	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	113
PID 1344 wrote to memory of 4084	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	113
PID 1344 wrote to memory of 1588	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	114
PID 1344 wrote to memory of 1588	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	114
PID 1344 wrote to memory of 1588	1344	{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe	114
PID 4084 wrote to memory of 3956	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	115
PID 4084 wrote to memory of 3956	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	115
PID 4084 wrote to memory of 3956	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	115
PID 4084 wrote to memory of 4488	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	116
PID 4084 wrote to memory of 4488	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	116
PID 4084 wrote to memory of 4488	4084	{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe	116
PID 3956 wrote to memory of 4728	3956	{F0CDB29B-4829-4286-B952-C01C10275814}.exe	117
PID 3956 wrote to memory of 4728	3956	{F0CDB29B-4829-4286-B952-C01C10275814}.exe	117
PID 3956 wrote to memory of 4728	3956	{F0CDB29B-4829-4286-B952-C01C10275814}.exe	117
PID 3956 wrote to memory of 4724	3956	{F0CDB29B-4829-4286-B952-C01C10275814}.exe	118

C:\Users\Admin\AppData\Local\Temp\5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe
"C:\Users\Admin\AppData\Local\Temp\5fe26c6535fd68d89441b8113441f97e5a0dadffcd4c541e8d71d4d72cb8e355.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
  C:\Windows\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
    C:\Windows\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
      C:\Windows\{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
        
        C:\Windows\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
        
        C:\Windows\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
        
        C:\Windows\{803CAA16-0147-4847-B2A7-60D2BA155457}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{FB497387-3440-4235-B013-B45802A4D5F9}.exe
        
        C:\Windows\{FB497387-3440-4235-B013-B45802A4D5F9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
        
        C:\Windows\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
        
        C:\Windows\{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{F0CDB29B-4829-4286-B952-C01C10275814}.exe
        
        C:\Windows\{F0CDB29B-4829-4286-B952-C01C10275814}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe
        
        C:\Windows\{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}.exe
        
        C:\Windows\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B45E~1.EXE > nul
        13⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0CDB~1.EXE > nul
        12⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E5C~1.EXE > nul
        11⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F55BC~1.EXE > nul
        10⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB497~1.EXE > nul
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{803CA~1.EXE > nul
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D48~1.EXE > nul
        7⤵
        
        PID:4396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7A0B~1.EXE > nul
        6⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E800~1.EXE > nul
        5⤵
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CCCF~1.EXE > nul
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B98F1~1.EXE > nul
    3⤵
    PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5FE26C~1.EXE > nul
  2⤵
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CE734EA-ACF7-492b-9FBB-AFB45F7E9DA8}.exe

Filesize
92KB

MD5
4c1b8c77a13f01e12f5f5f2b14034f7b

SHA1
192bc623436064fd3ddd44feea49bb2e7b97fc5f

SHA256
8a5cf7f7d230fe5f1938896e858a488b2f53fa8c75093701f0187bbdf805e51c

SHA512
09c36c1e1e90f5933922e5f613401fd6b501b111a3f543e5d3e3900d3ce62c4d1b24b15975fed15d8a159f6a049b760d7f6e57802ee323a876ec34853aeb65dd

Download Submit
C:\Windows\{3CCCF3A3-F75F-49f9-8CB5-ACAF711E7E91}.exe

Filesize
92KB

MD5
985fa62a4b9c7bc4f228c13cc3758ccc

SHA1
9c5b541898b34e6fa4642d0177c36d466f222ed2

SHA256
952fcaef6ac249bbe09805fa13cb2646b2f9d1b371beedb39abde515fed4370e

SHA512
7804983eadfcc25a8d027863a4aabcf9b32ef558a6688d4a1378e6eb189133599d98c0c75568aabeca0949ba8f74c8b819beb77bcc8560a3d0d1ad151140e640

Download Submit
C:\Windows\{6B45E757-5388-4b30-9FEE-6CBE984A6526}.exe

Filesize
92KB

MD5
52d8268b95083a5310a0b872b319aace

SHA1
c80c7c37960373ceb0eef5aac437fcaf7807b4ab

SHA256
bdecdf20e3ec7afae650752b15e5355de50a1bc233655be575115579b50a5a32

SHA512
bd3e14812fda1b270105a34c5bbf0bc296a2941484992110794a196b7a04359d28ccad3b61a7a22613ed8dbaabc79fef5db618de70be77881885fa13793dab05

Download Submit
C:\Windows\{6E800BDD-2075-476b-B15A-65106F16DBD8}.exe

Filesize
92KB

MD5
bb90bf11027363db3dac7f3f90067b58

SHA1
f64a42b26808e8c133d9c824097b1c92e117ed1f

SHA256
a840b332c51c9e87716830c2df9c56b36da8f21b309eea935f5451cf8aa73345

SHA512
8513dc13cba248d8da32e43988b98701ba58e9dd8f0e571696d407debe8a49f9093bc0aaf53654ed56c5124b2e276a24f659c23d14c829ca3a706085d800a2e0

Download Submit
C:\Windows\{803CAA16-0147-4847-B2A7-60D2BA155457}.exe

Filesize
92KB

MD5
6dfaa125bed5b23e60fbef131db0bebd

SHA1
448e15fa4b5a0979ccb16dd7a04d10ab7fc4109b

SHA256
ed47729570d4b6b50d533ee70106baf105f33b6b043b7045dd4c4b2de5a40ff2

SHA512
51b64c39599db9d3215d7cc95d72db179854852bd4b941a42153b243f899f47ab29538c25dbf2244952c709032f3cc7bae3d97695bad8abc66cd79c0b26b212c

Download Submit
C:\Windows\{B98F12D3-CC4A-4786-80A5-8A715FCCAB57}.exe

Filesize
92KB

MD5
8a4688e0c459336359514c42c554620b

SHA1
d36809cf326926ff82787aa3d18495520b88a69a

SHA256
9a84d2a557e854b84fd9b1067306d5d65cf528bcc6582ddc9b21d98e87b7e9e7

SHA512
87e04075428977e7d4c89f693dd858f30518dbdd2a76e3988bc1eb8735d55dfed8ce651718c564e747375ca3741e095268d217f24be59250d90d9452724284ca

Download Submit
C:\Windows\{C6E5C31F-62AA-414e-AC5F-95B770843064}.exe

Filesize
92KB

MD5
14c0ad9b180a5f9bb4fe8bfbb2eb30ff

SHA1
1d3468ceccdd06d2d5ab2193ba28c545e87b4c1a

SHA256
d4cc248fad12547a855dc8c7b458c5d37966407e58d656091afcd1a0bc256e51

SHA512
e193ea42fd0d7065f182b038f6880ab2db17486aea3b67ad420d65a661f0e6be7913f5534b106975a137d598d2a4caa6af33501eff5c916019dfe736422dbd8a

Download Submit
C:\Windows\{D7A0B1C5-7AB0-4590-8250-67792D48A0CF}.exe

Filesize
92KB

MD5
4a56c758ea3f97e41f2c45026d0c0793

SHA1
b65dfbe5ac78d8f838b29d98daa5a58a2a60b478

SHA256
cfc9cb5c7898a29ce3bbfbbf0878992cbf62c4921c0be4412e618860876aeb17

SHA512
84dc9f356c58f8c042e03346e382a7214aae19ef430f08aa5474c3b82c3638d191c07509434e2961c7d192727e12a322acbd297e10ddd612e3f9d0eec6671a47

Download Submit
C:\Windows\{E4D4842D-DAAE-4d39-B4E3-86F5DD87DED2}.exe

Filesize
92KB

MD5
6268a10062af6c75203c8b8594ddbef4

SHA1
09ce2e3cc8e8cb5c1ac650cf199ca14dd1c091fa

SHA256
4c80a32d82b7fa03d0c5cd533df0f053dcc34d46efd538dc1b1bb2a157750cbc

SHA512
1c512f45dfb93cfac4acff792ae5d56f1c5efb1821d1bcb8e6bcaec96bff873367520ea3e64d9d6b877c008c7a62ec752c34b0c9eb437947ce3475fb0728e4e7

Download Submit
C:\Windows\{F0CDB29B-4829-4286-B952-C01C10275814}.exe

Filesize
92KB

MD5
2c35ec865ecdcf3f39a3ba8c33240c91

SHA1
fcb8cbf4e96c84ae8c8dfc06b58bfa0c3d209830

SHA256
5374a663ce25a85066a37219a0be5145af7567d5963c81729a0b992272fbea75

SHA512
3c228732a96abbaefbc6275b7e9d6c24e8ef725ac37e4e730a54903e4f595c77c7666eadbb19bd192cb758c6b1243463ef2f75b604aa042002870f477dc6f204

Download Submit
C:\Windows\{F55BC408-EA7D-42bc-9236-C0BF96D62EF0}.exe

Filesize
92KB

MD5
0b7e96cdcb410415aa05ee999d23d1f8

SHA1
27feab005973be1c44ad109777840d521593a5b4

SHA256
1f16703eda314f5db978a66ab704494b3d60d559329f2a85ab43e84a8539f1b8

SHA512
62db37e2ed45e7cfd4d6db15c568c8030e44ded80fec047c6b7022f6029796181c814634d74597977d9770d8f85fddc22cfbec7d5af5ffd6631a39f494ef32fa

Download Submit
C:\Windows\{FB497387-3440-4235-B013-B45802A4D5F9}.exe

Filesize
92KB

MD5
2b2ccdd8a782f80b9ab0d7804f0f4346

SHA1
4075aa2f08d947392f4de1767cad277779860fde

SHA256
7f2809e95432b1e5a191f042bd077e20ee7027cd565b20dd1b422d894343a550

SHA512
ea5c72c0c43f2e33a506a4e3ca273e23994523a54955c29ecad4e61f489db08dd59596d7d6e4fba222501448305f4592e3094a0921909981db4ba9ef1e4fd9c9

Download Submit
memory/1344-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1680-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1680-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2524-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2524-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3124-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3124-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3216-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3216-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3948-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3948-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3956-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3956-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4084-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4084-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4084-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4084-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4268-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4468-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4620-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4620-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4728-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4728-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads