7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 00:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe
Size

116KB
MD5

0558906a2a125963f672a8e80d8feb93
SHA1

4e393dd45d1d2cd8c8cae417ad261a08943ce8c7
SHA256

7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4
SHA512

d8962bee20847ffddfb2fa1141caeb621daff9c8580ff763227914ff43dcab939826a63a1e77c5c517ef32b975a17a809b59ed7b8846286ab3e1d811cb336a57
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0ovl2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D6F65F-78BE-4771-9588-6C89F96F01C8}	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A92EE237-9B33-4c94-8429-E48265F99D44}\stubpath = "C:\\Windows\\{A92EE237-9B33-4c94-8429-E48265F99D44}.exe"	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A92A2827-709E-4854-9122-630F3CB34F25}\stubpath = "C:\\Windows\\{A92A2827-709E-4854-9122-630F3CB34F25}.exe"	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF3929F-646B-4441-843C-8C757CA6F83D}	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94383684-D79E-420b-AED3-04991C5DFC7D}	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94383684-D79E-420b-AED3-04991C5DFC7D}\stubpath = "C:\\Windows\\{94383684-D79E-420b-AED3-04991C5DFC7D}.exe"	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}\stubpath = "C:\\Windows\\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe"	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}\stubpath = "C:\\Windows\\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}.exe"	{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A92A2827-709E-4854-9122-630F3CB34F25}	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D14793F4-7E0C-49b3-926C-80BABA86084C}\stubpath = "C:\\Windows\\{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe"	{A92A2827-709E-4854-9122-630F3CB34F25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}\stubpath = "C:\\Windows\\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe"	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}\stubpath = "C:\\Windows\\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe"	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D6F65F-78BE-4771-9588-6C89F96F01C8}\stubpath = "C:\\Windows\\{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe"	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D14793F4-7E0C-49b3-926C-80BABA86084C}	{A92A2827-709E-4854-9122-630F3CB34F25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF3929F-646B-4441-843C-8C757CA6F83D}\stubpath = "C:\\Windows\\{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe"	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}\stubpath = "C:\\Windows\\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe"	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}	{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A92EE237-9B33-4c94-8429-E48265F99D44}	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}\stubpath = "C:\\Windows\\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe"	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe
1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
1880	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe
3780	{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe
3436	{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
File created	C:\Windows\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
File created	C:\Windows\{A92A2827-709E-4854-9122-630F3CB34F25}.exe	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
File created	C:\Windows\{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
File created	C:\Windows\{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
File created	C:\Windows\{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	{A92A2827-709E-4854-9122-630F3CB34F25}.exe
File created	C:\Windows\{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
File created	C:\Windows\{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
File created	C:\Windows\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
File created	C:\Windows\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe
File created	C:\Windows\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe
File created	C:\Windows\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}.exe	{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe
Token: SeIncBasePriorityPrivilege	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
Token: SeIncBasePriorityPrivilege	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
Token: SeIncBasePriorityPrivilege	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
Token: SeIncBasePriorityPrivilege	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe
Token: SeIncBasePriorityPrivilege	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
Token: SeIncBasePriorityPrivilege	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
Token: SeIncBasePriorityPrivilege	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
Token: SeIncBasePriorityPrivilege	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
Token: SeIncBasePriorityPrivilege	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
Token: SeIncBasePriorityPrivilege	1880	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe
Token: SeIncBasePriorityPrivilege	3780	{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4784	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe	87
PID 3952 wrote to memory of 4784	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe	87
PID 3952 wrote to memory of 4784	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe	87
PID 3952 wrote to memory of 1440	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe	88
PID 3952 wrote to memory of 1440	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe	88
PID 3952 wrote to memory of 1440	3952	7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe	88
PID 4784 wrote to memory of 2012	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	89
PID 4784 wrote to memory of 2012	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	89
PID 4784 wrote to memory of 2012	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	89
PID 4784 wrote to memory of 5004	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	90
PID 4784 wrote to memory of 5004	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	90
PID 4784 wrote to memory of 5004	4784	{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe	90
PID 2012 wrote to memory of 1744	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	93
PID 2012 wrote to memory of 1744	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	93
PID 2012 wrote to memory of 1744	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	93
PID 2012 wrote to memory of 1920	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	94
PID 2012 wrote to memory of 1920	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	94
PID 2012 wrote to memory of 1920	2012	{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe	94
PID 1744 wrote to memory of 4760	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	96
PID 1744 wrote to memory of 4760	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	96
PID 1744 wrote to memory of 4760	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	96
PID 1744 wrote to memory of 3864	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	97
PID 1744 wrote to memory of 3864	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	97
PID 1744 wrote to memory of 3864	1744	{A92EE237-9B33-4c94-8429-E48265F99D44}.exe	97
PID 4760 wrote to memory of 1432	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe	98
PID 4760 wrote to memory of 1432	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe	98
PID 4760 wrote to memory of 1432	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe	98
PID 4760 wrote to memory of 1452	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe	99
PID 4760 wrote to memory of 1452	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe	99
PID 4760 wrote to memory of 1452	4760	{A92A2827-709E-4854-9122-630F3CB34F25}.exe	99
PID 1432 wrote to memory of 2888	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	100
PID 1432 wrote to memory of 2888	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	100
PID 1432 wrote to memory of 2888	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	100
PID 1432 wrote to memory of 3476	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	101
PID 1432 wrote to memory of 3476	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	101
PID 1432 wrote to memory of 3476	1432	{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe	101
PID 2888 wrote to memory of 1472	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	102
PID 2888 wrote to memory of 1472	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	102
PID 2888 wrote to memory of 1472	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	102
PID 2888 wrote to memory of 4608	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	103
PID 2888 wrote to memory of 4608	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	103
PID 2888 wrote to memory of 4608	2888	{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe	103
PID 1472 wrote to memory of 1344	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	104
PID 1472 wrote to memory of 1344	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	104
PID 1472 wrote to memory of 1344	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	104
PID 1472 wrote to memory of 1072	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	105
PID 1472 wrote to memory of 1072	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	105
PID 1472 wrote to memory of 1072	1472	{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe	105
PID 1344 wrote to memory of 1788	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	106
PID 1344 wrote to memory of 1788	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	106
PID 1344 wrote to memory of 1788	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	106
PID 1344 wrote to memory of 4252	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	107
PID 1344 wrote to memory of 4252	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	107
PID 1344 wrote to memory of 4252	1344	{94383684-D79E-420b-AED3-04991C5DFC7D}.exe	107
PID 1788 wrote to memory of 1880	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	108
PID 1788 wrote to memory of 1880	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	108
PID 1788 wrote to memory of 1880	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	108
PID 1788 wrote to memory of 3816	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	109
PID 1788 wrote to memory of 3816	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	109
PID 1788 wrote to memory of 3816	1788	{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe	109
PID 1880 wrote to memory of 3780	1880	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe	110
PID 1880 wrote to memory of 3780	1880	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe	110
PID 1880 wrote to memory of 3780	1880	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe	110
PID 1880 wrote to memory of 2728	1880	{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe	111

C:\Users\Admin\AppData\Local\Temp\7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe
"C:\Users\Admin\AppData\Local\Temp\7aee5fb9924a4b21148b1fbf87ef0aa71113948ee19c4f37d698777fdd53e6d4.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
  C:\Windows\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
    C:\Windows\{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
      C:\Windows\{A92EE237-9B33-4c94-8429-E48265F99D44}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\{A92A2827-709E-4854-9122-630F3CB34F25}.exe
        
        C:\Windows\{A92A2827-709E-4854-9122-630F3CB34F25}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
        
        C:\Windows\{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
        
        C:\Windows\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
        
        C:\Windows\{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
        
        C:\Windows\{94383684-D79E-420b-AED3-04991C5DFC7D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
        
        C:\Windows\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe
        
        C:\Windows\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe
        
        C:\Windows\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}.exe
        
        C:\Windows\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}.exe
        13⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F6C6~1.EXE > nul
        13⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{544CF~1.EXE > nul
        12⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F70~1.EXE > nul
        11⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94383~1.EXE > nul
        10⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF39~1.EXE > nul
        9⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB571~1.EXE > nul
        8⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1479~1.EXE > nul
        7⤵
        
        PID:3476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A92A2~1.EXE > nul
        6⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A92EE~1.EXE > nul
        5⤵
        
        PID:3864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96D6F~1.EXE > nul
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FEB5F~1.EXE > nul
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7AEE5F~1.EXE > nul
  2⤵
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F6C6438-F25B-4830-9BDD-7604EA9FF7E8}.exe

Filesize
116KB

MD5
138c16f80833f85cd78944262e779709

SHA1
ec308033db07332608e01ce7d5f558e4ebeca453

SHA256
13fdd2cc400bfdc66a62145fcd929454da2b47149ef3c8b4eec9f67322ff6cf8

SHA512
4b2f44d6091e6d2fd28375203b30a362b94f8145770914fd3750c638da459850725146666788148221a45ec82052eed5bce4016505caff016ce97cf8ba4d6c09

Download Submit
C:\Windows\{27D56E99-FBCD-4a0d-A57B-976B88EB7A3F}.exe

Filesize
116KB

MD5
40a7acbdf9eb49cdef13dd92c5c8b8e6

SHA1
87beb77701758b5c8afc3fb0ed2b7fb8c1870847

SHA256
2608b16b49c4f93b5f365f183eda9fac9cfcb11973952191b3e9136ea14bf8f6

SHA512
b4c38b8fc6baf847d91bca3f88309a09f0f971b5d222a226589ae9b7f80d498d94b5b111eadedfa03fed77a2af704279afd3060206f9a353bbd5e0013e670d05

Download Submit
C:\Windows\{2EF3929F-646B-4441-843C-8C757CA6F83D}.exe

Filesize
116KB

MD5
4e5336fb74f63f11bb315ea961aff906

SHA1
3417c1f00e7519104926a998dcb7eb9b90d595d3

SHA256
24f1f3949ecba77c751f42b154123ed65140e443676d365b996791ecfadf1d47

SHA512
85acc2ebe0a64a341ba73c52ac798245dd6c12c392d3d0253d92e844e8a5f6bea688615ac3105abfc3263d02abeab4e0829ae16c0d66ecf45424716a80999adf

Download Submit
C:\Windows\{544CF4C6-4E70-4f29-A5DD-54DD6628E31F}.exe

Filesize
116KB

MD5
596a2ec25612a8e4178d349d542f5ee6

SHA1
a490e093c87c96884fdac5940c4ffd784eaf332d

SHA256
9b41aac3629e75b2282069db30001dc3544d44bd91e120af8d7915aa3fbccffd

SHA512
384dbbea9cac91a1ecfcf9de2c5b54d9be96e3ef9f4b229b33b7bf586f3405a952c89a4c0a4842b8e5afa138881013420d832da3f24ecb57df2c7898fd922ff9

Download Submit
C:\Windows\{94383684-D79E-420b-AED3-04991C5DFC7D}.exe

Filesize
116KB

MD5
e413656855c667e1850b1edcee7e4091

SHA1
3688336c2fa52ec09740040f53745ec60409a9dd

SHA256
0c43d05907cd15fd73fa763afd971cfca482b6e1fda233c917652131f5b35bc6

SHA512
803f1c4f9e466d9fe9b460a67f94ba8c11ce93f0c56d37b0f5ed2c8155467b5bd3c53b1a79ce8020b9d63ebe7514499b8c80dbe26e452ed8421cbcd47abd5b00

Download Submit
C:\Windows\{96D6F65F-78BE-4771-9588-6C89F96F01C8}.exe

Filesize
116KB

MD5
4528baa622ea26068ef1ba63552740f6

SHA1
a62aa0b11a764b9d7e49e03a6c5e2c14b9b0e0b9

SHA256
36346a8aab66a342af8ad3639f8b59355fb6eacbb9a355577c64b07e97cd41b2

SHA512
a9521c6b0cb3d132730c5356582be0de3095583e89def0e7f89b66db3abdd53f31d3b26c6293c77b36ef749b9a7f5ffcb04f77d33d31ab691b4848df5c71e9cc

Download Submit
C:\Windows\{A92A2827-709E-4854-9122-630F3CB34F25}.exe

Filesize
116KB

MD5
4adad865063152ac9bb2949935ce9313

SHA1
6b1e684821101347680f77a0f8216def671b44bc

SHA256
d7cd93e4026ee05daca33c6e896a5e6ce304471fc785c5202fb85cbc664d952b

SHA512
aabed69a1596450e826516106c40d37fdb6874f142f094462696a67b25993bb84f67b2cfb2fbbb3bb221a533e73ea4d3552d192113e9f759cffca08d3d6e9d58

Download Submit
C:\Windows\{A92EE237-9B33-4c94-8429-E48265F99D44}.exe

Filesize
116KB

MD5
7368fce41cf909b45c082ffcd15e38a5

SHA1
5dc4d1d40837448629f73de4dca80d39340e3987

SHA256
758ecdd391d2610817eb2d247c2cf9864951d19bceb798c9a4e05ea36e1ed258

SHA512
64435866c58f4f24a8a35f35bb1281e87572717017b7774950876a064cb2f2cff5c6e9a2918515b10ce49d97869adacf3a8569177473a30a01db14ac71c29f4b

Download Submit
C:\Windows\{B7F707ED-7F41-46ec-80BC-C42812D1BA83}.exe

Filesize
116KB

MD5
45cacd882730d377d277084828be030d

SHA1
a786e666a53cbc9ae9a8b8a5f83621995bf11e3e

SHA256
feacdb4f67963117fae9417c6f78dff74f5913faba8e595250c89b804673cd34

SHA512
55a4916b786f9c970894351f97e34396c23ff8a5c1d40775a1a253ffe4bdac9e762ce07734685106aff2a86970d809e0ff9c6f0fb3ecb6c1a8c85554267c597a

Download Submit
C:\Windows\{D14793F4-7E0C-49b3-926C-80BABA86084C}.exe

Filesize
116KB

MD5
7eddfb5698ea8667beb81582ed68dbba

SHA1
b864f2e4e0b564293277b32d5469a40b84b1e978

SHA256
50735029035998e8da1367fe78759353bd322a6d2137e64fac68b0d446ba503e

SHA512
7dbea1160dc4b4154682fad5a8cb9631f4ef7d165a3d30d4bda556affd5ff4961839f0878ace8dc4e0bf6cb27c03da2176ce0e933960c207ef66ac4b48da648b

Download Submit
C:\Windows\{DB571C64-182C-43ab-8DCF-0D290FFC5DB4}.exe

Filesize
116KB

MD5
e731d0fd93bc576a1ae274c044f91a14

SHA1
bf63dc1bba9f425f22f994203fa1a59a1ad069b7

SHA256
e963fd1b494ccf6225b734c3d643da3a3b71ebdd125aa49f16f5e850c516827a

SHA512
c347d94e08c2c2eb6590341689b6d7f16348cf9521baec64564136e4280db46e8ff7d92654bf6a62dd461922ffba09d568cd083f1dfd28942d9b44c9df9ecd4c

Download Submit
C:\Windows\{FEB5F772-8C3A-4e45-B233-03F5D5EC6181}.exe

Filesize
116KB

MD5
2ce1c1037472e98b4d8bd628404e424c

SHA1
f92ca0e7ab6874f2e35f759db4ba59c0f13b6145

SHA256
3653a83174a6338bd7fa1f2027ff3003368e530cddded72e7b7b9afb5e1cd2ad

SHA512
d0a19342e3ca2a0d9288e68f2009e895d3d8048608eb31c478e116df4e2cf583c64e4d700ffd071f2f5399ac7e88bd631fdb9edda93e355603951cccad52c0a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads