0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe
Size

98KB
MD5

a08ac532b726c2382de64606aea5f934
SHA1

ff72d074a0cd322618c77d85e897cebe3574f4f6
SHA256

0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887
SHA512

fc1a6cb4617c93958f84225e4f34a04c46d6ceaa147f790cf12c82c7b732ef6610e4de235453d4ef040cfb802f88039a870f46c1abbd6a632a4305765b29d64b
SSDEEP

768:5vw98169hKjros4/wQCNrfrunMxVFA3b7glw6:lEG/HoslxunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{160E4A70-6477-4c80-8756-AF69E8D5863A}	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9558CBC7-734F-457e-A957-5C54D032DA8D}	{F5429530-F623-4af9-A344-1A254784C482}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}\stubpath = "C:\\Windows\\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe"	{6AD5118F-CF19-44a9-8874-43F488895546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F278BC-2906-4990-8854-CD187B1A4CF5}	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}	{6AD5118F-CF19-44a9-8874-43F488895546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{160E4A70-6477-4c80-8756-AF69E8D5863A}\stubpath = "C:\\Windows\\{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe"	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5429530-F623-4af9-A344-1A254784C482}	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9558CBC7-734F-457e-A957-5C54D032DA8D}\stubpath = "C:\\Windows\\{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe"	{F5429530-F623-4af9-A344-1A254784C482}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760B4003-9498-4b86-9CD3-32B4086094FC}	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}\stubpath = "C:\\Windows\\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}.exe"	{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}\stubpath = "C:\\Windows\\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe"	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}\stubpath = "C:\\Windows\\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe"	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760B4003-9498-4b86-9CD3-32B4086094FC}\stubpath = "C:\\Windows\\{760B4003-9498-4b86-9CD3-32B4086094FC}.exe"	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F278BC-2906-4990-8854-CD187B1A4CF5}\stubpath = "C:\\Windows\\{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe"	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5429530-F623-4af9-A344-1A254784C482}\stubpath = "C:\\Windows\\{F5429530-F623-4af9-A344-1A254784C482}.exe"	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}\stubpath = "C:\\Windows\\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe"	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}\stubpath = "C:\\Windows\\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe"	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD5118F-CF19-44a9-8874-43F488895546}	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD5118F-CF19-44a9-8874-43F488895546}\stubpath = "C:\\Windows\\{6AD5118F-CF19-44a9-8874-43F488895546}.exe"	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}	{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
2164	{F5429530-F623-4af9-A344-1A254784C482}.exe
2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe
2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
5044	{6AD5118F-CF19-44a9-8874-43F488895546}.exe
5096	{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe
3992	{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
File created	C:\Windows\{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe
File created	C:\Windows\{F5429530-F623-4af9-A344-1A254784C482}.exe	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
File created	C:\Windows\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
File created	C:\Windows\{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
File created	C:\Windows\{6AD5118F-CF19-44a9-8874-43F488895546}.exe	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
File created	C:\Windows\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe	{6AD5118F-CF19-44a9-8874-43F488895546}.exe
File created	C:\Windows\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}.exe	{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe
File created	C:\Windows\{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	{F5429530-F623-4af9-A344-1A254784C482}.exe
File created	C:\Windows\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
File created	C:\Windows\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
File created	C:\Windows\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe
Token: SeIncBasePriorityPrivilege	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
Token: SeIncBasePriorityPrivilege	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe
Token: SeIncBasePriorityPrivilege	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
Token: SeIncBasePriorityPrivilege	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
Token: SeIncBasePriorityPrivilege	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
Token: SeIncBasePriorityPrivilege	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe
Token: SeIncBasePriorityPrivilege	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
Token: SeIncBasePriorityPrivilege	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
Token: SeIncBasePriorityPrivilege	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
Token: SeIncBasePriorityPrivilege	5044	{6AD5118F-CF19-44a9-8874-43F488895546}.exe
Token: SeIncBasePriorityPrivilege	5096	{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2068	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe	81
PID 4624 wrote to memory of 2068	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe	81
PID 4624 wrote to memory of 2068	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe	81
PID 4624 wrote to memory of 1368	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe	82
PID 4624 wrote to memory of 1368	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe	82
PID 4624 wrote to memory of 1368	4624	0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe	82
PID 2068 wrote to memory of 2164	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	83
PID 2068 wrote to memory of 2164	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	83
PID 2068 wrote to memory of 2164	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	83
PID 2068 wrote to memory of 2884	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	84
PID 2068 wrote to memory of 2884	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	84
PID 2068 wrote to memory of 2884	2068	{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe	84
PID 2164 wrote to memory of 2628	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe	87
PID 2164 wrote to memory of 2628	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe	87
PID 2164 wrote to memory of 2628	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe	87
PID 2164 wrote to memory of 2900	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe	88
PID 2164 wrote to memory of 2900	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe	88
PID 2164 wrote to memory of 2900	2164	{F5429530-F623-4af9-A344-1A254784C482}.exe	88
PID 2628 wrote to memory of 3740	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	89
PID 2628 wrote to memory of 3740	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	89
PID 2628 wrote to memory of 3740	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	89
PID 2628 wrote to memory of 4880	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	90
PID 2628 wrote to memory of 4880	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	90
PID 2628 wrote to memory of 4880	2628	{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe	90
PID 3740 wrote to memory of 3672	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	91
PID 3740 wrote to memory of 3672	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	91
PID 3740 wrote to memory of 3672	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	91
PID 3740 wrote to memory of 4944	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	92
PID 3740 wrote to memory of 4944	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	92
PID 3740 wrote to memory of 4944	3740	{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe	92
PID 3672 wrote to memory of 1548	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	93
PID 3672 wrote to memory of 1548	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	93
PID 3672 wrote to memory of 1548	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	93
PID 3672 wrote to memory of 2420	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	94
PID 3672 wrote to memory of 2420	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	94
PID 3672 wrote to memory of 2420	3672	{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe	94
PID 1548 wrote to memory of 2860	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	95
PID 1548 wrote to memory of 2860	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	95
PID 1548 wrote to memory of 2860	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	95
PID 1548 wrote to memory of 5064	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	96
PID 1548 wrote to memory of 5064	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	96
PID 1548 wrote to memory of 5064	1548	{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe	96
PID 2860 wrote to memory of 2216	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	97
PID 2860 wrote to memory of 2216	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	97
PID 2860 wrote to memory of 2216	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	97
PID 2860 wrote to memory of 432	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	98
PID 2860 wrote to memory of 432	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	98
PID 2860 wrote to memory of 432	2860	{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe	98
PID 2216 wrote to memory of 1436	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	99
PID 2216 wrote to memory of 1436	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	99
PID 2216 wrote to memory of 1436	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	99
PID 2216 wrote to memory of 3216	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	100
PID 2216 wrote to memory of 3216	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	100
PID 2216 wrote to memory of 3216	2216	{760B4003-9498-4b86-9CD3-32B4086094FC}.exe	100
PID 1436 wrote to memory of 5044	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	101
PID 1436 wrote to memory of 5044	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	101
PID 1436 wrote to memory of 5044	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	101
PID 1436 wrote to memory of 2668	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	102
PID 1436 wrote to memory of 2668	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	102
PID 1436 wrote to memory of 2668	1436	{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe	102
PID 5044 wrote to memory of 5096	5044	{6AD5118F-CF19-44a9-8874-43F488895546}.exe	103
PID 5044 wrote to memory of 5096	5044	{6AD5118F-CF19-44a9-8874-43F488895546}.exe	103
PID 5044 wrote to memory of 5096	5044	{6AD5118F-CF19-44a9-8874-43F488895546}.exe	103
PID 5044 wrote to memory of 4276	5044	{6AD5118F-CF19-44a9-8874-43F488895546}.exe	104

C:\Users\Admin\AppData\Local\Temp\0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe
"C:\Users\Admin\AppData\Local\Temp\0e73d8a624433feeba87f19ef28cd6cf06d3d18159a638dff5071eb91ee8d887.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
  C:\Windows\{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\{F5429530-F623-4af9-A344-1A254784C482}.exe
    C:\Windows\{F5429530-F623-4af9-A344-1A254784C482}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
      C:\Windows\{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
        
        C:\Windows\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
        
        C:\Windows\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe
        
        C:\Windows\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
        
        C:\Windows\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
        
        C:\Windows\{760B4003-9498-4b86-9CD3-32B4086094FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
        
        C:\Windows\{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{6AD5118F-CF19-44a9-8874-43F488895546}.exe
        
        C:\Windows\{6AD5118F-CF19-44a9-8874-43F488895546}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe
        
        C:\Windows\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}.exe
        
        C:\Windows\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}.exe
        13⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E108~1.EXE > nul
        13⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD51~1.EXE > nul
        12⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15F27~1.EXE > nul
        11⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{760B4~1.EXE > nul
        10⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C75~1.EXE > nul
        9⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D6C0~1.EXE > nul
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FEC2~1.EXE > nul
        7⤵
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D6F4~1.EXE > nul
        6⤵
        
        PID:4944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9558C~1.EXE > nul
        5⤵
        
        PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5429~1.EXE > nul
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{160E4~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0E73D8~1.EXE > nul
  2⤵
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D6F4FE4-BC30-4ae8-8C7B-F4EF36856826}.exe

Filesize
98KB

MD5
68fd075df23830c13b58452e6dcf3e88

SHA1
09cd9d4c3fbdb40d63ee912321bb2d8dbe25978b

SHA256
999a755771444cb0f229860d051db229fac32f62f1442f112cae2fbc00ed8889

SHA512
b57f07c668a2e393ffbb8497191066b987f47784c764ed79af638d278857af28e898adb42c79da8a86b58737961942fb9929f7ebca3b428df14b3af3ae109ce1

Download Submit
C:\Windows\{15F278BC-2906-4990-8854-CD187B1A4CF5}.exe

Filesize
98KB

MD5
211ec68671a9b9a5a84cc59ecfec32f8

SHA1
28698a8f96b0da447b1cf3db87aedfe3db6ada14

SHA256
b711947369e13a04e54ad36cac36b554a7dd3aeb021aab0dc6d626947a25df9c

SHA512
7d67c169ee6aad667a2288308c1ba8386ea2338e404de8dcbdc305453feb25642146ae9007d15a2b4ed826d49e0dc9e42c1f9963529dd99be92260290842252f

Download Submit
C:\Windows\{160E4A70-6477-4c80-8756-AF69E8D5863A}.exe

Filesize
98KB

MD5
607b6f9dd627067d6d0510d0d224f8bb

SHA1
44b3b6b78dfc00ad0ed9d7247c6718738d207f47

SHA256
6626812fb259737b20d746a5e4eda1c424ad5f1f1ab6ce2365e426d2cfd45312

SHA512
98bfa31cca04ca8e9d1b239a202da3403bf546608b7bb21df5b711a01a7422f6b39faee5c2c2ba9a517e9c1843a685d7203ce69c8ac9da06fecd5b7552861427

Download Submit
C:\Windows\{24FABDE8-FCFE-42ac-B37C-EBA676EDBB1B}.exe

Filesize
98KB

MD5
3f3472e8ce31fae3a8233882456ab33c

SHA1
b17117ea9f86dc550bbc40f5ad15942a569c1e47

SHA256
55643712210ff7807396f02fdecc823b9d095f6809be1e81e3abf332398fdd0e

SHA512
d1ffc8a379246cd8ac1f1eec10befa7ff1b18927810afa87abcb20d5e29af91ea28fd307d0f7953fdeb2bfa13f1800a53dad539ea55693173c268269e9753fc1

Download Submit
C:\Windows\{2D6C02EC-BFFA-4bf8-8D60-0D56313CCB8F}.exe

Filesize
98KB

MD5
c53bc693401947f8ef442892f38018e0

SHA1
3c4664c4c6576b64f55acdb34e4af8a15d327337

SHA256
68835e51c327b555c642bf363e018c58e1333581f6e31e6b26fa0b324fb3f00b

SHA512
ff81282d89d781a5a52e3d5251a613258d080af14edf554dffb083c7bc430e9b64bef7bad27f52f0e8f04874587b5df43330ca28e1deea6920bced9642d6e307

Download Submit
C:\Windows\{5E1086D9-8D9C-4830-A846-B485BAE3CC8F}.exe

Filesize
98KB

MD5
9ecce9c1651beec0edc3f2f4e747348d

SHA1
84e11a55dd50a293983e2814f78d90d6f182bfd0

SHA256
2382cccf3daf67f985518f51a810ebf26d18f8d8c94d2b88715ba3d5e5228507

SHA512
c9a7eae96ca9db4f6acc94b622f8d4aa8d6614eafada36af4357125e3faa93bac7975c046c8632f80400fc2646900d6d275e86c8b78bc260434cdef414c57487

Download Submit
C:\Windows\{5FEC26A9-43DC-4980-9A60-7C4B556F6F20}.exe

Filesize
98KB

MD5
4fe105c3a4e3026aa58e1dcbf87e713c

SHA1
6ac46e8982f973b7d68b8a3a93a0b1f35ce69476

SHA256
d5bf9e9a92834ea46fe48a5cb11d3418a4223d0c59fc49e42bb0afd41aa37a71

SHA512
095c64ad9252dba49c36f3be2d2aff44e664b49514be4daaf5faf3d0b8770ad4be6dc501abce6204a46871823b7ca3df7bcd07989f4a2807eaaeb5f23f5e907d

Download Submit
C:\Windows\{6AD5118F-CF19-44a9-8874-43F488895546}.exe

Filesize
98KB

MD5
893bb03e92d445802851a3cf967a5f15

SHA1
1d82c01a63423564391f4914afa3ac646456840a

SHA256
ccabb2cb24e4d4eb4da976b55f46bfd77013d2b3ee4be6d256ba4f3e5249b3ac

SHA512
4580971d99dbee787e03715ba7c7d4daa45a062467c6b2a16629cb72591158ae4559c465294835845fadd15464c5da32c5bfe6f7303537f8f206aa8c424dc252

Download Submit
C:\Windows\{760B4003-9498-4b86-9CD3-32B4086094FC}.exe

Filesize
98KB

MD5
3a397fa281fea66745f1f3c45560967e

SHA1
e0d9fdcd66467dcf09556bfa557bc0b9290c628c

SHA256
a49685a2a9ffad1217df315f963444148cbc0ed8a80dd8ea944db36f97bfc93c

SHA512
4db3460670e9fe05b280b1f329c3b572ef2b59df41e3abf4b150f8a2f0a7e7a6c2909e198f589232b82f2fac6b8761c593e8fbab28008d19b8fa036fe09b7fee

Download Submit
C:\Windows\{9558CBC7-734F-457e-A957-5C54D032DA8D}.exe

Filesize
98KB

MD5
92f9a2a27db648475fcd424e7dd6e848

SHA1
b8d61ef872375fb0f215503202d7c874fd8207dd

SHA256
bdb9ddc5d5bdb412406b7ba0e8a1fd61d2abc01f2ffd90422207c4f16a1653e5

SHA512
23c2d3e8aa586d244d1a90e3dde8e1313cb89a8b7336906aea0179c16823e2c9ec1be44da65fa3a35accb3e89ded025cc053e3dc48b3b4e1c0c230c6132c90f6

Download Submit
C:\Windows\{D3C75EE7-CAEC-4b30-A5B1-EC710E1FE72C}.exe

Filesize
98KB

MD5
bd1e66eb551a4944bfb9ad8bb18820f1

SHA1
bf6ce5853492d5c46c250caa0a629aec021e1604

SHA256
c6d474634da7781c53977185defb4e4a9b773b3a08c1edf38c8923a44159df2a

SHA512
8d0b2f8677bfacfdc635fbc4361836f5d48339c3fb8ce7c329d2da4060728bae709be70dfe7c811063c28c33e18a545c31d2ebdb71d024d01c61a4bd96a6f99f

Download Submit
C:\Windows\{F5429530-F623-4af9-A344-1A254784C482}.exe

Filesize
98KB

MD5
f46c27ba2f51e8eea6f49b5e5a62027e

SHA1
f762dfb225991753dcb4176472e738faffe74a7e

SHA256
74b1e82115ecdccdf7673deea02760ce1451908a8ebf34e7bc776dcdcf2b9a01

SHA512
9497484cc486602487130d9a1b9239fc7c94192d8f1c1ea1ce83f8dd6e783381b22bf4bb8c9ef78affb72fc3518f3289261f766859b32f2de78a3b6f22bddccf

Download Submit
memory/1436-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1436-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1548-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1548-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2164-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2164-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2216-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2216-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2628-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2860-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2860-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3672-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3672-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3740-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3992-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4624-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4624-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5096-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5096-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads