be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Size

90KB
MD5

1a11173afa8106ee2f9c3835d5182100
SHA1

0eba04ad8484d9aaf4185ea1765cb761ac4008d4
SHA256

be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1
SHA512

87b9505d3651af47fe91fe76cf2ce4c51bfce49eee202d7a97c6740287e84584f6bf071471e87027aa3958e9791847e148887e8a7f29c23a9b4aab10e7d62dae
SSDEEP

768:50w981IshKQLroW4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:CEGI0oWlVunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B7D586-62C3-46a9-A69F-7256541D27CD}\stubpath = "C:\\Windows\\{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe"	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}\stubpath = "C:\\Windows\\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe"	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6EC1635-A7E2-49a1-B83D-2EDAE5F62663}	{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}\stubpath = "C:\\Windows\\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe"	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9576F279-AA70-43d8-A4AD-4595ECC104F4}\stubpath = "C:\\Windows\\{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe"	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}\stubpath = "C:\\Windows\\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe"	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93007235-8E33-47af-A1F1-0CE060E8289E}	{69A85315-A17F-426b-BECF-4A58A212295D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}\stubpath = "C:\\Windows\\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe"	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388D3677-2B9E-4c92-B388-3F78CEF67147}\stubpath = "C:\\Windows\\{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe"	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69A85315-A17F-426b-BECF-4A58A212295D}	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}\stubpath = "C:\\Windows\\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe"	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}\stubpath = "C:\\Windows\\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe"	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B7D586-62C3-46a9-A69F-7256541D27CD}	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388D3677-2B9E-4c92-B388-3F78CEF67147}	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9576F279-AA70-43d8-A4AD-4595ECC104F4}	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69A85315-A17F-426b-BECF-4A58A212295D}\stubpath = "C:\\Windows\\{69A85315-A17F-426b-BECF-4A58A212295D}.exe"	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93007235-8E33-47af-A1F1-0CE060E8289E}\stubpath = "C:\\Windows\\{93007235-8E33-47af-A1F1-0CE060E8289E}.exe"	{69A85315-A17F-426b-BECF-4A58A212295D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6EC1635-A7E2-49a1-B83D-2EDAE5F62663}\stubpath = "C:\\Windows\\{D6EC1635-A7E2-49a1-B83D-2EDAE5F62663}.exe"	{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe

Executes dropped EXE 11 IoCs

pid	Process
4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe
1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe
3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
1340	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe
2792	{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
File created	C:\Windows\{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
File created	C:\Windows\{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
File created	C:\Windows\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
File created	C:\Windows\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
File created	C:\Windows\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe
File created	C:\Windows\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
File created	C:\Windows\{69A85315-A17F-426b-BECF-4A58A212295D}.exe	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
File created	C:\Windows\{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	{69A85315-A17F-426b-BECF-4A58A212295D}.exe
File created	C:\Windows\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
File created	C:\Windows\{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Token: SeIncBasePriorityPrivilege	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
Token: SeIncBasePriorityPrivilege	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
Token: SeIncBasePriorityPrivilege	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
Token: SeIncBasePriorityPrivilege	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe
Token: SeIncBasePriorityPrivilege	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
Token: SeIncBasePriorityPrivilege	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
Token: SeIncBasePriorityPrivilege	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
Token: SeIncBasePriorityPrivilege	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe
Token: SeIncBasePriorityPrivilege	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
Token: SeIncBasePriorityPrivilege	1340	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4388	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	84
PID 1060 wrote to memory of 4388	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	84
PID 1060 wrote to memory of 4388	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	84
PID 1060 wrote to memory of 4784	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	85
PID 1060 wrote to memory of 4784	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	85
PID 1060 wrote to memory of 4784	1060	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	85
PID 4388 wrote to memory of 5028	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	86
PID 4388 wrote to memory of 5028	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	86
PID 4388 wrote to memory of 5028	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	86
PID 4388 wrote to memory of 4908	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	87
PID 4388 wrote to memory of 4908	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	87
PID 4388 wrote to memory of 4908	4388	{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe	87
PID 5028 wrote to memory of 2760	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	91
PID 5028 wrote to memory of 2760	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	91
PID 5028 wrote to memory of 2760	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	91
PID 5028 wrote to memory of 4592	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	92
PID 5028 wrote to memory of 4592	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	92
PID 5028 wrote to memory of 4592	5028	{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe	92
PID 2760 wrote to memory of 3272	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	93
PID 2760 wrote to memory of 3272	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	93
PID 2760 wrote to memory of 3272	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	93
PID 2760 wrote to memory of 1432	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	94
PID 2760 wrote to memory of 1432	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	94
PID 2760 wrote to memory of 1432	2760	{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe	94
PID 3272 wrote to memory of 1812	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe	95
PID 3272 wrote to memory of 1812	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe	95
PID 3272 wrote to memory of 1812	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe	95
PID 3272 wrote to memory of 3020	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe	96
PID 3272 wrote to memory of 3020	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe	96
PID 3272 wrote to memory of 3020	3272	{69A85315-A17F-426b-BECF-4A58A212295D}.exe	96
PID 1812 wrote to memory of 3324	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	97
PID 1812 wrote to memory of 3324	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	97
PID 1812 wrote to memory of 3324	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	97
PID 1812 wrote to memory of 852	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	98
PID 1812 wrote to memory of 852	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	98
PID 1812 wrote to memory of 852	1812	{93007235-8E33-47af-A1F1-0CE060E8289E}.exe	98
PID 3324 wrote to memory of 784	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	99
PID 3324 wrote to memory of 784	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	99
PID 3324 wrote to memory of 784	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	99
PID 3324 wrote to memory of 1680	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	100
PID 3324 wrote to memory of 1680	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	100
PID 3324 wrote to memory of 1680	3324	{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe	100
PID 784 wrote to memory of 4048	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	101
PID 784 wrote to memory of 4048	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	101
PID 784 wrote to memory of 4048	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	101
PID 784 wrote to memory of 3236	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	102
PID 784 wrote to memory of 3236	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	102
PID 784 wrote to memory of 3236	784	{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe	102
PID 4048 wrote to memory of 3008	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	103
PID 4048 wrote to memory of 3008	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	103
PID 4048 wrote to memory of 3008	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	103
PID 4048 wrote to memory of 1380	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	104
PID 4048 wrote to memory of 1380	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	104
PID 4048 wrote to memory of 1380	4048	{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe	104
PID 3008 wrote to memory of 1340	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	105
PID 3008 wrote to memory of 1340	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	105
PID 3008 wrote to memory of 1340	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	105
PID 3008 wrote to memory of 3308	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	106
PID 3008 wrote to memory of 3308	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	106
PID 3008 wrote to memory of 3308	3008	{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe	106
PID 1340 wrote to memory of 2792	1340	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe	107
PID 1340 wrote to memory of 2792	1340	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe	107
PID 1340 wrote to memory of 2792	1340	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe	107
PID 1340 wrote to memory of 4412	1340	{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe	108

C:\Users\Admin\AppData\Local\Temp\be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
"C:\Users\Admin\AppData\Local\Temp\be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
  C:\Windows\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
    C:\Windows\{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
      C:\Windows\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{69A85315-A17F-426b-BECF-4A58A212295D}.exe
        
        C:\Windows\{69A85315-A17F-426b-BECF-4A58A212295D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
        
        C:\Windows\{93007235-8E33-47af-A1F1-0CE060E8289E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
        
        C:\Windows\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
        
        C:\Windows\{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe
        
        C:\Windows\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
        
        C:\Windows\{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe
        
        C:\Windows\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe
        
        C:\Windows\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\{D6EC1635-A7E2-49a1-B83D-2EDAE5F62663}.exe
        
        C:\Windows\{D6EC1635-A7E2-49a1-B83D-2EDAE5F62663}.exe
        13⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A4E9~1.EXE > nul
        13⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01B09~1.EXE > nul
        12⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{388D3~1.EXE > nul
        11⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F528~1.EXE > nul
        10⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B7D~1.EXE > nul
        9⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C36C~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93007~1.EXE > nul
        7⤵
        
        PID:852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69A85~1.EXE > nul
        6⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{217F9~1.EXE > nul
        5⤵
        
        PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9576F~1.EXE > nul
      4⤵
      PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC025~1.EXE > nul
    3⤵
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE9AEE~1.EXE > nul
  2⤵
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01B09CBF-8611-4577-B09A-8D93ADB9AE29}.exe

Filesize
90KB

MD5
ceb14afbd4f866df44ed617d4b67986a

SHA1
0834ad3b2794319d95281ad64d227c886ed3abf5

SHA256
2b438bd94af6194a4013c130336a9227a2b21e19c28414302c2909f8189d383a

SHA512
9330669100362315479b06a17d0189b59ddb2d17b769cf4d8f8a4152e35b0f26bac85b5f5f38b8a27ced7991badca5b145bd803d29d0ed0277f6aa5bb668ae53

Download Submit
C:\Windows\{217F9E13-6F61-4f5d-BB67-D166FA1E2A28}.exe

Filesize
90KB

MD5
69d803107dae068e8dbfaaf09e4b76b3

SHA1
84dbad6da2ba6f0bd23535103308f219a40b990f

SHA256
0847438876375cd3b5577a3f04622ea756d766df62955726dc08190c636c104b

SHA512
9196172e5d12a50035a244b69e5198694c7dd6a656a936791e270b7ff792ebdeed67dbf25461ccbd17fd2775bc84db8aba8c8ef580eb8d890be21560da4f09e5

Download Submit
C:\Windows\{388D3677-2B9E-4c92-B388-3F78CEF67147}.exe

Filesize
90KB

MD5
89644234917fe5c6aee32dc3a4f09bae

SHA1
78a375399ac73db0a4b0b7f5a0d54ca7ede8d659

SHA256
2ec6b176f6a8dc664acaaede89fd20832e6fdbff59f7ea20d8080e6a565c7a50

SHA512
6fa340836cafa21140c1abce360700a4abf333b315c46aaa9e7a7036a6b830c59e5f2198cd05adee43d69e611da9bebbf1820507f9908cb37a08c18f5cc15765

Download Submit
C:\Windows\{5A4E9ED5-3EFD-4d0e-A2C9-075F6FFE8EBA}.exe

Filesize
90KB

MD5
43182a212cc4387612bb9b4371950187

SHA1
c116da61e4b07e822c75bda5da7c0362ecfa5b52

SHA256
a582716913153e303ac5447c45a93642c1996784807f2624ba932cc80b241225

SHA512
a6a9d6b656a718043d53aae7a31a7aa7945c7b5530f8367edebee9112e4997bc1dfd43bdff0f2b60402706a4a74a18a50f9206c0dc94055a9e1c21eee2695343

Download Submit
C:\Windows\{69A85315-A17F-426b-BECF-4A58A212295D}.exe

Filesize
90KB

MD5
ec50ce601c27546e69d0af702cca998a

SHA1
db9b7cae435e40fc0de4e59e896d4e87dbd37a3a

SHA256
f227474741a80b1837dc6c27640cd44f1982a3d7c39901954884d593ffd0224d

SHA512
da390b1b1769f3a3efd4df61a2c697b87423dd542fe3253562e44d6ec1fe6fe77b3327770530b142eb189c08cd4e0323e39944493b41997a4e7d079e6d61815c

Download Submit
C:\Windows\{7C36C0F2-36F7-4e38-8D75-2FCD788B84A2}.exe

Filesize
90KB

MD5
49098a0dc07f24548d250bd01b994986

SHA1
3bf9b654401e9dbc5bb3cc4cfc46924cd7a0cd3c

SHA256
ec6e5f3baa9a0aec9400c42733bbbc963e88f230ea3fbb86a40dceedc65a93fd

SHA512
5f743abe48e9cfd3693eca01afa7b854b145325e5b4446e084a187519ac9f0d122ae8ea420f3d88812c72d705f3d9f43ee5061a53d96cbfb4a5efeb0e4d174ba

Download Submit
C:\Windows\{7F528CE3-6E86-4209-9F1B-EA36D0F5F931}.exe

Filesize
90KB

MD5
ab7349ae54d3d4829bd5f86adfa47334

SHA1
bfee11a7a1d48e59d1e391fab18393efb62b4aac

SHA256
7eae11e35e00f55ad6aaa1b0493a17e407166a25ab1b24d41821ba063c53f428

SHA512
062d51e27248795e7e31fef3363b883837451b3b78e22c1b408134c589dfd030e9d313d4a5c170f2f968e88818e3649e5fecd7c41432df5c38ad73541da46853

Download Submit
C:\Windows\{93007235-8E33-47af-A1F1-0CE060E8289E}.exe

Filesize
90KB

MD5
5eec29f35e924fca4502a39c4a2af84b

SHA1
2bc2442b8b0a46d23a58f0faa03ce546a3c935c3

SHA256
cc1bf904f5751d51ad09a66b7d899d51e98397b93d91bd717279b88402c72691

SHA512
148649279a2e63f60630d1ed98a2e6f75fe2079d484b8eb359042f199327b625c229b2a1fc36cc5b6e6daa9559b3c524b467afa2c4cee2dcdf2f0cddfe14a0f8

Download Submit
C:\Windows\{9576F279-AA70-43d8-A4AD-4595ECC104F4}.exe

Filesize
90KB

MD5
98a215aa3a204a67d037a3d85db9429b

SHA1
35990498a889e82ed240d389cf5f00aadc97b9ca

SHA256
9a0b382943be7eee452dd023d4f9eccb8b02a92e298713930c05f7db7f0533f3

SHA512
2b3d0cecf8e20c9a1e4ab7fb54b05c276c033ea7a5d028021734596b7dce77774d7f0c5db3aa335d65e6f3575935c2bb5ccdd2205c2001382c73e1124cc87aac

Download Submit
C:\Windows\{F7B7D586-62C3-46a9-A69F-7256541D27CD}.exe

Filesize
90KB

MD5
4412b31a66a78ef303d49e31c6d69ccd

SHA1
fdf1bf8dfbc08d6cc6acbdfaf7676eea96b5f833

SHA256
c266a977cc3c1721b3ab0ea15e26308124c0f8a6c0c05e71392057cf284a532b

SHA512
ee085ec23ec2b20efb00591b9a5774db818d1049c894f9a1c580a899ce9426d973e14bf863882c635b6957c5fc86cf80c9a7eb8b113f262c9dbe410bab6a3aaf

Download Submit
C:\Windows\{FC025D9C-8487-408c-8F1C-DFB3EBE84DA2}.exe

Filesize
90KB

MD5
1b77acfbae5b504d6921160b3cfba69a

SHA1
9c6fb02fae84310a29f4e7baa418bd2db14f9106

SHA256
07871cce3315a22cb81ada41ad8276a6d91a98b3e609218576f62474b275c459

SHA512
f048c8b5c0a86cdc3b903ee39b176a85d33f1aeb52e269ce0576a4dcf2df254e6c6038455a466f3665646adc98a482b74fd0def6b8fb5f45abac25861bd9ef92

Download Submit
memory/784-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/784-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1060-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1060-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1340-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1340-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1812-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2304-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2792-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3272-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3272-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3324-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4048-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4048-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4388-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4388-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5028-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5028-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads