de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe
Size

90KB
MD5

1d1ebda591674909cc13e057c74d8ff5
SHA1

558e151074927aaff5562579e529709ac2ac4a8d
SHA256

de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0
SHA512

ccf6c7dd01b4ac136dd4a6824bb9b65f29eefb9fae67b1242c03e05ee27b95f6dc0dcb0465a70fe65dcab7189c08f33de098aea75eed354b3090ee421e9bceaa
SSDEEP

768:50w981IshKQLroa4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oalVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF7255A0-24F9-4309-882E-D1FF59836BE0}\stubpath = "C:\\Windows\\{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe"	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}\stubpath = "C:\\Windows\\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe"	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}\stubpath = "C:\\Windows\\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe"	{46122DD4-908F-405d-B078-60C62F788067}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF7255A0-24F9-4309-882E-D1FF59836BE0}	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}\stubpath = "C:\\Windows\\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe"	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}\stubpath = "C:\\Windows\\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe"	{2152205C-4649-4586-9478-21CD171E3F32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46122DD4-908F-405d-B078-60C62F788067}	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}	{46122DD4-908F-405d-B078-60C62F788067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}\stubpath = "C:\\Windows\\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe"	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2152205C-4649-4586-9478-21CD171E3F32}	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}	{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}\stubpath = "C:\\Windows\\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}.exe"	{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}	{2152205C-4649-4586-9478-21CD171E3F32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}\stubpath = "C:\\Windows\\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe"	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}\stubpath = "C:\\Windows\\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe"	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46122DD4-908F-405d-B078-60C62F788067}\stubpath = "C:\\Windows\\{46122DD4-908F-405d-B078-60C62F788067}.exe"	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}\stubpath = "C:\\Windows\\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe"	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2152205C-4649-4586-9478-21CD171E3F32}\stubpath = "C:\\Windows\\{2152205C-4649-4586-9478-21CD171E3F32}.exe"	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
3472	{46122DD4-908F-405d-B078-60C62F788067}.exe
4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe
4908	{2152205C-4649-4586-9478-21CD171E3F32}.exe
2828	{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe
2536	{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe	{2152205C-4649-4586-9478-21CD171E3F32}.exe
File created	C:\Windows\{46122DD4-908F-405d-B078-60C62F788067}.exe	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
File created	C:\Windows\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
File created	C:\Windows\{2152205C-4649-4586-9478-21CD171E3F32}.exe	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe
File created	C:\Windows\{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
File created	C:\Windows\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
File created	C:\Windows\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
File created	C:\Windows\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
File created	C:\Windows\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}.exe	{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe
File created	C:\Windows\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe
File created	C:\Windows\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
File created	C:\Windows\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	{46122DD4-908F-405d-B078-60C62F788067}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe
Token: SeIncBasePriorityPrivilege	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
Token: SeIncBasePriorityPrivilege	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
Token: SeIncBasePriorityPrivilege	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe
Token: SeIncBasePriorityPrivilege	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
Token: SeIncBasePriorityPrivilege	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
Token: SeIncBasePriorityPrivilege	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
Token: SeIncBasePriorityPrivilege	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
Token: SeIncBasePriorityPrivilege	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
Token: SeIncBasePriorityPrivilege	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe
Token: SeIncBasePriorityPrivilege	4908	{2152205C-4649-4586-9478-21CD171E3F32}.exe
Token: SeIncBasePriorityPrivilege	2828	{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2724	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe	81
PID 4456 wrote to memory of 2724	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe	81
PID 4456 wrote to memory of 2724	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe	81
PID 4456 wrote to memory of 1812	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe	82
PID 4456 wrote to memory of 1812	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe	82
PID 4456 wrote to memory of 1812	4456	de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe	82
PID 2724 wrote to memory of 400	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	83
PID 2724 wrote to memory of 400	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	83
PID 2724 wrote to memory of 400	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	83
PID 2724 wrote to memory of 4008	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	84
PID 2724 wrote to memory of 4008	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	84
PID 2724 wrote to memory of 4008	2724	{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe	84
PID 400 wrote to memory of 3472	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	87
PID 400 wrote to memory of 3472	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	87
PID 400 wrote to memory of 3472	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	87
PID 400 wrote to memory of 4108	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	88
PID 400 wrote to memory of 4108	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	88
PID 400 wrote to memory of 4108	400	{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe	88
PID 3472 wrote to memory of 4880	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe	89
PID 3472 wrote to memory of 4880	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe	89
PID 3472 wrote to memory of 4880	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe	89
PID 3472 wrote to memory of 5080	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe	90
PID 3472 wrote to memory of 5080	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe	90
PID 3472 wrote to memory of 5080	3472	{46122DD4-908F-405d-B078-60C62F788067}.exe	90
PID 4880 wrote to memory of 5032	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	91
PID 4880 wrote to memory of 5032	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	91
PID 4880 wrote to memory of 5032	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	91
PID 4880 wrote to memory of 4184	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	92
PID 4880 wrote to memory of 4184	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	92
PID 4880 wrote to memory of 4184	4880	{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe	92
PID 5032 wrote to memory of 2420	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	93
PID 5032 wrote to memory of 2420	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	93
PID 5032 wrote to memory of 2420	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	93
PID 5032 wrote to memory of 4260	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	94
PID 5032 wrote to memory of 4260	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	94
PID 5032 wrote to memory of 4260	5032	{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe	94
PID 2420 wrote to memory of 5064	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	95
PID 2420 wrote to memory of 5064	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	95
PID 2420 wrote to memory of 5064	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	95
PID 2420 wrote to memory of 3044	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	96
PID 2420 wrote to memory of 3044	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	96
PID 2420 wrote to memory of 3044	2420	{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe	96
PID 5064 wrote to memory of 1056	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	97
PID 5064 wrote to memory of 1056	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	97
PID 5064 wrote to memory of 1056	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	97
PID 5064 wrote to memory of 644	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	98
PID 5064 wrote to memory of 644	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	98
PID 5064 wrote to memory of 644	5064	{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe	98
PID 1056 wrote to memory of 1012	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	99
PID 1056 wrote to memory of 1012	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	99
PID 1056 wrote to memory of 1012	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	99
PID 1056 wrote to memory of 2072	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	100
PID 1056 wrote to memory of 2072	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	100
PID 1056 wrote to memory of 2072	1056	{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe	100
PID 1012 wrote to memory of 4908	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	101
PID 1012 wrote to memory of 4908	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	101
PID 1012 wrote to memory of 4908	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	101
PID 1012 wrote to memory of 1760	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	102
PID 1012 wrote to memory of 1760	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	102
PID 1012 wrote to memory of 1760	1012	{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe	102
PID 4908 wrote to memory of 2828	4908	{2152205C-4649-4586-9478-21CD171E3F32}.exe	103
PID 4908 wrote to memory of 2828	4908	{2152205C-4649-4586-9478-21CD171E3F32}.exe	103
PID 4908 wrote to memory of 2828	4908	{2152205C-4649-4586-9478-21CD171E3F32}.exe	103
PID 4908 wrote to memory of 2876	4908	{2152205C-4649-4586-9478-21CD171E3F32}.exe	104

C:\Users\Admin\AppData\Local\Temp\de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe
"C:\Users\Admin\AppData\Local\Temp\de36e15d3d7e1fad2d7ae316e78baaaadc205c44b8c39978eb19418643836dc0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
  C:\Windows\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
    C:\Windows\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\{46122DD4-908F-405d-B078-60C62F788067}.exe
      C:\Windows\{46122DD4-908F-405d-B078-60C62F788067}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
        
        C:\Windows\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
        
        C:\Windows\{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
        
        C:\Windows\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
        
        C:\Windows\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
        
        C:\Windows\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe
        
        C:\Windows\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{2152205C-4649-4586-9478-21CD171E3F32}.exe
        
        C:\Windows\{2152205C-4649-4586-9478-21CD171E3F32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe
        
        C:\Windows\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}.exe
        
        C:\Windows\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}.exe
        13⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA31~1.EXE > nul
        13⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21522~1.EXE > nul
        12⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A3C~1.EXE > nul
        11⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5787~1.EXE > nul
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDEBB~1.EXE > nul
        9⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEFC~1.EXE > nul
        8⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF725~1.EXE > nul
        7⤵
        
        PID:4260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA05A~1.EXE > nul
        6⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46122~1.EXE > nul
        5⤵
        
        PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A92F2~1.EXE > nul
      4⤵
      PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5432F~1.EXE > nul
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DE36E1~1.EXE > nul
  2⤵
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AEFC933-8335-4cb6-ADAD-DB938864BFD7}.exe

Filesize
90KB

MD5
0dfa4e5f5126f3aa6c37c389257d6035

SHA1
8e13a2c9cb64173024bff72ab2ffcd3d5526a562

SHA256
9dbd20d7cd72ce457768d4f933390639278a6b038a927d85a4ecce901bf84992

SHA512
95fcb092ce589f0000d70e1b2b44df264f1d347c9af4800f7dbfa8caf231de2bd535f3ad17f8e03d04af24b502bc26a3f2e19f1c5786c7d13ac98e3860473b25

Download Submit
C:\Windows\{2152205C-4649-4586-9478-21CD171E3F32}.exe

Filesize
90KB

MD5
3ddbbfdf321830b51c75e1c182261808

SHA1
82b5db555adcebbb6abc851604b5afd6bc6f04b2

SHA256
de33f7740a6d769eb1d93e5816cbea0246474dbc87b72e108c0da935567e430a

SHA512
736bc0df07b1fe1e5851d20b2c40286044607d975f8b49c6961ef8cfcca44172451ea62a13876312abfa9cf5eeadefdbce0cbd40f53c85b9975da2d06b775c3a

Download Submit
C:\Windows\{46122DD4-908F-405d-B078-60C62F788067}.exe

Filesize
90KB

MD5
cafdb4ed81c23e78623b5c36cdde55a0

SHA1
9ebcea4c8994709b72cf99d5decee39c92d697f1

SHA256
f11a2b3f856e82be1890074d668bf3dc1b12a1a64c343aebadb14ae32e152e7c

SHA512
babd11217e81cb1fd474a952e48a6eb1509a4958a13d5451f41f896f8e43276abd058fd9d81397489c0ee009598aee6d5caa1de11653a17f646ef01ef3a43715

Download Submit
C:\Windows\{5432F81A-9546-4b8b-8AD2-9F219B0AA75F}.exe

Filesize
90KB

MD5
64f21a29b2a8d0257178a189891b4468

SHA1
b2dc2ca5959e4a31c9f2406fcc8f56e160c607b0

SHA256
b0406d64e907ea570b638719f2a7ea6853934cdc206e6860bba52b20b3120add

SHA512
968a7f4efc2b1dca0bae8de25bb646b8959f575161f0499fb6c36ce1ea016905bf451bd077481881cb6a25e3a20c7fe41c38985e705632cddcd138b71b964ace

Download Submit
C:\Windows\{A3A3C23A-3186-48dc-B858-5FE1ADF9BD8F}.exe

Filesize
90KB

MD5
bf7fdba5bc1fc45787e2dc51f3a9e177

SHA1
853e46e717698d115ea46f4ffa17c4ec847f09b6

SHA256
4550eb84ce423f82eef5060d91ce5bac39378a64c57dd3b1b8f7edcb3ea8e26a

SHA512
7c035430b355903958746babb9cae5b2435e3ab3c51afae565a55fa7dc527721dfc1c2c365d0613cc7a997310942047d658dd99c95d03b01ea2d9046687e5aa8

Download Submit
C:\Windows\{A92F29E5-10A8-4567-AB69-F4CDC7A9A2F9}.exe

Filesize
90KB

MD5
2a4f135df44e306b518e29af7c9e53c4

SHA1
30ed7ea5387018d2c1e66701ff51ec255fad4314

SHA256
c37e0181cb28b874835744f42d239d6237bec94d296214f97dda34a38374bed9

SHA512
7f4e4e1574532550081c27d567ce50f5a7ff03b8fadf04c3364178a06cd321d58bfcfb80b37e4c0b676a8485328f1fe720a4681e567e174616e77004f8f83f51

Download Submit
C:\Windows\{AA05A615-D54D-4d3f-99AB-848EA764CF3B}.exe

Filesize
90KB

MD5
d79f452abfc5e16ca21a0ef584c07c75

SHA1
a1fcd49d66c6944aac14efef7dcabc7533b110db

SHA256
6a8d6293e5782cbc9563eb5293f3a6f46a14b729568d9359ec81d857694bc670

SHA512
8f2328da7d57ceb79ce3c5d4fed7032aad81b94dcce027612b30df6754dccf346ed3cfaee1aae5361e54d74bdb58d7f0fe48e7da4b1282e417c1fc475fe15ba0

Download Submit
C:\Windows\{B5787CCF-AADC-4579-B6C8-811DD7D59CDA}.exe

Filesize
90KB

MD5
d9bc5f01059b109b918a35d70dbc51fb

SHA1
f4528acc5356de493509ad0461976d8184fbc029

SHA256
acb8ba61850898e723992e75df5854ef13afb2e7af25c683d35dbc025dbcb17a

SHA512
34d52db8107321d7c5f0fae9878cd610ef52fc853537e1d27dd8f162e450d7a7b04dc0a02b5eec50b4299285439f15e45f7197307ed1ca8ce8a38e929d392cc6

Download Submit
C:\Windows\{BD3FD1AB-ECE9-41a2-94B6-AB9BE6E24554}.exe

Filesize
90KB

MD5
4d2402ff7f2ed160e68e059215605ca1

SHA1
b59f62d597c7a3ca7e2fa6bfb28415dd4a805583

SHA256
73bb819b0bdb87617f2706f2f6b77f58a4fd2775f70b4d77d83d0d64117a713c

SHA512
15e0bb53e24162ee83d608539632b5969497045a887d6bffaeff37da0dc6146302c9e396fbf8926d3ce3f01fa4344cfe18dae5acbdaab049395371b7c83f35b2

Download Submit
C:\Windows\{CF7255A0-24F9-4309-882E-D1FF59836BE0}.exe

Filesize
90KB

MD5
d20f294a15fc0340caadc0b299c71a61

SHA1
8a84eb5fb3e912c25c29bd7f9f8cf18b4325cfa4

SHA256
e98e03d28aeed868e57c90bfa3c2a008d584fab9cb65ef68a5d9409c420012a3

SHA512
9d4f2a1e1f659d5118c3bc8b2b0e7a8336b4e1d8e32b4d7026bae835ed36b04a740464f26581906ebdb3de662d2514ff8c1dbb3f11489bfcefad4c2acef1e29e

Download Submit
C:\Windows\{DDEBB236-9A31-4ce9-9819-C8B380CA1E3A}.exe

Filesize
90KB

MD5
ae1914f8df9202f0799abff6fbc5782a

SHA1
8ac26aaf5f8fd08960d33f29d49e701bd515c95a

SHA256
a1937a2aedd11d6d2c6218adbb411e5132b209f20763c4382f3561a78361e655

SHA512
6b9c1457b80614a098c3f29ae914bbd8aac154d193c6686dd94d221c30eb6565a9dd2bf4c0792ede38cfe83cc404de669c4bd14bf0751d508712fc9101c10079

Download Submit
C:\Windows\{FFA310E7-715A-411e-BABC-FEDE51ACF42E}.exe

Filesize
90KB

MD5
337cd9ce1e395279a1f39c4baab3c08e

SHA1
ebaad1f8ca29e6b694021ee3aad6c9ce13726a40

SHA256
cd6d0d0af9a2fd664a232b9ab837f44ed569333ec6214a0f0638a5e3d6b44571

SHA512
3b8b202b1268db71dec0dafcd7d40299571dd155454846ee3c347bfb86b6feb53c3f437489c22431fd3cd62f4aca608465bbedb2233eb77800835b62a27da08b

Download Submit
memory/400-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1012-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1012-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1056-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1056-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2536-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2724-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2724-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2828-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3472-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3472-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4456-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4456-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4880-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4880-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4908-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4908-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5032-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5032-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5064-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads