eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Size

60KB
MD5

0cb26984751b0d13a2f33f6cb5cdbc26
SHA1

5dffcc35558598adab3f1b528835a623b701b416
SHA256

eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449
SHA512

8ab0ed44fc920c15a19dca277ed803c5d1cd14838bbbcdab1f0b4a2797b08777ee2b164ef910f034a15aaab066c71091c6e6feb97b0d75fb93ef0426fa592b70
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLro54/CFsrdHWMZ:vvw9816vhKQLro54/wQpWMZ

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233db-2.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00120000000233cf-6.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00080000000233e1-8.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00130000000233cf-15.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00090000000233e1-19.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00140000000233cf-22.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a0000000233e1-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00150000000233cf-30.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b0000000233e1-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00160000000233cf-39.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000c0000000233e1-42.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00170000000233cf-46.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}\stubpath = "C:\\Windows\\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe"	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD40D60F-ECE7-40d1-B92F-822663707CD4}\stubpath = "C:\\Windows\\{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe"	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522904D7-E09B-415d-9552-95B63B5B3939}\stubpath = "C:\\Windows\\{522904D7-E09B-415d-9552-95B63B5B3939}.exe"	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}	{522904D7-E09B-415d-9552-95B63B5B3939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DCAECD-AADE-415d-B064-A4BC1734302E}	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DCAECD-AADE-415d-B064-A4BC1734302E}\stubpath = "C:\\Windows\\{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe"	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FE7278-B879-4719-8BD8-26E7593786A3}\stubpath = "C:\\Windows\\{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe"	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}\stubpath = "C:\\Windows\\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe"	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}\stubpath = "C:\\Windows\\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe"	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522904D7-E09B-415d-9552-95B63B5B3939}	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{118BABF6-6B3F-4143-80D3-5257360525AB}	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{583011B6-94A0-4aba-83D4-E2D8277F02B7}\stubpath = "C:\\Windows\\{583011B6-94A0-4aba-83D4-E2D8277F02B7}.exe"	{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FE7278-B879-4719-8BD8-26E7593786A3}	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70838E33-B156-4b8c-9802-45ACB4989F45}\stubpath = "C:\\Windows\\{70838E33-B156-4b8c-9802-45ACB4989F45}.exe"	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{583011B6-94A0-4aba-83D4-E2D8277F02B7}	{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD40D60F-ECE7-40d1-B92F-822663707CD4}	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}\stubpath = "C:\\Windows\\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe"	{522904D7-E09B-415d-9552-95B63B5B3939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56543878-477B-4cea-B110-0CB0D2D9640D}	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56543878-477B-4cea-B110-0CB0D2D9640D}\stubpath = "C:\\Windows\\{56543878-477B-4cea-B110-0CB0D2D9640D}.exe"	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{118BABF6-6B3F-4143-80D3-5257360525AB}\stubpath = "C:\\Windows\\{118BABF6-6B3F-4143-80D3-5257360525AB}.exe"	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70838E33-B156-4b8c-9802-45ACB4989F45}	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe

Executes dropped EXE 12 IoCs

pid	Process
3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe
2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe
3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe
3372	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
1076	{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe
1952	{583011B6-94A0-4aba-83D4-E2D8277F02B7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
File created	C:\Windows\{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
File created	C:\Windows\{70838E33-B156-4b8c-9802-45ACB4989F45}.exe	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe
File created	C:\Windows\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
File created	C:\Windows\{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
File created	C:\Windows\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
File created	C:\Windows\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
File created	C:\Windows\{583011B6-94A0-4aba-83D4-E2D8277F02B7}.exe	{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe
File created	C:\Windows\{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
File created	C:\Windows\{522904D7-E09B-415d-9552-95B63B5B3939}.exe	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
File created	C:\Windows\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	{522904D7-E09B-415d-9552-95B63B5B3939}.exe
File created	C:\Windows\{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Token: SeIncBasePriorityPrivilege	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
Token: SeIncBasePriorityPrivilege	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe
Token: SeIncBasePriorityPrivilege	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe
Token: SeIncBasePriorityPrivilege	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
Token: SeIncBasePriorityPrivilege	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
Token: SeIncBasePriorityPrivilege	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
Token: SeIncBasePriorityPrivilege	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
Token: SeIncBasePriorityPrivilege	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
Token: SeIncBasePriorityPrivilege	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe
Token: SeIncBasePriorityPrivilege	3372	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
Token: SeIncBasePriorityPrivilege	1076	{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3284	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	92
PID 3192 wrote to memory of 3284	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	92
PID 3192 wrote to memory of 3284	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	92
PID 3192 wrote to memory of 4776	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	93
PID 3192 wrote to memory of 4776	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	93
PID 3192 wrote to memory of 4776	3192	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	93
PID 3284 wrote to memory of 3560	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	94
PID 3284 wrote to memory of 3560	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	94
PID 3284 wrote to memory of 3560	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	94
PID 3284 wrote to memory of 2232	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	95
PID 3284 wrote to memory of 2232	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	95
PID 3284 wrote to memory of 2232	3284	{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe	95
PID 3560 wrote to memory of 2004	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe	98
PID 3560 wrote to memory of 2004	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe	98
PID 3560 wrote to memory of 2004	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe	98
PID 3560 wrote to memory of 5108	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe	99
PID 3560 wrote to memory of 5108	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe	99
PID 3560 wrote to memory of 5108	3560	{522904D7-E09B-415d-9552-95B63B5B3939}.exe	99
PID 2004 wrote to memory of 3628	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	100
PID 2004 wrote to memory of 3628	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	100
PID 2004 wrote to memory of 3628	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	100
PID 2004 wrote to memory of 2976	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	101
PID 2004 wrote to memory of 2976	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	101
PID 2004 wrote to memory of 2976	2004	{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe	101
PID 3628 wrote to memory of 3996	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	102
PID 3628 wrote to memory of 3996	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	102
PID 3628 wrote to memory of 3996	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	102
PID 3628 wrote to memory of 1524	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	103
PID 3628 wrote to memory of 1524	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	103
PID 3628 wrote to memory of 1524	3628	{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe	103
PID 3996 wrote to memory of 3240	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	104
PID 3996 wrote to memory of 3240	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	104
PID 3996 wrote to memory of 3240	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	104
PID 3996 wrote to memory of 748	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	105
PID 3996 wrote to memory of 748	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	105
PID 3996 wrote to memory of 748	3996	{56543878-477B-4cea-B110-0CB0D2D9640D}.exe	105
PID 3240 wrote to memory of 1204	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	106
PID 3240 wrote to memory of 1204	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	106
PID 3240 wrote to memory of 1204	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	106
PID 3240 wrote to memory of 1340	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	107
PID 3240 wrote to memory of 1340	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	107
PID 3240 wrote to memory of 1340	3240	{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe	107
PID 1204 wrote to memory of 376	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	108
PID 1204 wrote to memory of 376	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	108
PID 1204 wrote to memory of 376	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	108
PID 1204 wrote to memory of 1096	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	109
PID 1204 wrote to memory of 1096	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	109
PID 1204 wrote to memory of 1096	1204	{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe	109
PID 376 wrote to memory of 2356	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	110
PID 376 wrote to memory of 2356	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	110
PID 376 wrote to memory of 2356	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	110
PID 376 wrote to memory of 4500	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	111
PID 376 wrote to memory of 4500	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	111
PID 376 wrote to memory of 4500	376	{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe	111
PID 2356 wrote to memory of 3372	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	112
PID 2356 wrote to memory of 3372	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	112
PID 2356 wrote to memory of 3372	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	112
PID 2356 wrote to memory of 4964	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	113
PID 2356 wrote to memory of 4964	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	113
PID 2356 wrote to memory of 4964	2356	{118BABF6-6B3F-4143-80D3-5257360525AB}.exe	113
PID 3372 wrote to memory of 1076	3372	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe	114
PID 3372 wrote to memory of 1076	3372	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe	114
PID 3372 wrote to memory of 1076	3372	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe	114
PID 3372 wrote to memory of 1152	3372	{70838E33-B156-4b8c-9802-45ACB4989F45}.exe	115

C:\Users\Admin\AppData\Local\Temp\eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
"C:\Users\Admin\AppData\Local\Temp\eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
  C:\Windows\{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\{522904D7-E09B-415d-9552-95B63B5B3939}.exe
    C:\Windows\{522904D7-E09B-415d-9552-95B63B5B3939}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe
      C:\Windows\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
        
        C:\Windows\{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Windows\{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
        
        C:\Windows\{56543878-477B-4cea-B110-0CB0D2D9640D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
        
        C:\Windows\{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
        
        C:\Windows\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
        
        C:\Windows\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{118BABF6-6B3F-4143-80D3-5257360525AB}.exe
        
        C:\Windows\{118BABF6-6B3F-4143-80D3-5257360525AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
        
        C:\Windows\{70838E33-B156-4b8c-9802-45ACB4989F45}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe
        
        C:\Windows\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\{583011B6-94A0-4aba-83D4-E2D8277F02B7}.exe
        
        C:\Windows\{583011B6-94A0-4aba-83D4-E2D8277F02B7}.exe
        13⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{017F0~1.EXE > nul
        13⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70838~1.EXE > nul
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{118BA~1.EXE > nul
        11⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68243~1.EXE > nul
        10⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE9E~1.EXE > nul
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1FE7~1.EXE > nul
        8⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56543~1.EXE > nul
        7⤵
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42DCA~1.EXE > nul
        6⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25AF7~1.EXE > nul
        5⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{52290~1.EXE > nul
      4⤵
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD40D~1.EXE > nul
    3⤵
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EEE7F8~1.EXE > nul
  2⤵
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{017F0F6F-2E80-49c9-9D6F-ADED1BD43C94}.exe

Filesize
60KB

MD5
c1cb43be7aa59215785b163dd45e3cbd

SHA1
3d2d95555e5a70512bb7184a725eaa3a6b789ce7

SHA256
150462dbec97779f3b8c6cb64993656d42b4a59b6e8fb8e0dc88af2909b1712b

SHA512
135bafbb0606d786fc96dcdcb8408bf1978962bf1bb9cbb392be0597377d00517dbe9b784711e02ef9149a298f2ac54a146885267f5a6b04c6fd9c7668b63101

Download Submit
C:\Windows\{118BABF6-6B3F-4143-80D3-5257360525AB}.exe

Filesize
60KB

MD5
f352ee8b4e0d7bf81d2eea6f02a7d9b1

SHA1
97070eb329a171c6efe25984187cb54b59a3e96e

SHA256
e64cf11b4bbc9d0efc5805509f5a7356b02f3ba41565ea1fdb8d96c7731d213b

SHA512
da6a0f8e05ba5491d0d4c0e9ddd30baebf89cd380581c6791cb203a24880954292f05e436a714ff1899ec77f5e6a1762d81e1d64515eacf989a23b166b516251

Download Submit
C:\Windows\{25AF7BEE-3B7C-44dd-9B3B-DE7D8835A642}.exe

Filesize
60KB

MD5
a2ef37c81d1b5e7ccf0b9fdbeb6272b3

SHA1
cbeb6bec169862166760f30c00e66267e026f128

SHA256
2aca18b803ff2f97036ebbbc8b41f1bfd9a15e5fc46f0bad474be2f3ccab713b

SHA512
95cdc9ca084b7c3187fac2e6a6180ad44cecae91ef1e9dbbbbe128d1561a3b3da32347fe789c97aa69a1e22036397823d64757947900442cebcbf4d4934619fb

Download Submit
C:\Windows\{42DCAECD-AADE-415d-B064-A4BC1734302E}.exe

Filesize
60KB

MD5
10d463f007e6728baa353257b2762333

SHA1
6b543dc99c004d8e6ebb667426c5972b9acdf84f

SHA256
46ea14f0fc61a491f45a9149dfa01a86bbdf413c9ccfa0e1762d09fd448c86ee

SHA512
8ec1d7c589e086abed405cfeb603efb603d12c71482f463f9891fb6d4339e46df7982fbdc61a0245703bf2dcbf455a2c97ac0917b29d6fdb8175f5c6bb9588a1

Download Submit
C:\Windows\{522904D7-E09B-415d-9552-95B63B5B3939}.exe

Filesize
60KB

MD5
01900f6ff7c7a6b64571652b8dbee141

SHA1
fa2c2ceb7a8fcd17f95167ad45b9408eff96fdd6

SHA256
7bc2f578e0671234cb64c5d30a4a162456d59180bdd9cd4638b8e279fbffb58d

SHA512
76890423ddde5095e873aa935d3a1c4a57db1a29fc1fcfe684159298bd321bdc08012d18aa369f6fea52f77c82e05c61a441de292ea455d5f23df5b04deb9030

Download Submit
C:\Windows\{56543878-477B-4cea-B110-0CB0D2D9640D}.exe

Filesize
60KB

MD5
fa363852f4ba8ee41902dbd26180353a

SHA1
fff5e609f5f0837d951cf84bf27626ac8e153425

SHA256
824cac27b0527bd31585c7e26b417a8080b6ae31d7da3236662d3d22249bcf74

SHA512
c5676c0a753d264acd81c99f5fc5e3a51fe17dba200edfe535599afe9fca731147fee5d67426e571e19615aae8a46f0b79c7bbf8d7bfa8dc728af3245dde0e26

Download Submit
C:\Windows\{583011B6-94A0-4aba-83D4-E2D8277F02B7}.exe

Filesize
60KB

MD5
e1d19119645bd5cac0fd8bb10325245b

SHA1
24a696109fbf19206f2c701b3741e1f07898e00d

SHA256
7a3bfb893c7c1d44111bda65befe83934dfd33318012e1465d6e11aab9e234a4

SHA512
dbf6c43292f117888851a83e2a0795ac51639c191dc9474c9f728edffa088726b8bcdc26165370ab43bbb4ed96a6d5f80e659344277e8a1cfd09d5463a295241

Download Submit
C:\Windows\{682431E9-7CB3-40b2-96E0-FBC1079A0DC7}.exe

Filesize
60KB

MD5
24a8a6e0d92c72313aa26b45cdf9c354

SHA1
d2b05efc48a4377be987d8d4d7fb541b9a0343b7

SHA256
673e60ffb080e6e9359db173c2f1cc584c30d35ac4983cc6f2a9b3003049e48f

SHA512
96a8a8032b23c7d3fe208523e57f699c40850d8d70cee4962940dfb1085a6524a22ee474af487fabc3d31771df18bf6ba0c3619467e41cf51be28908824956d6

Download Submit
C:\Windows\{70838E33-B156-4b8c-9802-45ACB4989F45}.exe

Filesize
60KB

MD5
6be11890287fe0c1b9f6dfa6bb859aeb

SHA1
496dc65a09423d3eae446a38c3e1fadb3be41ad4

SHA256
89500548d2cc1c7b212e3c97ccfdd4e39991e8f55b47f806b592a5ce637c23c3

SHA512
9502462f504cbd3e037cdae2206c4d25fb209195988d8fdc91ecbcc795cbde8616af1ac7aacdbbaea916bc94dc97188e06e2d15169fe62f3ba30ce59c39c0b8d

Download Submit
C:\Windows\{8FE9E32A-3DF8-495e-8D6E-5E88919AD400}.exe

Filesize
60KB

MD5
0cd9591d612ae5e571ba6d07f780f55e

SHA1
5776afd292140a87072e766f174154c55744d977

SHA256
ec53d4f12e002adbcf4a2f6e68f15c7820af6bb5182669f3a25a36a3c93cf95e

SHA512
54afd29c95cde1ebd201a341171c3d5554ed96c37ac87aa47d8e696a06624c6c4b5bdf2a5e195e4e50bc50d85621b6e4532d0957d7a49ec4b5e10c1718a72be2

Download Submit
C:\Windows\{C1FE7278-B879-4719-8BD8-26E7593786A3}.exe

Filesize
60KB

MD5
790c4d0507ede91ee32eaf77739f493a

SHA1
c40ed43f1bc92b27a1de39314e826aa36c8e7200

SHA256
4ec9a6e87fbdc9c858f69234afb3a2cb3b44b2dd80d38846215d7fe77bff1f51

SHA512
d3e8fedc51f2aab81dbd104ef73f85312cb1906eea759a52d4fdfb42d82654052e3e9097e71b2ac18ca4671e35aa0cff2769ef509ed794ef8ce33cbed3c284c7

Download Submit
C:\Windows\{DD40D60F-ECE7-40d1-B92F-822663707CD4}.exe

Filesize
60KB

MD5
53dd953285a130913ca047ca1fff0579

SHA1
5dcbe3112f2ce3dd66459d5e19b90201942f6352

SHA256
b5f701f0b2ac51d809b6bceef71dc533ed9f8d4e488a0fb3fd8db7f2d06d9b28

SHA512
1c927a5660b7f444e5fab8c5836da56cc2b588148c7ba4efff0b41c14f3e94bb783586e767adee5aaed06b808b5331ddc5f2f0da0f26a1dd76ecdf6cde2c26df

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads