6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe
Size

89KB
MD5

5a9f3d1b04e57ce580456215613c2492
SHA1

12fadc9e98b5f26b9cb4bf9a241e770d3b95e02d
SHA256

6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df
SHA512

2e4ecf32e73d5b1d8d3cad2766782c47dfa962bafdb6d0b301375164cdf0bb61aa673840a4e8da39967c398f955e8ad114daab2070dc8dc2c4cc447fcef7e6ae
SSDEEP

768:5vw9816thKQLrop4/wQkNrfrunMxVFA3k:lEG/0oplbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe{E6478081-385C-44c3-AD69-CC95B9B33735}.exe{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe{DF76C3E9-F813-4636-A295-546D7113CF01}.exe{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}\stubpath = "C:\\Windows\\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe"	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18BCE6F-B525-4514-B058-6A31EDCA5981}	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6478081-385C-44c3-AD69-CC95B9B33735}	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}\stubpath = "C:\\Windows\\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe"	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18BCE6F-B525-4514-B058-6A31EDCA5981}\stubpath = "C:\\Windows\\{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe"	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6478081-385C-44c3-AD69-CC95B9B33735}\stubpath = "C:\\Windows\\{E6478081-385C-44c3-AD69-CC95B9B33735}.exe"	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A04496C-B4DB-49d3-B184-180A1A93075F}	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A04496C-B4DB-49d3-B184-180A1A93075F}\stubpath = "C:\\Windows\\{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe"	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF76C3E9-F813-4636-A295-546D7113CF01}	{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}\stubpath = "C:\\Windows\\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe"	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86F85D35-AE76-4e76-87DF-2BAA558177FC}	{DF76C3E9-F813-4636-A295-546D7113CF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FB740E4-629F-46df-B2E2-CA7D3513C560}	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}\stubpath = "C:\\Windows\\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe"	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A2A34F2-7100-4907-803B-2818EB9230F4}\stubpath = "C:\\Windows\\{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe"	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF76C3E9-F813-4636-A295-546D7113CF01}\stubpath = "C:\\Windows\\{DF76C3E9-F813-4636-A295-546D7113CF01}.exe"	{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86F85D35-AE76-4e76-87DF-2BAA558177FC}\stubpath = "C:\\Windows\\{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe"	{DF76C3E9-F813-4636-A295-546D7113CF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A2A34F2-7100-4907-803B-2818EB9230F4}	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FB740E4-629F-46df-B2E2-CA7D3513C560}\stubpath = "C:\\Windows\\{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe"	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1720 cmd.exe

pid	process
1720	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe{E6478081-385C-44c3-AD69-CC95B9B33735}.exe{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe{DF76C3E9-F813-4636-A295-546D7113CF01}.exe{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe

pid	process
3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
2412	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
1388	{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
1656	{DF76C3E9-F813-4636-A295-546D7113CF01}.exe
2372	{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe

Drops file in Windows directory 11 IoCs

Processes:

{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe{E6478081-385C-44c3-AD69-CC95B9B33735}.exe{DF76C3E9-F813-4636-A295-546D7113CF01}.exe

description	ioc	process
File created	C:\Windows\{E6478081-385C-44c3-AD69-CC95B9B33735}.exe	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
File created	C:\Windows\{DF76C3E9-F813-4636-A295-546D7113CF01}.exe	{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
File created	C:\Windows\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe
File created	C:\Windows\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
File created	C:\Windows\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
File created	C:\Windows\{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
File created	C:\Windows\{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
File created	C:\Windows\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
File created	C:\Windows\{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
File created	C:\Windows\{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
File created	C:\Windows\{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe	{DF76C3E9-F813-4636-A295-546D7113CF01}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe{E6478081-385C-44c3-AD69-CC95B9B33735}.exe{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe{DF76C3E9-F813-4636-A295-546D7113CF01}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe
Token: SeIncBasePriorityPrivilege	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
Token: SeIncBasePriorityPrivilege	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
Token: SeIncBasePriorityPrivilege	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
Token: SeIncBasePriorityPrivilege	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
Token: SeIncBasePriorityPrivilege	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
Token: SeIncBasePriorityPrivilege	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
Token: SeIncBasePriorityPrivilege	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
Token: SeIncBasePriorityPrivilege	2412	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
Token: SeIncBasePriorityPrivilege	1388	{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
Token: SeIncBasePriorityPrivilege	1656	{DF76C3E9-F813-4636-A295-546D7113CF01}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2884 wrote to memory of 3008	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
PID 2884 wrote to memory of 3008	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
PID 2884 wrote to memory of 3008	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
PID 2884 wrote to memory of 3008	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
PID 2884 wrote to memory of 1720	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	cmd.exe
PID 2884 wrote to memory of 1720	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	cmd.exe
PID 2884 wrote to memory of 1720	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	cmd.exe
PID 2884 wrote to memory of 1720	2884	6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe	cmd.exe
PID 3008 wrote to memory of 2744	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
PID 3008 wrote to memory of 2744	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
PID 3008 wrote to memory of 2744	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
PID 3008 wrote to memory of 2744	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
PID 3008 wrote to memory of 2620	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	cmd.exe
PID 3008 wrote to memory of 2620	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	cmd.exe
PID 3008 wrote to memory of 2620	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	cmd.exe
PID 3008 wrote to memory of 2620	3008	{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe	cmd.exe
PID 2744 wrote to memory of 2800	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
PID 2744 wrote to memory of 2800	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
PID 2744 wrote to memory of 2800	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
PID 2744 wrote to memory of 2800	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
PID 2744 wrote to memory of 2388	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	cmd.exe
PID 2744 wrote to memory of 2388	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	cmd.exe
PID 2744 wrote to memory of 2388	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	cmd.exe
PID 2744 wrote to memory of 2388	2744	{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe	cmd.exe
PID 2800 wrote to memory of 2012	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
PID 2800 wrote to memory of 2012	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
PID 2800 wrote to memory of 2012	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
PID 2800 wrote to memory of 2012	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
PID 2800 wrote to memory of 2392	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	cmd.exe
PID 2800 wrote to memory of 2392	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	cmd.exe
PID 2800 wrote to memory of 2392	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	cmd.exe
PID 2800 wrote to memory of 2392	2800	{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe	cmd.exe
PID 2012 wrote to memory of 1676	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
PID 2012 wrote to memory of 1676	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
PID 2012 wrote to memory of 1676	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
PID 2012 wrote to memory of 1676	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
PID 2012 wrote to memory of 1068	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	cmd.exe
PID 2012 wrote to memory of 1068	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	cmd.exe
PID 2012 wrote to memory of 1068	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	cmd.exe
PID 2012 wrote to memory of 1068	2012	{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe	cmd.exe
PID 1676 wrote to memory of 1844	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
PID 1676 wrote to memory of 1844	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
PID 1676 wrote to memory of 1844	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
PID 1676 wrote to memory of 1844	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
PID 1676 wrote to memory of 764	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	cmd.exe
PID 1676 wrote to memory of 764	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	cmd.exe
PID 1676 wrote to memory of 764	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	cmd.exe
PID 1676 wrote to memory of 764	1676	{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe	cmd.exe
PID 1844 wrote to memory of 1140	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
PID 1844 wrote to memory of 1140	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
PID 1844 wrote to memory of 1140	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
PID 1844 wrote to memory of 1140	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
PID 1844 wrote to memory of 1756	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	cmd.exe
PID 1844 wrote to memory of 1756	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	cmd.exe
PID 1844 wrote to memory of 1756	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	cmd.exe
PID 1844 wrote to memory of 1756	1844	{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe	cmd.exe
PID 1140 wrote to memory of 2412	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
PID 1140 wrote to memory of 2412	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
PID 1140 wrote to memory of 2412	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
PID 1140 wrote to memory of 2412	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
PID 1140 wrote to memory of 2904	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	cmd.exe
PID 1140 wrote to memory of 2904	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	cmd.exe
PID 1140 wrote to memory of 2904	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	cmd.exe
PID 1140 wrote to memory of 2904	1140	{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe
"C:\Users\Admin\AppData\Local\Temp\6c610b659e042a366f484e86948af54d0ae947fe26526fcae67db0f3993f02df.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
C:\Windows\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
C:\Windows\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
C:\Windows\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
C:\Windows\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
C:\Windows\{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
C:\Windows\{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
C:\Windows\{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
C:\Windows\{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
C:\Windows\{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\{DF76C3E9-F813-4636-A295-546D7113CF01}.exe
C:\Windows\{DF76C3E9-F813-4636-A295-546D7113CF01}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe
C:\Windows\{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe
12⤵
- Executes dropped EXE
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF76C~1.EXE > nul
12⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8A044~1.EXE > nul
11⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6478~1.EXE > nul
10⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F18BC~1.EXE > nul
9⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8FB74~1.EXE > nul
8⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A2A3~1.EXE > nul
7⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5F4DC~1.EXE > nul
6⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BC3D0~1.EXE > nul
5⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEE4~1.EXE > nul
4⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{886D2~1.EXE > nul
3⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6C610B~1.EXE > nul
2⤵
- Deletes itself
PID:1720

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A2A34F2-7100-4907-803B-2818EB9230F4}.exe
Filesize
89KB

MD5
0a5f7f84d15c75c08b6c954956fd67b9

SHA1
f766a3ec70fcd55abc3ccf14115058d787435770

SHA256
bc0017baa0c6a134bacec55062c2e19f558a3749265ad1e656f3a1212c2357e6

SHA512
df31a7728e16a1baf3ce3894251f08cdb9647e100e3155fdf2265b21d582f42b9efc99e6538fbce540181aafd88352ce93fc345a4614fe28b5dac576de66db41

Download Submit
C:\Windows\{5F4DC1C5-B306-4a14-B372-6A070EA03FC9}.exe
Filesize
89KB

MD5
fe17cd7124824d22a73b27b62702875e

SHA1
ddeb124ef7f2b85b22cfea09033428f5cb86fb5f

SHA256
d7d87a8cf70e4eb4f9c723fa5b83dc1966c010f0a5cb3c2a4da3180e7a72a606

SHA512
89f0a4aa5485742b8c77efaf2b7751984e71bf84bf48b8695c9ea6bd1be93d74552cff328f0625e6fc52fd859a4a63be4f27638ffaecfc620bb47482711237d3

Download Submit
C:\Windows\{86F85D35-AE76-4e76-87DF-2BAA558177FC}.exe
Filesize
89KB

MD5
e086e2a683df3088a1b44232a0bd8664

SHA1
f4dff11db41f89be95b9da15b72e62b9f06f278b

SHA256
d8337e57cec7238e093acd628776a437bdf54a5660066b599dfc664870400f04

SHA512
79583b8515f72fb69d52d5eafc355d1cf0acf3809de8e661969c033d8902f1847f8e590be713a6b5585460bf4846e1b421e76f8bead69851e5f57101f69b8235

Download Submit
C:\Windows\{886D23B4-5088-4b1a-8BC9-F8FDC81B9421}.exe
Filesize
89KB

MD5
c9b5cbb270bf9e1e54af3c8fce64b341

SHA1
b9ade3fcc887acc10d5a155c8ffc1d20cf2de184

SHA256
8661b142b8de3fde4a5af6463ad3e814d5cca8a9d00e0f1c6b72543c386802af

SHA512
8b0a59ffe2481eac4dbba8dea531f0aee005e4d00b3bd5dc05711e9cc5a3e0da2887109d7d7e6f7b133803eac78082fd78d9118719ca1e991bcfb646f9d855de

Download Submit
C:\Windows\{8A04496C-B4DB-49d3-B184-180A1A93075F}.exe
Filesize
89KB

MD5
c3ce0ab677438e8d77267969f5cbcb74

SHA1
3cc4ea3609205687b745788e241d23a6388e958c

SHA256
c3d3e913418f2037c899b61b1594758bb120c715b04402f1773c7ffd0ca07143

SHA512
92171e4343981af57088ed002e61a452a502d735312aa621fa716801f7efe160c6f3666e1959eae330342da78c66277acd6778eb367233a249fc0fe66faa8299

Download Submit
C:\Windows\{8FB740E4-629F-46df-B2E2-CA7D3513C560}.exe
Filesize
89KB

MD5
c80ea38041be89c07bc88728009fe49d

SHA1
c54c5b17821d3ec65d4225378f95c38e1b79eef4

SHA256
7ca0d6505fb1bff813cdd99083c90cd935e166c57711b328b88eef9ea5838fa0

SHA512
d23c6b2181d149b7f56ea0521d240ee62e1a0b105e453020026707aae5576a6d07811e69c1908f4aa7dc0fdbebbdd31683dfb78d174741f3ccff6005bbe97ee3

Download Submit
C:\Windows\{BC3D004B-C747-408d-99F3-D04E00A8BC4A}.exe
Filesize
89KB

MD5
1da9bae60376cfe198dd8b5d81da8f91

SHA1
9f99e6c9e990b713d437b5941094c025f1f1c184

SHA256
66d665be3c6f8c6ba9f81a0762568b35a7ecc3d5212444722c177c4915a8cf62

SHA512
92439ab9ceaea92e7c4e349100161dbe8ceb848f36a623be1ed981738618ee71295d58c7a8a58a3013789481e2fd6940823f121c962e45173cd21ffa0948bf5d

Download Submit
C:\Windows\{DF76C3E9-F813-4636-A295-546D7113CF01}.exe
Filesize
89KB

MD5
acaa7924e010400ca38489e2ea6c3e52

SHA1
44c20bd9d1ec4085bd5e021bbf2d2a6e1f483e41

SHA256
a25f8672ad93f4e631c87647cc44f75b6813610af403b8574bfac2f2a0541571

SHA512
fb76008b4462971cecaa24b60075329cb0ad4757c6782191dbded93cf9d4f5ba9b4a5e79eab35d1d64b1229e805e937b0b42d855ae0c758561c0c0b5c63198cb

Download Submit
C:\Windows\{E6478081-385C-44c3-AD69-CC95B9B33735}.exe
Filesize
89KB

MD5
81f1bd339ae9561bd7749d0e2b22bab7

SHA1
7f1f13480d2f99bd460206b98ee295b47f548742

SHA256
e0bd83079da64027f4c3102450e00eec4b8ab73d106ef037d451d4108ea81244

SHA512
545dc22b3a0817ae656712c79c49e7f033f1e6bc61264f36ef0af5944237fa852632c41dc011adee323dd7d8bcaf8dc78741e0f1b86ff8c8fd6dad4c092791c6

Download Submit
C:\Windows\{EBEE423B-2F80-4f23-8EB3-52C3ABDFFA4C}.exe
Filesize
89KB

MD5
228cd267685cf42515499e04e24ba347

SHA1
c2c5a3786cadc2dc3cabe7053e401a1a1122371e

SHA256
0a4bc0e6d8879bdb94668ea02186bdf0ba7cc06aef26184706de8a61afa0b18f

SHA512
96945150f8789a60be576510944c0919ce55768bfda2c5eeb11564eda0537d338f6e03e3765b0f0c7be3ab2d5957332d7918bf8211c19bdaaed3456069b44543

Download Submit
C:\Windows\{F18BCE6F-B525-4514-B058-6A31EDCA5981}.exe
Filesize
89KB

MD5
81fe21cef067fc7ee8ce9951ee4ce1a2

SHA1
4206ce39428c9191dbb401534534b42a27182909

SHA256
a16201ef6561d494c89e663de71aa776921be07740746723b7997aab5ef64d26

SHA512
910e607e153708fd616e777c3e537b3f23b35ed8ff5f94069fdac82af422e82223a1f32b74d547c8fc636b85ed04120df0fb2c1f90726ca38cfbd7f5f8581e4e

Download Submit
memory/1140-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1388-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1656-97-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1656-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1676-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1676-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1844-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2744-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2744-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-7-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2884-8-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/3008-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-14-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/3008-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads