9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe
Size

90KB
MD5

1129c79e13dd0dbdb73c4dbc3e849790
SHA1

e36701f3fa6514ac19cddb009f2599348c597caa
SHA256

9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528
SHA512

a79b7adbb85bce39bcc2b350fcb64585dd67fcd07aac8878e5a50b80c8aa142e59c07af32630449b16faf7f9fa38571c37411101cf9e6ad7265c68ee556a2a2a
SSDEEP

768:50w981IshKQLrom4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0omlVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CC93573-C000-45f6-B2AD-95365E6D7505}\stubpath = "C:\\Windows\\{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe"	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A33310-A56A-4e51-A574-A136AF5356A3}\stubpath = "C:\\Windows\\{86A33310-A56A-4e51-A574-A136AF5356A3}.exe"	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D858379-A751-45e8-9BB8-944E0E692ED9}\stubpath = "C:\\Windows\\{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe"	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}\stubpath = "C:\\Windows\\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe"	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040CE7AF-49FA-457c-9C46-85CF925CF104}\stubpath = "C:\\Windows\\{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe"	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CC93573-C000-45f6-B2AD-95365E6D7505}	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}\stubpath = "C:\\Windows\\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}.exe"	{86A33310-A56A-4e51-A574-A136AF5356A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D9CE18-4987-428c-A688-A65A5DA76A47}\stubpath = "C:\\Windows\\{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe"	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95162F01-E2C2-4c27-A58A-6404F16B94E8}	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D9CE18-4987-428c-A688-A65A5DA76A47}	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCDB4EFB-22C4-4efe-A632-81351905E306}	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A33310-A56A-4e51-A574-A136AF5356A3}	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCDB4EFB-22C4-4efe-A632-81351905E306}\stubpath = "C:\\Windows\\{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe"	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}\stubpath = "C:\\Windows\\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe"	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040CE7AF-49FA-457c-9C46-85CF925CF104}	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}\stubpath = "C:\\Windows\\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe"	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}	{86A33310-A56A-4e51-A574-A136AF5356A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95162F01-E2C2-4c27-A58A-6404F16B94E8}\stubpath = "C:\\Windows\\{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe"	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D858379-A751-45e8-9BB8-944E0E692ED9}	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}\stubpath = "C:\\Windows\\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe"	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe

Executes dropped EXE 12 IoCs

pid	Process
400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe
4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe
4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
4604	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
2384	{86A33310-A56A-4e51-A574-A136AF5356A3}.exe
2668	{DB0477E3-574A-4fd4-A185-F9E8BEE13245}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
File created	C:\Windows\{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
File created	C:\Windows\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
File created	C:\Windows\{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
File created	C:\Windows\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}.exe	{86A33310-A56A-4e51-A574-A136AF5356A3}.exe
File created	C:\Windows\{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe
File created	C:\Windows\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe
File created	C:\Windows\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
File created	C:\Windows\{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
File created	C:\Windows\{86A33310-A56A-4e51-A574-A136AF5356A3}.exe	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
File created	C:\Windows\{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
File created	C:\Windows\{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe
Token: SeIncBasePriorityPrivilege	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
Token: SeIncBasePriorityPrivilege	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe
Token: SeIncBasePriorityPrivilege	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe
Token: SeIncBasePriorityPrivilege	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
Token: SeIncBasePriorityPrivilege	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
Token: SeIncBasePriorityPrivilege	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
Token: SeIncBasePriorityPrivilege	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
Token: SeIncBasePriorityPrivilege	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
Token: SeIncBasePriorityPrivilege	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
Token: SeIncBasePriorityPrivilege	4604	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
Token: SeIncBasePriorityPrivilege	2384	{86A33310-A56A-4e51-A574-A136AF5356A3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 400	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe	95
PID 2420 wrote to memory of 400	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe	95
PID 2420 wrote to memory of 400	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe	95
PID 2420 wrote to memory of 948	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe	96
PID 2420 wrote to memory of 948	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe	96
PID 2420 wrote to memory of 948	2420	9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe	96
PID 400 wrote to memory of 3716	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	97
PID 400 wrote to memory of 3716	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	97
PID 400 wrote to memory of 3716	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	97
PID 400 wrote to memory of 4348	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	98
PID 400 wrote to memory of 4348	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	98
PID 400 wrote to memory of 4348	400	{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe	98
PID 3716 wrote to memory of 4544	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	101
PID 3716 wrote to memory of 4544	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	101
PID 3716 wrote to memory of 4544	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	101
PID 3716 wrote to memory of 2392	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	102
PID 3716 wrote to memory of 2392	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	102
PID 3716 wrote to memory of 2392	3716	{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe	102
PID 4544 wrote to memory of 4604	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	103
PID 4544 wrote to memory of 4604	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	103
PID 4544 wrote to memory of 4604	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	103
PID 4544 wrote to memory of 4452	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	104
PID 4544 wrote to memory of 4452	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	104
PID 4544 wrote to memory of 4452	4544	{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe	104
PID 4604 wrote to memory of 1288	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	105
PID 4604 wrote to memory of 1288	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	105
PID 4604 wrote to memory of 1288	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	105
PID 4604 wrote to memory of 3588	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	106
PID 4604 wrote to memory of 3588	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	106
PID 4604 wrote to memory of 3588	4604	{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe	106
PID 1288 wrote to memory of 3040	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	108
PID 1288 wrote to memory of 3040	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	108
PID 1288 wrote to memory of 3040	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	108
PID 1288 wrote to memory of 4784	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	109
PID 1288 wrote to memory of 4784	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	109
PID 1288 wrote to memory of 4784	1288	{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe	109
PID 3040 wrote to memory of 2932	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	110
PID 3040 wrote to memory of 2932	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	110
PID 3040 wrote to memory of 2932	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	110
PID 3040 wrote to memory of 2336	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	111
PID 3040 wrote to memory of 2336	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	111
PID 3040 wrote to memory of 2336	3040	{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe	111
PID 2932 wrote to memory of 4436	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	119
PID 2932 wrote to memory of 4436	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	119
PID 2932 wrote to memory of 4436	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	119
PID 2932 wrote to memory of 4452	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	120
PID 2932 wrote to memory of 4452	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	120
PID 2932 wrote to memory of 4452	2932	{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe	120
PID 4436 wrote to memory of 3196	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	121
PID 4436 wrote to memory of 3196	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	121
PID 4436 wrote to memory of 3196	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	121
PID 4436 wrote to memory of 3108	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	122
PID 4436 wrote to memory of 3108	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	122
PID 4436 wrote to memory of 3108	4436	{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe	122
PID 3196 wrote to memory of 4604	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	123
PID 3196 wrote to memory of 4604	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	123
PID 3196 wrote to memory of 4604	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	123
PID 3196 wrote to memory of 2192	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	124
PID 3196 wrote to memory of 2192	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	124
PID 3196 wrote to memory of 2192	3196	{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe	124
PID 4604 wrote to memory of 2384	4604	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe	127
PID 4604 wrote to memory of 2384	4604	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe	127
PID 4604 wrote to memory of 2384	4604	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe	127
PID 4604 wrote to memory of 2780	4604	{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe	128

C:\Users\Admin\AppData\Local\Temp\9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe
"C:\Users\Admin\AppData\Local\Temp\9d198e4a42a732e3b7abee26b49d50962ce411a96cd39693cbe8fe17f7cc1528.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
  C:\Windows\{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe
    C:\Windows\{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe
      C:\Windows\{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
        
        C:\Windows\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
        
        C:\Windows\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
        
        C:\Windows\{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
        
        C:\Windows\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
        
        C:\Windows\{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
        
        C:\Windows\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
        
        C:\Windows\{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{86A33310-A56A-4e51-A574-A136AF5356A3}.exe
        
        C:\Windows\{86A33310-A56A-4e51-A574-A136AF5356A3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}.exe
        
        C:\Windows\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}.exe
        13⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86A33~1.EXE > nul
        13⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CC93~1.EXE > nul
        12⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DD33~1.EXE > nul
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{040CE~1.EXE > nul
        10⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89A90~1.EXE > nul
        9⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCDB4~1.EXE > nul
        8⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{014F6~1.EXE > nul
        7⤵
        
        PID:4784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8A2F~1.EXE > nul
        6⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D858~1.EXE > nul
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{95162~1.EXE > nul
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2D9C~1.EXE > nul
    3⤵
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D198E~1.EXE > nul
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{014F6CAC-6B75-4610-85E0-3FAAEC2E0563}.exe

Filesize
90KB

MD5
4513ae67605a02c6edff0ea0c0c6714a

SHA1
9fd4d03a355598d09640e91a6a5e2a8a13ec0e03

SHA256
fa51b9235d017ce079d93e86da3683e61b9af9cba1a7fdaf9fb5bb3557f9fd8b

SHA512
0e930d4f5bc735894ca751b830e8dc382493d166efdd52be74c2af864fd31b2bbb2178661279fa84e7f4f4ea6a41b23742534b4c4bf541a498a4123bc78b37ac

Download Submit
C:\Windows\{040CE7AF-49FA-457c-9C46-85CF925CF104}.exe

Filesize
90KB

MD5
4486097557f893f57ddbb0f7dcf58d39

SHA1
b50c277434acb9b36deec90832dbf7dcd24abc5c

SHA256
7d048e7aa959390cae62aff3a6b7062befa75d8c3f82eb4288d79d28ff3c3ff0

SHA512
4caadaa2436f10633bf3b23d62f6744590a63c30ae674c560286bc08bf7696c911650f3cf6db1351f6ca8c1f1d859a982ea916770c7bb29695cff10d045777a9

Download Submit
C:\Windows\{0DD3330D-15D2-4244-8FCC-B332ABDAE626}.exe

Filesize
90KB

MD5
b0ce8d3588836882e1d8208923823f60

SHA1
f3c90ec484e6f79ee4ec97cdbaf14c043ce9d0ce

SHA256
1a503fb247ad6483e2cb29cd5c73eef0638d4f0dede5124bafff4de672b6482c

SHA512
93e375a2bdc605891806e2eda61704464ebb654c9d1a078695c022ead7d2aad437e7a0b78810f3ec4feca01089d418141ef0859a5f09d3d398a985543e6d714e

Download Submit
C:\Windows\{7CC93573-C000-45f6-B2AD-95365E6D7505}.exe

Filesize
90KB

MD5
9b4b86630fe9621fa00b621d324c7d4f

SHA1
ddf5695f03a661b33290f2737986b215d3322ed1

SHA256
ccc7510a998e61875b5dba4ff9843c21aaf0b0aefdc205bc08bf1377ff8b3375

SHA512
547f27b7ac57e8625ab92d91760847fb2eebe18f9a1c7f5f3e39cd8134ce931fa2afae659a17ad44558c4529e3e1dafd53e7c964979322fc014611bb01470569

Download Submit
C:\Windows\{86A33310-A56A-4e51-A574-A136AF5356A3}.exe

Filesize
90KB

MD5
e20f0b7560d77ece7fa50422de7ef13c

SHA1
14326fe379e8ee026510e6f119aec4ef95b0b27e

SHA256
5293ab1235b791f090be41631f0898640ce807e945dd0353f10640ae0590e4f8

SHA512
ad25652d7b74d4ebc1a479be7bd1bbdc1186d141d7cc3afad51c999003634e23497e8218cc1f076c52708e29e5d0bce132f35de4e4aa650014732c2cdddfd83d

Download Submit
C:\Windows\{89A907DB-E5E1-4496-A50D-E7B9B9410B85}.exe

Filesize
90KB

MD5
b9601147453f4c4cf29afeba3d53653e

SHA1
3a8a79971acfe9f4d333fd6cdce97f4ce134bb4e

SHA256
35cdd006de6d3b9a46769a8ca2d7a79935f777cee1002f1d2890b7ef5afab8e3

SHA512
5cf71e4a23e66e15b22b356af71ee1870871b29209842cf1aef5cc627977bfd1f06dd4028d41a94e5c3ea19c1ed6d4df6ea3cee019124dabebf694297bfe2cdb

Download Submit
C:\Windows\{8D858379-A751-45e8-9BB8-944E0E692ED9}.exe

Filesize
90KB

MD5
2913f24c4f19a2c6d3519d5e5bc0f03c

SHA1
41d9d3dab267d22135673a2a588af9068554f428

SHA256
d435e7336fa06b43ba9602c97010629bd611f953ebeccb0aa39f8c2c8809aef5

SHA512
d0a63cead5c9e040e3691b4e466350a5b00268104ca90be46c0ac507db69fedbf7f82a0b6a5b28cf942b3d674d977da6035412bfe4d029389d3c66114d3c6c8a

Download Submit
C:\Windows\{95162F01-E2C2-4c27-A58A-6404F16B94E8}.exe

Filesize
90KB

MD5
42b9e35f2aaaa22ead500319f0de0beb

SHA1
9e8f2c06f7c56e4bfbb5cad1a5295bd4ade4b0e3

SHA256
940dc272f9dcf9b90a296d227b561874a86b445d8e2249fda6d5370171428a3e

SHA512
38baaffc94558ac316f9e7a289be315575199e29084da60353266eba645fb5a5b201c77e1eaa1068a4bee48291d56615aea6472904e12285f4b8cb38e6d24634

Download Submit
C:\Windows\{D2D9CE18-4987-428c-A688-A65A5DA76A47}.exe

Filesize
90KB

MD5
c6b49037a2861f434dd4ae156c3487af

SHA1
ec6994ba8a53504600a29fa06d86b72bbec79027

SHA256
ee191b22189295fa02abf9d8ff653abaa1b26b754001c777f4483a5a5e771f52

SHA512
d10465c3ff93c3ba45f1a9cd2a00cc197ee332e9954d369f60d470f69720a0c34c1c4d7cee41f475541430faf74e86a1610711f339e7cca2261e347a547df8df

Download Submit
C:\Windows\{D8A2F917-9D3A-4c2e-AF1C-0042C62BCC9B}.exe

Filesize
90KB

MD5
8f5fe11938870e458d67ee4b57a76a81

SHA1
62051ba29d723daf8e66ad7d67515f12f1b72526

SHA256
260087dd42369d96a83782bec203e66eb460caa61f95335d667cd599b42790aa

SHA512
d721d8d4bbe23802b01e2a553551caae22d266cf2b67afd03f11883467540aaf46813ebe09d6db748071ec06ebefb05e5836669aaf203f00d8c0f033d47659b2

Download Submit
C:\Windows\{DB0477E3-574A-4fd4-A185-F9E8BEE13245}.exe

Filesize
90KB

MD5
575edaa0262529abffbe72058383ed57

SHA1
1c2b9d5c6584234d3209642c73bedd43d051f6de

SHA256
3fe4ea4ca55fb9fd7ce3d03ebfa5ce4ec585e12cdd77a0d947db75ea32e58d0f

SHA512
4efef9751c0c18d0b6faa5ecb65155420c2430e7122c37efa7dd689d64bd903540c23f068d20d031d533129f72ab1f850d71ca66c0cdedf1645fa2db03264fa6

Download Submit
C:\Windows\{DCDB4EFB-22C4-4efe-A632-81351905E306}.exe

Filesize
90KB

MD5
4907dfd71dc222df179a87b55429732e

SHA1
6aaec43267af5a5955c110957c10b8ed6f4aca4f

SHA256
334c5355daae26c6bae0459eb8846248ec733742575dd3bd81d6b70d85bf6028

SHA512
c7f3d167dc44810f62da98af0182a3f71687159712a2370cd81211e2aedd6e70198436f1d1ef8154c0da9bb52a2655ecbf1d8bc8696f2ccae5e496febc70ffb3

Download Submit
memory/400-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1288-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1288-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2668-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2932-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3196-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3196-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3716-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3716-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4436-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4436-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4544-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4544-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4604-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4604-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4604-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads