1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe
Size

90KB
MD5

9f95f67a54504744ffa8c4f36508ab62
SHA1

d32fa8030a8d1723a8fa37967c610647da478c83
SHA256

1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd
SHA512

1027df12ef896d1f6d9c171bb9ca4d808a68c32f84126c6a5d11d35fae29b47e458478c356b09dd696cee37527a19591eefcb44636e17e3ae2d1e56f2e1f681d
SSDEEP

768:Qvw9816vhKQLrob4/wQRNrfrunMxVFA3b7glws:YEGh0obl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}\stubpath = "C:\\Windows\\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe"	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6246E4-3170-4eea-B884-242CEB5D010E}\stubpath = "C:\\Windows\\{0F6246E4-3170-4eea-B884-242CEB5D010E}.exe"	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}\stubpath = "C:\\Windows\\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe"	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}\stubpath = "C:\\Windows\\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe"	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98F4475-E482-4a43-BB48-98130396887C}	{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98F4475-E482-4a43-BB48-98130396887C}\stubpath = "C:\\Windows\\{B98F4475-E482-4a43-BB48-98130396887C}.exe"	{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}\stubpath = "C:\\Windows\\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe"	{B98F4475-E482-4a43-BB48-98130396887C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}\stubpath = "C:\\Windows\\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe"	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}\stubpath = "C:\\Windows\\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe"	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}\stubpath = "C:\\Windows\\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe"	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}\stubpath = "C:\\Windows\\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe"	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE1A8D6E-8719-4c94-9719-366F1637E068}	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE1A8D6E-8719-4c94-9719-366F1637E068}\stubpath = "C:\\Windows\\{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe"	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6246E4-3170-4eea-B884-242CEB5D010E}	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}\stubpath = "C:\\Windows\\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe"	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}	{B98F4475-E482-4a43-BB48-98130396887C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe

Executes dropped EXE 11 IoCs

pid	Process
2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
2304	{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe
3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe
3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
3236	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe
2548	{0F6246E4-3170-4eea-B884-242CEB5D010E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
File created	C:\Windows\{0F6246E4-3170-4eea-B884-242CEB5D010E}.exe	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe
File created	C:\Windows\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
File created	C:\Windows\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
File created	C:\Windows\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
File created	C:\Windows\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
File created	C:\Windows\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	{B98F4475-E482-4a43-BB48-98130396887C}.exe
File created	C:\Windows\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
File created	C:\Windows\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe
File created	C:\Windows\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
File created	C:\Windows\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe
Token: SeIncBasePriorityPrivilege	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
Token: SeIncBasePriorityPrivilege	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
Token: SeIncBasePriorityPrivilege	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
Token: SeIncBasePriorityPrivilege	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
Token: SeIncBasePriorityPrivilege	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe
Token: SeIncBasePriorityPrivilege	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
Token: SeIncBasePriorityPrivilege	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
Token: SeIncBasePriorityPrivilege	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe
Token: SeIncBasePriorityPrivilege	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
Token: SeIncBasePriorityPrivilege	3236	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2472	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe	94
PID 1984 wrote to memory of 2472	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe	94
PID 1984 wrote to memory of 2472	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe	94
PID 1984 wrote to memory of 3996	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe	95
PID 1984 wrote to memory of 3996	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe	95
PID 1984 wrote to memory of 3996	1984	1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe	95
PID 2472 wrote to memory of 532	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	96
PID 2472 wrote to memory of 532	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	96
PID 2472 wrote to memory of 532	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	96
PID 2472 wrote to memory of 3592	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	97
PID 2472 wrote to memory of 3592	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	97
PID 2472 wrote to memory of 3592	2472	{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe	97
PID 532 wrote to memory of 4552	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	100
PID 532 wrote to memory of 4552	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	100
PID 532 wrote to memory of 4552	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	100
PID 532 wrote to memory of 1352	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	101
PID 532 wrote to memory of 1352	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	101
PID 532 wrote to memory of 1352	532	{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe	101
PID 4552 wrote to memory of 1800	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	102
PID 4552 wrote to memory of 1800	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	102
PID 4552 wrote to memory of 1800	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	102
PID 4552 wrote to memory of 1532	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	103
PID 4552 wrote to memory of 1532	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	103
PID 4552 wrote to memory of 1532	4552	{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe	103
PID 1800 wrote to memory of 2304	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	104
PID 1800 wrote to memory of 2304	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	104
PID 1800 wrote to memory of 2304	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	104
PID 1800 wrote to memory of 4436	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	105
PID 1800 wrote to memory of 4436	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	105
PID 1800 wrote to memory of 4436	1800	{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe	105
PID 3940 wrote to memory of 3360	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe	109
PID 3940 wrote to memory of 3360	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe	109
PID 3940 wrote to memory of 3360	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe	109
PID 3940 wrote to memory of 2488	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe	110
PID 3940 wrote to memory of 2488	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe	110
PID 3940 wrote to memory of 2488	3940	{B98F4475-E482-4a43-BB48-98130396887C}.exe	110
PID 3360 wrote to memory of 640	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	113
PID 3360 wrote to memory of 640	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	113
PID 3360 wrote to memory of 640	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	113
PID 3360 wrote to memory of 4420	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	114
PID 3360 wrote to memory of 4420	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	114
PID 3360 wrote to memory of 4420	3360	{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe	114
PID 640 wrote to memory of 4900	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	119
PID 640 wrote to memory of 4900	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	119
PID 640 wrote to memory of 4900	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	119
PID 640 wrote to memory of 4704	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	120
PID 640 wrote to memory of 4704	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	120
PID 640 wrote to memory of 4704	640	{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe	120
PID 4900 wrote to memory of 3008	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	121
PID 4900 wrote to memory of 3008	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	121
PID 4900 wrote to memory of 3008	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	121
PID 4900 wrote to memory of 4700	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	122
PID 4900 wrote to memory of 4700	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	122
PID 4900 wrote to memory of 4700	4900	{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe	122
PID 3008 wrote to memory of 3236	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	125
PID 3008 wrote to memory of 3236	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	125
PID 3008 wrote to memory of 3236	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	125
PID 3008 wrote to memory of 3040	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	126
PID 3008 wrote to memory of 3040	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	126
PID 3008 wrote to memory of 3040	3008	{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe	126
PID 3236 wrote to memory of 2548	3236	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe	127
PID 3236 wrote to memory of 2548	3236	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe	127
PID 3236 wrote to memory of 2548	3236	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe	127
PID 3236 wrote to memory of 1088	3236	{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe	128

C:\Users\Admin\AppData\Local\Temp\1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe
"C:\Users\Admin\AppData\Local\Temp\1d22410257146fef40d225cbb48cc6aa1ad8e88d74b7597c83e885c8d4cba7dd.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
  C:\Windows\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
    C:\Windows\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
      C:\Windows\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
        
        C:\Windows\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe
        
        C:\Windows\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\{B98F4475-E482-4a43-BB48-98130396887C}.exe
        
        C:\Windows\{B98F4475-E482-4a43-BB48-98130396887C}.exe
        7⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
        
        C:\Windows\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
        
        C:\Windows\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe
        
        C:\Windows\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
        
        C:\Windows\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe
        
        C:\Windows\{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{0F6246E4-3170-4eea-B884-242CEB5D010E}.exe
        
        C:\Windows\{0F6246E4-3170-4eea-B884-242CEB5D010E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE1A8~1.EXE > nul
        13⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDCB5~1.EXE > nul
        12⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1AA4~1.EXE > nul
        11⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5D67~1.EXE > nul
        10⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE943~1.EXE > nul
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B98F4~1.EXE > nul
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76F83~1.EXE > nul
        7⤵
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC29~1.EXE > nul
        6⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E992~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A5C~1.EXE > nul
      4⤵
      PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8A8D5~1.EXE > nul
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1D2241~1.EXE > nul
  2⤵
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F6246E4-3170-4eea-B884-242CEB5D010E}.exe

Filesize
90KB

MD5
3b2c59022a5ac6c2acb4ca3e09166a4a

SHA1
1b9179e01d8fb5ee1ee322010999ec0dd836a606

SHA256
4dc7a36041b8c17e40544f3f357ec22c1b711b235f0cbfcd708a2856bc5f9100

SHA512
f0868587f10050e8aa12a1db42338a780c742875c8966d78d3e9da882eb6bbad15b99b6bb9ca4a7e8558eabb6559c0fb5d50fe155cf44861b5d28ddf70a57cf2

Download Submit
C:\Windows\{2E9929D4-BFAC-492f-927D-74CBC8A5F283}.exe

Filesize
90KB

MD5
d02486626e1190deeb91d61c92643414

SHA1
0fc08ea6fc87dbd35efd2048e017f0348919d9b6

SHA256
70c0fee7606252dba05b15decf8df9ff3266cdfbf559bdf810aead7ec584d881

SHA512
6dbbc6fcaa4859a3716ade6ab3397787d2d0cc2ef27d458f62bf5340851d670499753aadb07ee958e0e54d939ce88d36ba4611b3ad273440827529f0be0d4e11

Download Submit
C:\Windows\{76F83AB0-BE47-43f7-B4E4-18A1185FD7F3}.exe

Filesize
90KB

MD5
717b2a7b34340cd2496eec7c65426a6e

SHA1
12eff7479b1e9316c1717eed309046dc51957e69

SHA256
c58014fadbfa6b47cfa71db049dfa0e8c5590826de23530883752e126e4d347f

SHA512
10b289d4bac6161e648954a51182eb612a3c34cfcc0a825f40a2576f78419fa0f0b54e4e776055db3662ca1d543efb71be16e3365144f6be92b1c291ce9c4bd8

Download Submit
C:\Windows\{8A8D5930-9308-4ca8-A01C-146374C0FD9D}.exe

Filesize
90KB

MD5
e0a805cfc5605513465a9a7c925a5ee8

SHA1
788a6d077700574a44a11e9f3930b8c06ff02a82

SHA256
2cb9a2a2ad8a99e97d60954368568ab028e2ee939448fb7d4b4db0df697e9903

SHA512
7ba087581daadb3ce49c89005d685a5ccbb161f4725367dc44a9e362a236bcf7a2ffef227ee2d23a2597f58eb841c0ffc85f29493443dde3cda1ed17e5e6dc45

Download Submit
C:\Windows\{9EC29AEB-7A78-49a6-9628-2ABB0D1EDEB6}.exe

Filesize
90KB

MD5
ab29cd1e3f4e3692cf32fc5dd7736b74

SHA1
4ff535487b8c07e643619899886edc5bc1a9cebb

SHA256
29a5fb3df46199ec2edee551b19c56ef50bd93e1769ce1740f18ab58891063e5

SHA512
cf265b14a1030cb00da5f12a6d8aef1d7c226f9017aeff63e804b4984eaf68be39c1a887d8c07b549feec48b59d00218c9f564425b55cd0132200f68d9322fe7

Download Submit
C:\Windows\{B1A5C11F-7A08-4e9d-B4C4-21DF7A30D6E8}.exe

Filesize
90KB

MD5
14a5451825545038eb73b82dd2f0ca01

SHA1
f5a3f74497a9f130c707d8ea03bd84c3728ba961

SHA256
bcb34fc389514add04a6893771cb80b518da83e2ade8d78ffd1ee8c818d05964

SHA512
da2791a2cddbc81d7dfa5af82aee83e6dcf698f89245ae72655099b3de3660cd62e30303f7e9e9c62077c551079f1726eefe00946e7848216d95eeef01c6cf11

Download Submit
C:\Windows\{BE9436A9-9874-4e96-A1D3-5C0982CA8B6E}.exe

Filesize
90KB

MD5
fe1f89c41595b139549a591b62772974

SHA1
38b343fd5ea7e23863587e18713a074f1ab238cc

SHA256
1c7a466b21867bf37d79b127b37e76e9dc5df1e3c5d099bcf451e623590748d7

SHA512
32fd09e9ef5ae0a5b667dedffda3eecba6767e611b39a045e6ee7d39ccd290569caa605f43eaa4a727fd50da7c0227360fbe4c3ef10b004777df2e995d851421

Download Submit
C:\Windows\{C5D67B7B-46EB-4313-82FF-9A5C3F7DB257}.exe

Filesize
90KB

MD5
060f5d10af4bb8a7d38fdd48bc9d7752

SHA1
0d943103fbc36c0a309c3a6cb46abd1b39a121c0

SHA256
e84a2ba527914e461dc748c6b5fa7eab9abc36803997087c38c290c96c1eae2d

SHA512
8e276b5aefe801be8e549e0ba7b12ecdee9687d73ac48606263f10d58862ed0d2f07e4b27943101fdf74ca8b237fa2290dce4c74914523b94bbb7aa3f0a58436

Download Submit
C:\Windows\{D1AA48DA-9D06-4cef-9676-0E5F7A25BAED}.exe

Filesize
90KB

MD5
ea838914f8efd10b77183da8634d0067

SHA1
6391aecd4545314af0c9debe560d12bbcc31846b

SHA256
a986dea55e9eef7ebbb0a8cafdebbb2db2b23a4bd2b9bbf301d77e2ea4bd6768

SHA512
9e06e8ba6f73854bbb6d22387792040c3f42f3342a31b2b1dda41dbb0093abf23c9c52c2c4f14231577551f4845822c77fdbd8a0e05cfeee0a5c50ef657466ea

Download Submit
C:\Windows\{DDCB5488-52A6-428f-B55D-8C35E42BD22D}.exe

Filesize
90KB

MD5
6a727afcddb8de83550910019d40ccd7

SHA1
37dce7d9c9cd6e4e5bc02fc4a1a577e5136ad224

SHA256
228d2c3d7b688edfa80f3746a5780b7332cf5cca58941dd5554386c5156c297c

SHA512
a0edb27cc38fc9e9983a96072ed32839a5a6c5951fba29939f63b56a136759c468f68471d3f7e818ba28bec076011ce6b4e56405c8ca0a4518d782c0fd1dad1d

Download Submit
C:\Windows\{EE1A8D6E-8719-4c94-9719-366F1637E068}.exe

Filesize
90KB

MD5
b62cbb21e24148d19270d855a339cc46

SHA1
a95c118378187d8293cab103e0c6e8d09192bef1

SHA256
9564d6173e8716ceaf2a4412f7d14daf86567eab7bf861316a7cf3f116586481

SHA512
2363d31831d63615e0614609da47e77f202ea3389769d1a1c2ebece2d835a061dd93326753cb64330c1b16a8a5322b99ac254eb2f4753d9f089874d015475b72

Download Submit
memory/2304-20-0x0000000003910000-0x00000000039EB000-memory.dmp

Filesize
876KB

Download
memory/2304-19-0x0000000003830000-0x000000000390B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads