d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe
Size

64KB
MD5

c655b231e9752ccefa964fade1ef223c
SHA1

f0275fb80e1b7148703e462952a52c97d92ca68c
SHA256

d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a
SHA512

c5fa19386b717e7e0ccec80db38712d15310ac928ffef7e3354b75f265fda5172acacf3be1ddc5361868a203aeb9afd9454a4a4af2d603e796caad603624e931
SSDEEP

192:ObOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwBY04/CFxyNhoy5tT:ObLwOs8AHsc4sMfwhKQLroz4/CFsrdT

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C291BEF4-E6D8-495b-B231-062F3D960DFC}\stubpath = "C:\\Windows\\{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe"	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}\stubpath = "C:\\Windows\\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe"	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}\stubpath = "C:\\Windows\\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe"	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9804426D-F6A0-4400-9736-48C94952F80D}	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5818C928-334B-4a45-9E4B-43993D272FA6}	{9804426D-F6A0-4400-9736-48C94952F80D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E71F60-923A-41e8-A135-6C7F960BC5A9}\stubpath = "C:\\Windows\\{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe"	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C291BEF4-E6D8-495b-B231-062F3D960DFC}	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}	{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5818C928-334B-4a45-9E4B-43993D272FA6}\stubpath = "C:\\Windows\\{5818C928-334B-4a45-9E4B-43993D272FA6}.exe"	{9804426D-F6A0-4400-9736-48C94952F80D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFA8F042-8670-4210-8EB5-46BABB89B569}	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}\stubpath = "C:\\Windows\\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe"	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}\stubpath = "C:\\Windows\\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe"	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02CFC702-7771-4dfd-A150-838D45ABEAA3}\stubpath = "C:\\Windows\\{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe"	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9804426D-F6A0-4400-9736-48C94952F80D}\stubpath = "C:\\Windows\\{9804426D-F6A0-4400-9736-48C94952F80D}.exe"	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02CFC702-7771-4dfd-A150-838D45ABEAA3}	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFA8F042-8670-4210-8EB5-46BABB89B569}\stubpath = "C:\\Windows\\{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe"	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}\stubpath = "C:\\Windows\\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}.exe"	{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E71F60-923A-41e8-A135-6C7F960BC5A9}	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}\stubpath = "C:\\Windows\\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe"	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe

Executes dropped EXE 12 IoCs

pid	Process
4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe
3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe
3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe
3732	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
4740	{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe
772	{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9804426D-F6A0-4400-9736-48C94952F80D}.exe	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
File created	C:\Windows\{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
File created	C:\Windows\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
File created	C:\Windows\{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
File created	C:\Windows\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
File created	C:\Windows\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
File created	C:\Windows\{5818C928-334B-4a45-9E4B-43993D272FA6}.exe	{9804426D-F6A0-4400-9736-48C94952F80D}.exe
File created	C:\Windows\{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
File created	C:\Windows\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}.exe	{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe
File created	C:\Windows\{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe
File created	C:\Windows\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe
File created	C:\Windows\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe
Token: SeIncBasePriorityPrivilege	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe
Token: SeIncBasePriorityPrivilege	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
Token: SeIncBasePriorityPrivilege	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe
Token: SeIncBasePriorityPrivilege	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
Token: SeIncBasePriorityPrivilege	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
Token: SeIncBasePriorityPrivilege	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
Token: SeIncBasePriorityPrivilege	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
Token: SeIncBasePriorityPrivilege	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
Token: SeIncBasePriorityPrivilege	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe
Token: SeIncBasePriorityPrivilege	3732	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
Token: SeIncBasePriorityPrivilege	4740	{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 4952	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe	97
PID 208 wrote to memory of 4952	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe	97
PID 208 wrote to memory of 4952	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe	97
PID 208 wrote to memory of 2236	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe	98
PID 208 wrote to memory of 2236	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe	98
PID 208 wrote to memory of 2236	208	d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe	98
PID 4952 wrote to memory of 3848	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	99
PID 4952 wrote to memory of 3848	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	99
PID 4952 wrote to memory of 3848	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	99
PID 4952 wrote to memory of 4656	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	100
PID 4952 wrote to memory of 4656	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	100
PID 4952 wrote to memory of 4656	4952	{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe	100
PID 3848 wrote to memory of 4436	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	103
PID 3848 wrote to memory of 4436	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	103
PID 3848 wrote to memory of 4436	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	103
PID 3848 wrote to memory of 2624	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	104
PID 3848 wrote to memory of 2624	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	104
PID 3848 wrote to memory of 2624	3848	{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe	104
PID 4436 wrote to memory of 3584	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	105
PID 4436 wrote to memory of 3584	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	105
PID 4436 wrote to memory of 3584	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	105
PID 4436 wrote to memory of 3104	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	106
PID 4436 wrote to memory of 3104	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	106
PID 4436 wrote to memory of 3104	4436	{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe	106
PID 3584 wrote to memory of 2876	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	107
PID 3584 wrote to memory of 2876	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	107
PID 3584 wrote to memory of 2876	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	107
PID 3584 wrote to memory of 368	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	108
PID 3584 wrote to memory of 368	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	108
PID 3584 wrote to memory of 368	3584	{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe	108
PID 2876 wrote to memory of 2352	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	110
PID 2876 wrote to memory of 2352	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	110
PID 2876 wrote to memory of 2352	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	110
PID 2876 wrote to memory of 2728	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	111
PID 2876 wrote to memory of 2728	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	111
PID 2876 wrote to memory of 2728	2876	{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe	111
PID 2352 wrote to memory of 468	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	112
PID 2352 wrote to memory of 468	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	112
PID 2352 wrote to memory of 468	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	112
PID 2352 wrote to memory of 3512	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	113
PID 2352 wrote to memory of 3512	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	113
PID 2352 wrote to memory of 3512	2352	{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe	113
PID 468 wrote to memory of 2268	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	116
PID 468 wrote to memory of 2268	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	116
PID 468 wrote to memory of 2268	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	116
PID 468 wrote to memory of 2792	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	117
PID 468 wrote to memory of 2792	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	117
PID 468 wrote to memory of 2792	468	{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe	117
PID 2268 wrote to memory of 2860	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	122
PID 2268 wrote to memory of 2860	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	122
PID 2268 wrote to memory of 2860	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	122
PID 2268 wrote to memory of 2328	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	123
PID 2268 wrote to memory of 2328	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	123
PID 2268 wrote to memory of 2328	2268	{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe	123
PID 2860 wrote to memory of 3732	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe	124
PID 2860 wrote to memory of 3732	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe	124
PID 2860 wrote to memory of 3732	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe	124
PID 2860 wrote to memory of 1148	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe	125
PID 2860 wrote to memory of 1148	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe	125
PID 2860 wrote to memory of 1148	2860	{9804426D-F6A0-4400-9736-48C94952F80D}.exe	125
PID 3732 wrote to memory of 4740	3732	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe	128
PID 3732 wrote to memory of 4740	3732	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe	128
PID 3732 wrote to memory of 4740	3732	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe	128
PID 3732 wrote to memory of 4980	3732	{5818C928-334B-4a45-9E4B-43993D272FA6}.exe	129

C:\Users\Admin\AppData\Local\Temp\d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe
"C:\Users\Admin\AppData\Local\Temp\d8a67987140ab465b1140c027d221f0f8c035e9cecb1669f487c5f653435179a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe
  C:\Windows\{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
    C:\Windows\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe
      C:\Windows\{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
        
        C:\Windows\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
        
        C:\Windows\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
        
        C:\Windows\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
        
        C:\Windows\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
        
        C:\Windows\{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{9804426D-F6A0-4400-9736-48C94952F80D}.exe
        
        C:\Windows\{9804426D-F6A0-4400-9736-48C94952F80D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
        
        C:\Windows\{5818C928-334B-4a45-9E4B-43993D272FA6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe
        
        C:\Windows\{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}.exe
        
        C:\Windows\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}.exe
        13⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA8F~1.EXE > nul
        13⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5818C~1.EXE > nul
        12⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98044~1.EXE > nul
        11⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02CFC~1.EXE > nul
        10⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09C78~1.EXE > nul
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6754C~1.EXE > nul
        8⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7835~1.EXE > nul
        7⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84394~1.EXE > nul
        6⤵
        
        PID:368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C291B~1.EXE > nul
        5⤵
        
        PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6405F~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30E71~1.EXE > nul
    3⤵
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D8A679~1.EXE > nul
  2⤵
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02CFC702-7771-4dfd-A150-838D45ABEAA3}.exe

Filesize
64KB

MD5
f4946dc5e8a6dce4e0f5a6c87c82b5dc

SHA1
7b1fb82aeb0842e096de0d61617a08b9eb4ef978

SHA256
4bee68ef1828d2d92c10e54323ea3fe260dd4ea75df8738d76ae468f517053d1

SHA512
fecbd2fdece6306078ad68e66a2d35acf9e2967f4496caa9f5920c4171d4504d37d717060b67d2f196d2d52c369837741c83a07c320564c5d3ab8e44c110e2a9

Download Submit
C:\Windows\{09C7804A-9AE6-48aa-82B5-B438EBA43CE5}.exe

Filesize
64KB

MD5
cc5789ed81fe3b91741eb61b4f1b43c2

SHA1
ac0d548c2b2e7d9976f7299a018ed98bcf756638

SHA256
e58f94098c31303be5d39819bf684c9f38c7679200a4a6137d5e428f44b462e6

SHA512
c02538d34f5274826f49a60bb99a43e085cfcea45e1caf4ad49e802db217a57e88b53cc61dde7fb80660a86eb6dad909769ebbcd53e3d6456376afc7276aa650

Download Submit
C:\Windows\{30E71F60-923A-41e8-A135-6C7F960BC5A9}.exe

Filesize
64KB

MD5
7f0ac20aa844ef752d5620949cdd4bb0

SHA1
85c583f3e6865d8691e8de03662c1cfa2a1c2b95

SHA256
e37cdc4a08d71ca5e1aaa12477741892881da69fbbc0eea0a6ec8d177b6bca09

SHA512
56fdbb5103819cdb0004d10beb0f1271602ad5bbb08a13807a5ea866ea1e95a3a6ff9d50e4b9dfe5b77336671f2c874e74bed323748974862078ef82dfdf9301

Download Submit
C:\Windows\{5818C928-334B-4a45-9E4B-43993D272FA6}.exe

Filesize
64KB

MD5
996bc21df1aa75f07d57c75419427029

SHA1
a7f1584fb1861079bc875f39a2ebe939ee2bd294

SHA256
78aac8c34e40c0c7ba55069621f7c6de4e3f41d6c4b9b708f67e50f9cc83ef60

SHA512
05a5ac20445c422f20d99b9bee26160087fc6973d76d6ba82fa218952288b0a97ab79301a8af86c7abe76cb2478ea9f8e34aa7dd6ceb051c8112e26503690c6d

Download Submit
C:\Windows\{6405FFD3-422E-483a-87A7-DD3DC4AB62D3}.exe

Filesize
64KB

MD5
0e7b9845c9070b2576bb570edde17601

SHA1
e9727de923ba3145135706944a51dd6712cee269

SHA256
d3a54cc229d4d748b7890d22f821ee4c1f792c9d6e5a0f1008f9409aebfd2366

SHA512
9dc569d6ce46505bcc2b3c44d5fc507750f9f8114af8d46ae8c0b031b76391b907887951f013b886147078d43ed749d5cf0c00ae3937df3fee16eee6fc70f31f

Download Submit
C:\Windows\{6754CE63-C63C-4dd3-B786-5EBA5D1E859E}.exe

Filesize
64KB

MD5
fb02481c06bc56f02c0c5ee5d28310f3

SHA1
41868e588ae271ef551f6ab3bf30ea94e9cb53e0

SHA256
2a2a6b2fbaffae6b62fa5b9db909be435a030a8fad78b552f91d5d9f66772413

SHA512
0e96c8bb88c7e70ca1583211d2e60579ebdadf0a868be768b81f04b3be472a46e476781a9250d0d29c636069a45dc687be7fdf2d2d1eb40ef306c84edf552cd0

Download Submit
C:\Windows\{84394E8C-D909-4b43-899F-AC45E7BE2EFF}.exe

Filesize
64KB

MD5
53aae3c7724f9b56a630c8a6e07ca884

SHA1
7069b13f4ac6512873eb836ce1f9d7cfc690a3f9

SHA256
a776a769ef7449d51508518c42560d05b59421a3de76a1ee67442b0dfed96b5f

SHA512
74ed59ec7b673d4f37e659fb8e546ed6a986727951f5b86b69b8e2e70781c2b1c7fa965b982c68fa6c76689065027b3efff8ffa590bd369eb765e6aebe1a4081

Download Submit
C:\Windows\{9804426D-F6A0-4400-9736-48C94952F80D}.exe

Filesize
64KB

MD5
8c3457ecf65da8d369d44c67f52a2cae

SHA1
f601c0ec32d3db27033b8ee5d5f485c1b19617cd

SHA256
0f756354b4cc14cd21e61327b55d5178c14df8b701ce9ae3110a9601badba360

SHA512
265e809c1da4150cef160847da8b3323efc611a92de8a184d2cf04b0540e22a15cad854836f0a2467e95203a6b6993ce417f89c25e5f1f3c215866b882f79ae9

Download Submit
C:\Windows\{A1779024-461E-4dcf-82B5-B27A5AF8F4B7}.exe

Filesize
64KB

MD5
0a76d1d69aad7054e6e5091a08603c22

SHA1
7ffb26e02df6533c3cffeacbdde850e90f742d6d

SHA256
3f75717d40a11ace9d78854898419a2c77457159f0a8d11bc1b7ece6694e6cb8

SHA512
ad904c1036e1b8a122b2819c486d5b45f82dc34a846e9d312462473d5a7dcc33679608291178d60c47a8eda44df6b687df0fa996a7ee51f8c27b366f981dd9cd

Download Submit
C:\Windows\{B7835DDA-BDB8-4c55-8CE8-51CC6DE06E0D}.exe

Filesize
64KB

MD5
1a606ebb41d5e41c9cef21b81e49f3bf

SHA1
9dea7519ce16421e05ac37bf5b89fc45703a625b

SHA256
fa43993cc654599b36bb87d32080f5ad90024a0121edd00e1f0ba8be525bc04c

SHA512
aac63649c13c8a851e61346a2662cc0ddc1b68e7bde36a25e73e13394515e33e91aa9ba96cc612e1d2585e0f70ed8224b3059c270c6af6f10e507dfa337488ad

Download Submit
C:\Windows\{C291BEF4-E6D8-495b-B231-062F3D960DFC}.exe

Filesize
64KB

MD5
08f769f781715ed7315e8a44df3087cb

SHA1
4f55e980de4d35b4bd701e5b5947fee902c50367

SHA256
edf8fbfab0be89a793df5748dc939dcaba25051a8d28dd9eb09857af28255341

SHA512
bd38e038def100f02a1370b809098c23772270c2e93a95465e95a932aa0469953bea9fbabeb3e8890ba4dd078626fa1f8ae7cf42f30641a611faef62b9ba5b9a

Download Submit
C:\Windows\{DFA8F042-8670-4210-8EB5-46BABB89B569}.exe

Filesize
64KB

MD5
d0d5f3c3961e820b49ab4735da40953c

SHA1
9650609c1e897b13b8e66a9553920b3e5150c886

SHA256
0654cfdd10884bb6ff93716d5d329ff15fcdada52232e231b80fcf616e7b86fa

SHA512
b526013394d40dc4d43002132ed22a7eab561d05b26abab4814beb1b3b9091c92a2dac10d1c4237094e79db8fd22654f6c752f2d4cc2fd7981a6505c2ec0b3c1

Download Submit
memory/208-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/208-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/468-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/468-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/772-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2268-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2268-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2352-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2352-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2860-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2876-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2876-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3584-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3584-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3848-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3848-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4436-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4436-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4740-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4952-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4952-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads