f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe
Size

98KB
MD5

e458978d22765bbd70d6fba50e36e52b
SHA1

5426a551311cefd580bc20eb50ed15dc590bea59
SHA256

f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088
SHA512

5016b10ccd867630f5415753a99e0f851bb6ecf6e41565fd3bd5c47a7b018dcf38555331107438b1c76e83d7ddf61fe7ff0cfc0a81e742cbd3c99150d648a9d7
SSDEEP

768:5vw981UMhKQLroB4/wQ4pNrfrunMxVFA3b7glw6:lEG00oBl3zunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BAA79DB-8788-447f-B76B-A953A0AE5407}\stubpath = "C:\\Windows\\{1BAA79DB-8788-447f-B76B-A953A0AE5407}.exe"	{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA5589D5-6417-4996-8D82-D0A5316EAB01}	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C171DE31-61CB-4021-888E-B7F3A8971C89}\stubpath = "C:\\Windows\\{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe"	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}\stubpath = "C:\\Windows\\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe"	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C171DE31-61CB-4021-888E-B7F3A8971C89}	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}\stubpath = "C:\\Windows\\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe"	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F37BAE0F-544F-4095-8735-16D5CF9854F0}\stubpath = "C:\\Windows\\{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe"	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}\stubpath = "C:\\Windows\\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe"	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20771EEC-150B-4729-B5DB-59100EA229FF}\stubpath = "C:\\Windows\\{20771EEC-150B-4729-B5DB-59100EA229FF}.exe"	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BAA79DB-8788-447f-B76B-A953A0AE5407}	{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F37BAE0F-544F-4095-8735-16D5CF9854F0}	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50417B5E-6AC6-4d94-B38C-D625078FC42D}	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}\stubpath = "C:\\Windows\\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe"	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}\stubpath = "C:\\Windows\\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe"	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20771EEC-150B-4729-B5DB-59100EA229FF}	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA5589D5-6417-4996-8D82-D0A5316EAB01}\stubpath = "C:\\Windows\\{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe"	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50417B5E-6AC6-4d94-B38C-D625078FC42D}\stubpath = "C:\\Windows\\{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe"	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95865F9A-FCE9-4682-A367-506FEE3DDB09}	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95865F9A-FCE9-4682-A367-506FEE3DDB09}\stubpath = "C:\\Windows\\{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe"	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe

Executes dropped EXE 12 IoCs

pid	Process
1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe
2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
1412	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
3880	{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe
1356	{1BAA79DB-8788-447f-B76B-A953A0AE5407}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
File created	C:\Windows\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
File created	C:\Windows\{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
File created	C:\Windows\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
File created	C:\Windows\{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe
File created	C:\Windows\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
File created	C:\Windows\{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
File created	C:\Windows\{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
File created	C:\Windows\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe
File created	C:\Windows\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
File created	C:\Windows\{20771EEC-150B-4729-B5DB-59100EA229FF}.exe	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
File created	C:\Windows\{1BAA79DB-8788-447f-B76B-A953A0AE5407}.exe	{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe
Token: SeIncBasePriorityPrivilege	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
Token: SeIncBasePriorityPrivilege	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
Token: SeIncBasePriorityPrivilege	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
Token: SeIncBasePriorityPrivilege	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
Token: SeIncBasePriorityPrivilege	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
Token: SeIncBasePriorityPrivilege	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe
Token: SeIncBasePriorityPrivilege	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
Token: SeIncBasePriorityPrivilege	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
Token: SeIncBasePriorityPrivilege	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
Token: SeIncBasePriorityPrivilege	1412	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
Token: SeIncBasePriorityPrivilege	3880	{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1932	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe	97
PID 660 wrote to memory of 1932	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe	97
PID 660 wrote to memory of 1932	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe	97
PID 660 wrote to memory of 1420	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe	98
PID 660 wrote to memory of 1420	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe	98
PID 660 wrote to memory of 1420	660	f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe	98
PID 1932 wrote to memory of 4580	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	99
PID 1932 wrote to memory of 4580	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	99
PID 1932 wrote to memory of 4580	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	99
PID 1932 wrote to memory of 2904	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	100
PID 1932 wrote to memory of 2904	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	100
PID 1932 wrote to memory of 2904	1932	{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe	100
PID 4580 wrote to memory of 4968	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	103
PID 4580 wrote to memory of 4968	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	103
PID 4580 wrote to memory of 4968	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	103
PID 4580 wrote to memory of 3436	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	104
PID 4580 wrote to memory of 3436	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	104
PID 4580 wrote to memory of 3436	4580	{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe	104
PID 4968 wrote to memory of 4428	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	105
PID 4968 wrote to memory of 4428	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	105
PID 4968 wrote to memory of 4428	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	105
PID 4968 wrote to memory of 4424	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	106
PID 4968 wrote to memory of 4424	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	106
PID 4968 wrote to memory of 4424	4968	{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe	106
PID 4428 wrote to memory of 3228	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	107
PID 4428 wrote to memory of 3228	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	107
PID 4428 wrote to memory of 3228	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	107
PID 4428 wrote to memory of 2272	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	108
PID 4428 wrote to memory of 2272	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	108
PID 4428 wrote to memory of 2272	4428	{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe	108
PID 3228 wrote to memory of 4068	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	110
PID 3228 wrote to memory of 4068	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	110
PID 3228 wrote to memory of 4068	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	110
PID 3228 wrote to memory of 1928	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	111
PID 3228 wrote to memory of 1928	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	111
PID 3228 wrote to memory of 1928	3228	{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe	111
PID 4068 wrote to memory of 2520	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	112
PID 4068 wrote to memory of 2520	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	112
PID 4068 wrote to memory of 2520	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	112
PID 4068 wrote to memory of 5112	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	113
PID 4068 wrote to memory of 5112	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	113
PID 4068 wrote to memory of 5112	4068	{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe	113
PID 2520 wrote to memory of 4432	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	120
PID 2520 wrote to memory of 4432	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	120
PID 2520 wrote to memory of 4432	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	120
PID 2520 wrote to memory of 4900	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	121
PID 2520 wrote to memory of 4900	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	121
PID 2520 wrote to memory of 4900	2520	{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe	121
PID 4432 wrote to memory of 1692	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	123
PID 4432 wrote to memory of 1692	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	123
PID 4432 wrote to memory of 1692	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	123
PID 4432 wrote to memory of 1456	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	124
PID 4432 wrote to memory of 1456	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	124
PID 4432 wrote to memory of 1456	4432	{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe	124
PID 1692 wrote to memory of 1412	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	125
PID 1692 wrote to memory of 1412	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	125
PID 1692 wrote to memory of 1412	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	125
PID 1692 wrote to memory of 1144	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	126
PID 1692 wrote to memory of 1144	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	126
PID 1692 wrote to memory of 1144	1692	{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe	126
PID 1412 wrote to memory of 3880	1412	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe	129
PID 1412 wrote to memory of 3880	1412	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe	129
PID 1412 wrote to memory of 3880	1412	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe	129
PID 1412 wrote to memory of 3244	1412	{20771EEC-150B-4729-B5DB-59100EA229FF}.exe	130

C:\Users\Admin\AppData\Local\Temp\f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe
"C:\Users\Admin\AppData\Local\Temp\f1435a4f4d268fa92f2dac77fd5f84e0e8ca2f8f946628e20ecdd2ac60d2d088.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
  C:\Windows\{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
    C:\Windows\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
      C:\Windows\{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
        
        C:\Windows\{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
        
        C:\Windows\{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe
        
        C:\Windows\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
        
        C:\Windows\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
        
        C:\Windows\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
        
        C:\Windows\{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
        
        C:\Windows\{20771EEC-150B-4729-B5DB-59100EA229FF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe
        
        C:\Windows\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\{1BAA79DB-8788-447f-B76B-A953A0AE5407}.exe
        
        C:\Windows\{1BAA79DB-8788-447f-B76B-A953A0AE5407}.exe
        13⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97C99~1.EXE > nul
        13⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20771~1.EXE > nul
        12⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C171D~1.EXE > nul
        11⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86BC6~1.EXE > nul
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFFEF~1.EXE > nul
        9⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E65A~1.EXE > nul
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95865~1.EXE > nul
        7⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50417~1.EXE > nul
        6⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F37BA~1.EXE > nul
        5⤵
        
        PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11BBB~1.EXE > nul
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DA558~1.EXE > nul
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F1435A~1.EXE > nul
  2⤵
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E65A893-CFF5-4eb6-9EBA-2221BAFD9270}.exe

Filesize
98KB

MD5
f475abaa885a04ed1a42c8b4d67fa9fa

SHA1
176f4f48e6e28c674b426d60982e12d614b4a17d

SHA256
cffb58e9e4a1410850286e5538c7fee6bb60fb508b7e442839743bf47360e0a2

SHA512
75f57571dd55d6c2753b70f3a81ebb05f2efccccb124c867880882f93cd40d67bbd4519d4d3c35e10aaac814d4a6019e12e67aa8cfc5f5f9001cccedf420bd58

Download Submit
C:\Windows\{11BBB8C5-2B5A-410d-B494-0A4DA93AD788}.exe

Filesize
98KB

MD5
8de91155786350fa6c6a39785c777539

SHA1
fdfc23a6f6f5b4624abb74c0503700fb5389ca1c

SHA256
f7b101338bac7334ca7f96de278c34bcf1179067d0dafcef77a6381b77729a4c

SHA512
fb7b0fe91f7455b4b3fd0a54e5a5e5cc41e3ec7b8b6d5a2a2a0185103e98cc9e97f99a0d0f382daedd7a40d517b4dfffc9defe2a031afd15e8c9f7889e13a9a3

Download Submit
C:\Windows\{1BAA79DB-8788-447f-B76B-A953A0AE5407}.exe

Filesize
98KB

MD5
042ad1549ef64a75645d495ad9c98961

SHA1
4ce7973ab143f39acdb30f264c934087fa2a12c4

SHA256
8b7bd95d3e7de941825f045e9a843ac9e2c9ffe687eee19177dc572faf172caf

SHA512
1c1a3a8b1d1228289a349a7baec6405c0aebd58283a90cd462c5556e1ee00c9617efbb47eb82160f5627b930f0227ebc23c319fca2807e89a844832ded9a2dca

Download Submit
C:\Windows\{20771EEC-150B-4729-B5DB-59100EA229FF}.exe

Filesize
98KB

MD5
68fde24a5bd528e5a6efffb8641df911

SHA1
433fac774bc624ba3c1137d91d4c5ae58f4ab8ca

SHA256
97ebc1d7e245e041ab55735890f551df7e24abf8748d06b0eaef4e444a56c271

SHA512
8d3c9268c8d45766fcb87c54ef824508295f4966e2731f5010a53e1e1ae7e89118e4876cdb1816988cf0edd2b804afa18442a8771a4663948ce18c821695b7ad

Download Submit
C:\Windows\{50417B5E-6AC6-4d94-B38C-D625078FC42D}.exe

Filesize
98KB

MD5
5d55e85abbad16be70cbf8bed638a389

SHA1
1c31c20cfb1ca592897667c5e8d249d571d84c4e

SHA256
16bdd54fe161ba399abdfe4b8b2d6f93ff3dbe3c9e72d46e1f7237e65922bca9

SHA512
5441197c57ce9b2782f1e190834d1817f3d07243de6f65af73a03c1159c0f1499f4bd3c68e3a496a2c67aedd738d91f1c35561a612390c9540dab48832f5a000

Download Submit
C:\Windows\{86BC6933-AC5F-48b5-A978-EBDB2B2C3505}.exe

Filesize
98KB

MD5
4e292e011c9bd949e6074d926cd1833c

SHA1
63239bf4fbfccfd651ad7c749b4e3770f739055e

SHA256
708e550340d6fe7be9b267a4492578acb6108793e574a2c13994201d9ccac6a6

SHA512
2a17f994a583a473cb2185277fd70ccc46dbd24229170c302a4bcb3267489b77cf45a036d3fa46e35473e630c45bf86953d5109e7160b4eb819380de1c64c9aa

Download Submit
C:\Windows\{95865F9A-FCE9-4682-A367-506FEE3DDB09}.exe

Filesize
98KB

MD5
3c4c06769e8d074503320c966bee6da9

SHA1
568af3b58634f548dbea32998a350515a764cdba

SHA256
f28adae6f5a73eb0f054a4b504245e1b66335783f5ed4d4e2e1ab66af3e46b7b

SHA512
ae6713eb72ff6693dea332148f548030e0c2e70ea25b126812dfb49ddc68bd0077cb6b0075eaf2c7b44bb00bd7b5f64fe6181df5d095a36b34cd1ff6cc77c0cd

Download Submit
C:\Windows\{97C99E52-B92D-461e-B9B0-29BC6190B6C6}.exe

Filesize
98KB

MD5
a6e25dcebde9b8277d570e26c46e2f00

SHA1
391bacc4f6c384723847be6196426c15ccc2bc25

SHA256
14dc32a8e795b9315973549656a04ce674cc2d55cc11f8248c69168c6890955a

SHA512
ee8107ceae198970c03e08a01207159410da0170201b286087625c1aaf84442c31e43508265a7cdd580efcaea0e77b281326ba063fe724e6203ef65260d67d73

Download Submit
C:\Windows\{AFFEF7DB-28F4-410e-BCA0-BD05F1740E78}.exe

Filesize
98KB

MD5
4152968518185d46cca4355e08eecf62

SHA1
2deb6113a5ddd59ae27265a67cd89fc4c6ceb8ff

SHA256
f29e2b4239aac1a6ab7216fce0d58873f6ed17432e617f691e0aff307184b066

SHA512
57c21bd0c470cb9c271dacdf67c913cbde60cf55cd903a16ac384b3f964ece3db09f56c0a9a55a8ed056aa9d244ee9c2dd6b593d1b04e5b7af5c3506d1cf1af7

Download Submit
C:\Windows\{C171DE31-61CB-4021-888E-B7F3A8971C89}.exe

Filesize
98KB

MD5
4d6a9931a06c2d7b098f41f3cef5f92d

SHA1
a14292bb0f1ba58f35b16e683d347f516835ca73

SHA256
24e4661a45e56f38a63cf3a31e866741696d4d435719bbe11af1b9585a90e049

SHA512
327341a505ceffd31f4faf2d4ea08f077f41d81dfbec6b9283bfc458314d0394ccc65bf3af6aa205cdfae9f8edfc219c0400865fac8876be52cc6507e16e799e

Download Submit
C:\Windows\{DA5589D5-6417-4996-8D82-D0A5316EAB01}.exe

Filesize
98KB

MD5
b1b70e586696882a4bf7a589a3bd242d

SHA1
278d6233395b29fa375fb1b6f9e2cb05a04579fe

SHA256
9cded3453c2b08b135189515d63a34702c2a8229a203cb4badc9d958615c7933

SHA512
9be299e79e641563077b72dbe2183e560120f17b71bbeeae55315568c6ca80c81769fb077121bc155b297ab36eb4cc23d41ee39a482b3f0c48589d55e9b624a2

Download Submit
C:\Windows\{F37BAE0F-544F-4095-8735-16D5CF9854F0}.exe

Filesize
98KB

MD5
c12e942223c0a3e78bb7167de64d066d

SHA1
81879b37e08cca6751e683cf1530fcba81265c3a

SHA256
e16182f1a790869168e83f11320c4c2e9cb01e4ddaf0a6441d26702e165d9ec1

SHA512
9f7350d3dd22945fecc1a8901a4795ea1969f66c8a4dd1a1a1836a68ef94db57416b0bd72baf91a05ad4cd0096d6ea71d0b60fadc28e6dd0bc184b7412606f65

Download Submit
memory/660-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/660-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1412-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3228-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3228-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3880-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3880-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4068-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4068-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4428-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4428-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4432-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4432-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4580-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4580-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4968-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4968-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads