009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e

Analysis

max time kernel
100s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe
Size

90KB
MD5

1c96f3a253cc8b650cf303062f669dc9
SHA1

2b6cbd2730f137972f49b468b754ff7958ef594c
SHA256

009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e
SHA512

bbdec1b83e6e9ab0d80ed3a52df253daa770b70ff64cc94dea19beb1994719ea511eaf2eee2c9aa58abda8fb34d1d7f72969da14fdbaa5b0ec2bc19e10bb2184
SSDEEP

768:5vw981UMhKQLroTL4/wQ4pNrfrunMxVFA3b:lEG00oTLl3zunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6909AD4B-7591-40a4-B431-D31233A6665B}	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{710621BB-C0C9-4690-86FC-41FA3C3264E1}\stubpath = "C:\\Windows\\{710621BB-C0C9-4690-86FC-41FA3C3264E1}.exe"	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}\stubpath = "C:\\Windows\\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe"	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{710621BB-C0C9-4690-86FC-41FA3C3264E1}	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6909AD4B-7591-40a4-B431-D31233A6665B}\stubpath = "C:\\Windows\\{6909AD4B-7591-40a4-B431-D31233A6665B}.exe"	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC63892-5B80-482b-B7AF-3895556CF1B3}	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC63892-5B80-482b-B7AF-3895556CF1B3}\stubpath = "C:\\Windows\\{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe"	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}\stubpath = "C:\\Windows\\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe"	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}\stubpath = "C:\\Windows\\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe"	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66B37971-3018-47e5-A0D8-F90F7082E8D2}	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66B37971-3018-47e5-A0D8-F90F7082E8D2}\stubpath = "C:\\Windows\\{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe"	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}\stubpath = "C:\\Windows\\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe"	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe

Executes dropped EXE 8 IoCs

pid	Process
2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe
3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe
384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe
3608	{710621BB-C0C9-4690-86FC-41FA3C3264E1}.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe
File created	C:\Windows\{710621BB-C0C9-4690-86FC-41FA3C3264E1}.exe	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe
File created	C:\Windows\{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe
File created	C:\Windows\{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
File created	C:\Windows\{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
File created	C:\Windows\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
File created	C:\Windows\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
File created	C:\Windows\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe
Token: SeIncBasePriorityPrivilege	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
Token: SeIncBasePriorityPrivilege	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
Token: SeIncBasePriorityPrivilege	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
Token: SeIncBasePriorityPrivilege	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
Token: SeIncBasePriorityPrivilege	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe
Token: SeIncBasePriorityPrivilege	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe
Token: SeIncBasePriorityPrivilege	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2448	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe	87
PID 1540 wrote to memory of 2448	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe	87
PID 1540 wrote to memory of 2448	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe	87
PID 1540 wrote to memory of 4500	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe	88
PID 1540 wrote to memory of 4500	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe	88
PID 1540 wrote to memory of 4500	1540	009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe	88
PID 2448 wrote to memory of 5116	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	89
PID 2448 wrote to memory of 5116	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	89
PID 2448 wrote to memory of 5116	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	89
PID 2448 wrote to memory of 5020	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	90
PID 2448 wrote to memory of 5020	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	90
PID 2448 wrote to memory of 5020	2448	{6909AD4B-7591-40a4-B431-D31233A6665B}.exe	90
PID 5116 wrote to memory of 2608	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	92
PID 5116 wrote to memory of 2608	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	92
PID 5116 wrote to memory of 2608	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	92
PID 5116 wrote to memory of 4784	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	93
PID 5116 wrote to memory of 4784	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	93
PID 5116 wrote to memory of 4784	5116	{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe	93
PID 2608 wrote to memory of 3880	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	94
PID 2608 wrote to memory of 3880	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	94
PID 2608 wrote to memory of 3880	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	94
PID 2608 wrote to memory of 3108	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	95
PID 2608 wrote to memory of 3108	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	95
PID 2608 wrote to memory of 3108	2608	{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe	95
PID 3880 wrote to memory of 3364	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	96
PID 3880 wrote to memory of 3364	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	96
PID 3880 wrote to memory of 3364	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	96
PID 3880 wrote to memory of 2112	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	97
PID 3880 wrote to memory of 2112	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	97
PID 3880 wrote to memory of 2112	3880	{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe	97
PID 3364 wrote to memory of 3844	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	98
PID 3364 wrote to memory of 3844	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	98
PID 3364 wrote to memory of 3844	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	98
PID 3364 wrote to memory of 1016	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	99
PID 3364 wrote to memory of 1016	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	99
PID 3364 wrote to memory of 1016	3364	{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe	99
PID 3844 wrote to memory of 384	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	100
PID 3844 wrote to memory of 384	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	100
PID 3844 wrote to memory of 384	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	100
PID 3844 wrote to memory of 4108	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	101
PID 3844 wrote to memory of 4108	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	101
PID 3844 wrote to memory of 4108	3844	{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe	101
PID 384 wrote to memory of 3608	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	102
PID 384 wrote to memory of 3608	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	102
PID 384 wrote to memory of 3608	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	102
PID 384 wrote to memory of 3012	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	103
PID 384 wrote to memory of 3012	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	103
PID 384 wrote to memory of 3012	384	{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe	103

C:\Users\Admin\AppData\Local\Temp\009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe
"C:\Users\Admin\AppData\Local\Temp\009ab4b8d9d7f80ab351daf12042dc7e2bf996bb26a7be9a505b6a5dba51342e.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
  C:\Windows\{6909AD4B-7591-40a4-B431-D31233A6665B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
    C:\Windows\{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
      C:\Windows\{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
        
        C:\Windows\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe
        
        C:\Windows\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe
        
        C:\Windows\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe
        
        C:\Windows\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\{710621BB-C0C9-4690-86FC-41FA3C3264E1}.exe
        
        C:\Windows\{710621BB-C0C9-4690-86FC-41FA3C3264E1}.exe
        9⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\{87D22E27-A284-4e2e-991B-B2A9E513EDFE}.exe
        
        C:\Windows\{87D22E27-A284-4e2e-991B-B2A9E513EDFE}.exe
        10⤵
        
        PID:2800
        
        C:\Windows\{57BCD470-EAB5-4137-A40D-F5466B3442A7}.exe
        
        C:\Windows\{57BCD470-EAB5-4137-A40D-F5466B3442A7}.exe
        11⤵
        
        PID:4556
        
        C:\Windows\{33D6EB58-5275-48ec-A4D5-BDFEBBE6E2D5}.exe
        
        C:\Windows\{33D6EB58-5275-48ec-A4D5-BDFEBBE6E2D5}.exe
        12⤵
        
        PID:2872
        
        C:\Windows\{FFED865D-2C6C-4b64-B9D8-30E982892BA3}.exe
        
        C:\Windows\{FFED865D-2C6C-4b64-B9D8-30E982892BA3}.exe
        13⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33D6E~1.EXE > nul
        13⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BCD~1.EXE > nul
        12⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D22~1.EXE > nul
        11⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71062~1.EXE > nul
        10⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFD1B~1.EXE > nul
        9⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{802D2~1.EXE > nul
        8⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0821A~1.EXE > nul
        7⤵
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA7A4~1.EXE > nul
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66B37~1.EXE > nul
        5⤵
        
        PID:3108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC63~1.EXE > nul
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6909A~1.EXE > nul
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\009AB4~1.EXE > nul
  2⤵
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0821AE5A-F703-4fed-BBBF-FF57E02D664E}.exe

Filesize
90KB

MD5
bf77a4cd672b60378e519497ee1c9f98

SHA1
7b83d08f13ad3b8fc6c85bb8a58c8ed5d878dcb2

SHA256
a181997c76aca192a8e0f4feae5aa3134a53b3c26e60911ac1561355c0fe4f58

SHA512
7e542e149339b213e1738e84dc41a2cc626ddd035745f3a92755e61ca2d4209d37ee2b7134615594bb53d1c507beaa00171376019ecdfb93bbd1a9d2fa69fbaa

Download Submit
C:\Windows\{1DC63892-5B80-482b-B7AF-3895556CF1B3}.exe

Filesize
90KB

MD5
433336ee221f4c1b9afed85df4fbb8f0

SHA1
e7e2c4bab89ffdc7b0f61a27247a75dff0da86d1

SHA256
a896692e13401d177392e9739815c8fbada740eb151b41508421e88ca11bd4b1

SHA512
4936928473d19344ffc628a9446485e4d683f5f35821f5a3483c1f5d3f77e70a75374ddaf2c4f06901c15bcb46460d5f434bee562086aba10f0e538b614e9f45

Download Submit
C:\Windows\{33D6EB58-5275-48ec-A4D5-BDFEBBE6E2D5}.exe

Filesize
90KB

MD5
adb3017e9fa2f9fce23e83911c35094b

SHA1
339d1d636d58a936151ca77fb211b1113bf9cf09

SHA256
8cd50f0f99351d28dc5e07a5745741e68852981f2bd3721138e3c2f1f48c1779

SHA512
2b7a3139b00ed28795d85aef2ab0e818ca7aec656801968713a4d9e565aee9d53429e912e957049b62dbd5f810b6f3e96df47f9ce203da340b5e6686454a0374

Download Submit
C:\Windows\{57BCD470-EAB5-4137-A40D-F5466B3442A7}.exe

Filesize
90KB

MD5
9bc10a4f1d216343388fa8c0196ec9d7

SHA1
f434cfb62c0fdef82f9d8b1bcd410a2f6cf7e090

SHA256
52cde5e28503b265f5c220cb9fbe36c89226e93c692afc6d85f8568a9119a25c

SHA512
0e2318146ca2f3d01ad069229b7f97f63386466ceba74bb53a4ebfb9e5a87f2ef75fa55401a930d286a02c8c33d8080229155ba0c18f41f53d857df63290ad8c

Download Submit
C:\Windows\{66B37971-3018-47e5-A0D8-F90F7082E8D2}.exe

Filesize
90KB

MD5
711b6c417884cbf4f115e718d9899a33

SHA1
0a0b392bd93ce0c8e845ec0b6dba001055db9e7f

SHA256
2b57a52b6e739d25e8490b84d04d05affc9d1c19691d10300761db18fde68a53

SHA512
b6bb51ca77f8837ba3e9c0e9bce05e4ea9fc01e52e298ee4cd81d8acc85b8afc3257415681cc8cd0af8e33d2ce2d04af0f6ddbeb587f8c35930426b35af4fbe9

Download Submit
C:\Windows\{6909AD4B-7591-40a4-B431-D31233A6665B}.exe

Filesize
90KB

MD5
96d9cb4233e5376dd4c8248bf2dd799a

SHA1
2d25692a32e4b71291d2330794b0138b7e02dae6

SHA256
91cbf4d5caf000ce8de69b2d98fb86e3f27e3534bd2787600c01c84a541b38f6

SHA512
6a4ee3749220e3a9ca4dc151d47c56a3eaec8b9ec9fd0418732d11fc95c617d059ff45a1148e84556f5f54f50dd750643d9094911d11eb8ab177dbb4113e5485

Download Submit
C:\Windows\{710621BB-C0C9-4690-86FC-41FA3C3264E1}.exe

Filesize
90KB

MD5
41e518f8fafb49c59f2468c342260fcd

SHA1
95bc5fdcdb754312db3c7d02f2e429461abb2d01

SHA256
bce855870194757908d26954ffe2e9dff4227c49d58bdf112241ab514a05faa3

SHA512
8a7e4a431eec66e03249337d1b4e030a6d5045035753ea56cb06692550d82279748755bfb05e3eaa1cdbdf8611c8a53e09e7c6f9a405c17897fa47b8ecebe02a

Download Submit
C:\Windows\{802D293A-A632-4eaa-AFD7-BA0F67E845CF}.exe

Filesize
90KB

MD5
814f5ecbbba22e1036cb5636abf28b58

SHA1
3ae0676b0b17bfbdb79c4f8b94ccefbb8a7e59ed

SHA256
2faa19adf7ef110ae9e2e0c1b106cc0d047a100a062a8840482109448c7b4823

SHA512
9bcfe5a16e883704ecd6d61ca99124332ef5427cad4bade5104f461e3b1994d59a8f4b4749b4cb9db7d691f5809c7e284bba48dc1e4d04e494002caa9809738a

Download Submit
C:\Windows\{87D22E27-A284-4e2e-991B-B2A9E513EDFE}.exe

Filesize
90KB

MD5
1a91c418aa00aec78672b9b113f8b553

SHA1
f3b13f4f02e0c1fcf831a258f7f29ae3bc769371

SHA256
16341007b96b2a05f270a57fcb0bd004376850e3427e2564c923bf2429df67ae

SHA512
d32cdfda8b9f2330729125ca8aec2da0519e31e66d2e626820d4ac40319ac0a92a5d249b4db08a35479ee8e0ff4565522c662cb50d43963aba6938abbecd0974

Download Submit
C:\Windows\{AA7A42B1-82B0-409d-9FD0-6F22B6A0589D}.exe

Filesize
90KB

MD5
3133350f313e26481e064961850c7def

SHA1
66e77dafba49e41d7494e0d23e0e267f0455864d

SHA256
96658c5dbf53b838c24df1c6ccdfb94ea2772aa1d68e48f6e6a71e7ebeee9bde

SHA512
1aca1f2a04ca7c65a1161918ea2152682ed84600df91ee99a57338e550ca4bcc3efe2ac0d04fabfb0a9be433831162da648d129d0c821ae7a865003569ca119d

Download Submit
C:\Windows\{AFD1BD7E-43A5-4cf6-B2B2-88FDF0F1D94A}.exe

Filesize
90KB

MD5
c3e6dd92995f0e140b64318cfea6c10b

SHA1
c20ed7c874fab90ed1b1454e70e01f7127b1bbf0

SHA256
63c0f4e1902f4595b6bf3a90af0961521b83a0cb950d364b3dc2f8cfdaa13830

SHA512
b829f1b7c3bd3484ea09ef1032cbd9e496a1d12cf45999e8b0116c1defff0f1d837173b6d8a9a1e5ddf593d55c19f2a97e17a769f98c37be129a37f0e47b1934

Download Submit
C:\Windows\{FFED865D-2C6C-4b64-B9D8-30E982892BA3}.exe

Filesize
90KB

MD5
86729d7382b7e2282b7f2af1f23dc22e

SHA1
064af8fcc21a65dcfbae5c94a07c418315b6e235

SHA256
d9e697bea8d4ca6d344031f0dcefc3a44d0028f95e23c17491f95e8e6d0aa351

SHA512
67f645ca1f6edd782c3221211eae3b1f7f6afee8dd79de1745883cab2adf1d3857a02cc9d7ea1e248c1b0e45933f92cff5886669582df8250f9d74d7e63d39bc

Download Submit
C:\Windows\{FFED865D-2C6C-4b64-B9D8-30E982892BA3}.exe

Filesize
64KB

MD5
dfdda0861657313cb456c850e7c925d5

SHA1
9cec28eff7e69056100ab55b5583071882d03fd1

SHA256
008aa4bc3283987e6ef73933d79bf158767fce0187a02bcd65c699fd12e7e2f1

SHA512
1d8599cb552867fa397863aa493aebcc5e687718bab5c2810b1305f437ec770c2a88a18b7cef72b6c89181e839d73dc3d87b7f19920261143e3d1199168a8eaf

Download Submit
memory/384-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2872-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2872-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2896-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3364-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3364-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3608-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3844-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3844-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3880-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3880-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads