71535ad3f9b1b6a350d932b557af1e7499b1ff062061bd37106bcd64a527ae5a

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d4d4a02b095380d7335c704f434ec0.exe
Size

64KB
MD5

15d4d4a02b095380d7335c704f434ec0
SHA1

613d47f8f1127bfafb0bc0fc586f871a6ec4c797
SHA256

71535ad3f9b1b6a350d932b557af1e7499b1ff062061bd37106bcd64a527ae5a
SHA512

7e4f6f6c387a4a052381089ea4e2a2d1a2120b2e63320a442810bb304d2417ec18a8002faca8b91b701e6d74cdab70c16249f8437014586bb1582c7df45e3c41
SSDEEP

384:ObLwOs8AHsc42MPwhKQLrow4/CFsrdHWMZ/:Ovw981QvhKQLrow4/wQpWMZ/

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8583FA79-2947-44ab-A270-D1D56F818BD9}	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8583FA79-2947-44ab-A270-D1D56F818BD9}\stubpath = "C:\\Windows\\{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe"	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}\stubpath = "C:\\Windows\\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe"	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}	15d4d4a02b095380d7335c704f434ec0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}\stubpath = "C:\\Windows\\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe"	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}\stubpath = "C:\\Windows\\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe"	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D1887E2-8D18-4804-BC56-7F9ECF615508}\stubpath = "C:\\Windows\\{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe"	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6929D18A-0E05-4634-9590-0ABC73D930B8}	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}\stubpath = "C:\\Windows\\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe"	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C57E964E-9B6C-42cc-818F-0F1725884121}	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}\stubpath = "C:\\Windows\\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe"	15d4d4a02b095380d7335c704f434ec0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C57E964E-9B6C-42cc-818F-0F1725884121}\stubpath = "C:\\Windows\\{C57E964E-9B6C-42cc-818F-0F1725884121}.exe"	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC23713-8EFD-4649-86C7-2B572552FFF9}\stubpath = "C:\\Windows\\{1FC23713-8EFD-4649-86C7-2B572552FFF9}.exe"	{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}\stubpath = "C:\\Windows\\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe"	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}\stubpath = "C:\\Windows\\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe"	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC23713-8EFD-4649-86C7-2B572552FFF9}	{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D1887E2-8D18-4804-BC56-7F9ECF615508}	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6929D18A-0E05-4634-9590-0ABC73D930B8}\stubpath = "C:\\Windows\\{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe"	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe

Executes dropped EXE 12 IoCs

pid	Process
1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe
4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
3588	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
4440	{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe
1956	{1FC23713-8EFD-4649-86C7-2B572552FFF9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
File created	C:\Windows\{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe
File created	C:\Windows\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
File created	C:\Windows\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
File created	C:\Windows\{1FC23713-8EFD-4649-86C7-2B572552FFF9}.exe	{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe
File created	C:\Windows\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
File created	C:\Windows\{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
File created	C:\Windows\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
File created	C:\Windows\{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
File created	C:\Windows\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
File created	C:\Windows\{C57E964E-9B6C-42cc-818F-0F1725884121}.exe	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
File created	C:\Windows\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	15d4d4a02b095380d7335c704f434ec0.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1592	15d4d4a02b095380d7335c704f434ec0.exe
Token: SeIncBasePriorityPrivilege	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
Token: SeIncBasePriorityPrivilege	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
Token: SeIncBasePriorityPrivilege	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
Token: SeIncBasePriorityPrivilege	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe
Token: SeIncBasePriorityPrivilege	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
Token: SeIncBasePriorityPrivilege	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
Token: SeIncBasePriorityPrivilege	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
Token: SeIncBasePriorityPrivilege	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
Token: SeIncBasePriorityPrivilege	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
Token: SeIncBasePriorityPrivilege	3588	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
Token: SeIncBasePriorityPrivilege	4440	{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1920	1592	15d4d4a02b095380d7335c704f434ec0.exe	85
PID 1592 wrote to memory of 1920	1592	15d4d4a02b095380d7335c704f434ec0.exe	85
PID 1592 wrote to memory of 1920	1592	15d4d4a02b095380d7335c704f434ec0.exe	85
PID 1592 wrote to memory of 2480	1592	15d4d4a02b095380d7335c704f434ec0.exe	86
PID 1592 wrote to memory of 2480	1592	15d4d4a02b095380d7335c704f434ec0.exe	86
PID 1592 wrote to memory of 2480	1592	15d4d4a02b095380d7335c704f434ec0.exe	86
PID 1920 wrote to memory of 4204	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	87
PID 1920 wrote to memory of 4204	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	87
PID 1920 wrote to memory of 4204	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	87
PID 1920 wrote to memory of 3200	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	88
PID 1920 wrote to memory of 3200	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	88
PID 1920 wrote to memory of 3200	1920	{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe	88
PID 4204 wrote to memory of 2396	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	92
PID 4204 wrote to memory of 2396	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	92
PID 4204 wrote to memory of 2396	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	92
PID 4204 wrote to memory of 1124	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	93
PID 4204 wrote to memory of 1124	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	93
PID 4204 wrote to memory of 1124	4204	{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe	93
PID 2396 wrote to memory of 4084	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	94
PID 2396 wrote to memory of 4084	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	94
PID 2396 wrote to memory of 4084	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	94
PID 2396 wrote to memory of 1532	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	95
PID 2396 wrote to memory of 1532	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	95
PID 2396 wrote to memory of 1532	2396	{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe	95
PID 4084 wrote to memory of 4608	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	96
PID 4084 wrote to memory of 4608	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	96
PID 4084 wrote to memory of 4608	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	96
PID 4084 wrote to memory of 3068	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	97
PID 4084 wrote to memory of 3068	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	97
PID 4084 wrote to memory of 3068	4084	{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe	97
PID 4608 wrote to memory of 3512	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	98
PID 4608 wrote to memory of 3512	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	98
PID 4608 wrote to memory of 3512	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	98
PID 4608 wrote to memory of 3964	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	99
PID 4608 wrote to memory of 3964	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	99
PID 4608 wrote to memory of 3964	4608	{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe	99
PID 3512 wrote to memory of 4836	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	100
PID 3512 wrote to memory of 4836	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	100
PID 3512 wrote to memory of 4836	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	100
PID 3512 wrote to memory of 4460	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	101
PID 3512 wrote to memory of 4460	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	101
PID 3512 wrote to memory of 4460	3512	{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe	101
PID 4836 wrote to memory of 4672	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	102
PID 4836 wrote to memory of 4672	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	102
PID 4836 wrote to memory of 4672	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	102
PID 4836 wrote to memory of 2784	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	103
PID 4836 wrote to memory of 2784	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	103
PID 4836 wrote to memory of 2784	4836	{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe	103
PID 4672 wrote to memory of 1292	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	104
PID 4672 wrote to memory of 1292	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	104
PID 4672 wrote to memory of 1292	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	104
PID 4672 wrote to memory of 3208	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	105
PID 4672 wrote to memory of 3208	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	105
PID 4672 wrote to memory of 3208	4672	{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe	105
PID 1292 wrote to memory of 3588	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	106
PID 1292 wrote to memory of 3588	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	106
PID 1292 wrote to memory of 3588	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	106
PID 1292 wrote to memory of 444	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	107
PID 1292 wrote to memory of 444	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	107
PID 1292 wrote to memory of 444	1292	{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe	107
PID 3588 wrote to memory of 4440	3588	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe	108
PID 3588 wrote to memory of 4440	3588	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe	108
PID 3588 wrote to memory of 4440	3588	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe	108
PID 3588 wrote to memory of 1840	3588	{C57E964E-9B6C-42cc-818F-0F1725884121}.exe	109

C:\Users\Admin\AppData\Local\Temp\15d4d4a02b095380d7335c704f434ec0.exe
"C:\Users\Admin\AppData\Local\Temp\15d4d4a02b095380d7335c704f434ec0.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
  C:\Windows\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
    C:\Windows\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
      C:\Windows\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe
        
        C:\Windows\{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Windows\{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
        
        C:\Windows\{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
        
        C:\Windows\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
        
        C:\Windows\{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
        
        C:\Windows\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
        
        C:\Windows\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
        
        C:\Windows\{C57E964E-9B6C-42cc-818F-0F1725884121}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe
        
        C:\Windows\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\{1FC23713-8EFD-4649-86C7-2B572552FFF9}.exe
        
        C:\Windows\{1FC23713-8EFD-4649-86C7-2B572552FFF9}.exe
        13⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE8BD~1.EXE > nul
        13⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C57E9~1.EXE > nul
        12⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DB7E~1.EXE > nul
        11⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CFDB~1.EXE > nul
        10⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8583F~1.EXE > nul
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3826F~1.EXE > nul
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6929D~1.EXE > nul
        7⤵
        
        PID:3964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D188~1.EXE > nul
        6⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DC57~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98976~1.EXE > nul
      4⤵
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53AAE~1.EXE > nul
    3⤵
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\15D4D4~1.EXE > nul
  2⤵
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DB7E9E9-79C6-448f-80DE-5656EA920A89}.exe

Filesize
64KB

MD5
e137386e1984bf30b609ec84bbadb7c6

SHA1
aa8c3c816bab9760f331772d3ba3194a50bb6c33

SHA256
294854cb66bd208ebb54bb6573f2819f18b3120222666687e7f54002c1f3f9c7

SHA512
3e5676bc3b82d0b6caf7756d8576565702c5ed568437c8ad1b1f2d7509192cfcaa627b9fa3985776011a18899a1b2450829dc7156b0fb18b50f28ba56a539dbe

Download Submit
C:\Windows\{0DC57E9D-842D-4f86-850D-5A55D56CFDA9}.exe

Filesize
64KB

MD5
8459733415c8bf6f69f104dff0293843

SHA1
8d8cb875b1e259ee7bd144afee5f1b60044428f4

SHA256
7b8eee3a296abafa591555a0a7827ecbd2e596312c8e70e33baf6a0d771f8e37

SHA512
1dcff5992cf18978478826a9a0a564b042129b8ee7c57038ca4a5698c6c64a330867a1bef82103568d5533c9d1d69c26e3c1d2f714246e478f3b823aa406834f

Download Submit
C:\Windows\{1D1887E2-8D18-4804-BC56-7F9ECF615508}.exe

Filesize
64KB

MD5
0c2610a29f8358f5da667e086e53e707

SHA1
cb0226d44613adf76d3fa5189f5aebfd75fd93c3

SHA256
8b6351c3cb959ebe7739f3ae80bb777a0a4a0d228d96bc7213e4e35fc59353cd

SHA512
8691b3fb29482d19fd9030e268c0575288b5090be8e3459710869c9ff91b58c11ceb520744473ebe5a660334039ca2d8ba7cd8b21c6ce19214f159bf614e7245

Download Submit
C:\Windows\{1FC23713-8EFD-4649-86C7-2B572552FFF9}.exe

Filesize
64KB

MD5
a0d3aedf7026beae98e0433de55cf6c5

SHA1
273e083ea1ddae2244a992dce7bda0aa3c1f39bf

SHA256
5b3ff66a0000f3c0d5328b5befb231d0175a42848f1cb5b914d6f2e30208481c

SHA512
7cd94558f03b115505b195e7ac5f713823a2847b46afca05852574f830c580110015721ffc3048fa5679a425819812f268b33c1e68f1be2196987f9e97595f1a

Download Submit
C:\Windows\{3826F7D2-96BF-4307-9AC9-EDE0C86DD5B2}.exe

Filesize
64KB

MD5
9e35b707102953dc9ffddbf65d38a29d

SHA1
b4ffb6e066bf51e226237835ddb51c03bde8cdac

SHA256
8e8ed79b610c08422aae4cc3658799da0a20d05a7115d649e04a8261f9603687

SHA512
fde758e3df7085d0634b5aa83571f3230c216136ed7f3011ada34f215b4750166448e340944fd9563fe8a6aa72103010f756ff061acfb47763f9e349dce69f78

Download Submit
C:\Windows\{53AAE34F-0E52-4bb4-B054-683C9DCF3486}.exe

Filesize
64KB

MD5
8d1ed4e4d5c54e5ff71553ec6fa6e3c2

SHA1
37911f75371e60c96bbe329af80ffef44f97b58b

SHA256
9613f4c3e849018edf26eea5f66cb0260edeebd8bd7cf4fe600c2728fa2303bf

SHA512
a903c6beb785b4aaff18307faccdc3267715c57bca02509aadd4dad2eadc3b4bd729a9ee49d1288d92f6323e04c698ed4dad1f63d480033c5fd514ee2b637754

Download Submit
C:\Windows\{6929D18A-0E05-4634-9590-0ABC73D930B8}.exe

Filesize
64KB

MD5
cb72496e53778f7227609101c5d83bf8

SHA1
c5576791a8461ea07baae8e5a84d9f66758b4e36

SHA256
55330318f4f073448c9ac2d65eaf086d765bbafce3e05b473866bdf6a0faf138

SHA512
e72c60d04d65ab5ccfecb8d6dcab0b50e6a540ae6fa06eb3038b45fd3ea108c9cb380ff26b667564e943e605fcc878391cf952e6beb7c51512d2d0ba32c47089

Download Submit
C:\Windows\{7CFDBD1F-9647-4ba1-9BF2-DB512897C234}.exe

Filesize
64KB

MD5
343237215aa2a883383ea1fe9b3175ca

SHA1
3ce1a6539096a88aadb0be9d2f384c14964f3f28

SHA256
c5b493ed81ee0d5c36890f734ff8fd3f4b6e90cd707c43c225a6316bc7466770

SHA512
7bf306f198a012990f80b9176b4e9c2ecffa5e4d2478212741c7128a42d756dbad0e0ccd8e7dd63ee0edcf8340a72614ff7ac44fc5776e956d388f8da7f096ea

Download Submit
C:\Windows\{8583FA79-2947-44ab-A270-D1D56F818BD9}.exe

Filesize
64KB

MD5
ff2186dc20a888f3f4595a65c3220858

SHA1
00298c17b2723fe40856c9a19456e24b7479c1ce

SHA256
5f223e3c61db43eb2e10137b4121e9f9e187d0e9d775acafb4e193594b924d9f

SHA512
8cab28e18b9b2977a5d7829a46995015fd5404e8bd99516f5d1d1a5c1224f2ebf6246b53379acf0abdb2e107b801448d769c87d42e0870c390e75084cdf5d511

Download Submit
C:\Windows\{9897614B-7211-4c77-A0F4-39D1E74BDD7F}.exe

Filesize
64KB

MD5
cbb3510273216f07034c9cf5ed27ed9f

SHA1
5fd7b8d7b33c7271aa96c0b8bb4259ba2ba293ad

SHA256
16ca3a7608d670735fbb74c54d7de3525e2343a62ed2264f6b42bac8ead59366

SHA512
fdfe72a97308cee8ddfbf88831143af60ee388bc365cf44c7ff229295c6090baef5d3000d600a5af0c490f7fd870463812b3d851b4fa0320cf282d9aba59d8b5

Download Submit
C:\Windows\{C57E964E-9B6C-42cc-818F-0F1725884121}.exe

Filesize
64KB

MD5
159359531d63f63403cb058a3abc3898

SHA1
5c9cbb6303d8a98825e6233d661e055c68d60174

SHA256
1a3a57d0ee0dffafefa144996336f7c8bf68390f914144155ccfeaada4d0bac0

SHA512
98bd139364a18bc3d58497b9b771ab6750426bd2614c77cb08af7b584f93366b684cd5358a0e2ca18d7a933b2b8418d6301919e253537cffbe58d72273872e92

Download Submit
C:\Windows\{EE8BD355-BB07-4fa5-AAB9-956C90329C70}.exe

Filesize
64KB

MD5
d7d70331437f5fc8a12c0a6580f044d2

SHA1
c42ca31cdf9abd430c20ac99c1a111070b5fb92d

SHA256
b4df05a1bcfd7bb85fc177a8fcb75388444bc296cb27d0bdf23fd218b6188d8b

SHA512
e0294d4cf9d04955682b5015ff2800988ba4d32919e97d367678981afe8ca53c9929a45cea4f7e340e665f08b3823de11f336316cccfcdb5f74cfdc89ba249cd

Download Submit
memory/1292-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1292-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1592-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1592-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1920-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1920-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2396-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2396-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3512-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3512-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3588-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4084-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4084-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4204-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4204-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4440-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4440-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4608-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4672-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4672-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4836-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4836-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads