18f19d6a088cbbd34c7746594567cf6057917fe76ad39d51d8d44661ddb7cd57

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Size

168KB
MD5

400bb9c62735a23a3d4fa824e949cc30
SHA1

997e89d83cd568a4dfbdcbaca078c56573794f66
SHA256

18f19d6a088cbbd34c7746594567cf6057917fe76ad39d51d8d44661ddb7cd57
SHA512

e7a56cbc4612834021ffcce7ae94adf5d204792384aa1f050a956d6659b0282f13840020a3e7dcf666c42835e5d5df62939c2ff151ab33a2400ccd44bc6d02f5
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwoZ4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLro64/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}\stubpath = "C:\\Windows\\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}.exe"	{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A962E4F3-A9CA-439d-B013-29DAC5A91104}\stubpath = "C:\\Windows\\{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe"	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}\stubpath = "C:\\Windows\\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe"	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{352D8ABD-C531-4365-83BC-F98AF8622A5E}\stubpath = "C:\\Windows\\{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe"	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D849077-9B83-484f-AF00-EC56F2AF110C}\stubpath = "C:\\Windows\\{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe"	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}\stubpath = "C:\\Windows\\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe"	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8804189-CCB9-4757-86ED-48267F5A995B}	{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}	{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}\stubpath = "C:\\Windows\\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe"	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C633FC6B-3463-4454-A276-68D5D268B7B6}	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}\stubpath = "C:\\Windows\\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe"	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{352D8ABD-C531-4365-83BC-F98AF8622A5E}	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92725794-90B2-46fb-A28D-A5E2A809921B}	{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92725794-90B2-46fb-A28D-A5E2A809921B}\stubpath = "C:\\Windows\\{92725794-90B2-46fb-A28D-A5E2A809921B}.exe"	{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8804189-CCB9-4757-86ED-48267F5A995B}\stubpath = "C:\\Windows\\{C8804189-CCB9-4757-86ED-48267F5A995B}.exe"	{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}\stubpath = "C:\\Windows\\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe"	{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C633FC6B-3463-4454-A276-68D5D268B7B6}\stubpath = "C:\\Windows\\{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe"	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A962E4F3-A9CA-439d-B013-29DAC5A91104}	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}	{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D849077-9B83-484f-AF00-EC56F2AF110C}	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe

Deletes itself 1 IoCs

pid	Process
1816	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe
2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe
2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
2852	{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
1280	{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
2176	{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
2004	{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe
2568	{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}.exe	{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe
File created	C:\Windows\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
File created	C:\Windows\{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe
File created	C:\Windows\{C8804189-CCB9-4757-86ED-48267F5A995B}.exe	{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
File created	C:\Windows\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe	{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
File created	C:\Windows\{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
File created	C:\Windows\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
File created	C:\Windows\{92725794-90B2-46fb-A28D-A5E2A809921B}.exe	{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
File created	C:\Windows\{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
File created	C:\Windows\{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
File created	C:\Windows\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
File created	C:\Windows\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Token: SeIncBasePriorityPrivilege	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
Token: SeIncBasePriorityPrivilege	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
Token: SeIncBasePriorityPrivilege	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
Token: SeIncBasePriorityPrivilege	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe
Token: SeIncBasePriorityPrivilege	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe
Token: SeIncBasePriorityPrivilege	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
Token: SeIncBasePriorityPrivilege	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
Token: SeIncBasePriorityPrivilege	2852	{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
Token: SeIncBasePriorityPrivilege	1280	{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
Token: SeIncBasePriorityPrivilege	2176	{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
Token: SeIncBasePriorityPrivilege	2004	{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2248	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	28
PID 1988 wrote to memory of 2248	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	28
PID 1988 wrote to memory of 2248	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	28
PID 1988 wrote to memory of 2248	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	28
PID 1988 wrote to memory of 1816	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	29
PID 1988 wrote to memory of 1816	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	29
PID 1988 wrote to memory of 1816	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	29
PID 1988 wrote to memory of 1816	1988	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	29
PID 2248 wrote to memory of 2640	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	32
PID 2248 wrote to memory of 2640	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	32
PID 2248 wrote to memory of 2640	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	32
PID 2248 wrote to memory of 2640	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	32
PID 2248 wrote to memory of 2776	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	33
PID 2248 wrote to memory of 2776	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	33
PID 2248 wrote to memory of 2776	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	33
PID 2248 wrote to memory of 2776	2248	{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe	33
PID 2640 wrote to memory of 2676	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	34
PID 2640 wrote to memory of 2676	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	34
PID 2640 wrote to memory of 2676	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	34
PID 2640 wrote to memory of 2676	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	34
PID 2640 wrote to memory of 2544	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	35
PID 2640 wrote to memory of 2544	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	35
PID 2640 wrote to memory of 2544	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	35
PID 2640 wrote to memory of 2544	2640	{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe	35
PID 2676 wrote to memory of 3036	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	36
PID 2676 wrote to memory of 3036	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	36
PID 2676 wrote to memory of 3036	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	36
PID 2676 wrote to memory of 3036	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	36
PID 2676 wrote to memory of 2684	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	37
PID 2676 wrote to memory of 2684	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	37
PID 2676 wrote to memory of 2684	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	37
PID 2676 wrote to memory of 2684	2676	{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe	37
PID 3036 wrote to memory of 2516	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	38
PID 3036 wrote to memory of 2516	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	38
PID 3036 wrote to memory of 2516	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	38
PID 3036 wrote to memory of 2516	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	38
PID 3036 wrote to memory of 2548	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	39
PID 3036 wrote to memory of 2548	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	39
PID 3036 wrote to memory of 2548	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	39
PID 3036 wrote to memory of 2548	3036	{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe	39
PID 2516 wrote to memory of 2592	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	40
PID 2516 wrote to memory of 2592	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	40
PID 2516 wrote to memory of 2592	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	40
PID 2516 wrote to memory of 2592	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	40
PID 2516 wrote to memory of 2560	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	41
PID 2516 wrote to memory of 2560	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	41
PID 2516 wrote to memory of 2560	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	41
PID 2516 wrote to memory of 2560	2516	{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe	41
PID 2592 wrote to memory of 3004	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	42
PID 2592 wrote to memory of 3004	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	42
PID 2592 wrote to memory of 3004	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	42
PID 2592 wrote to memory of 3004	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	42
PID 2592 wrote to memory of 1924	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	43
PID 2592 wrote to memory of 1924	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	43
PID 2592 wrote to memory of 1924	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	43
PID 2592 wrote to memory of 1924	2592	{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe	43
PID 3004 wrote to memory of 2852	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	44
PID 3004 wrote to memory of 2852	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	44
PID 3004 wrote to memory of 2852	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	44
PID 3004 wrote to memory of 2852	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	44
PID 3004 wrote to memory of 2900	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	45
PID 3004 wrote to memory of 2900	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	45
PID 3004 wrote to memory of 2900	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	45
PID 3004 wrote to memory of 2900	3004	{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe	45

C:\Users\Admin\AppData\Local\Temp\400bb9c62735a23a3d4fa824e949cc30_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\400bb9c62735a23a3d4fa824e949cc30_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
  C:\Windows\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
    C:\Windows\{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
      C:\Windows\{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe
        
        C:\Windows\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe
        
        C:\Windows\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
        
        C:\Windows\{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
        
        C:\Windows\{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
        
        C:\Windows\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
        
        C:\Windows\{92725794-90B2-46fb-A28D-A5E2A809921B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
        
        C:\Windows\{C8804189-CCB9-4757-86ED-48267F5A995B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe
        
        C:\Windows\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}.exe
        
        C:\Windows\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}.exe
        13⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12FF7~1.EXE > nul
        13⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8804~1.EXE > nul
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92725~1.EXE > nul
        11⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{348F7~1.EXE > nul
        10⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{352D8~1.EXE > nul
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D849~1.EXE > nul
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3A32~1.EXE > nul
        7⤵
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B75~1.EXE > nul
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A962E~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C633F~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6EC~1.EXE > nul
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\400BB9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe

Filesize
168KB

MD5
6fea918b938a2e422eebfccda72db3a8

SHA1
40f919995f1d27954f3d6107e7df4dcb8a51ac04

SHA256
47eb97dce2433824b597358991d3de72d1225f5a7fd942e424c71e5c7e0fa6a4

SHA512
62ee4dd5e9b46704bcffa5acd84109ca62cb245c41c0e9c3cc891dc1cfd2e5706ddbfccf05f95b407ca9e839e581667d724957e137d52ffd033164adda133134

Download Submit
C:\Windows\{12FF7E76-FEA0-43d1-A097-3CCEADF33D41}.exe

Filesize
168KB

MD5
6fea918b938a2e422eebfccda72db3a8

SHA1
40f919995f1d27954f3d6107e7df4dcb8a51ac04

SHA256
47eb97dce2433824b597358991d3de72d1225f5a7fd942e424c71e5c7e0fa6a4

SHA512
62ee4dd5e9b46704bcffa5acd84109ca62cb245c41c0e9c3cc891dc1cfd2e5706ddbfccf05f95b407ca9e839e581667d724957e137d52ffd033164adda133134

Download Submit
C:\Windows\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe

Filesize
168KB

MD5
94ead42ef6b3e2ed8f053c4df57311f5

SHA1
ccf7097074e45994effcbca741a714a96a2e0e10

SHA256
f353655244e383a97437fae7b7b0023238aa77784ac7d6c5c51223fe72e688c7

SHA512
7dd08e946e61b1e9e1dbfd430d62e26b19dd6caafac7216b14c296a901d71c17ca93987924d1fa0c191e8b5338d17084acab4faf8ecb6a2c7e2ee5f18f004c7d

Download Submit
C:\Windows\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe

Filesize
168KB

MD5
94ead42ef6b3e2ed8f053c4df57311f5

SHA1
ccf7097074e45994effcbca741a714a96a2e0e10

SHA256
f353655244e383a97437fae7b7b0023238aa77784ac7d6c5c51223fe72e688c7

SHA512
7dd08e946e61b1e9e1dbfd430d62e26b19dd6caafac7216b14c296a901d71c17ca93987924d1fa0c191e8b5338d17084acab4faf8ecb6a2c7e2ee5f18f004c7d

Download Submit
C:\Windows\{1A6EC5C4-6487-4f94-8490-B1CD00B8306D}.exe

Filesize
168KB

MD5
94ead42ef6b3e2ed8f053c4df57311f5

SHA1
ccf7097074e45994effcbca741a714a96a2e0e10

SHA256
f353655244e383a97437fae7b7b0023238aa77784ac7d6c5c51223fe72e688c7

SHA512
7dd08e946e61b1e9e1dbfd430d62e26b19dd6caafac7216b14c296a901d71c17ca93987924d1fa0c191e8b5338d17084acab4faf8ecb6a2c7e2ee5f18f004c7d

Download Submit
C:\Windows\{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe

Filesize
168KB

MD5
cf993cdea67ffb75a31fd93a71eead55

SHA1
c64720bee6430650845ea82510d50088684f71f3

SHA256
40228b208aae91844cbb8feb817e5e2ca77421684b0b3764d0fd45730af67bfe

SHA512
10136ed5a20ec163e8f779de7cfb02b12e2f424260ff3c361a422a102cefa2544501a5d3dc830cd97d28e70f7b9afc6b413102d36e9febc4682c759cd897136d

Download Submit
C:\Windows\{2D849077-9B83-484f-AF00-EC56F2AF110C}.exe

Filesize
168KB

MD5
cf993cdea67ffb75a31fd93a71eead55

SHA1
c64720bee6430650845ea82510d50088684f71f3

SHA256
40228b208aae91844cbb8feb817e5e2ca77421684b0b3764d0fd45730af67bfe

SHA512
10136ed5a20ec163e8f779de7cfb02b12e2f424260ff3c361a422a102cefa2544501a5d3dc830cd97d28e70f7b9afc6b413102d36e9febc4682c759cd897136d

Download Submit
C:\Windows\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe

Filesize
168KB

MD5
5f0303c28444dd715ed4ef2a20586b5e

SHA1
c4aef79ea5f60a200d899411fe09da12035645aa

SHA256
778979494ab82618174df68341c1e2326de6b76816fb6d3d45b5b20c6ce06234

SHA512
7ad07d2b1e4501618b1d43fd57cba0922e89968adc8b2b8a8b5ab559b7c9617524dd2bfb856ee8bf7db700384454b3cdd2e3f2c175a984d4fa38923ffb568867

Download Submit
C:\Windows\{348F7956-A2F9-4a94-A7D0-F2A68EAB37CF}.exe

Filesize
168KB

MD5
5f0303c28444dd715ed4ef2a20586b5e

SHA1
c4aef79ea5f60a200d899411fe09da12035645aa

SHA256
778979494ab82618174df68341c1e2326de6b76816fb6d3d45b5b20c6ce06234

SHA512
7ad07d2b1e4501618b1d43fd57cba0922e89968adc8b2b8a8b5ab559b7c9617524dd2bfb856ee8bf7db700384454b3cdd2e3f2c175a984d4fa38923ffb568867

Download Submit
C:\Windows\{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe

Filesize
168KB

MD5
03175f0240e54650a2d878cdfb0d058a

SHA1
8eaa6dcbf213c079909d6c289b761feb5a17bf02

SHA256
52972e2154a801650e3fd97686035c0bdc9ac24e712c4bde30b5dc7d85cecae4

SHA512
75a1b987172b8a128ebf1708fed452a65e799cb6609023420d67ea277d8423f9412a262cdb1e003289e8cb6dc73d47c0a230b6cfbe91879fbee44b218f0ee438

Download Submit
C:\Windows\{352D8ABD-C531-4365-83BC-F98AF8622A5E}.exe

Filesize
168KB

MD5
03175f0240e54650a2d878cdfb0d058a

SHA1
8eaa6dcbf213c079909d6c289b761feb5a17bf02

SHA256
52972e2154a801650e3fd97686035c0bdc9ac24e712c4bde30b5dc7d85cecae4

SHA512
75a1b987172b8a128ebf1708fed452a65e799cb6609023420d67ea277d8423f9412a262cdb1e003289e8cb6dc73d47c0a230b6cfbe91879fbee44b218f0ee438

Download Submit
C:\Windows\{81EDE4D2-E96F-403e-ADF8-45D2B49FB123}.exe

Filesize
168KB

MD5
9e31176f6329fc03e47c4dcbcd09352d

SHA1
5c74c98dfa5fb2cf50b0179e137166af7397c024

SHA256
41ecc6ce0cdfeb4cc775e8acc694293b61ef77dd17fd348d05b7157c14c9f589

SHA512
606c7faf832bd8d17917da065364b3268a5cdadd795869d969eaf184742ee312f91bdf4ef03ad13526246083c8f7b0671ddcede1a903f8a6c40eddebf2b2ee80

Download Submit
C:\Windows\{92725794-90B2-46fb-A28D-A5E2A809921B}.exe

Filesize
168KB

MD5
04fbabcb0357e4205916f5d4232691bf

SHA1
65a1bce5fffda4a884fedf1fc87a5946ae517e1a

SHA256
b4c03f591b072aed62197ac7d8455ae357b5aa22493dede1e61dd3cc3ac00f62

SHA512
2b21c2b184acbf20db16d03e77a96a6896a24f18e5d149b4f78bccc9fa5931d587017de2b42a16eb3f16c0af42efb8632fc0c8edc037c48d9155b464feb33913

Download Submit
C:\Windows\{92725794-90B2-46fb-A28D-A5E2A809921B}.exe

Filesize
168KB

MD5
04fbabcb0357e4205916f5d4232691bf

SHA1
65a1bce5fffda4a884fedf1fc87a5946ae517e1a

SHA256
b4c03f591b072aed62197ac7d8455ae357b5aa22493dede1e61dd3cc3ac00f62

SHA512
2b21c2b184acbf20db16d03e77a96a6896a24f18e5d149b4f78bccc9fa5931d587017de2b42a16eb3f16c0af42efb8632fc0c8edc037c48d9155b464feb33913

Download Submit
C:\Windows\{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe

Filesize
168KB

MD5
df81b7a081133d6cbd89e532e50b4747

SHA1
9eff84152bb437d4f1fa4bb0053b5976d8e9334d

SHA256
582d58780150c979af712b6f3c2b0f6420430001987db8456f7fd884fad7abc6

SHA512
791db1796a949d06bd6696e291bf3ae9911a6cf249a57e300c7177ec06ae330b3de7f9c51b0cf49d9b197dd811e12177d4b679b7930bbb6f1dc250cf124b9e2c

Download Submit
C:\Windows\{A962E4F3-A9CA-439d-B013-29DAC5A91104}.exe

Filesize
168KB

MD5
df81b7a081133d6cbd89e532e50b4747

SHA1
9eff84152bb437d4f1fa4bb0053b5976d8e9334d

SHA256
582d58780150c979af712b6f3c2b0f6420430001987db8456f7fd884fad7abc6

SHA512
791db1796a949d06bd6696e291bf3ae9911a6cf249a57e300c7177ec06ae330b3de7f9c51b0cf49d9b197dd811e12177d4b679b7930bbb6f1dc250cf124b9e2c

Download Submit
C:\Windows\{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe

Filesize
168KB

MD5
74bc7983374dd2ecfa8ad886b0cd25f4

SHA1
a5f93500aedfad9043b37f7006b60138235edd8f

SHA256
6cc4bcf4a81c96464e83014771cc03339c4e8ae8a19febaf20d2ea0dc2532038

SHA512
84a54aab642e9290ae22779d44c1838662b2a46c0ba33caceff528e66d6cde5b6f4f78cf4213e518cf7d11fbf355c41af8dc3068b3b91ed164d34e3ec7e03a56

Download Submit
C:\Windows\{C633FC6B-3463-4454-A276-68D5D268B7B6}.exe

Filesize
168KB

MD5
74bc7983374dd2ecfa8ad886b0cd25f4

SHA1
a5f93500aedfad9043b37f7006b60138235edd8f

SHA256
6cc4bcf4a81c96464e83014771cc03339c4e8ae8a19febaf20d2ea0dc2532038

SHA512
84a54aab642e9290ae22779d44c1838662b2a46c0ba33caceff528e66d6cde5b6f4f78cf4213e518cf7d11fbf355c41af8dc3068b3b91ed164d34e3ec7e03a56

Download Submit
C:\Windows\{C8804189-CCB9-4757-86ED-48267F5A995B}.exe

Filesize
168KB

MD5
864cd1999bd8f467b078df63fa4a260f

SHA1
a076e1694129eab4ccf08ed789060a303e2f98ef

SHA256
0e41df8593cb44c168ee8dec472fe4224b00219e9ae1381d02365598d097ffc5

SHA512
666da20a52e67da03310cdcab791976598f968e9555ad4f47b04f1f4cd6a1bd069a4efc158bcde4d450da30a51dc42847d6fa6d73cd22aab89ec04b8e383b22c

Download Submit
C:\Windows\{C8804189-CCB9-4757-86ED-48267F5A995B}.exe

Filesize
168KB

MD5
864cd1999bd8f467b078df63fa4a260f

SHA1
a076e1694129eab4ccf08ed789060a303e2f98ef

SHA256
0e41df8593cb44c168ee8dec472fe4224b00219e9ae1381d02365598d097ffc5

SHA512
666da20a52e67da03310cdcab791976598f968e9555ad4f47b04f1f4cd6a1bd069a4efc158bcde4d450da30a51dc42847d6fa6d73cd22aab89ec04b8e383b22c

Download Submit
C:\Windows\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe

Filesize
168KB

MD5
9c59301f6f6d2b2ecd0e1b24cbc547fc

SHA1
d488e8f6e3403be61cb0aa2162b6a101728bf834

SHA256
9b09100d2078a0f59702b2646cc9d39c4b83ceb92a9e6f99314b7f6692460ed6

SHA512
5d4213e543a95e0cd1b88023613e6f1cc1eb863bb0978c323f0d5610bc671932f2ddf8785733be8f7f8163b21f6e12936ccdffc87d574ea688c66ea2244ed484

Download Submit
C:\Windows\{D3A3270C-C8BD-4966-AEEF-D3F76183A6E4}.exe

Filesize
168KB

MD5
9c59301f6f6d2b2ecd0e1b24cbc547fc

SHA1
d488e8f6e3403be61cb0aa2162b6a101728bf834

SHA256
9b09100d2078a0f59702b2646cc9d39c4b83ceb92a9e6f99314b7f6692460ed6

SHA512
5d4213e543a95e0cd1b88023613e6f1cc1eb863bb0978c323f0d5610bc671932f2ddf8785733be8f7f8163b21f6e12936ccdffc87d574ea688c66ea2244ed484

Download Submit
C:\Windows\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe

Filesize
168KB

MD5
076501ec984f1102f6e99215103821da

SHA1
bc5536b25b76675c0383551cd19ad0c068dc00e6

SHA256
2a08a434b0ed412db36d7c4325ba2916e4a878028facf13becd06ab4e14b26f1

SHA512
c1a77b60028634b1d9b975f7ea5749398afe1cbfab5b924c1d7ef7069ad5eaca2b9d7d09513b48000dce3010ab436fb5c827917ae0f4eddcf9c6d81f9d3c6439

Download Submit
C:\Windows\{F9B75607-2A0C-4c9e-8A0F-931F0B7D8A20}.exe

Filesize
168KB

MD5
076501ec984f1102f6e99215103821da

SHA1
bc5536b25b76675c0383551cd19ad0c068dc00e6

SHA256
2a08a434b0ed412db36d7c4325ba2916e4a878028facf13becd06ab4e14b26f1

SHA512
c1a77b60028634b1d9b975f7ea5749398afe1cbfab5b924c1d7ef7069ad5eaca2b9d7d09513b48000dce3010ab436fb5c827917ae0f4eddcf9c6d81f9d3c6439

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads