20dcc246b99894a5389aabf04acf6745b4ac519067bef4ad7f68c90b871a8ad8

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42515bd6245dfc3a5454b45269742b60_exe32.exe
Size

80KB
MD5

42515bd6245dfc3a5454b45269742b60
SHA1

ea5205459d552d7216771e445fd54661fe9db399
SHA256

20dcc246b99894a5389aabf04acf6745b4ac519067bef4ad7f68c90b871a8ad8
SHA512

62f09e5f4d69d4b30528ab2735e9e52ce69acd9be45d31441f98a2258cf68ee81333c6bf1050e59ce9c6b8b319e40012f64510fa1fca7b54fe26afbf79df4bd7
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLro14/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLro14/wQRNrfrunMxVFAi

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}\stubpath = "C:\\Windows\\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe"	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}\stubpath = "C:\\Windows\\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe"	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}	{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2E4E864-25B8-4a4f-AE22-0803FD257897}	{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}	42515bd6245dfc3a5454b45269742b60_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}\stubpath = "C:\\Windows\\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe"	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB65FA6-E391-4084-8BEF-211DBE187034}\stubpath = "C:\\Windows\\{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe"	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}\stubpath = "C:\\Windows\\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe"	{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2E4E864-25B8-4a4f-AE22-0803FD257897}\stubpath = "C:\\Windows\\{E2E4E864-25B8-4a4f-AE22-0803FD257897}.exe"	{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}\stubpath = "C:\\Windows\\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe"	42515bd6245dfc3a5454b45269742b60_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}	{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}	{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}\stubpath = "C:\\Windows\\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe"	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}\stubpath = "C:\\Windows\\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe"	{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB65FA6-E391-4084-8BEF-211DBE187034}	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FA8315-47C4-4136-A930-7546F62EAF8D}	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FA8315-47C4-4136-A930-7546F62EAF8D}\stubpath = "C:\\Windows\\{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe"	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}\stubpath = "C:\\Windows\\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe"	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}\stubpath = "C:\\Windows\\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe"	{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe

Deletes itself 1 IoCs

pid	Process
916	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
2888	{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe
2472	{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe
2864	{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
1504	{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe
1520	{E2E4E864-25B8-4a4f-AE22-0803FD257897}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
File created	C:\Windows\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
File created	C:\Windows\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
File created	C:\Windows\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe	{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe
File created	C:\Windows\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe	{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
File created	C:\Windows\{E2E4E864-25B8-4a4f-AE22-0803FD257897}.exe	{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe
File created	C:\Windows\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	42515bd6245dfc3a5454b45269742b60_exe32.exe
File created	C:\Windows\{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
File created	C:\Windows\{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
File created	C:\Windows\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
File created	C:\Windows\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
File created	C:\Windows\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe	{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe
Token: SeIncBasePriorityPrivilege	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
Token: SeIncBasePriorityPrivilege	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
Token: SeIncBasePriorityPrivilege	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
Token: SeIncBasePriorityPrivilege	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
Token: SeIncBasePriorityPrivilege	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
Token: SeIncBasePriorityPrivilege	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
Token: SeIncBasePriorityPrivilege	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
Token: SeIncBasePriorityPrivilege	2888	{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe
Token: SeIncBasePriorityPrivilege	2472	{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe
Token: SeIncBasePriorityPrivilege	2864	{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
Token: SeIncBasePriorityPrivilege	1504	{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2776	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	29
PID 2088 wrote to memory of 2776	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	29
PID 2088 wrote to memory of 2776	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	29
PID 2088 wrote to memory of 2776	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	29
PID 2088 wrote to memory of 916	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	31
PID 2088 wrote to memory of 916	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	31
PID 2088 wrote to memory of 916	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	31
PID 2088 wrote to memory of 916	2088	42515bd6245dfc3a5454b45269742b60_exe32.exe	31
PID 2776 wrote to memory of 2944	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	32
PID 2776 wrote to memory of 2944	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	32
PID 2776 wrote to memory of 2944	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	32
PID 2776 wrote to memory of 2944	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	32
PID 2776 wrote to memory of 2992	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	33
PID 2776 wrote to memory of 2992	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	33
PID 2776 wrote to memory of 2992	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	33
PID 2776 wrote to memory of 2992	2776	{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe	33
PID 2944 wrote to memory of 840	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	34
PID 2944 wrote to memory of 840	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	34
PID 2944 wrote to memory of 840	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	34
PID 2944 wrote to memory of 840	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	34
PID 2944 wrote to memory of 2936	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	35
PID 2944 wrote to memory of 2936	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	35
PID 2944 wrote to memory of 2936	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	35
PID 2944 wrote to memory of 2936	2944	{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe	35
PID 840 wrote to memory of 2964	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	36
PID 840 wrote to memory of 2964	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	36
PID 840 wrote to memory of 2964	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	36
PID 840 wrote to memory of 2964	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	36
PID 840 wrote to memory of 2588	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	37
PID 840 wrote to memory of 2588	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	37
PID 840 wrote to memory of 2588	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	37
PID 840 wrote to memory of 2588	840	{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe	37
PID 2964 wrote to memory of 2688	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	38
PID 2964 wrote to memory of 2688	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	38
PID 2964 wrote to memory of 2688	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	38
PID 2964 wrote to memory of 2688	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	38
PID 2964 wrote to memory of 2612	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	39
PID 2964 wrote to memory of 2612	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	39
PID 2964 wrote to memory of 2612	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	39
PID 2964 wrote to memory of 2612	2964	{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe	39
PID 2688 wrote to memory of 2736	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	40
PID 2688 wrote to memory of 2736	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	40
PID 2688 wrote to memory of 2736	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	40
PID 2688 wrote to memory of 2736	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	40
PID 2688 wrote to memory of 2468	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	41
PID 2688 wrote to memory of 2468	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	41
PID 2688 wrote to memory of 2468	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	41
PID 2688 wrote to memory of 2468	2688	{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe	41
PID 2736 wrote to memory of 2496	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	42
PID 2736 wrote to memory of 2496	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	42
PID 2736 wrote to memory of 2496	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	42
PID 2736 wrote to memory of 2496	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	42
PID 2736 wrote to memory of 2676	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	43
PID 2736 wrote to memory of 2676	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	43
PID 2736 wrote to memory of 2676	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	43
PID 2736 wrote to memory of 2676	2736	{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe	43
PID 2496 wrote to memory of 2888	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	44
PID 2496 wrote to memory of 2888	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	44
PID 2496 wrote to memory of 2888	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	44
PID 2496 wrote to memory of 2888	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	44
PID 2496 wrote to memory of 2516	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	45
PID 2496 wrote to memory of 2516	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	45
PID 2496 wrote to memory of 2516	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	45
PID 2496 wrote to memory of 2516	2496	{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe	45

C:\Users\Admin\AppData\Local\Temp\42515bd6245dfc3a5454b45269742b60_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\42515bd6245dfc3a5454b45269742b60_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
  C:\Windows\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
    C:\Windows\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
      C:\Windows\{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
        
        C:\Windows\{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
        
        C:\Windows\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
        
        C:\Windows\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
        
        C:\Windows\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe
        
        C:\Windows\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe
        
        C:\Windows\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
        
        C:\Windows\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe
        
        C:\Windows\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\{E2E4E864-25B8-4a4f-AE22-0803FD257897}.exe
        
        C:\Windows\{E2E4E864-25B8-4a4f-AE22-0803FD257897}.exe
        13⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06943~1.EXE > nul
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EC2E~1.EXE > nul
        12⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A67DC~1.EXE > nul
        11⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90EC9~1.EXE > nul
        10⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F50B9~1.EXE > nul
        9⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{188FE~1.EXE > nul
        8⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFAB9~1.EXE > nul
        7⤵
        
        PID:2468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FA8~1.EXE > nul
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CB65~1.EXE > nul
        5⤵
        
        PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF43~1.EXE > nul
      4⤵
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B6CC~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\42515B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe

Filesize
80KB

MD5
841743973d8493673d0df2b29a7b8f80

SHA1
78fc1870cd1b98e4c7f87aea13cf26175dc0a550

SHA256
84d85f9199a0b5d547e0a3b9695038492e0e53ea93429288c9ba983c6a3ae2e4

SHA512
1cd468b8d76e47d45754bcbbf8da1e5169822903c66d4acb29354001a375bb132bd9a9224c254b3806af7cd3a24eb9b797b8314425a0743ee5b94f1a839a8e7f

Download Submit
C:\Windows\{06943388-C5FC-4849-BA9F-04EBBD11DBEF}.exe

Filesize
80KB

MD5
841743973d8493673d0df2b29a7b8f80

SHA1
78fc1870cd1b98e4c7f87aea13cf26175dc0a550

SHA256
84d85f9199a0b5d547e0a3b9695038492e0e53ea93429288c9ba983c6a3ae2e4

SHA512
1cd468b8d76e47d45754bcbbf8da1e5169822903c66d4acb29354001a375bb132bd9a9224c254b3806af7cd3a24eb9b797b8314425a0743ee5b94f1a839a8e7f

Download Submit
C:\Windows\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe

Filesize
80KB

MD5
2f7318ae0d0055ab6f0bc2e84809b38d

SHA1
d44fbacd03c07b489a31b7fd895409c3b0d97466

SHA256
bfb0b61bf9b5f4fd74204a513fa34021e3c88e26464d9c2b215366897407e054

SHA512
36958b53ed8bfebc5e23f7ca60934f5f6e7da16c1e738b0c1ae9e8de37a77a10061fe7a7a925029490df5671e537ea3d063873ab95cde18f5746953429930f33

Download Submit
C:\Windows\{188FEC72-388E-49fe-8580-DF2BF7EE14BE}.exe

Filesize
80KB

MD5
2f7318ae0d0055ab6f0bc2e84809b38d

SHA1
d44fbacd03c07b489a31b7fd895409c3b0d97466

SHA256
bfb0b61bf9b5f4fd74204a513fa34021e3c88e26464d9c2b215366897407e054

SHA512
36958b53ed8bfebc5e23f7ca60934f5f6e7da16c1e738b0c1ae9e8de37a77a10061fe7a7a925029490df5671e537ea3d063873ab95cde18f5746953429930f33

Download Submit
C:\Windows\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe

Filesize
80KB

MD5
3a6a939b8c0ab4ebcc60d5f4ac05ccd0

SHA1
4cc397dafab1923720275665d4e31bee711036d1

SHA256
f5c56c421256a7990dcb0406bb459175d6e5382c05a2f7e1eec094ed2cf3ee53

SHA512
4f3c54e8220d71f7adf3680b4d6dd47fb530feed30eb7fbdbb102c59e68102dd7c74707f3a1d1f388a850f3f8cc693d088067f3eaad83b3d7be2fa4ff71c5154

Download Submit
C:\Windows\{4CF43BA4-BFAC-42f5-BDD2-0EEE1D405527}.exe

Filesize
80KB

MD5
3a6a939b8c0ab4ebcc60d5f4ac05ccd0

SHA1
4cc397dafab1923720275665d4e31bee711036d1

SHA256
f5c56c421256a7990dcb0406bb459175d6e5382c05a2f7e1eec094ed2cf3ee53

SHA512
4f3c54e8220d71f7adf3680b4d6dd47fb530feed30eb7fbdbb102c59e68102dd7c74707f3a1d1f388a850f3f8cc693d088067f3eaad83b3d7be2fa4ff71c5154

Download Submit
C:\Windows\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe

Filesize
80KB

MD5
335ad9663b170f8957d775da16887265

SHA1
ba60ccc4853107d04283233dab6202f2639d25dc

SHA256
ff4112c3e27c7fb38d974a39ecd47951371335f40ceae4286b8b155f447284a7

SHA512
2e11eaed4f957f58f5466222b7eaf102e6a64c6e208761f4c030e20af5dc2fa06aa61c1ab9bc837af7a45fc78ae5d242ce65befe720f2ee01c85c4aed8b8a825

Download Submit
C:\Windows\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe

Filesize
80KB

MD5
335ad9663b170f8957d775da16887265

SHA1
ba60ccc4853107d04283233dab6202f2639d25dc

SHA256
ff4112c3e27c7fb38d974a39ecd47951371335f40ceae4286b8b155f447284a7

SHA512
2e11eaed4f957f58f5466222b7eaf102e6a64c6e208761f4c030e20af5dc2fa06aa61c1ab9bc837af7a45fc78ae5d242ce65befe720f2ee01c85c4aed8b8a825

Download Submit
C:\Windows\{5B6CC3F5-5A4B-4142-AFE5-215F710F4918}.exe

Filesize
80KB

MD5
335ad9663b170f8957d775da16887265

SHA1
ba60ccc4853107d04283233dab6202f2639d25dc

SHA256
ff4112c3e27c7fb38d974a39ecd47951371335f40ceae4286b8b155f447284a7

SHA512
2e11eaed4f957f58f5466222b7eaf102e6a64c6e208761f4c030e20af5dc2fa06aa61c1ab9bc837af7a45fc78ae5d242ce65befe720f2ee01c85c4aed8b8a825

Download Submit
C:\Windows\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe

Filesize
80KB

MD5
8d8def8f0180e835fdd3d58e97a30806

SHA1
d9ba8d71067815ba53f8cb4d57e3e9ed79056ad6

SHA256
0ab380c403464a326fb5022f3e1a14e92108daa0db5177d89a46a3bb2f65a5c4

SHA512
5d625ffd48613ee4b03bf565bb7a3c53eb98fb9869ccd531326a48a0822b1f56bb218159ae5e2e34ffe73a3cb6874a499fffac0fd144e4fe2cbf49cc1bb762a7

Download Submit
C:\Windows\{8EC2ECD7-9C55-45cf-8C0A-964B85CFE26F}.exe

Filesize
80KB

MD5
8d8def8f0180e835fdd3d58e97a30806

SHA1
d9ba8d71067815ba53f8cb4d57e3e9ed79056ad6

SHA256
0ab380c403464a326fb5022f3e1a14e92108daa0db5177d89a46a3bb2f65a5c4

SHA512
5d625ffd48613ee4b03bf565bb7a3c53eb98fb9869ccd531326a48a0822b1f56bb218159ae5e2e34ffe73a3cb6874a499fffac0fd144e4fe2cbf49cc1bb762a7

Download Submit
C:\Windows\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe

Filesize
80KB

MD5
bce26d3215ee880b7c12d3a82a01241f

SHA1
9269d7bde8cf372c7ffd7269a85d72fd2c6bccee

SHA256
f875df61f4a9029ec4c9c8be7f4f30318c14d20a56438b5fdea0622c0cd4222d

SHA512
ba9d1f3c350d08bf95de9cdb93c4cb926c1fc1373dcfc1b285d1fd382261e27590d852349d95b548f81a79b6c8e5026f9277d8061fa89c6944417efe3a2141fa

Download Submit
C:\Windows\{90EC9701-6D70-4a47-9D1F-0CE5AA3FBB9C}.exe

Filesize
80KB

MD5
bce26d3215ee880b7c12d3a82a01241f

SHA1
9269d7bde8cf372c7ffd7269a85d72fd2c6bccee

SHA256
f875df61f4a9029ec4c9c8be7f4f30318c14d20a56438b5fdea0622c0cd4222d

SHA512
ba9d1f3c350d08bf95de9cdb93c4cb926c1fc1373dcfc1b285d1fd382261e27590d852349d95b548f81a79b6c8e5026f9277d8061fa89c6944417efe3a2141fa

Download Submit
C:\Windows\{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe

Filesize
80KB

MD5
47f97e58348c6a5cfa6015e54e3871f1

SHA1
03b9ddea042712345ebb4382fb8b53aa8482da6a

SHA256
5bc71ee803f718626800232d04c08fb2af225ada4a1b852bbe828752936caa84

SHA512
5c13131133ab2e51dca5e5ad088d0a655772f9f9e84dbdba6a745961866e0d9c1bd7319f5102096db803f3de347744fbee00d9ebace7bb0d73af03c1f8feed5f

Download Submit
C:\Windows\{9CB65FA6-E391-4084-8BEF-211DBE187034}.exe

Filesize
80KB

MD5
47f97e58348c6a5cfa6015e54e3871f1

SHA1
03b9ddea042712345ebb4382fb8b53aa8482da6a

SHA256
5bc71ee803f718626800232d04c08fb2af225ada4a1b852bbe828752936caa84

SHA512
5c13131133ab2e51dca5e5ad088d0a655772f9f9e84dbdba6a745961866e0d9c1bd7319f5102096db803f3de347744fbee00d9ebace7bb0d73af03c1f8feed5f

Download Submit
C:\Windows\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe

Filesize
80KB

MD5
475663b607ef6332c90a86f29611cd36

SHA1
fa0a2a1e690057538bfe156092d0c1dea1c6bbc4

SHA256
4cd2f453b65d053dc408a28c13c3a64a80da0f7c6281377198e835ea4f851477

SHA512
f7ace078d339a383ad359f3df2482b1ddf9c7e7e123d0181a602c57b8cc52011e5c6e77863c0b0ec7ebd24d2b4ef193ba91db3f2c8c14ba8f167c82ffaad85d1

Download Submit
C:\Windows\{A67DCA5F-82C0-4854-B1BB-B6A314DF1B19}.exe

Filesize
80KB

MD5
475663b607ef6332c90a86f29611cd36

SHA1
fa0a2a1e690057538bfe156092d0c1dea1c6bbc4

SHA256
4cd2f453b65d053dc408a28c13c3a64a80da0f7c6281377198e835ea4f851477

SHA512
f7ace078d339a383ad359f3df2482b1ddf9c7e7e123d0181a602c57b8cc52011e5c6e77863c0b0ec7ebd24d2b4ef193ba91db3f2c8c14ba8f167c82ffaad85d1

Download Submit
C:\Windows\{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe

Filesize
80KB

MD5
4fc277d075f7b574d8a31f2f77592b8b

SHA1
01959d0a50b390bdce4500f5a6b55d9d3505ed7c

SHA256
824d85e03f7ad4b0b020b801ba6ebd344fadcbee1cc90cb8c7c2f3f60dd0674b

SHA512
a6a798769d5d0154bab7f155973e026602170dcef924b29f8feecfc74ada200f47fe36259441441b3ab6e91f613029270002daf3c5157c33132010480e404d6b

Download Submit
C:\Windows\{C6FA8315-47C4-4136-A930-7546F62EAF8D}.exe

Filesize
80KB

MD5
4fc277d075f7b574d8a31f2f77592b8b

SHA1
01959d0a50b390bdce4500f5a6b55d9d3505ed7c

SHA256
824d85e03f7ad4b0b020b801ba6ebd344fadcbee1cc90cb8c7c2f3f60dd0674b

SHA512
a6a798769d5d0154bab7f155973e026602170dcef924b29f8feecfc74ada200f47fe36259441441b3ab6e91f613029270002daf3c5157c33132010480e404d6b

Download Submit
C:\Windows\{E2E4E864-25B8-4a4f-AE22-0803FD257897}.exe

Filesize
80KB

MD5
f9dc6abe479d8eb0dc3fbee118dc3662

SHA1
72aa8e8fc9e75bc944fb55cb5068a9e830211547

SHA256
c5f84e1df93721d74eb258c853928bbf3e4fb864bd0561f67d9b269118853a1d

SHA512
6b8545a8733b56d69cf86bc1e5daf84d89ceaa5c54ce7172831d4bcffae3e1ca9b132c96bd7161d1ac5f2956ed851e6a93915fd3d456ed01a31563a556e95e09

Download Submit
C:\Windows\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe

Filesize
80KB

MD5
570ecf73894c28b068f2e0f6a62992db

SHA1
0f58900bb5c7938fb569b8059d74b8ffe033e376

SHA256
a1a2be6cf40dbe072aed381aba351ac33753fa847cf8f2b1b96300164ed265f2

SHA512
aff7d273b3456ab720d71e829e06a881e18fd1d2acca6474bc7160e65e4deb2fa126c8108717705c72f1cf9f81160fd2b964d74acadd9c54314756286eb72200

Download Submit
C:\Windows\{F50B96F0-8615-4991-BFB2-FCC4E455DA10}.exe

Filesize
80KB

MD5
570ecf73894c28b068f2e0f6a62992db

SHA1
0f58900bb5c7938fb569b8059d74b8ffe033e376

SHA256
a1a2be6cf40dbe072aed381aba351ac33753fa847cf8f2b1b96300164ed265f2

SHA512
aff7d273b3456ab720d71e829e06a881e18fd1d2acca6474bc7160e65e4deb2fa126c8108717705c72f1cf9f81160fd2b964d74acadd9c54314756286eb72200

Download Submit
C:\Windows\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe

Filesize
80KB

MD5
f86b7ea84598caedb4b75f716d28107a

SHA1
bbc4a23f0ed6ca135cba23cbf59e67ad2200461a

SHA256
e1f4cd50d2868142f47d0fbf29904670e3975b5d18c4ecca83a5a5325c1322f9

SHA512
045b2d371cc68b732e8f3d953220fcf349089e2c2b1dec5aad9ff35bf04cab2f1d73d8af7fd26628a624659ade81f61e7e53e9cb32df8766f5962df6f49d5c18

Download Submit
C:\Windows\{FFAB94F6-D61C-4352-9AE3-B1E9B975352B}.exe

Filesize
80KB

MD5
f86b7ea84598caedb4b75f716d28107a

SHA1
bbc4a23f0ed6ca135cba23cbf59e67ad2200461a

SHA256
e1f4cd50d2868142f47d0fbf29904670e3975b5d18c4ecca83a5a5325c1322f9

SHA512
045b2d371cc68b732e8f3d953220fcf349089e2c2b1dec5aad9ff35bf04cab2f1d73d8af7fd26628a624659ade81f61e7e53e9cb32df8766f5962df6f49d5c18

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads