88814c8b8dd2adb27dc732fbb6aed30464738c5cbc028fe0ba32c06ca7cad868

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Size

103KB
MD5

c06d57218ad65d7cb759b1cc663e5260
SHA1

fa7fa0bb896ef65c4308678913a5b2f1e78848e6
SHA256

88814c8b8dd2adb27dc732fbb6aed30464738c5cbc028fe0ba32c06ca7cad868
SHA512

a13ef86ba56952ecfc90c7ce0f4a20039434304cd20f7723580ebf3c695db09d5162916bf631c8822e7d09c0fee864ad11bbebe6d1cd62dedfeac5b7e7977fa3
SSDEEP

768:Qvw9816vhKQLroF4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0oFl2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D214650-3C20-477f-A537-A11508B92C89}	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}	{1D214650-3C20-477f-A537-A11508B92C89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E570D24C-7D3F-41c2-A240-49C44A7B3530}	{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}\stubpath = "C:\\Windows\\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe"	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}\stubpath = "C:\\Windows\\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe"	{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}	{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}\stubpath = "C:\\Windows\\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}.exe"	{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}\stubpath = "C:\\Windows\\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe"	{1D214650-3C20-477f-A537-A11508B92C89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E1B221-7C89-4b57-937B-083B6CEBA510}	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E1B221-7C89-4b57-937B-083B6CEBA510}\stubpath = "C:\\Windows\\{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe"	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}\stubpath = "C:\\Windows\\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe"	{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}	{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}\stubpath = "C:\\Windows\\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe"	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D214650-3C20-477f-A537-A11508B92C89}\stubpath = "C:\\Windows\\{1D214650-3C20-477f-A537-A11508B92C89}.exe"	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}\stubpath = "C:\\Windows\\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe"	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}	{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E570D24C-7D3F-41c2-A240-49C44A7B3530}\stubpath = "C:\\Windows\\{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe"	{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}\stubpath = "C:\\Windows\\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe"	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}\stubpath = "C:\\Windows\\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe"	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe
3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe
2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe
1748	{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
2736	{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
672	{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
1664	{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe
1716	{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe	{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
File created	C:\Windows\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}.exe	{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe
File created	C:\Windows\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
File created	C:\Windows\{1D214650-3C20-477f-A537-A11508B92C89}.exe	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
File created	C:\Windows\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe
File created	C:\Windows\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
File created	C:\Windows\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe	{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
File created	C:\Windows\{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe	{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
File created	C:\Windows\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	{1D214650-3C20-477f-A537-A11508B92C89}.exe
File created	C:\Windows\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
File created	C:\Windows\{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
File created	C:\Windows\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Token: SeIncBasePriorityPrivilege	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
Token: SeIncBasePriorityPrivilege	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe
Token: SeIncBasePriorityPrivilege	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
Token: SeIncBasePriorityPrivilege	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe
Token: SeIncBasePriorityPrivilege	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
Token: SeIncBasePriorityPrivilege	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
Token: SeIncBasePriorityPrivilege	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe
Token: SeIncBasePriorityPrivilege	1748	{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
Token: SeIncBasePriorityPrivilege	2736	{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
Token: SeIncBasePriorityPrivilege	672	{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
Token: SeIncBasePriorityPrivilege	1664	{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2548	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	28
PID 2148 wrote to memory of 2548	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	28
PID 2148 wrote to memory of 2548	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	28
PID 2148 wrote to memory of 2548	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	28
PID 2148 wrote to memory of 2140	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	29
PID 2148 wrote to memory of 2140	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	29
PID 2148 wrote to memory of 2140	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	29
PID 2148 wrote to memory of 2140	2148	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	29
PID 2548 wrote to memory of 2200	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	30
PID 2548 wrote to memory of 2200	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	30
PID 2548 wrote to memory of 2200	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	30
PID 2548 wrote to memory of 2200	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	30
PID 2548 wrote to memory of 2788	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	31
PID 2548 wrote to memory of 2788	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	31
PID 2548 wrote to memory of 2788	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	31
PID 2548 wrote to memory of 2788	2548	{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe	31
PID 2200 wrote to memory of 3024	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	32
PID 2200 wrote to memory of 3024	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	32
PID 2200 wrote to memory of 3024	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	32
PID 2200 wrote to memory of 3024	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	32
PID 2200 wrote to memory of 2692	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	33
PID 2200 wrote to memory of 2692	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	33
PID 2200 wrote to memory of 2692	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	33
PID 2200 wrote to memory of 2692	2200	{1D214650-3C20-477f-A537-A11508B92C89}.exe	33
PID 3024 wrote to memory of 2876	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	36
PID 3024 wrote to memory of 2876	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	36
PID 3024 wrote to memory of 2876	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	36
PID 3024 wrote to memory of 2876	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	36
PID 3024 wrote to memory of 2648	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	37
PID 3024 wrote to memory of 2648	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	37
PID 3024 wrote to memory of 2648	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	37
PID 3024 wrote to memory of 2648	3024	{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe	37
PID 2876 wrote to memory of 2840	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	38
PID 2876 wrote to memory of 2840	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	38
PID 2876 wrote to memory of 2840	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	38
PID 2876 wrote to memory of 2840	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	38
PID 2876 wrote to memory of 2664	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	39
PID 2876 wrote to memory of 2664	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	39
PID 2876 wrote to memory of 2664	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	39
PID 2876 wrote to memory of 2664	2876	{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe	39
PID 2840 wrote to memory of 2412	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	40
PID 2840 wrote to memory of 2412	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	40
PID 2840 wrote to memory of 2412	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	40
PID 2840 wrote to memory of 2412	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	40
PID 2840 wrote to memory of 2484	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	41
PID 2840 wrote to memory of 2484	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	41
PID 2840 wrote to memory of 2484	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	41
PID 2840 wrote to memory of 2484	2840	{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe	41
PID 2412 wrote to memory of 2540	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	42
PID 2412 wrote to memory of 2540	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	42
PID 2412 wrote to memory of 2540	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	42
PID 2412 wrote to memory of 2540	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	42
PID 2412 wrote to memory of 2956	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	43
PID 2412 wrote to memory of 2956	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	43
PID 2412 wrote to memory of 2956	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	43
PID 2412 wrote to memory of 2956	2412	{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe	43
PID 2540 wrote to memory of 1748	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	44
PID 2540 wrote to memory of 1748	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	44
PID 2540 wrote to memory of 1748	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	44
PID 2540 wrote to memory of 1748	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	44
PID 2540 wrote to memory of 2452	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	45
PID 2540 wrote to memory of 2452	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	45
PID 2540 wrote to memory of 2452	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	45
PID 2540 wrote to memory of 2452	2540	{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe	45

C:\Users\Admin\AppData\Local\Temp\c06d57218ad65d7cb759b1cc663e5260_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\c06d57218ad65d7cb759b1cc663e5260_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
  C:\Windows\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{1D214650-3C20-477f-A537-A11508B92C89}.exe
    C:\Windows\{1D214650-3C20-477f-A537-A11508B92C89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
      C:\Windows\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe
        
        C:\Windows\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
        
        C:\Windows\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
        
        C:\Windows\{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe
        
        C:\Windows\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
        
        C:\Windows\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
        
        C:\Windows\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
        
        C:\Windows\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe
        
        C:\Windows\{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}.exe
        
        C:\Windows\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}.exe
        13⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E570D~1.EXE > nul
        13⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0335F~1.EXE > nul
        12⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EED52~1.EXE > nul
        11⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2966D~1.EXE > nul
        10⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB2ED~1.EXE > nul
        9⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0E1B~1.EXE > nul
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C0A~1.EXE > nul
        7⤵
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E5EA~1.EXE > nul
        6⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD5E~1.EXE > nul
        5⤵
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1D214~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA7B~1.EXE > nul
    3⤵
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C06D57~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe

Filesize
103KB

MD5
555a9dd32eb4ff72ccceefb0c901ae48

SHA1
67d94e5ec00543028850ee77b7ba098c9c314fd0

SHA256
e2c9e5bb0843a22c60754fc05db1c01be5a138c2c596e676e2a3111e4847667d

SHA512
1d25d2be3d825eb4d4f5dbe37e2a676f6f231ee1571343cc9fb169baf5eb6fa00beda0259deabaa07799692a7b85fa75ed750506624479be12f462abccc4dec3

Download Submit
C:\Windows\{0335F7DF-C917-428d-AF3A-B3CA03A81F08}.exe

Filesize
103KB

MD5
555a9dd32eb4ff72ccceefb0c901ae48

SHA1
67d94e5ec00543028850ee77b7ba098c9c314fd0

SHA256
e2c9e5bb0843a22c60754fc05db1c01be5a138c2c596e676e2a3111e4847667d

SHA512
1d25d2be3d825eb4d4f5dbe37e2a676f6f231ee1571343cc9fb169baf5eb6fa00beda0259deabaa07799692a7b85fa75ed750506624479be12f462abccc4dec3

Download Submit
C:\Windows\{1D214650-3C20-477f-A537-A11508B92C89}.exe

Filesize
103KB

MD5
709ce3ccc9440ff90be9c2a86c864ed8

SHA1
e533cf3eaa2a6fc01743b1c835209bbbb60bba73

SHA256
29bf967fd931087cefc04c7680d5aef1a86dcefa9b26771be458d98b77ce8f7a

SHA512
669b820501660dbbd0560930ac8a9bdf77a49087decc1c5e309c34175ce01086763cbbb0ce16556df6836740277233cd623f015921c079a56e58b9111dbc5577

Download Submit
C:\Windows\{1D214650-3C20-477f-A537-A11508B92C89}.exe

Filesize
103KB

MD5
709ce3ccc9440ff90be9c2a86c864ed8

SHA1
e533cf3eaa2a6fc01743b1c835209bbbb60bba73

SHA256
29bf967fd931087cefc04c7680d5aef1a86dcefa9b26771be458d98b77ce8f7a

SHA512
669b820501660dbbd0560930ac8a9bdf77a49087decc1c5e309c34175ce01086763cbbb0ce16556df6836740277233cd623f015921c079a56e58b9111dbc5577

Download Submit
C:\Windows\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe

Filesize
103KB

MD5
6ff955452c1d1e1fb340a441816594ed

SHA1
3d79270b2edd1b5ecae4fd1eddf0cc25f349c8c3

SHA256
7e5482071c163d3dd9654e9a59bab82e342abf6297768dd7c056b225e59d301b

SHA512
db5a99ba2bdf83553937da58e6f2e0e22f02c7f613d6fa0e8b501cc8619318c02c5b76277e97c5c7d1bfed08f8beeaea85c02847bcf9228509e9fc02e4739518

Download Submit
C:\Windows\{2966DF0A-D5C1-49c2-9681-642F64D69E3F}.exe

Filesize
103KB

MD5
6ff955452c1d1e1fb340a441816594ed

SHA1
3d79270b2edd1b5ecae4fd1eddf0cc25f349c8c3

SHA256
7e5482071c163d3dd9654e9a59bab82e342abf6297768dd7c056b225e59d301b

SHA512
db5a99ba2bdf83553937da58e6f2e0e22f02c7f613d6fa0e8b501cc8619318c02c5b76277e97c5c7d1bfed08f8beeaea85c02847bcf9228509e9fc02e4739518

Download Submit
C:\Windows\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe

Filesize
103KB

MD5
a2aea066e45e0c2765820813b7362c29

SHA1
c4d2d6d636d18fb3d498efc9d3ba2279ba42cae1

SHA256
d69f956177f747719679f9f5b57854400b72f4f365a0cc9ea3907b94b6a2e144

SHA512
deea8a989ef0a5f0beacce224a9dbfb74cc850a2ee26e6e5fa6babc5e27df9130bd202f598435242715c462ec8211f324b95b29e2cca5c9c3ff4fc37a437b78d

Download Submit
C:\Windows\{4E5EA3AD-79E7-4111-B701-8E95D5DC8C3A}.exe

Filesize
103KB

MD5
a2aea066e45e0c2765820813b7362c29

SHA1
c4d2d6d636d18fb3d498efc9d3ba2279ba42cae1

SHA256
d69f956177f747719679f9f5b57854400b72f4f365a0cc9ea3907b94b6a2e144

SHA512
deea8a989ef0a5f0beacce224a9dbfb74cc850a2ee26e6e5fa6babc5e27df9130bd202f598435242715c462ec8211f324b95b29e2cca5c9c3ff4fc37a437b78d

Download Submit
C:\Windows\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe

Filesize
103KB

MD5
5197ba602165a177fe056738e93035eb

SHA1
c003310c386d9bb311ac4d73fadc66844e98c0dc

SHA256
0ac3b97510eeff6f91672181f553a700142f6a6e5ab18247fd1fb4002cb2a340

SHA512
58bcae8a52d6ee08460148d99794eb6e9f68a7d57c78edfcf747dda9fb6547582f0399a63e0d64bd86e8c43ad6ba4ba1f76da4521eac99500d587245c052b9b2

Download Submit
C:\Windows\{65C0A641-0144-4a08-965A-AC8E0AF56BC1}.exe

Filesize
103KB

MD5
5197ba602165a177fe056738e93035eb

SHA1
c003310c386d9bb311ac4d73fadc66844e98c0dc

SHA256
0ac3b97510eeff6f91672181f553a700142f6a6e5ab18247fd1fb4002cb2a340

SHA512
58bcae8a52d6ee08460148d99794eb6e9f68a7d57c78edfcf747dda9fb6547582f0399a63e0d64bd86e8c43ad6ba4ba1f76da4521eac99500d587245c052b9b2

Download Submit
C:\Windows\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe

Filesize
103KB

MD5
a51603fbecd7bfb22f52bfd8c169b6ab

SHA1
386c8f8a1638bce8b3d660cce54e43b0345db57b

SHA256
6047285daab6e1c73a45a6d2e782245b87fedaa508a22f7d58e90a60b273ffa0

SHA512
1c2f61af5eaed500c0c673d1cb484ed329a73de7b5c1c376fd98f976a795053fcfd325e8c2b1a8e7fe0e08bc55c461b2528cc77d174dd62210aa610067c8fd7e

Download Submit
C:\Windows\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe

Filesize
103KB

MD5
a51603fbecd7bfb22f52bfd8c169b6ab

SHA1
386c8f8a1638bce8b3d660cce54e43b0345db57b

SHA256
6047285daab6e1c73a45a6d2e782245b87fedaa508a22f7d58e90a60b273ffa0

SHA512
1c2f61af5eaed500c0c673d1cb484ed329a73de7b5c1c376fd98f976a795053fcfd325e8c2b1a8e7fe0e08bc55c461b2528cc77d174dd62210aa610067c8fd7e

Download Submit
C:\Windows\{ACA7B2E4-8ABF-407a-BE36-3D42CA321943}.exe

Filesize
103KB

MD5
a51603fbecd7bfb22f52bfd8c169b6ab

SHA1
386c8f8a1638bce8b3d660cce54e43b0345db57b

SHA256
6047285daab6e1c73a45a6d2e782245b87fedaa508a22f7d58e90a60b273ffa0

SHA512
1c2f61af5eaed500c0c673d1cb484ed329a73de7b5c1c376fd98f976a795053fcfd325e8c2b1a8e7fe0e08bc55c461b2528cc77d174dd62210aa610067c8fd7e

Download Submit
C:\Windows\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe

Filesize
103KB

MD5
f1499b9db19d252aaa4d4580cbe71ea6

SHA1
8b491b73dc934caedf65fbf1c94d098044f40f11

SHA256
7dca223d418745c1627e455e3e0f24066acf622bfbbe4dbc17d864d631117bc9

SHA512
6b3db5dd328e34e6d4589f7e4654b626eb9ae69bb7e2410829e0c28e656f635eba20032b6efe7a861e499ea146973b9a1a567042d6708e4cf372f23013bd9702

Download Submit
C:\Windows\{BB2EDF14-D12C-4627-9A6F-4E87E2BCE240}.exe

Filesize
103KB

MD5
f1499b9db19d252aaa4d4580cbe71ea6

SHA1
8b491b73dc934caedf65fbf1c94d098044f40f11

SHA256
7dca223d418745c1627e455e3e0f24066acf622bfbbe4dbc17d864d631117bc9

SHA512
6b3db5dd328e34e6d4589f7e4654b626eb9ae69bb7e2410829e0c28e656f635eba20032b6efe7a861e499ea146973b9a1a567042d6708e4cf372f23013bd9702

Download Submit
C:\Windows\{C5C6E4D5-25BE-4291-AE30-13F351BB7A53}.exe

Filesize
103KB

MD5
f03e1dd04d1358fc4bc20c26dcc0196a

SHA1
366ba23dd57f06e352c0a0af21f95477485a7499

SHA256
0233ec18710430e36176436ec5d0e3c7e544cc3aa4f5e2a10c6e82eec8fadc5d

SHA512
61d42ae81878f97cadaa6da76410d2b88f8e179d6e3c23095a9c0da9ba3ea531b26ade5e6bb46a986c7e42f802ad58d826c589b09148aedf7e81db47fb9c0f42

Download Submit
C:\Windows\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe

Filesize
103KB

MD5
772401bbf2df7e0ddd82041d3287680e

SHA1
91ea44e96151fa4e424093c96e7f4531aef55340

SHA256
48d2ef94fd1db906acd9255ca108779d2618e13d9e1ee1bb8c3c0bf4f2db3fa9

SHA512
0ab1aad8a6c9b9fa60e542e1e320e0f80eac71e88b5c91609a3d10da4bbd538d988f93a98ac22ce97625813919ee042eafa867daac72c7a1d15471173cda7279

Download Submit
C:\Windows\{CAD5EC1B-3476-4604-B6DA-C4E1E2DA3B43}.exe

Filesize
103KB

MD5
772401bbf2df7e0ddd82041d3287680e

SHA1
91ea44e96151fa4e424093c96e7f4531aef55340

SHA256
48d2ef94fd1db906acd9255ca108779d2618e13d9e1ee1bb8c3c0bf4f2db3fa9

SHA512
0ab1aad8a6c9b9fa60e542e1e320e0f80eac71e88b5c91609a3d10da4bbd538d988f93a98ac22ce97625813919ee042eafa867daac72c7a1d15471173cda7279

Download Submit
C:\Windows\{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe

Filesize
103KB

MD5
f34287b6bd83a90dae66a8d4d9c2231e

SHA1
5659fa336da1eb3febfd9020cc85b5b47d1071be

SHA256
124b57eee798b4c06df543b5a0112d621eb76cd623338951e490aed704da3dcf

SHA512
9840c25cd11489289cda6da27dc96f8cc41b0c1d74cc00d0a4fec5e73df276631b0f2682475c58409fb2e28b3858f8cf51e005f1f69d0d9f8da746b0e50ccc9a

Download Submit
C:\Windows\{E570D24C-7D3F-41c2-A240-49C44A7B3530}.exe

Filesize
103KB

MD5
f34287b6bd83a90dae66a8d4d9c2231e

SHA1
5659fa336da1eb3febfd9020cc85b5b47d1071be

SHA256
124b57eee798b4c06df543b5a0112d621eb76cd623338951e490aed704da3dcf

SHA512
9840c25cd11489289cda6da27dc96f8cc41b0c1d74cc00d0a4fec5e73df276631b0f2682475c58409fb2e28b3858f8cf51e005f1f69d0d9f8da746b0e50ccc9a

Download Submit
C:\Windows\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe

Filesize
103KB

MD5
40c9a5e9d7611534db1a4c93554238f5

SHA1
ee66a8e0ae26e471302a17c39024c910545c0a27

SHA256
e741f7d1f9a3bc5614f9737c4ea5402515a7cfe1a5830e8da84d95ee01e98aba

SHA512
26be4d3a542c554265dcc93f6b0f94a584fcddf2796f1b7f7d38e0d132af6f12f313e739398239c72028a8ddc6f2a8b7d268aa5c6e6eb14581611e74bb0421aa

Download Submit
C:\Windows\{EED520B2-E831-4f20-9AA8-A11FDD859B2F}.exe

Filesize
103KB

MD5
40c9a5e9d7611534db1a4c93554238f5

SHA1
ee66a8e0ae26e471302a17c39024c910545c0a27

SHA256
e741f7d1f9a3bc5614f9737c4ea5402515a7cfe1a5830e8da84d95ee01e98aba

SHA512
26be4d3a542c554265dcc93f6b0f94a584fcddf2796f1b7f7d38e0d132af6f12f313e739398239c72028a8ddc6f2a8b7d268aa5c6e6eb14581611e74bb0421aa

Download Submit
C:\Windows\{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe

Filesize
103KB

MD5
2d4c06460b712363e1e68318a4ef9c04

SHA1
d7c6eaa052f12377b4d75e2569fd52ec784af959

SHA256
1d021f12d9c959fd8596e94e2bcd1082be6e002e1918969be58c8dd2f3fe29ee

SHA512
e4b34bef2f505ba23bea92e70b29f22c644b5535ead6418f8fecf80711623a9f62f4f949d476b0b361df7fd96096753b3d69dbaf1ce9fb7924879d74e05f7e5f

Download Submit
C:\Windows\{F0E1B221-7C89-4b57-937B-083B6CEBA510}.exe

Filesize
103KB

MD5
2d4c06460b712363e1e68318a4ef9c04

SHA1
d7c6eaa052f12377b4d75e2569fd52ec784af959

SHA256
1d021f12d9c959fd8596e94e2bcd1082be6e002e1918969be58c8dd2f3fe29ee

SHA512
e4b34bef2f505ba23bea92e70b29f22c644b5535ead6418f8fecf80711623a9f62f4f949d476b0b361df7fd96096753b3d69dbaf1ce9fb7924879d74e05f7e5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads