fb64703364185579f6c811de7c4886240675ac2a71adf12fb76988ebae28fafd

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Size

76KB
MD5

c82d2a5fd41b7e9d876267bc76b69550
SHA1

09bbdbed216b8853e74552614367024adc3ee94c
SHA256

fb64703364185579f6c811de7c4886240675ac2a71adf12fb76988ebae28fafd
SHA512

6cdd6a2f01040a7e8aa85d2184106a601832ddde2efab28fdc30e75946570de0d8b6c1169a71ebff7bb44e18422dc20773ee4a070f877e278bfca2af552a08b4
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroVL4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroVL4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8742B00A-6A62-4005-A317-E89A66EF9EBE}\stubpath = "C:\\Windows\\{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe"	{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}\stubpath = "C:\\Windows\\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}.exe"	{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0133F833-1989-4219-B469-0D19AEDEE7B7}\stubpath = "C:\\Windows\\{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe"	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}\stubpath = "C:\\Windows\\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe"	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}\stubpath = "C:\\Windows\\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe"	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}\stubpath = "C:\\Windows\\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe"	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E641DD56-6650-44fd-9831-2BE3E09F54EB}\stubpath = "C:\\Windows\\{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe"	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0133F833-1989-4219-B469-0D19AEDEE7B7}	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}\stubpath = "C:\\Windows\\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe"	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}	{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}\stubpath = "C:\\Windows\\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe"	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E641DD56-6650-44fd-9831-2BE3E09F54EB}	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8742B00A-6A62-4005-A317-E89A66EF9EBE}	{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B301E699-40D4-46d3-858E-BCC29B68D6E8}	{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B301E699-40D4-46d3-858E-BCC29B68D6E8}\stubpath = "C:\\Windows\\{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe"	{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}\stubpath = "C:\\Windows\\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe"	{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}	{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}\stubpath = "C:\\Windows\\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe"	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe
2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
956	{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
2840	{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
2988	{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
2676	{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe
1992	{7FF8CF68-6801-491d-AA88-E49AC4B73A59}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
File created	C:\Windows\{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
File created	C:\Windows\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe	{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
File created	C:\Windows\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
File created	C:\Windows\{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe	{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
File created	C:\Windows\{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe	{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
File created	C:\Windows\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe
File created	C:\Windows\{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
File created	C:\Windows\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
File created	C:\Windows\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
File created	C:\Windows\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
File created	C:\Windows\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}.exe	{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Token: SeIncBasePriorityPrivilege	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe
Token: SeIncBasePriorityPrivilege	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
Token: SeIncBasePriorityPrivilege	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
Token: SeIncBasePriorityPrivilege	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
Token: SeIncBasePriorityPrivilege	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
Token: SeIncBasePriorityPrivilege	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
Token: SeIncBasePriorityPrivilege	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
Token: SeIncBasePriorityPrivilege	956	{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
Token: SeIncBasePriorityPrivilege	2840	{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
Token: SeIncBasePriorityPrivilege	2988	{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
Token: SeIncBasePriorityPrivilege	2676	{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2732	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	28
PID 2076 wrote to memory of 2732	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	28
PID 2076 wrote to memory of 2732	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	28
PID 2076 wrote to memory of 2732	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	28
PID 2076 wrote to memory of 2340	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	29
PID 2076 wrote to memory of 2340	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	29
PID 2076 wrote to memory of 2340	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	29
PID 2076 wrote to memory of 2340	2076	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	29
PID 2732 wrote to memory of 2668	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	32
PID 2732 wrote to memory of 2668	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	32
PID 2732 wrote to memory of 2668	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	32
PID 2732 wrote to memory of 2668	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	32
PID 2732 wrote to memory of 2288	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	33
PID 2732 wrote to memory of 2288	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	33
PID 2732 wrote to memory of 2288	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	33
PID 2732 wrote to memory of 2288	2732	{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe	33
PID 2668 wrote to memory of 2268	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	34
PID 2668 wrote to memory of 2268	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	34
PID 2668 wrote to memory of 2268	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	34
PID 2668 wrote to memory of 2268	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	34
PID 2668 wrote to memory of 2828	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	35
PID 2668 wrote to memory of 2828	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	35
PID 2668 wrote to memory of 2828	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	35
PID 2668 wrote to memory of 2828	2668	{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe	35
PID 2268 wrote to memory of 2636	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	36
PID 2268 wrote to memory of 2636	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	36
PID 2268 wrote to memory of 2636	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	36
PID 2268 wrote to memory of 2636	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	36
PID 2268 wrote to memory of 2724	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	37
PID 2268 wrote to memory of 2724	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	37
PID 2268 wrote to memory of 2724	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	37
PID 2268 wrote to memory of 2724	2268	{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe	37
PID 2636 wrote to memory of 2484	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	38
PID 2636 wrote to memory of 2484	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	38
PID 2636 wrote to memory of 2484	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	38
PID 2636 wrote to memory of 2484	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	38
PID 2636 wrote to memory of 2584	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	39
PID 2636 wrote to memory of 2584	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	39
PID 2636 wrote to memory of 2584	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	39
PID 2636 wrote to memory of 2584	2636	{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe	39
PID 2484 wrote to memory of 3004	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	40
PID 2484 wrote to memory of 3004	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	40
PID 2484 wrote to memory of 3004	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	40
PID 2484 wrote to memory of 3004	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	40
PID 2484 wrote to memory of 2300	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	41
PID 2484 wrote to memory of 2300	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	41
PID 2484 wrote to memory of 2300	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	41
PID 2484 wrote to memory of 2300	2484	{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe	41
PID 3004 wrote to memory of 1432	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	43
PID 3004 wrote to memory of 1432	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	43
PID 3004 wrote to memory of 1432	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	43
PID 3004 wrote to memory of 1432	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	43
PID 3004 wrote to memory of 2000	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	42
PID 3004 wrote to memory of 2000	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	42
PID 3004 wrote to memory of 2000	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	42
PID 3004 wrote to memory of 2000	3004	{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe	42
PID 1432 wrote to memory of 956	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	44
PID 1432 wrote to memory of 956	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	44
PID 1432 wrote to memory of 956	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	44
PID 1432 wrote to memory of 956	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	44
PID 1432 wrote to memory of 828	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	45
PID 1432 wrote to memory of 828	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	45
PID 1432 wrote to memory of 828	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	45
PID 1432 wrote to memory of 828	1432	{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe	45

C:\Users\Admin\AppData\Local\Temp\c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\c82d2a5fd41b7e9d876267bc76b69550_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe
  C:\Windows\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
    C:\Windows\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
      C:\Windows\{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
        
        C:\Windows\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
        
        C:\Windows\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
        
        C:\Windows\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A231B~1.EXE > nul
        8⤵
        
        PID:2000
        
        C:\Windows\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
        
        C:\Windows\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
        
        C:\Windows\{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
        
        C:\Windows\{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
        
        C:\Windows\{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe
        
        C:\Windows\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE7F~1.EXE > nul
        13⤵
        
        PID:1580
        
        C:\Windows\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}.exe
        
        C:\Windows\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}.exe
        13⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B301E~1.EXE > nul
        12⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8742B~1.EXE > nul
        11⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E641D~1.EXE > nul
        10⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA6C7~1.EXE > nul
        9⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62F85~1.EXE > nul
        7⤵
        
        PID:2300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7BF~1.EXE > nul
        6⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0133F~1.EXE > nul
        5⤵
        
        PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25AA1~1.EXE > nul
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D478C~1.EXE > nul
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82D2A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe

Filesize
76KB

MD5
95e9b7dd55875395699920bb29f73f49

SHA1
02685c546b3b0ecfaadb1c169ab2addd8492367d

SHA256
570ba953a8090385318fa94d560dc7754d70e41b15b1c064d844c94c986a3d61

SHA512
cbeaa1aa3f313637ab555207dddeb5a01fe7694076dee54fc315e09778c9b57fdc6a8903545b250c9cf18028eaffb22030564e089fa42ea3713570fb34efb2ca

Download Submit
C:\Windows\{0133F833-1989-4219-B469-0D19AEDEE7B7}.exe

Filesize
76KB

MD5
95e9b7dd55875395699920bb29f73f49

SHA1
02685c546b3b0ecfaadb1c169ab2addd8492367d

SHA256
570ba953a8090385318fa94d560dc7754d70e41b15b1c064d844c94c986a3d61

SHA512
cbeaa1aa3f313637ab555207dddeb5a01fe7694076dee54fc315e09778c9b57fdc6a8903545b250c9cf18028eaffb22030564e089fa42ea3713570fb34efb2ca

Download Submit
C:\Windows\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe

Filesize
76KB

MD5
529bc94494048de4a1a32e9f83a929b7

SHA1
b99cc9558221938ab477dbabd4be6a9f57e7d9c0

SHA256
df8386310851300d6a0d356132acdd74be1b5baddd9814a211c9fc2de2fbc061

SHA512
c84221b0b35feb9eb760690f3f590892c8af311a110b64c77256230dffc840fedaf2c99186488addb628a8c093c123aa0863df1b81c855c011bf0c0607625151

Download Submit
C:\Windows\{25AA1FE2-F728-4d30-8A59-252AB59C22E3}.exe

Filesize
76KB

MD5
529bc94494048de4a1a32e9f83a929b7

SHA1
b99cc9558221938ab477dbabd4be6a9f57e7d9c0

SHA256
df8386310851300d6a0d356132acdd74be1b5baddd9814a211c9fc2de2fbc061

SHA512
c84221b0b35feb9eb760690f3f590892c8af311a110b64c77256230dffc840fedaf2c99186488addb628a8c093c123aa0863df1b81c855c011bf0c0607625151

Download Submit
C:\Windows\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe

Filesize
76KB

MD5
8607ba40d3b90bdca614668a3cd4f51c

SHA1
87af9a1cf78def75143a03c0648d0c7d5460aff1

SHA256
b908e42e162104017b66bff4c49bce7513901fc54ab30316b82141591aa43afa

SHA512
cf909a85fff020a982ca932d1dcd48af32d055fdf52909a02f1b1d564358762971b57892a5dcd4954c05334ea49f46f3d6a2968e5717a74ef78410773a849e05

Download Submit
C:\Windows\{62F85CC5-5AF0-432d-B098-2B574F0E6E2D}.exe

Filesize
76KB

MD5
8607ba40d3b90bdca614668a3cd4f51c

SHA1
87af9a1cf78def75143a03c0648d0c7d5460aff1

SHA256
b908e42e162104017b66bff4c49bce7513901fc54ab30316b82141591aa43afa

SHA512
cf909a85fff020a982ca932d1dcd48af32d055fdf52909a02f1b1d564358762971b57892a5dcd4954c05334ea49f46f3d6a2968e5717a74ef78410773a849e05

Download Submit
C:\Windows\{7FF8CF68-6801-491d-AA88-E49AC4B73A59}.exe

Filesize
76KB

MD5
f4db0072d194b0b114cb1596501caeab

SHA1
facfa97c442e10742e616da1e5818cf703a3d0d5

SHA256
e4aebf8c765edcb2cfae8faf3101002eb316acaecff2714d7c87c07ba5f48552

SHA512
568bc8b3533c20006d89a6aee690c43e7302fc89b3cc949ff49e82742b2cf8b8d2f32dee4b51bf5861b86a9dd5581546ddd590b3ec268706041d432b05e2da6b

Download Submit
C:\Windows\{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe

Filesize
76KB

MD5
c50aa014bdb6dc378f2449888ef3aaf9

SHA1
9a57df5829eb99df51eff9499b6eb9674db928bd

SHA256
26c75628c225d1ae1ea96337f6d61b8039f6624cc2e3cb27e09e03218734f66b

SHA512
e53db4a5a014054658f5ee3e764b262dbc45200f38325a683683a2b79833e94b9b6ba98b180ff31673971cd5e9593dbd787bcbb8769aa58d0b42597128ea1b68

Download Submit
C:\Windows\{8742B00A-6A62-4005-A317-E89A66EF9EBE}.exe

Filesize
76KB

MD5
c50aa014bdb6dc378f2449888ef3aaf9

SHA1
9a57df5829eb99df51eff9499b6eb9674db928bd

SHA256
26c75628c225d1ae1ea96337f6d61b8039f6624cc2e3cb27e09e03218734f66b

SHA512
e53db4a5a014054658f5ee3e764b262dbc45200f38325a683683a2b79833e94b9b6ba98b180ff31673971cd5e9593dbd787bcbb8769aa58d0b42597128ea1b68

Download Submit
C:\Windows\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe

Filesize
76KB

MD5
59fd4ead0c533ea4106add13ba132b0a

SHA1
249169ed0acad02ae3bd23267276a69f6bbd5b69

SHA256
fb66e317f5523824afa3f5d0dbf93d88ca31159aed49e26ec8a13c95c04b226c

SHA512
10e5f61920d4d81ae5e2eae6b0cada3ec0b62f11bbd6efaae8b1a11afa6e3c6af0a40df678bfe8e8b42f1dc12ba959f3079a0505c57886af847d270115395f51

Download Submit
C:\Windows\{8B7BFAFE-884C-466a-8BE1-6D25C454FFA8}.exe

Filesize
76KB

MD5
59fd4ead0c533ea4106add13ba132b0a

SHA1
249169ed0acad02ae3bd23267276a69f6bbd5b69

SHA256
fb66e317f5523824afa3f5d0dbf93d88ca31159aed49e26ec8a13c95c04b226c

SHA512
10e5f61920d4d81ae5e2eae6b0cada3ec0b62f11bbd6efaae8b1a11afa6e3c6af0a40df678bfe8e8b42f1dc12ba959f3079a0505c57886af847d270115395f51

Download Submit
C:\Windows\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe

Filesize
76KB

MD5
56ba8f82a739d351d76619e7339e243e

SHA1
60c0ea15395b5ca67c32cd8ce3273019b0640ab1

SHA256
571d2b38ffd7b741c085ad5c97410bda970237fd1020af1b6d2f836791bbd92d

SHA512
6bad03aeeaac21b7647e98ad6f0fee6943795ab9404a6c119baf6431b7187d03a77072542acb5384a9ed78060f1fee6b052b86b8e9557ca2828838b2fcad8a80

Download Submit
C:\Windows\{A231BFAD-CDF2-49a8-960A-F63C3607EEE1}.exe

Filesize
76KB

MD5
56ba8f82a739d351d76619e7339e243e

SHA1
60c0ea15395b5ca67c32cd8ce3273019b0640ab1

SHA256
571d2b38ffd7b741c085ad5c97410bda970237fd1020af1b6d2f836791bbd92d

SHA512
6bad03aeeaac21b7647e98ad6f0fee6943795ab9404a6c119baf6431b7187d03a77072542acb5384a9ed78060f1fee6b052b86b8e9557ca2828838b2fcad8a80

Download Submit
C:\Windows\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe

Filesize
76KB

MD5
d972e6aa5810da8176ddc321f00a4484

SHA1
394ae44d0aca0896b317fd96aa0da103a384030f

SHA256
78120f0dea495f101052f935e07cc4d3492fea7e7c41135499f91a95cb44b8d1

SHA512
df05db40d7585aba1905b1100f3eb2678e2ff36188ee54a7f1ac795ddf93a8f468bcb9c75d3783d866c260e4038f77b1beff68e6fa428c16b6a0152b81852bf4

Download Submit
C:\Windows\{AA6C72BD-6891-4cb8-8BDA-456F34F0D6E3}.exe

Filesize
76KB

MD5
d972e6aa5810da8176ddc321f00a4484

SHA1
394ae44d0aca0896b317fd96aa0da103a384030f

SHA256
78120f0dea495f101052f935e07cc4d3492fea7e7c41135499f91a95cb44b8d1

SHA512
df05db40d7585aba1905b1100f3eb2678e2ff36188ee54a7f1ac795ddf93a8f468bcb9c75d3783d866c260e4038f77b1beff68e6fa428c16b6a0152b81852bf4

Download Submit
C:\Windows\{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe

Filesize
76KB

MD5
5bc0ecdd81f797792b8de1a38b7c7cc7

SHA1
349e59c4c3fca00b753c6a7e9794643b40eae62b

SHA256
73306ff1591423b04f7573c063ef1372e96f222dd2b6cb2b56aa3c2bfe74113b

SHA512
2e4446ad003fa220c5f243b1a0ff39b905a84f7ffea502542fc31828b65321c473e4b4afdf6bd11336a089e928e9d37b8a8f181ac025297fd02cdc528195c125

Download Submit
C:\Windows\{B301E699-40D4-46d3-858E-BCC29B68D6E8}.exe

Filesize
76KB

MD5
5bc0ecdd81f797792b8de1a38b7c7cc7

SHA1
349e59c4c3fca00b753c6a7e9794643b40eae62b

SHA256
73306ff1591423b04f7573c063ef1372e96f222dd2b6cb2b56aa3c2bfe74113b

SHA512
2e4446ad003fa220c5f243b1a0ff39b905a84f7ffea502542fc31828b65321c473e4b4afdf6bd11336a089e928e9d37b8a8f181ac025297fd02cdc528195c125

Download Submit
C:\Windows\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe

Filesize
76KB

MD5
c72fb05a8198d37bdbd9f87b323f0438

SHA1
7368a4e4c2671957522e608bd09a96c63a711232

SHA256
aef36fe5e8f65d226001a58ce5ee458ef807f9e9e2e540aed7564527d0df9f77

SHA512
0f3256837c322c45de527b0a0470e5d29b89947a8689db73e568c5da9c5f2b0c98d83272a877f37e9668b615586118330eddde0463e8e47a75fc977a6d8e37b3

Download Submit
C:\Windows\{BDE7F5B6-43B7-4d98-9F69-1D03FFB8386B}.exe

Filesize
76KB

MD5
c72fb05a8198d37bdbd9f87b323f0438

SHA1
7368a4e4c2671957522e608bd09a96c63a711232

SHA256
aef36fe5e8f65d226001a58ce5ee458ef807f9e9e2e540aed7564527d0df9f77

SHA512
0f3256837c322c45de527b0a0470e5d29b89947a8689db73e568c5da9c5f2b0c98d83272a877f37e9668b615586118330eddde0463e8e47a75fc977a6d8e37b3

Download Submit
C:\Windows\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe

Filesize
76KB

MD5
0996494a630b44b06feacab7a459cde3

SHA1
5e2ecfd52e1045576630cc97a25ba535a06dcabe

SHA256
3ef09c0bb7e365c298a845e18c56719f81c7f16fc2364935f2c801134356895d

SHA512
68be66059ce16506b6d9cddc356034dfcc4125af7a4878c465c7947b0a3de9a9d4d02522a2c4a388f5b094834d2ad8adf434e7713df5277f9780f044d696dce7

Download Submit
C:\Windows\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe

Filesize
76KB

MD5
0996494a630b44b06feacab7a459cde3

SHA1
5e2ecfd52e1045576630cc97a25ba535a06dcabe

SHA256
3ef09c0bb7e365c298a845e18c56719f81c7f16fc2364935f2c801134356895d

SHA512
68be66059ce16506b6d9cddc356034dfcc4125af7a4878c465c7947b0a3de9a9d4d02522a2c4a388f5b094834d2ad8adf434e7713df5277f9780f044d696dce7

Download Submit
C:\Windows\{D478C118-C4BE-470f-BCF2-BE095CABA8EF}.exe

Filesize
76KB

MD5
0996494a630b44b06feacab7a459cde3

SHA1
5e2ecfd52e1045576630cc97a25ba535a06dcabe

SHA256
3ef09c0bb7e365c298a845e18c56719f81c7f16fc2364935f2c801134356895d

SHA512
68be66059ce16506b6d9cddc356034dfcc4125af7a4878c465c7947b0a3de9a9d4d02522a2c4a388f5b094834d2ad8adf434e7713df5277f9780f044d696dce7

Download Submit
C:\Windows\{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe

Filesize
76KB

MD5
6b6fa038c8718f883ae75fd7272da555

SHA1
d7b54990c02b548ea042999a6fc77a071412fadb

SHA256
77b2489a998f835a37cf59364906e9625a1251acea7ef5f7cec658ca8c13c6c7

SHA512
a0fd510d7e48cf10af77f870472e26fd04f475fbd8539e94cf88c0650f41b287ed1846645526b4130bca0f466acf49dedc5e96307ecfb60c26ce829897e702c4

Download Submit
C:\Windows\{E641DD56-6650-44fd-9831-2BE3E09F54EB}.exe

Filesize
76KB

MD5
6b6fa038c8718f883ae75fd7272da555

SHA1
d7b54990c02b548ea042999a6fc77a071412fadb

SHA256
77b2489a998f835a37cf59364906e9625a1251acea7ef5f7cec658ca8c13c6c7

SHA512
a0fd510d7e48cf10af77f870472e26fd04f475fbd8539e94cf88c0650f41b287ed1846645526b4130bca0f466acf49dedc5e96307ecfb60c26ce829897e702c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads