93cdc816e34b8f935eb7ba09a5c8c75bfb5af317f032736210c9868d858a238c

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3d5243019a4b1a8321608b878788895.exe
Size

344KB
MD5

e3d5243019a4b1a8321608b878788895
SHA1

089b2bb2252d79f2966235d92a84b0737157f37e
SHA256

93cdc816e34b8f935eb7ba09a5c8c75bfb5af317f032736210c9868d858a238c
SHA512

2ff7b208742c5aa4b0f5b13030a5ef97a9bbd30e8c0ef59325a453e2bd739e75fa1c1d9e6b3eeaef3a428b795350db446f969ddf0ba1d8b336b11f87f76d77a6
SSDEEP

3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FE96358-EA29-403d-AB42-BA29B797B647}\stubpath = "C:\\Windows\\{7FE96358-EA29-403d-AB42-BA29B797B647}.exe"	{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}\stubpath = "C:\\Windows\\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe"	e3d5243019a4b1a8321608b878788895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7445CF37-54C8-4864-A351-38981FB396D4}\stubpath = "C:\\Windows\\{7445CF37-54C8-4864-A351-38981FB396D4}.exe"	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91A2830-8320-4a5d-9C17-DC2B8E410859}	{A6DC974C-109D-4750-A39B-07C67B148366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}	{7445CF37-54C8-4864-A351-38981FB396D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66329367-51B6-4576-8F54-39F1E8BE2650}	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91A2830-8320-4a5d-9C17-DC2B8E410859}\stubpath = "C:\\Windows\\{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe"	{A6DC974C-109D-4750-A39B-07C67B148366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}	{7FE96358-EA29-403d-AB42-BA29B797B647}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7445CF37-54C8-4864-A351-38981FB396D4}	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}\stubpath = "C:\\Windows\\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}.exe"	{7FE96358-EA29-403d-AB42-BA29B797B647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}\stubpath = "C:\\Windows\\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe"	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6DC974C-109D-4750-A39B-07C67B148366}	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6DC974C-109D-4750-A39B-07C67B148366}\stubpath = "C:\\Windows\\{A6DC974C-109D-4750-A39B-07C67B148366}.exe"	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FE96358-EA29-403d-AB42-BA29B797B647}	{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}\stubpath = "C:\\Windows\\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe"	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}\stubpath = "C:\\Windows\\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe"	{7445CF37-54C8-4864-A351-38981FB396D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66329367-51B6-4576-8F54-39F1E8BE2650}\stubpath = "C:\\Windows\\{66329367-51B6-4576-8F54-39F1E8BE2650}.exe"	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}	e3d5243019a4b1a8321608b878788895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}\stubpath = "C:\\Windows\\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe"	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe
2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe
3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
348	{A6DC974C-109D-4750-A39B-07C67B148366}.exe
1200	{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe
2016	{7FE96358-EA29-403d-AB42-BA29B797B647}.exe
1096	{0752581D-E5F3-4136-8D45-5CB6CD8686BF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
File created	C:\Windows\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe
File created	C:\Windows\{A6DC974C-109D-4750-A39B-07C67B148366}.exe	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
File created	C:\Windows\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}.exe	{7FE96358-EA29-403d-AB42-BA29B797B647}.exe
File created	C:\Windows\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	e3d5243019a4b1a8321608b878788895.exe
File created	C:\Windows\{7445CF37-54C8-4864-A351-38981FB396D4}.exe	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
File created	C:\Windows\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	{7445CF37-54C8-4864-A351-38981FB396D4}.exe
File created	C:\Windows\{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
File created	C:\Windows\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
File created	C:\Windows\{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe	{A6DC974C-109D-4750-A39B-07C67B148366}.exe
File created	C:\Windows\{7FE96358-EA29-403d-AB42-BA29B797B647}.exe	{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1540	e3d5243019a4b1a8321608b878788895.exe
Token: SeIncBasePriorityPrivilege	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
Token: SeIncBasePriorityPrivilege	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe
Token: SeIncBasePriorityPrivilege	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
Token: SeIncBasePriorityPrivilege	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe
Token: SeIncBasePriorityPrivilege	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
Token: SeIncBasePriorityPrivilege	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
Token: SeIncBasePriorityPrivilege	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
Token: SeIncBasePriorityPrivilege	348	{A6DC974C-109D-4750-A39B-07C67B148366}.exe
Token: SeIncBasePriorityPrivilege	1200	{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe
Token: SeIncBasePriorityPrivilege	2016	{7FE96358-EA29-403d-AB42-BA29B797B647}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2264	1540	e3d5243019a4b1a8321608b878788895.exe	29
PID 1540 wrote to memory of 2264	1540	e3d5243019a4b1a8321608b878788895.exe	29
PID 1540 wrote to memory of 2264	1540	e3d5243019a4b1a8321608b878788895.exe	29
PID 1540 wrote to memory of 2264	1540	e3d5243019a4b1a8321608b878788895.exe	29
PID 1540 wrote to memory of 2724	1540	e3d5243019a4b1a8321608b878788895.exe	28
PID 1540 wrote to memory of 2724	1540	e3d5243019a4b1a8321608b878788895.exe	28
PID 1540 wrote to memory of 2724	1540	e3d5243019a4b1a8321608b878788895.exe	28
PID 1540 wrote to memory of 2724	1540	e3d5243019a4b1a8321608b878788895.exe	28
PID 2264 wrote to memory of 2760	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	30
PID 2264 wrote to memory of 2760	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	30
PID 2264 wrote to memory of 2760	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	30
PID 2264 wrote to memory of 2760	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	30
PID 2264 wrote to memory of 2360	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	31
PID 2264 wrote to memory of 2360	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	31
PID 2264 wrote to memory of 2360	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	31
PID 2264 wrote to memory of 2360	2264	{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe	31
PID 2760 wrote to memory of 2800	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	32
PID 2760 wrote to memory of 2800	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	32
PID 2760 wrote to memory of 2800	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	32
PID 2760 wrote to memory of 2800	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	32
PID 2760 wrote to memory of 2908	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	33
PID 2760 wrote to memory of 2908	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	33
PID 2760 wrote to memory of 2908	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	33
PID 2760 wrote to memory of 2908	2760	{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe	33
PID 2800 wrote to memory of 2040	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	36
PID 2800 wrote to memory of 2040	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	36
PID 2800 wrote to memory of 2040	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	36
PID 2800 wrote to memory of 2040	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	36
PID 2800 wrote to memory of 2956	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	37
PID 2800 wrote to memory of 2956	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	37
PID 2800 wrote to memory of 2956	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	37
PID 2800 wrote to memory of 2956	2800	{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe	37
PID 2040 wrote to memory of 3064	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	39
PID 2040 wrote to memory of 3064	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	39
PID 2040 wrote to memory of 3064	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	39
PID 2040 wrote to memory of 3064	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	39
PID 2040 wrote to memory of 2468	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	38
PID 2040 wrote to memory of 2468	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	38
PID 2040 wrote to memory of 2468	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	38
PID 2040 wrote to memory of 2468	2040	{7445CF37-54C8-4864-A351-38981FB396D4}.exe	38
PID 3064 wrote to memory of 2044	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	41
PID 3064 wrote to memory of 2044	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	41
PID 3064 wrote to memory of 2044	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	41
PID 3064 wrote to memory of 2044	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	41
PID 3064 wrote to memory of 552	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	40
PID 3064 wrote to memory of 552	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	40
PID 3064 wrote to memory of 552	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	40
PID 3064 wrote to memory of 552	3064	{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe	40
PID 2044 wrote to memory of 320	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	43
PID 2044 wrote to memory of 320	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	43
PID 2044 wrote to memory of 320	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	43
PID 2044 wrote to memory of 320	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	43
PID 2044 wrote to memory of 2852	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	42
PID 2044 wrote to memory of 2852	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	42
PID 2044 wrote to memory of 2852	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	42
PID 2044 wrote to memory of 2852	2044	{66329367-51B6-4576-8F54-39F1E8BE2650}.exe	42
PID 320 wrote to memory of 348	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	45
PID 320 wrote to memory of 348	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	45
PID 320 wrote to memory of 348	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	45
PID 320 wrote to memory of 348	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	45
PID 320 wrote to memory of 1696	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	44
PID 320 wrote to memory of 1696	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	44
PID 320 wrote to memory of 1696	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	44
PID 320 wrote to memory of 1696	320	{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe	44

C:\Users\Admin\AppData\Local\Temp\e3d5243019a4b1a8321608b878788895.exe
"C:\Users\Admin\AppData\Local\Temp\e3d5243019a4b1a8321608b878788895.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E3D524~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2724
- C:\Windows\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
  C:\Windows\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe
    C:\Windows\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
      C:\Windows\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{7445CF37-54C8-4864-A351-38981FB396D4}.exe
        
        C:\Windows\{7445CF37-54C8-4864-A351-38981FB396D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7445C~1.EXE > nul
        6⤵
        
        PID:2468
      - C:\Windows\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
        
        C:\Windows\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{021C7~1.EXE > nul
        7⤵
        
        PID:552
        
        C:\Windows\{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
        
        C:\Windows\{66329367-51B6-4576-8F54-39F1E8BE2650}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66329~1.EXE > nul
        8⤵
        
        PID:2852
        
        C:\Windows\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
        
        C:\Windows\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97CE3~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\{A6DC974C-109D-4750-A39B-07C67B148366}.exe
        
        C:\Windows\{A6DC974C-109D-4750-A39B-07C67B148366}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe
        
        C:\Windows\{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F91A2~1.EXE > nul
        11⤵
        
        PID:704
        
        C:\Windows\{7FE96358-EA29-403d-AB42-BA29B797B647}.exe
        
        C:\Windows\{7FE96358-EA29-403d-AB42-BA29B797B647}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FE96~1.EXE > nul
        12⤵
        
        PID:2004
        
        C:\Windows\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}.exe
        
        C:\Windows\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6DC9~1.EXE > nul
        10⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3C2B~1.EXE > nul
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7747~1.EXE > nul
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10D2A~1.EXE > nul
    3⤵
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021C70FD-9B9A-437d-BFD6-0C0750F16C3D}.exe

Filesize
344KB

MD5
928a7acb429d6e71b970d9d87707e1ae

SHA1
f0160cfa9743e63b699d8a156be19d01916a92f3

SHA256
346927a70f896db89f201a6ec26f281f1899ce3a12a7eba579e08091e2588b7b

SHA512
9c3e81f44707d2594afcd6823b562e638a4fb1683c6baafb199befa4f205b5ee422cd48793dbb75586d5800f13443660e43c5e162da29cf4c97561a0a5cec705

Download Submit
C:\Windows\{0752581D-E5F3-4136-8D45-5CB6CD8686BF}.exe

Filesize
344KB

MD5
ed659902c9bcb144f188c6e7360ac55f

SHA1
bbbfae281b963296ebd70d704a859f97969aeac6

SHA256
6340b4cf2e734d52d4b4eba426dc25ac1173cb45af8ee49a7fd302613a2d143f

SHA512
d1ca6e4bf4b7631221e52c42053c6b966d1e870212eee531d234a4a1392fb5d77a338da1114c9ea7afb4cde0ccf469dbce342e7e86ccc269a48fa8d9e2aeb3f9

Download Submit
C:\Windows\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe

Filesize
344KB

MD5
f5e3efc562296d6ad17b9592a0ceeddf

SHA1
de3ca4afa6d0762f2d7f33ec6e4aba57051c49dd

SHA256
64b87735a5521397b26c170d3fa3cf00ab40bae3275fa4bbad4c24387e72b2f7

SHA512
0b55e1ad8163d5c8f4046981580924de2271de7438f5f37c1b29f4f6dd14619ed9a025369df4178f311d5ae7c113e4390c47f3fd1e0af9f91578e0ce1ebafbcc

Download Submit
C:\Windows\{10D2ABBB-A008-4c9b-8B9B-0172234730F0}.exe

Filesize
192KB

MD5
b7c5a4c0050247bc21443a4bbcf558fa

SHA1
3a072dd32ebfa4ee2d4e234524d6300d87233535

SHA256
75392ca0d14963eec855526ab322e566c136e9622a261ca14f27363b0f6afa9c

SHA512
f905e64d28c8c48ee2bf73e71d67e614cda4a86efcef78bfefc94609b5d71897fa494413aefddb94d453350b6ddc996e675a3b9fd369cbffb5a9ef2238cbb70b

Download Submit
C:\Windows\{66329367-51B6-4576-8F54-39F1E8BE2650}.exe

Filesize
344KB

MD5
3e0a95eb7c35f5821487761e90e8ffde

SHA1
dfc93e86435fef9892f5bf2ab7217f880ede7b18

SHA256
c3ecf972a4bcb24a94f16395ae84842ea05cbd590d8ccfea2400797ee8032511

SHA512
0feacdae262a8581a2edd82e3d046cff10e4892da9a4bef7136bca5bba523c1756a52efc25df88f0ce357a0582890e31f2c80212c02562af0ed60d6d5be85e41

Download Submit
C:\Windows\{7445CF37-54C8-4864-A351-38981FB396D4}.exe

Filesize
344KB

MD5
67e4336434c9e890d70963f6c061ae16

SHA1
73ecb51d9f1ffeb6fb7079b330a6c4d921c5c55d

SHA256
91685b0389eb4838092134a96b0b0c6159a0689d085accef55a985aba863e94b

SHA512
fa0052c4dd546a7058ae9dc90baaf7ca6d7f0f3261e9bfd0526d2d8d00d3b059110ecada06dba343d5245aa79e2e9311934d50184b361733638ee0a67c21f4b0

Download Submit
C:\Windows\{7FE96358-EA29-403d-AB42-BA29B797B647}.exe

Filesize
344KB

MD5
1cf39c20c327ccccdc08c34f845885c9

SHA1
c81bfe2573feccfd31fbbff45ebf17058453a412

SHA256
8aea6bdf2c3a7af433df2b0dece806b40e35e903b9f150558d3ba15383b90b68

SHA512
83c9fa86f1b37efdb0ebbb7424c5cbd36e612eb75dc05796c819c08f34b2a9955c081744b1975c13b4bf67979904876dd4a91e3d64d5600225d1c2d3ae9a374e

Download Submit
C:\Windows\{97CE34F1-CDAB-4a8f-ADFD-0365C915E1D5}.exe

Filesize
344KB

MD5
cc8ccaad4e4f323d1a0beef6c5ec02e8

SHA1
dba4125d961ae968795e2130c753024ef1c1ada0

SHA256
a2c22447516520c41034fb68e62e990afdf0c57f2b1609dada3f12457fc8fac1

SHA512
bc8305559852ac3b3f42fc2be1ec41f024a05b567fe805bf045846a13c42d8ae4202aa4fe01850388fee6f826edb76776ad0577e11099f94e5dd7d28fe5849a6

Download Submit
C:\Windows\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe

Filesize
344KB

MD5
ca204fc8ae6aa57c3bf576f3d140f3e7

SHA1
e3a5f92420fcf82494c713d57a08d59c2de97f7e

SHA256
77a2cc16105eeea91adb6d5cd293bea9e9e12df38e558bd83295468caeb4fe62

SHA512
87a84770bdc414b9fe3bf8d220422794274caebfbf68c3f1e55051ad8d6715f5c9c26f53af8cbeafd4d33f1299861e3d1e973325fbbf375424eec0132192e7d5

Download Submit
C:\Windows\{A3C2BEF1-AD65-4c45-95F7-80A6198450DB}.exe

Filesize
48KB

MD5
5e4ad89870f10b4cc31d74d6a9e6ddad

SHA1
2b2b44ce3048a4e84abee99d049f0851543c6190

SHA256
0f6f9b1d7a2aeade7c722f789554e6fbacbdd25f55a5d7644ed1fc5dbbbaffeb

SHA512
3a10b331b923ca9d1b8e93c2138cd5abe903c0e79ae9dd2227f9378517b6e995075326ff366dab59b276b723ed5702af1da924e2bcd70f6133fb486fbc179c63

Download Submit
C:\Windows\{A6DC974C-109D-4750-A39B-07C67B148366}.exe

Filesize
344KB

MD5
b5a75fe1de3594a4f8df0a0696337c72

SHA1
dfc973fc751bd0ccf5a30b653524b74d0a92ae34

SHA256
27f7696952f6b6a6deba59a893fcbf1f995e734647d332bbdf52e4e95b1c05c9

SHA512
3fbaa78e4ef312c42f0711badc92ecef97c1e917e7be5449034b4b16b7823915afe1c32cd56f28df128acf5e4e19a31beecb7438ddee94120742e2b79357e982

Download Submit
C:\Windows\{F7747AEE-CE9B-4d23-84F5-0509D7C29B52}.exe

Filesize
344KB

MD5
fc9312b4efdafc11d7a04d3c78d49874

SHA1
b276ee42000141a81a52d1da16aadd07d1ee09d9

SHA256
522a788346d17e68c0dd0854ad972a04772e72ff95a08b016f3b954125bb9636

SHA512
dba032a4e480c2fb167f33c651bf7f46a269372a4e2d17d774a8fc6843bac4a7397832db4f65d719d0459ef8ca9a8fbc8c6a4d30bb9336cfb6a04f9515ea796f

Download Submit
C:\Windows\{F91A2830-8320-4a5d-9C17-DC2B8E410859}.exe

Filesize
344KB

MD5
4cde4ae971f5abac4db61739fc492a8a

SHA1
35ce30a718654d1346ade066fb1dd212b798a297

SHA256
c5f2993761fc909ee59848c50f86d8959df4218c3c8b2ff1614ba41681786647

SHA512
3d654dd94468db4e76f484927c448843e89e4d42edd7547972d9f8ca18606563e4dcd24d8a763cf9527f779c767db2f9e8499a4b9c2f450a33447d95df869aba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads