a0ce0e2e462397dd4fb9ec8ed3514888de87ac7307de040a4376f6d6c6a14fcf

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f51868b4244dd15e4c3f848d856c24d.exe
Size

197KB
MD5

3f51868b4244dd15e4c3f848d856c24d
SHA1

6b4941a85468926a2803b2fcb91ccf6b32c72389
SHA256

a0ce0e2e462397dd4fb9ec8ed3514888de87ac7307de040a4376f6d6c6a14fcf
SHA512

0ba5725f21b5be724ac52767eaf356f3b3d8fc5bf4cb04b14273a8a824c35d8fe6d5942dfd9864715fef74a043bc98c6046c5c363b34fd605c8d309351bb5c65
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A846F48E-E084-4ecc-9915-B9B0AA820394}	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A846F48E-E084-4ecc-9915-B9B0AA820394}\stubpath = "C:\\Windows\\{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe"	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75ABF391-A697-40d6-AFC8-7E234803F3F0}\stubpath = "C:\\Windows\\{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe"	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50BF03D2-BEFB-441f-B653-C46736696D91}	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}\stubpath = "C:\\Windows\\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe"	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701FED61-EE73-49ae-8D40-1599D32722C6}\stubpath = "C:\\Windows\\{701FED61-EE73-49ae-8D40-1599D32722C6}.exe"	{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{695E5428-EA91-4f7f-950E-A4F72214E7EB}\stubpath = "C:\\Windows\\{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe"	3f51868b4244dd15e4c3f848d856c24d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50BF03D2-BEFB-441f-B653-C46736696D91}\stubpath = "C:\\Windows\\{50BF03D2-BEFB-441f-B653-C46736696D91}.exe"	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B70F278-2325-4e3e-8BFC-F0176751E019}\stubpath = "C:\\Windows\\{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe"	{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}\stubpath = "C:\\Windows\\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}.exe"	{701FED61-EE73-49ae-8D40-1599D32722C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{695E5428-EA91-4f7f-950E-A4F72214E7EB}	3f51868b4244dd15e4c3f848d856c24d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701FED61-EE73-49ae-8D40-1599D32722C6}	{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75ABF391-A697-40d6-AFC8-7E234803F3F0}	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}\stubpath = "C:\\Windows\\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe"	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}\stubpath = "C:\\Windows\\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe"	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B70F278-2325-4e3e-8BFC-F0176751E019}	{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}	{701FED61-EE73-49ae-8D40-1599D32722C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}\stubpath = "C:\\Windows\\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe"	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe
2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
572	{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
2364	{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
1852	{701FED61-EE73-49ae-8D40-1599D32722C6}.exe
1400	{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
File created	C:\Windows\{701FED61-EE73-49ae-8D40-1599D32722C6}.exe	{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
File created	C:\Windows\{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
File created	C:\Windows\{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
File created	C:\Windows\{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
File created	C:\Windows\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
File created	C:\Windows\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
File created	C:\Windows\{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe	{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
File created	C:\Windows\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}.exe	{701FED61-EE73-49ae-8D40-1599D32722C6}.exe
File created	C:\Windows\{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	3f51868b4244dd15e4c3f848d856c24d.exe
File created	C:\Windows\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	3f51868b4244dd15e4c3f848d856c24d.exe
Token: SeIncBasePriorityPrivilege	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe
Token: SeIncBasePriorityPrivilege	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
Token: SeIncBasePriorityPrivilege	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
Token: SeIncBasePriorityPrivilege	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
Token: SeIncBasePriorityPrivilege	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
Token: SeIncBasePriorityPrivilege	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
Token: SeIncBasePriorityPrivilege	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
Token: SeIncBasePriorityPrivilege	572	{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
Token: SeIncBasePriorityPrivilege	2364	{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
Token: SeIncBasePriorityPrivilege	1852	{701FED61-EE73-49ae-8D40-1599D32722C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2644	2756	3f51868b4244dd15e4c3f848d856c24d.exe	28
PID 2756 wrote to memory of 2644	2756	3f51868b4244dd15e4c3f848d856c24d.exe	28
PID 2756 wrote to memory of 2644	2756	3f51868b4244dd15e4c3f848d856c24d.exe	28
PID 2756 wrote to memory of 2644	2756	3f51868b4244dd15e4c3f848d856c24d.exe	28
PID 2756 wrote to memory of 2716	2756	3f51868b4244dd15e4c3f848d856c24d.exe	29
PID 2756 wrote to memory of 2716	2756	3f51868b4244dd15e4c3f848d856c24d.exe	29
PID 2756 wrote to memory of 2716	2756	3f51868b4244dd15e4c3f848d856c24d.exe	29
PID 2756 wrote to memory of 2716	2756	3f51868b4244dd15e4c3f848d856c24d.exe	29
PID 2644 wrote to memory of 2520	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	30
PID 2644 wrote to memory of 2520	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	30
PID 2644 wrote to memory of 2520	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	30
PID 2644 wrote to memory of 2520	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	30
PID 2644 wrote to memory of 2676	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	31
PID 2644 wrote to memory of 2676	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	31
PID 2644 wrote to memory of 2676	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	31
PID 2644 wrote to memory of 2676	2644	{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe	31
PID 2520 wrote to memory of 2560	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	32
PID 2520 wrote to memory of 2560	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	32
PID 2520 wrote to memory of 2560	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	32
PID 2520 wrote to memory of 2560	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	32
PID 2520 wrote to memory of 2516	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	33
PID 2520 wrote to memory of 2516	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	33
PID 2520 wrote to memory of 2516	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	33
PID 2520 wrote to memory of 2516	2520	{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe	33
PID 2560 wrote to memory of 2832	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	37
PID 2560 wrote to memory of 2832	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	37
PID 2560 wrote to memory of 2832	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	37
PID 2560 wrote to memory of 2832	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	37
PID 2560 wrote to memory of 2700	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	36
PID 2560 wrote to memory of 2700	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	36
PID 2560 wrote to memory of 2700	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	36
PID 2560 wrote to memory of 2700	2560	{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe	36
PID 2832 wrote to memory of 2908	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	38
PID 2832 wrote to memory of 2908	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	38
PID 2832 wrote to memory of 2908	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	38
PID 2832 wrote to memory of 2908	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	38
PID 2832 wrote to memory of 1356	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	39
PID 2832 wrote to memory of 1356	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	39
PID 2832 wrote to memory of 1356	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	39
PID 2832 wrote to memory of 1356	2832	{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe	39
PID 2908 wrote to memory of 320	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	40
PID 2908 wrote to memory of 320	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	40
PID 2908 wrote to memory of 320	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	40
PID 2908 wrote to memory of 320	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	40
PID 2908 wrote to memory of 1560	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	41
PID 2908 wrote to memory of 1560	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	41
PID 2908 wrote to memory of 1560	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	41
PID 2908 wrote to memory of 1560	2908	{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe	41
PID 320 wrote to memory of 268	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	43
PID 320 wrote to memory of 268	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	43
PID 320 wrote to memory of 268	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	43
PID 320 wrote to memory of 268	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	43
PID 320 wrote to memory of 296	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	42
PID 320 wrote to memory of 296	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	42
PID 320 wrote to memory of 296	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	42
PID 320 wrote to memory of 296	320	{50BF03D2-BEFB-441f-B653-C46736696D91}.exe	42
PID 268 wrote to memory of 572	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	44
PID 268 wrote to memory of 572	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	44
PID 268 wrote to memory of 572	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	44
PID 268 wrote to memory of 572	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	44
PID 268 wrote to memory of 940	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	45
PID 268 wrote to memory of 940	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	45
PID 268 wrote to memory of 940	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	45
PID 268 wrote to memory of 940	268	{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe	45

C:\Users\Admin\AppData\Local\Temp\3f51868b4244dd15e4c3f848d856c24d.exe
"C:\Users\Admin\AppData\Local\Temp\3f51868b4244dd15e4c3f848d856c24d.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe
  C:\Windows\{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
    C:\Windows\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
      C:\Windows\{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A846F~1.EXE > nul
        5⤵
        
        PID:2700
    - - C:\Windows\{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
        
        C:\Windows\{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
        
        C:\Windows\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
        
        C:\Windows\{50BF03D2-BEFB-441f-B653-C46736696D91}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50BF0~1.EXE > nul
        8⤵
        
        PID:296
        
        C:\Windows\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
        
        C:\Windows\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
        
        C:\Windows\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
        
        C:\Windows\{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{701FED61-EE73-49ae-8D40-1599D32722C6}.exe
        
        C:\Windows\{701FED61-EE73-49ae-8D40-1599D32722C6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}.exe
        
        C:\Windows\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{701FE~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B70F~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9033D~1.EXE > nul
        10⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46D46~1.EXE > nul
        9⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60162~1.EXE > nul
        7⤵
        
        PID:1560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75ABF~1.EXE > nul
        6⤵
        
        PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA85C~1.EXE > nul
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{695E5~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3F5186~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{46D46048-AB3F-45e5-ACD0-76C6D2DE871E}.exe

Filesize
197KB

MD5
9d86f44a1d32894394d1fade04973507

SHA1
d4e7432fd134db58e9c799ac9bdcad4fc2998751

SHA256
594624745cee96a5e88e906245e053514fb6491a4722a8faa24d0addc924137e

SHA512
d7c1eae5ed221857941415b824449226247aa374ead435380561c452eeecc59697e83a5b959c842eb0cc99bb8cb4c8097a95b5c698e2554fbccca667d219936e

Download Submit
C:\Windows\{4F177158-73EB-4a9c-B5C3-9CDE195D94D2}.exe

Filesize
197KB

MD5
4fb87bd924495a53b05b84a12d6e7cba

SHA1
88f1cd97ad4efb2ac24b283f9db9e137fd01c3d4

SHA256
e31176aa7a04873d7cc0c60b9463feb3b9192d99f46eb20db3d1b52cb6beb5f3

SHA512
0e706f0692776df442a90a9ed9f8217413d34e2581b3f94cdaa55cc99256468041264b6419c4829ff4a4541b1f142e23cad04db74c411a2c9813d1d8253777c9

Download Submit
C:\Windows\{50BF03D2-BEFB-441f-B653-C46736696D91}.exe

Filesize
197KB

MD5
f6c3fb7cbc22481314232d1a5d048c36

SHA1
ab1dc39b31275644e3ff73474938618d4032c5b0

SHA256
c899560da3d05edeab3a39f7fa0f17f045986d4e66704fab026bc33b0ae2ab2e

SHA512
f8ca68a6a0dedb1df58875f1fe1f459b860bc6082bfc49eced4f6ea77e76446573ece3c326d88390c401854a1c25fc396638a0783facccbe43e9f9aaaf9fb9c4

Download Submit
C:\Windows\{60162B0C-493B-468f-AAA8-EB04FD5C8B55}.exe

Filesize
197KB

MD5
65490570e4a1a978189ac4bc10eb0de4

SHA1
f9e387df8f05b8a4202f3dd7b4fdb923b5b2c033

SHA256
f7b0a91ac66a738efb520757380933ae955e1704468258b30dbc7135a4280a4a

SHA512
9341ee51291be994fdd9e1b202701021c2a452a0f6cce3dbcb2512b54fe9527e5d6a16dfd8fed98fdb51535dffc75410056f81fcdff5436096ce0c6e569ab910

Download Submit
C:\Windows\{695E5428-EA91-4f7f-950E-A4F72214E7EB}.exe

Filesize
197KB

MD5
3919660bc8d93bffb57b808ef6ea268e

SHA1
ef2c84c3a756efc902ee8720fc677e5be6902dfd

SHA256
0a12972edd9d17b6eb169e7eaedb653932630c1ce6e7eaff2514cd7446855772

SHA512
8294c492afa5e747f432d361be8954a8f228d67d99206858bc099bb108f9582a4c76fa3097b195be7eaf0f0bf990d4b503e60008b4d3106af9e8e5eed3f3599c

Download Submit
C:\Windows\{701FED61-EE73-49ae-8D40-1599D32722C6}.exe

Filesize
197KB

MD5
c2e2552ca622b2b3c6974bad14c5d9a3

SHA1
306eb5f705ebcfc180329becef39577924d870f7

SHA256
9f4d0111784f5aa8590d785b79d77c7c9df0c276d47def297cf6002c250cd0ad

SHA512
afae703b173e991f154db173dd44ce4ffc043682ee2af277c4e6fa2795da914c52de8cbca94804d87fd451b48f21388f10bf82a6876eb1b66128a1b035ca2b26

Download Submit
C:\Windows\{75ABF391-A697-40d6-AFC8-7E234803F3F0}.exe

Filesize
197KB

MD5
7de02482bf50420dd205774dad1b8943

SHA1
7d0af115552089b336c4154f20f3747608a0c5dd

SHA256
578f70fc53c2de54a1a29cbb7afe521f5d656289a2d48933acdff63643486fa8

SHA512
01fd526eaf99c8d0fa600168d24f4ac429040afd81fb5ec951a1bc7232e4ca086b78497eab48dafc31502e3fd3afe338cd7bd6ef75a917c7a0e9ab0c342fd3cb

Download Submit
C:\Windows\{9033D5CB-98BD-4b78-AA2A-5BF568F34AEC}.exe

Filesize
197KB

MD5
b3ea0fe3cb88c6b7dea86a15c50f6775

SHA1
83cb9a680a5e4edd444f1153004db8a1d34c1cac

SHA256
9e9b3a33c6692f063f801e0cf9bdee8bc13d053bd399dfefd46d8c734e22841d

SHA512
c25b39a79d7ba5a60ffc161ba7b517683de0689d116aad6e2442e3008f58b27e7468e9c6b897b1c906a8ddd46b27ade095fdca0ce2acfe62512e66319ebe539a

Download Submit
C:\Windows\{9B70F278-2325-4e3e-8BFC-F0176751E019}.exe

Filesize
197KB

MD5
9fb7731d47302cf84352bc9f2127a16f

SHA1
d81838dc4d498694431e8d7bb50ed19fed5a0c30

SHA256
d96885e0ff22690be60f2027426b1a275127a18963c9738c63fd3a04186629c7

SHA512
abcd45e9c211bd53c5569d29349307bff2e89b89fb7bdca161ae1264f7d3287f1640d7e7cadf1befc0d31d5522519a93d58b74a785a09d19504b1caa438e050e

Download Submit
C:\Windows\{A846F48E-E084-4ecc-9915-B9B0AA820394}.exe

Filesize
197KB

MD5
7ff2ecf83351389a4a9e0dbcde33593a

SHA1
fda42ac8a092790b62b0de64811a7c6b3f57d51d

SHA256
472a0301e1cd3340c287688eba089545094962f3be96fee0bbfaa13737a934a6

SHA512
9a0d66c1a47889b73c1ef42df25ceb10d1436a3c461c1138353a8400a8686771a34c0e5ae87de72fbf5c5d7737ec1fb17cb55ec32e14f6d03100498ed96ff325

Download Submit
C:\Windows\{CA85C0C1-AEB3-4649-85F9-FFBEB95919C5}.exe

Filesize
197KB

MD5
2808916c37401c150c0c8254d0b6e4cd

SHA1
6fd37970484f41955d3b4cf1f38f2b884928ee67

SHA256
b5e7b9033d0b5d31792d16ebddbb3c252f4bd4962710d70376d43035c064f5ad

SHA512
31bba088bbd5108dce20a3c0eee8c26af8c9c9cb878604471d75a0ec7eb6a946d45df315acd8d6bf7b1c3b834d29b0954a3b4be26233ae1653cd76e8b59a7017

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads