f819c18f71e34db56e6a09f7728aab12b13b415911b808a6b678d59b24ac9c9c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

935ba720513a9fb67f581ff6751ad04f.exe
Size

168KB
MD5

935ba720513a9fb67f581ff6751ad04f
SHA1

60709df6385ae632c8783f61defb49b267d9cba3
SHA256

f819c18f71e34db56e6a09f7728aab12b13b415911b808a6b678d59b24ac9c9c
SHA512

2ea06fb7966f429f26b15c301c2d7b0b7086974baa99db1facaf89a147de419dbfcbfc7c27d64e793021f7c749cf56e850529f70f83f2f143f6206d563f41deb
SSDEEP

1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}\stubpath = "C:\\Windows\\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe"	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F91919-D333-41af-A048-DF13C90E7DA2}	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}	{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}\stubpath = "C:\\Windows\\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe"	{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FA11C78-7FD6-4588-B14A-0B9464053380}	{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}\stubpath = "C:\\Windows\\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}.exe"	{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}\stubpath = "C:\\Windows\\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe"	935ba720513a9fb67f581ff6751ad04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}\stubpath = "C:\\Windows\\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe"	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}	{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}	935ba720513a9fb67f581ff6751ad04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}\stubpath = "C:\\Windows\\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe"	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}\stubpath = "C:\\Windows\\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe"	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}\stubpath = "C:\\Windows\\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe"	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F91919-D333-41af-A048-DF13C90E7DA2}\stubpath = "C:\\Windows\\{79F91919-D333-41af-A048-DF13C90E7DA2}.exe"	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FA11C78-7FD6-4588-B14A-0B9464053380}\stubpath = "C:\\Windows\\{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe"	{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}\stubpath = "C:\\Windows\\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe"	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe
1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
2668	{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
1256	{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
2688	{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe
2096	{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe
File created	C:\Windows\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
File created	C:\Windows\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
File created	C:\Windows\{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
File created	C:\Windows\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe	{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
File created	C:\Windows\{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe	{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
File created	C:\Windows\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	935ba720513a9fb67f581ff6751ad04f.exe
File created	C:\Windows\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
File created	C:\Windows\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
File created	C:\Windows\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
File created	C:\Windows\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}.exe	{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3000	935ba720513a9fb67f581ff6751ad04f.exe
Token: SeIncBasePriorityPrivilege	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
Token: SeIncBasePriorityPrivilege	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe
Token: SeIncBasePriorityPrivilege	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
Token: SeIncBasePriorityPrivilege	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
Token: SeIncBasePriorityPrivilege	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
Token: SeIncBasePriorityPrivilege	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
Token: SeIncBasePriorityPrivilege	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
Token: SeIncBasePriorityPrivilege	2668	{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
Token: SeIncBasePriorityPrivilege	1256	{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
Token: SeIncBasePriorityPrivilege	2688	{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1544	3000	935ba720513a9fb67f581ff6751ad04f.exe	28
PID 3000 wrote to memory of 1544	3000	935ba720513a9fb67f581ff6751ad04f.exe	28
PID 3000 wrote to memory of 1544	3000	935ba720513a9fb67f581ff6751ad04f.exe	28
PID 3000 wrote to memory of 1544	3000	935ba720513a9fb67f581ff6751ad04f.exe	28
PID 3000 wrote to memory of 2036	3000	935ba720513a9fb67f581ff6751ad04f.exe	29
PID 3000 wrote to memory of 2036	3000	935ba720513a9fb67f581ff6751ad04f.exe	29
PID 3000 wrote to memory of 2036	3000	935ba720513a9fb67f581ff6751ad04f.exe	29
PID 3000 wrote to memory of 2036	3000	935ba720513a9fb67f581ff6751ad04f.exe	29
PID 1544 wrote to memory of 2640	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	30
PID 1544 wrote to memory of 2640	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	30
PID 1544 wrote to memory of 2640	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	30
PID 1544 wrote to memory of 2640	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	30
PID 1544 wrote to memory of 2852	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	31
PID 1544 wrote to memory of 2852	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	31
PID 1544 wrote to memory of 2852	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	31
PID 1544 wrote to memory of 2852	1544	{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe	31
PID 2640 wrote to memory of 1800	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	32
PID 2640 wrote to memory of 1800	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	32
PID 2640 wrote to memory of 1800	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	32
PID 2640 wrote to memory of 1800	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	32
PID 2640 wrote to memory of 2452	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	33
PID 2640 wrote to memory of 2452	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	33
PID 2640 wrote to memory of 2452	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	33
PID 2640 wrote to memory of 2452	2640	{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe	33
PID 1800 wrote to memory of 2468	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	36
PID 1800 wrote to memory of 2468	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	36
PID 1800 wrote to memory of 2468	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	36
PID 1800 wrote to memory of 2468	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	36
PID 1800 wrote to memory of 2992	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	37
PID 1800 wrote to memory of 2992	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	37
PID 1800 wrote to memory of 2992	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	37
PID 1800 wrote to memory of 2992	1800	{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe	37
PID 2468 wrote to memory of 2512	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	38
PID 2468 wrote to memory of 2512	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	38
PID 2468 wrote to memory of 2512	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	38
PID 2468 wrote to memory of 2512	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	38
PID 2468 wrote to memory of 2812	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	39
PID 2468 wrote to memory of 2812	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	39
PID 2468 wrote to memory of 2812	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	39
PID 2468 wrote to memory of 2812	2468	{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe	39
PID 2512 wrote to memory of 2616	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	40
PID 2512 wrote to memory of 2616	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	40
PID 2512 wrote to memory of 2616	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	40
PID 2512 wrote to memory of 2616	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	40
PID 2512 wrote to memory of 1812	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	41
PID 2512 wrote to memory of 1812	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	41
PID 2512 wrote to memory of 1812	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	41
PID 2512 wrote to memory of 1812	2512	{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe	41
PID 2616 wrote to memory of 1704	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	42
PID 2616 wrote to memory of 1704	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	42
PID 2616 wrote to memory of 1704	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	42
PID 2616 wrote to memory of 1704	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	42
PID 2616 wrote to memory of 1472	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	43
PID 2616 wrote to memory of 1472	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	43
PID 2616 wrote to memory of 1472	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	43
PID 2616 wrote to memory of 1472	2616	{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe	43
PID 1704 wrote to memory of 2668	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	44
PID 1704 wrote to memory of 2668	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	44
PID 1704 wrote to memory of 2668	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	44
PID 1704 wrote to memory of 2668	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	44
PID 1704 wrote to memory of 288	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	45
PID 1704 wrote to memory of 288	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	45
PID 1704 wrote to memory of 288	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	45
PID 1704 wrote to memory of 288	1704	{79F91919-D333-41af-A048-DF13C90E7DA2}.exe	45

C:\Users\Admin\AppData\Local\Temp\935ba720513a9fb67f581ff6751ad04f.exe
"C:\Users\Admin\AppData\Local\Temp\935ba720513a9fb67f581ff6751ad04f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
  C:\Windows\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe
    C:\Windows\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
      C:\Windows\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
        
        C:\Windows\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
        
        C:\Windows\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
        
        C:\Windows\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
        
        C:\Windows\{79F91919-D333-41af-A048-DF13C90E7DA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
        
        C:\Windows\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
        
        C:\Windows\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe
        
        C:\Windows\{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}.exe
        
        C:\Windows\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}.exe
        12⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FA11~1.EXE > nul
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BECF~1.EXE > nul
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8151A~1.EXE > nul
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F91~1.EXE > nul
        9⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BE1D~1.EXE > nul
        8⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BD71~1.EXE > nul
        7⤵
        
        PID:1812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D75DA~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AA73~1.EXE > nul
        5⤵
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3F96~1.EXE > nul
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4000~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\935BA7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BD71D5E-BCEB-4b3a-BA82-F554D97368D9}.exe

Filesize
168KB

MD5
8e61318fb0085d125daea4dc6b5bce48

SHA1
a07900d11bc4c0b0722b83033f4c3500835fefa5

SHA256
c37f638968364be5c54a9a1db43aef1e117273fa03160cfa295ddbb12bb7364d

SHA512
1c15dacbd9eca0ce0125be35de16386f108c141152c2446dedc37eb1f81af0cb56e8d5aec59a2abee68b441ab3d7ed6866df68c74f66da7d65ef50ff0d8b8ff9

Download Submit
C:\Windows\{2BECF3EB-B6AC-44cd-AE90-A1BF1A1B44B8}.exe

Filesize
168KB

MD5
c66b4c54461acb2566910432cb44a401

SHA1
6247ff53afda17c64f1e5a1637d06a76c4fe6032

SHA256
ebae1f93a89996a7f61f3271200d8509f52fb9ba66dac1a85a9e3f79c0c4a288

SHA512
4155c8c7b90d0b16fa065b0b723ee5bdd82c7b3218926161f964b67a06140a07a156cc0436fc36797fe9a707b1b3f3e19da4b451e9d0bfc653795b1945bad97c

Download Submit
C:\Windows\{3AA73762-50F2-4ff2-9C86-B8A7A866562D}.exe

Filesize
168KB

MD5
639c6113d43b6694a04b1f08b78bfd78

SHA1
608a4eaf69f43802d011470a985767af505b35c7

SHA256
171e06b133e3784501d22d1692d097c0b44c6e53f34cdc01de1eb2adadb05292

SHA512
7da74767240930e599038cf21c4d1f5dd472ecfbcf22c3f9e15d023981bb8081cf0dec110410b6b378de41b15b495c10d7523e375f88c8a05e76404d0242f4c1

Download Submit
C:\Windows\{4FA11C78-7FD6-4588-B14A-0B9464053380}.exe

Filesize
168KB

MD5
7ae33270e9107c674d6711b811264d21

SHA1
9672c7bba8c334f5a3c0d4e23009fbfad9587a81

SHA256
b4a03210cd83cb0f9b7d1f649f55f2f22fae31e869bde14272de7196f4c4fd45

SHA512
50936fcd471c3cd07ed25b15494b108eed35018fe157444a84daa7e9e06e499d1d77d11a7ebac9d195cd965043942713c51784bf0cec85ff5fa69f0172509e3a

Download Submit
C:\Windows\{5BE1DC59-B177-43a5-A4B5-A4FB928C084A}.exe

Filesize
168KB

MD5
d8d938041e09a375da4cb5a447f37b4f

SHA1
2be4a34b88a6858f7b2bc94533a76ee7141ebf87

SHA256
f86098bd529150165b4b2b94eff57e58ff7accfcd67ab35d705ee8ffc05cfd29

SHA512
cabdcf2957e1353ee86e08c04bfbc7ea383e752dcb395e8623cd13ab7aea0e12d04057744d9e4df43382be8a1ec06dcccfc89593e5629efa4a9a51e15383dda1

Download Submit
C:\Windows\{79F91919-D333-41af-A048-DF13C90E7DA2}.exe

Filesize
168KB

MD5
ebc874e1daafe39117ec9a035bc2be03

SHA1
882f8b77a37dc7afae55d3a0800384b041083702

SHA256
05979d2ba87a9910a5f7afa1fad37207dc15455aad3ec7f6e39c2d4232fabb67

SHA512
5dd93bb2d977f8f6fa8e7790a77472f77022b76291da4dd99e777b46cf0fcf9c157150b758ac266f17e0131e7ef287e830e024e33d964b356c0c9c6e8e81cbdb

Download Submit
C:\Windows\{8151A31C-DA62-419b-8DC9-BF28E10AACC6}.exe

Filesize
168KB

MD5
e6285069b00423cd42a05ff0f44062ad

SHA1
8a53f9f85b815672b62124221ccc6d197a0ccbc5

SHA256
ec66674e0213da4845a52d74e76cadc7e08eafb584527689b9c0788a3a2f8365

SHA512
c215ef8ad5e123fc67799314e250b893c913da227ba61587252c8841330b41bcbd1c9f45b0db72454d61cbf37f39d3c4f95afd443ffb989705a35aaeb6b54483

Download Submit
C:\Windows\{B2F0A8B4-CF66-439a-A4AE-F5751E31AEE3}.exe

Filesize
168KB

MD5
4a50eedde7474f6471d5c79e67628129

SHA1
c62c5da4b1df3f41751fca92e578db4d360695ee

SHA256
61f13ceeb4febde1239746f8b04058e5f2db1d7cf95f3c6bfc668a3fad119231

SHA512
b8723ecc267f6a89aaa560377cca8e32370a66e8b55ffe03e71a540faff62fac03d204b3cf50107c8d780e377aa9eaa16eaf43505b4adb4578a7d4d4541fd8bd

Download Submit
C:\Windows\{B3F96A15-1117-4b45-A5D0-D85CE313FDDC}.exe

Filesize
168KB

MD5
e1665859e4e1293e62e844dd92dfeb9b

SHA1
bd7cff924544dad5354fd0f82300da98707dcb66

SHA256
5d78ff9a48f107c19a87e5f7cd36ffdb2ce5d712f79a7f8277794ee24c91f65b

SHA512
cec686756de46937d65e038f9eb4e66cba670a79e1f395c53eaefaee71e0582a2ae19e771e389c5a0f51ff3baafeabfececa34278dd8a811e1c276b23947196b

Download Submit
C:\Windows\{D400050E-6D6D-4c9d-86EB-61C9E8FB8BCC}.exe

Filesize
168KB

MD5
6d2d798be54a0bdbc13d12d48262e674

SHA1
8ca0b8160bc51a7b449c34422149b424602261b2

SHA256
a58a15cca7b3aab2f538c5d9cd3867dfd14d4a3880e4c773b07eb33fd45dd238

SHA512
f6694780add2e2419fac3a8bb8dacbd641ae575a7cb0b5eac9ea4d2a0ed08d101458acc1cc76ed078427b839ffebc5878009ebbe55295263d925dc7c0ae4380d

Download Submit
C:\Windows\{D75DA165-27A6-422a-9DD6-E1422E74BDB6}.exe

Filesize
168KB

MD5
091ca7a79e41685ed89a4cb0e1bbdc65

SHA1
fba7491aa9b1283054b103cbaa32ad4267b6706f

SHA256
5b8a3e1b0c686807c2cb6f75644f3cad1c7fb8d9804bd8be8521db2dfefc9274

SHA512
a6804ef7de3427ecd4a6ce05bdc77767065cb252aa382b39dac08439b3e551e5800a75dc48d2c25a4408920c81116a7abf7cc7afca0e62363f35a677a594d8f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads