afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
Size

213KB
MD5

cbe810f442b53955e5f5e03394166677
SHA1

604b9a3cbdb81ae63079a7474297c0654107d7e0
SHA256

afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c
SHA512

7bdf9988ab91f0a31a0ce5a9744520f36d08db17bf4af252a14f2a06a7a7a28caa34daf52f2cde0bb19035960f76be060f963801675e125df5187a354a6ca370
SSDEEP

1536:YEGh0oIl2unMxVS3HgdoKjhLJhzrryLPAneS3DquFSS4efk6kF/y+Ic7e/FtPt+A:YEGh0oIlvMUyNjhLJhXrhnJ3D4IF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D1C7A6-40B9-491d-B329-AD21C16A9136}\stubpath = "C:\\Windows\\{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe"	{665A8354-1025-4b7e-B112-85D236A7C452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F38601C7-01DA-4caf-841B-7D83154871FE}	{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E29B0A21-5A59-42ab-9893-68888C3559F0}	{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{665A8354-1025-4b7e-B112-85D236A7C452}\stubpath = "C:\\Windows\\{665A8354-1025-4b7e-B112-85D236A7C452}.exe"	{0CCF6237-5422-46d7-8920-575D47D28863}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D1C7A6-40B9-491d-B329-AD21C16A9136}	{665A8354-1025-4b7e-B112-85D236A7C452}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E29B0A21-5A59-42ab-9893-68888C3559F0}\stubpath = "C:\\Windows\\{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe"	{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04C3BBA9-E253-417e-8927-63EF463CA107}	{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C829B94-4AE3-4af2-A970-540453BC87A9}	{04C3BBA9-E253-417e-8927-63EF463CA107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6827023D-B9C0-4012-A88F-44E65C77F576}	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F601EEC-BABE-455a-92D2-018925A27D48}\stubpath = "C:\\Windows\\{4F601EEC-BABE-455a-92D2-018925A27D48}.exe"	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CCF6237-5422-46d7-8920-575D47D28863}	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C829B94-4AE3-4af2-A970-540453BC87A9}\stubpath = "C:\\Windows\\{6C829B94-4AE3-4af2-A970-540453BC87A9}.exe"	{04C3BBA9-E253-417e-8927-63EF463CA107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01235392-FFD8-40ad-A95E-3B1BAAF93218}	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6827023D-B9C0-4012-A88F-44E65C77F576}\stubpath = "C:\\Windows\\{6827023D-B9C0-4012-A88F-44E65C77F576}.exe"	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F601EEC-BABE-455a-92D2-018925A27D48}	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CCF6237-5422-46d7-8920-575D47D28863}\stubpath = "C:\\Windows\\{0CCF6237-5422-46d7-8920-575D47D28863}.exe"	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{665A8354-1025-4b7e-B112-85D236A7C452}	{0CCF6237-5422-46d7-8920-575D47D28863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F38601C7-01DA-4caf-841B-7D83154871FE}\stubpath = "C:\\Windows\\{F38601C7-01DA-4caf-841B-7D83154871FE}.exe"	{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04C3BBA9-E253-417e-8927-63EF463CA107}\stubpath = "C:\\Windows\\{04C3BBA9-E253-417e-8927-63EF463CA107}.exe"	{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01235392-FFD8-40ad-A95E-3B1BAAF93218}\stubpath = "C:\\Windows\\{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe"	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}\stubpath = "C:\\Windows\\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe"	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}\stubpath = "C:\\Windows\\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe"	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe

Deletes itself 1 IoCs

pid	Process
1224	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe
2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe
528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe
1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe
1620	{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
2756	{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
1696	{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
2524	{04C3BBA9-E253-417e-8927-63EF463CA107}.exe
3020	{6C829B94-4AE3-4af2-A970-540453BC87A9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe
File created	C:\Windows\{665A8354-1025-4b7e-B112-85D236A7C452}.exe	{0CCF6237-5422-46d7-8920-575D47D28863}.exe
File created	C:\Windows\{F38601C7-01DA-4caf-841B-7D83154871FE}.exe	{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
File created	C:\Windows\{6C829B94-4AE3-4af2-A970-540453BC87A9}.exe	{04C3BBA9-E253-417e-8927-63EF463CA107}.exe
File created	C:\Windows\{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
File created	C:\Windows\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
File created	C:\Windows\{0CCF6237-5422-46d7-8920-575D47D28863}.exe	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
File created	C:\Windows\{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe	{665A8354-1025-4b7e-B112-85D236A7C452}.exe
File created	C:\Windows\{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe	{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
File created	C:\Windows\{04C3BBA9-E253-417e-8927-63EF463CA107}.exe	{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
File created	C:\Windows\{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
File created	C:\Windows\{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
Token: SeIncBasePriorityPrivilege	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
Token: SeIncBasePriorityPrivilege	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
Token: SeIncBasePriorityPrivilege	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe
Token: SeIncBasePriorityPrivilege	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe
Token: SeIncBasePriorityPrivilege	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
Token: SeIncBasePriorityPrivilege	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe
Token: SeIncBasePriorityPrivilege	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe
Token: SeIncBasePriorityPrivilege	1620	{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
Token: SeIncBasePriorityPrivilege	2756	{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
Token: SeIncBasePriorityPrivilege	1696	{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
Token: SeIncBasePriorityPrivilege	2524	{04C3BBA9-E253-417e-8927-63EF463CA107}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2512	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	28
PID 1372 wrote to memory of 2512	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	28
PID 1372 wrote to memory of 2512	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	28
PID 1372 wrote to memory of 2512	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	28
PID 1372 wrote to memory of 1224	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	29
PID 1372 wrote to memory of 1224	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	29
PID 1372 wrote to memory of 1224	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	29
PID 1372 wrote to memory of 1224	1372	afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe	29
PID 2512 wrote to memory of 2688	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	30
PID 2512 wrote to memory of 2688	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	30
PID 2512 wrote to memory of 2688	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	30
PID 2512 wrote to memory of 2688	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	30
PID 2512 wrote to memory of 2820	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	31
PID 2512 wrote to memory of 2820	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	31
PID 2512 wrote to memory of 2820	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	31
PID 2512 wrote to memory of 2820	2512	{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe	31
PID 2688 wrote to memory of 2552	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	32
PID 2688 wrote to memory of 2552	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	32
PID 2688 wrote to memory of 2552	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	32
PID 2688 wrote to memory of 2552	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	32
PID 2688 wrote to memory of 2732	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	33
PID 2688 wrote to memory of 2732	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	33
PID 2688 wrote to memory of 2732	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	33
PID 2688 wrote to memory of 2732	2688	{6827023D-B9C0-4012-A88F-44E65C77F576}.exe	33
PID 2552 wrote to memory of 2896	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	36
PID 2552 wrote to memory of 2896	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	36
PID 2552 wrote to memory of 2896	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	36
PID 2552 wrote to memory of 2896	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	36
PID 2552 wrote to memory of 3068	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	37
PID 2552 wrote to memory of 3068	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	37
PID 2552 wrote to memory of 3068	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	37
PID 2552 wrote to memory of 3068	2552	{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe	37
PID 2896 wrote to memory of 528	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	38
PID 2896 wrote to memory of 528	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	38
PID 2896 wrote to memory of 528	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	38
PID 2896 wrote to memory of 528	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	38
PID 2896 wrote to memory of 476	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	39
PID 2896 wrote to memory of 476	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	39
PID 2896 wrote to memory of 476	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	39
PID 2896 wrote to memory of 476	2896	{4F601EEC-BABE-455a-92D2-018925A27D48}.exe	39
PID 528 wrote to memory of 1088	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	40
PID 528 wrote to memory of 1088	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	40
PID 528 wrote to memory of 1088	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	40
PID 528 wrote to memory of 1088	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	40
PID 528 wrote to memory of 1964	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	41
PID 528 wrote to memory of 1964	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	41
PID 528 wrote to memory of 1964	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	41
PID 528 wrote to memory of 1964	528	{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe	41
PID 1088 wrote to memory of 1528	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	42
PID 1088 wrote to memory of 1528	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	42
PID 1088 wrote to memory of 1528	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	42
PID 1088 wrote to memory of 1528	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	42
PID 1088 wrote to memory of 936	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	43
PID 1088 wrote to memory of 936	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	43
PID 1088 wrote to memory of 936	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	43
PID 1088 wrote to memory of 936	1088	{0CCF6237-5422-46d7-8920-575D47D28863}.exe	43
PID 1528 wrote to memory of 1620	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	44
PID 1528 wrote to memory of 1620	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	44
PID 1528 wrote to memory of 1620	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	44
PID 1528 wrote to memory of 1620	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	44
PID 1528 wrote to memory of 1472	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	45
PID 1528 wrote to memory of 1472	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	45
PID 1528 wrote to memory of 1472	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	45
PID 1528 wrote to memory of 1472	1528	{665A8354-1025-4b7e-B112-85D236A7C452}.exe	45

C:\Users\Admin\AppData\Local\Temp\afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
"C:\Users\Admin\AppData\Local\Temp\afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
  C:\Windows\{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
    C:\Windows\{6827023D-B9C0-4012-A88F-44E65C77F576}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe
      C:\Windows\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{4F601EEC-BABE-455a-92D2-018925A27D48}.exe
        
        C:\Windows\{4F601EEC-BABE-455a-92D2-018925A27D48}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
        
        C:\Windows\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{0CCF6237-5422-46d7-8920-575D47D28863}.exe
        
        C:\Windows\{0CCF6237-5422-46d7-8920-575D47D28863}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{665A8354-1025-4b7e-B112-85D236A7C452}.exe
        
        C:\Windows\{665A8354-1025-4b7e-B112-85D236A7C452}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
        
        C:\Windows\{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
        
        C:\Windows\{F38601C7-01DA-4caf-841B-7D83154871FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
        
        C:\Windows\{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{04C3BBA9-E253-417e-8927-63EF463CA107}.exe
        
        C:\Windows\{04C3BBA9-E253-417e-8927-63EF463CA107}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\{6C829B94-4AE3-4af2-A970-540453BC87A9}.exe
        
        C:\Windows\{6C829B94-4AE3-4af2-A970-540453BC87A9}.exe
        13⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04C3B~1.EXE > nul
        13⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E29B0~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3860~1.EXE > nul
        11⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52D1C~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{665A8~1.EXE > nul
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CCF6~1.EXE > nul
        8⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE02~1.EXE > nul
        7⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F601~1.EXE > nul
        6⤵
        
        PID:476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69327~1.EXE > nul
        5⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{68270~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01235~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AFBD70~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01235392-FFD8-40ad-A95E-3B1BAAF93218}.exe

Filesize
213KB

MD5
c9c1675f8316cc70477346629977cd01

SHA1
32d1ee62b16245fe39ec0985172d930b64033303

SHA256
413b3920d3688fcfda8e11728030d71e5119d14df1e34c01be3114780054f5a7

SHA512
1a3b96c3b73aa96c34a4480ce15a1987f5a716e77e7c4968459f524c1b8c913660ec8247b36ef0ba587c7811feff3e668d6080fc475c276c47200064558acac9

Download Submit
C:\Windows\{04C3BBA9-E253-417e-8927-63EF463CA107}.exe

Filesize
213KB

MD5
1027efa56295b684bbd4c129677d866f

SHA1
1cdcc049b069e3762a986fe7254aa10c5b97a6be

SHA256
c5376821a221122e4a2252d5cf1df67dfe69296b46a332696a3946ff79daa51c

SHA512
636d141c901216e62bd4af6ceecdd9284a8b97908610649634c34366ebf0f8bd51ceab65c233169362b58c9fddedce811dd844ec141cb34a24bf65596ea5b784

Download Submit
C:\Windows\{0CCF6237-5422-46d7-8920-575D47D28863}.exe

Filesize
213KB

MD5
4a89c10b4bd30bf33273d243d8977d40

SHA1
9adf56ed943d4c8ddd84b543419b0482ee2845f9

SHA256
7d072b3ab3681753a4c40f59c180992aa7f465905c942820274d0b137082473b

SHA512
6f8d8862e85cce8dbbb57deb1f93ed95ff52c006d6e8a1588f4c3fb6f55bea7f523a736683d57ea1ad40b03300f79db3a983822541cf8345fbd3c779c6038e2b

Download Submit
C:\Windows\{0CE02DF5-7670-4111-9ADC-1D699AD91AE2}.exe

Filesize
213KB

MD5
dccdd0767bb37048482bc9388d7f6a2c

SHA1
139c6866673d6459e4c906d09d7413afaaf50761

SHA256
24404a8b0ac6676220fc17b2bf56391ed63d0ff0bb8722d56e97ad68c6bfc287

SHA512
21322a5afbab45dabb1f38e723c6f36d6c760bc3f1cc782b8a71d88da08baf1602896e6afbac81a0ea21f8aaa88ca7def7944171fe4efbbe88f6df5005456c21

Download Submit
C:\Windows\{4F601EEC-BABE-455a-92D2-018925A27D48}.exe

Filesize
213KB

MD5
44c2944a6392ce37fd2526d7eadb83e8

SHA1
02a5b1ec2ceaf8fa5fbaec5ed9801a541a29d6cf

SHA256
ffe3e0df1d30310ce3b531b76a4b1e5fcacf7fc2626edd6df36b331646c3ae99

SHA512
5d38c0ff5e84ebd8216a96051ab71c81ee4c6b579410486963c4f50e636bbfaf05bef42b5722d8994182e8c0cbb464d2b112c201ddc8dd1305c585c95c3d805c

Download Submit
C:\Windows\{52D1C7A6-40B9-491d-B329-AD21C16A9136}.exe

Filesize
213KB

MD5
f31a4dd9667f925637132d0d6b69f905

SHA1
f26b65fe14b0cdbad67f124d6611c4fdfcc4d96e

SHA256
fb1a04052ec34c57c524db83e5cfff88d38a5738a0ca551a75f40703411afd6a

SHA512
1a0b4063d748db839126000f6e78a69f94ff27b69cac62fc8979cc3db226e84babbc9941a91d837635165feb7cb4fdcf8df71860222c6667a0cbed179f9ed44c

Download Submit
C:\Windows\{665A8354-1025-4b7e-B112-85D236A7C452}.exe

Filesize
213KB

MD5
cea58972e12e7de063fb8bd132faef2f

SHA1
5d6cdaa7ce7e74b3d00f458cfedd51343b62ad5d

SHA256
087e8f61adfbd48ff3df0dca22f42c59c2336ea9d26e0bb473fc8ca9530206a6

SHA512
16115e0faa5df6c8c2e0c816de2866095f102054772e02311d5fa64bceef015cc4f4bf6eba5ae3735b06cd9bcc696497f7c5c2d44825eb452acab4024c1e8b4d

Download Submit
C:\Windows\{6827023D-B9C0-4012-A88F-44E65C77F576}.exe

Filesize
213KB

MD5
42fb89680b027d0564f388d459d99c55

SHA1
b48b8287325678ee831be21a9a4adb54e4193d98

SHA256
6332e90d9f97f99189c761d869ff9e892a690aabba055eda7d51da591e3e07f4

SHA512
90b12a84ea94f3774a8d032e62e86d0875a8661c4048ca5c5a056ea47a2d0c9095a9c8bd8a3c8eadd38d01dde22ba634dbc82e22abe11b52f4826bd924e5f43f

Download Submit
C:\Windows\{69327A37-3894-4bcc-A7AB-06CD0BABAA73}.exe

Filesize
213KB

MD5
062c4c3993dadfa5832e15e5f364d180

SHA1
17f962642e22847bd0968cdb82cf779a16b4587b

SHA256
5ed990ff4faacf036b0f46a45328c2f7b421e2a77f790cd17af99e3132bba01a

SHA512
1c04ebde44dea6f0b0439f2bbbf46c147703367e22a406ca081681887ad5fd6563b0559a4259782feaeeb219799befd82482730fd6646a2550a7c08f9677d2b9

Download Submit
C:\Windows\{6C829B94-4AE3-4af2-A970-540453BC87A9}.exe

Filesize
213KB

MD5
6b35a8f08f34e0a37d29a247137d1584

SHA1
2a6ba0ce0aa6e1a39c7f2cd528b00a0cabd2a168

SHA256
fa38e95b8a01935383a40c2dca210e102428216c272ff134c937093da4f6d3c7

SHA512
dd1d10f7ab74475af85f36371b487cdc6d3226583e8bbb736fc54340bb41afc5c74e386368c892c697ab1d85eb27b1af052ec36e408bde0120da37ef3082d5f3

Download Submit
C:\Windows\{E29B0A21-5A59-42ab-9893-68888C3559F0}.exe

Filesize
213KB

MD5
f15edc4575934d3e3404e6c1cbdd9a75

SHA1
c73fb12c91d56a6094b8df6bddfae70c1118631a

SHA256
c6931c260a93eb5056c24f20b33f4acc249fc2e182c0abd32f01ee5daa4b72f1

SHA512
5967c77d89402071b4457de2d9af2e78f2a2a1ab365e7ed8ff307d7648802884258e9fa4aa3b3f5cbf240773da97f53965d4c9fca0e7af8ed6e1bd2a17f94d77

Download Submit
C:\Windows\{F38601C7-01DA-4caf-841B-7D83154871FE}.exe

Filesize
213KB

MD5
c1bb62ac474ad371926c3755c3567a49

SHA1
8578819fb82608c1dc3e83617bd9713bd05a3d4e

SHA256
2689d3ddca16e132976801ec28f918e830e6e58326c5624a9ec8164d706af8d0

SHA512
4e64c37489c42c8050f7c2ec2c53f8e7c6c5f126ec4704984397e556a129e9408f7253d947069ebf3450e26e6e5b9bee53a49b4054030520ae12817a89586da4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads