b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Size

103KB
MD5

289b8b6f1c2be13ed1d637e0e249be3e
SHA1

e5d95f8acd5ea597a012e8e62932536918cd91ba
SHA256

b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b
SHA512

82d333e5af7182b7e7bc78bb12ca063b4e321275a5cb9bbe7aec9d91ccf1eee506f3e721ef833442029e2cbd15ce58b06561b0986fc51323c0cfc79a0249b4c9
SSDEEP

768:Qvw9816vhKQLroa4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0oal2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EA43EEA-066E-4d11-B963-804C1CB43036}	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39071C8C-6E31-4143-8428-FC4848582D8A}	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A706A0E3-321A-4516-B024-1EF6AE78A53A}\stubpath = "C:\\Windows\\{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe"	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE2111B-4653-493b-B292-1429935ADFEB}\stubpath = "C:\\Windows\\{8CE2111B-4653-493b-B292-1429935ADFEB}.exe"	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}	{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}\stubpath = "C:\\Windows\\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}.exe"	{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{409A9461-E890-4218-897A-2AD2D9B68BC4}	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0666C35-4EFD-4330-BB7D-51F255317C3A}\stubpath = "C:\\Windows\\{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe"	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EA43EEA-066E-4d11-B963-804C1CB43036}\stubpath = "C:\\Windows\\{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe"	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39071C8C-6E31-4143-8428-FC4848582D8A}\stubpath = "C:\\Windows\\{39071C8C-6E31-4143-8428-FC4848582D8A}.exe"	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}	{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}\stubpath = "C:\\Windows\\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe"	{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{409A9461-E890-4218-897A-2AD2D9B68BC4}\stubpath = "C:\\Windows\\{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe"	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A706A0E3-321A-4516-B024-1EF6AE78A53A}	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE2111B-4653-493b-B292-1429935ADFEB}	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}	{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}\stubpath = "C:\\Windows\\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe"	{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0666C35-4EFD-4330-BB7D-51F255317C3A}	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}\stubpath = "C:\\Windows\\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe"	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50ADF782-2B17-48a6-8165-A8A61E63B691}	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50ADF782-2B17-48a6-8165-A8A61E63B691}\stubpath = "C:\\Windows\\{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe"	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
2432	{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
1820	{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
632	{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe
1164	{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
File created	C:\Windows\{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
File created	C:\Windows\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe	{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
File created	C:\Windows\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
File created	C:\Windows\{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
File created	C:\Windows\{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
File created	C:\Windows\{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
File created	C:\Windows\{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
File created	C:\Windows\{8CE2111B-4653-493b-B292-1429935ADFEB}.exe	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
File created	C:\Windows\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe	{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
File created	C:\Windows\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}.exe	{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Token: SeIncBasePriorityPrivilege	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
Token: SeIncBasePriorityPrivilege	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
Token: SeIncBasePriorityPrivilege	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
Token: SeIncBasePriorityPrivilege	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
Token: SeIncBasePriorityPrivilege	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
Token: SeIncBasePriorityPrivilege	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
Token: SeIncBasePriorityPrivilege	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
Token: SeIncBasePriorityPrivilege	2432	{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
Token: SeIncBasePriorityPrivilege	1820	{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
Token: SeIncBasePriorityPrivilege	632	{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2172	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	28
PID 2368 wrote to memory of 2172	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	28
PID 2368 wrote to memory of 2172	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	28
PID 2368 wrote to memory of 2172	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	28
PID 2368 wrote to memory of 2208	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	29
PID 2368 wrote to memory of 2208	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	29
PID 2368 wrote to memory of 2208	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	29
PID 2368 wrote to memory of 2208	2368	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	29
PID 2172 wrote to memory of 2712	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	30
PID 2172 wrote to memory of 2712	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	30
PID 2172 wrote to memory of 2712	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	30
PID 2172 wrote to memory of 2712	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	30
PID 2172 wrote to memory of 2696	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	31
PID 2172 wrote to memory of 2696	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	31
PID 2172 wrote to memory of 2696	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	31
PID 2172 wrote to memory of 2696	2172	{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe	31
PID 2712 wrote to memory of 2788	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	32
PID 2712 wrote to memory of 2788	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	32
PID 2712 wrote to memory of 2788	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	32
PID 2712 wrote to memory of 2788	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	32
PID 2712 wrote to memory of 2816	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	33
PID 2712 wrote to memory of 2816	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	33
PID 2712 wrote to memory of 2816	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	33
PID 2712 wrote to memory of 2816	2712	{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe	33
PID 2788 wrote to memory of 2976	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	36
PID 2788 wrote to memory of 2976	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	36
PID 2788 wrote to memory of 2976	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	36
PID 2788 wrote to memory of 2976	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	36
PID 2788 wrote to memory of 2060	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	37
PID 2788 wrote to memory of 2060	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	37
PID 2788 wrote to memory of 2060	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	37
PID 2788 wrote to memory of 2060	2788	{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe	37
PID 2976 wrote to memory of 2656	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	38
PID 2976 wrote to memory of 2656	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	38
PID 2976 wrote to memory of 2656	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	38
PID 2976 wrote to memory of 2656	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	38
PID 2976 wrote to memory of 2752	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	39
PID 2976 wrote to memory of 2752	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	39
PID 2976 wrote to memory of 2752	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	39
PID 2976 wrote to memory of 2752	2976	{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe	39
PID 2656 wrote to memory of 1812	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	40
PID 2656 wrote to memory of 1812	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	40
PID 2656 wrote to memory of 1812	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	40
PID 2656 wrote to memory of 1812	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	40
PID 2656 wrote to memory of 2020	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	41
PID 2656 wrote to memory of 2020	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	41
PID 2656 wrote to memory of 2020	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	41
PID 2656 wrote to memory of 2020	2656	{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe	41
PID 1812 wrote to memory of 376	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	42
PID 1812 wrote to memory of 376	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	42
PID 1812 wrote to memory of 376	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	42
PID 1812 wrote to memory of 376	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	42
PID 1812 wrote to memory of 1968	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	43
PID 1812 wrote to memory of 1968	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	43
PID 1812 wrote to memory of 1968	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	43
PID 1812 wrote to memory of 1968	1812	{39071C8C-6E31-4143-8428-FC4848582D8A}.exe	43
PID 376 wrote to memory of 2432	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	44
PID 376 wrote to memory of 2432	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	44
PID 376 wrote to memory of 2432	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	44
PID 376 wrote to memory of 2432	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	44
PID 376 wrote to memory of 2544	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	45
PID 376 wrote to memory of 2544	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	45
PID 376 wrote to memory of 2544	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	45
PID 376 wrote to memory of 2544	376	{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe	45

C:\Users\Admin\AppData\Local\Temp\b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
"C:\Users\Admin\AppData\Local\Temp\b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
  C:\Windows\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
    C:\Windows\{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
      C:\Windows\{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
        
        C:\Windows\{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
        
        C:\Windows\{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
        
        C:\Windows\{39071C8C-6E31-4143-8428-FC4848582D8A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
        
        C:\Windows\{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
        
        C:\Windows\{8CE2111B-4653-493b-B292-1429935ADFEB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
        
        C:\Windows\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe
        
        C:\Windows\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}.exe
        
        C:\Windows\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E7AE~1.EXE > nul
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D76~1.EXE > nul
        11⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE21~1.EXE > nul
        10⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A706A~1.EXE > nul
        9⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39071~1.EXE > nul
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EA43~1.EXE > nul
        7⤵
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0666~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{409A9~1.EXE > nul
        5⤵
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50ADF~1.EXE > nul
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A5AA~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5E0BA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02FD914C-6FA5-414f-8F0B-2F7C5B100E3D}.exe

Filesize
103KB

MD5
8a695deab771bba8a9efccd469e2b16d

SHA1
395f9813220c56cd0637822d01a10e7643e8eda9

SHA256
c65f16fc399c9d1563e3abd48ade85fd49be6482899bdc490d864b47989762cf

SHA512
0a361552f925577b00ccc072ed4f44518d600330bf2ac085f5868631665fd8437561aeb9d658452ed739cbb2a3431dfbc52f7ec9df4ef59f362a8bcbf10931f2

Download Submit
C:\Windows\{2EA43EEA-066E-4d11-B963-804C1CB43036}.exe

Filesize
103KB

MD5
f43e908d5a5a12686bd9a38d5563331c

SHA1
3b07ce63f49d9de9c63ad3a95bbfb16bf84c859e

SHA256
dca3d1193e076e6738a28605addca14531039fb4c142ed257deb8cf5138b9bfa

SHA512
96b99dd30042236c33807b29b78dc791a05a8c5f9f3b6d0e9c4010d4e4ace64cfd4f4d24feeb67e7afa97d047056146d575a3c21bde1a4f0b6ef24cab0b30a6b

Download Submit
C:\Windows\{39071C8C-6E31-4143-8428-FC4848582D8A}.exe

Filesize
103KB

MD5
10688299ae02dcc8c675e5f770d9f776

SHA1
af2cbc228f303b6fa525a35089286cc43681af76

SHA256
0f1a15a9bb0866a077a36dcb9e2717f13dcb89ab1f9434896e02e31be013fe71

SHA512
55ed010ebd4feb6fa920cb86f987001469a4f881f505d20e78aee398710e3c8022892efc14fd1d00a45c55a2461f99e8b8b7a94607f7714a9f3b60b6ef164d35

Download Submit
C:\Windows\{409A9461-E890-4218-897A-2AD2D9B68BC4}.exe

Filesize
103KB

MD5
2b6e1533cb4d6ed97333bc72c6496618

SHA1
da88f666c4a58d7c9316a6d45b81114cd0ab59b9

SHA256
42c99f3e4c75e4d50036ac0e1ade12ffe5387a4100981b63b6a1c68b51a992b4

SHA512
925cf9a913cbe75fb80b454a5517960d4660870244de5c89451f76d03aca1a38443adbf0a6b28fd51951c3a4ba76003af7e6ebdee1d24b4f25b57a64f7b2f137

Download Submit
C:\Windows\{50ADF782-2B17-48a6-8165-A8A61E63B691}.exe

Filesize
103KB

MD5
e3c2aecbfb5ee886ec5acf3766cda14f

SHA1
a590905ca332b5cc1c52caad67644caea84a0387

SHA256
00098ff0993d6de6bb54ae4b17214c284d8eb0bde1f3fc7f51e8d1f796ef6da0

SHA512
183363efd69f9427f63f868ecf2736ee86f72fe0c8f1aaf57bb79a7e9eb450590c7297ea4718733cae167853505f49f55fcc97891ae09a2ce7b6f8b8aba16a38

Download Submit
C:\Windows\{5E7AECD3-5B70-4c57-9FAD-924832851CF4}.exe

Filesize
103KB

MD5
bddcc1b53d875f40ae8e44e6e150707d

SHA1
be1ebf15d0e65ee2d83621c41816dab7954a2ec1

SHA256
22bd7c86b7f5308c5b2aed269a891a07dc7b38db5929eecaffc677c9d5959f5f

SHA512
2b7fca7a2706f5c56385f4fb9da54a95e51a155cf5855dad7a52301fc7910c85bed1ebf7b9f5c362d02e97cb681f4f08dde70c7bba5720bbe6656b55296cf4d7

Download Submit
C:\Windows\{7A5AACAB-F2DE-4521-AB99-519A79CB6F68}.exe

Filesize
103KB

MD5
90800d138b79bc9657f2a03be1ab3e1a

SHA1
11b93126dfdbc8629ca3c5b02c5dd6a118339713

SHA256
4d1c4b49aeb4e817057f406fa4526b74811acc7aefd86887d2b3832c28e1b577

SHA512
79d84072da7849bb97d34e939fa6051f23178c7bb983e72f50d1ae924ac7ca9bffcca22788f4d665ed194a11698302cb3067d236569f9a4560f1dedbad4d5558

Download Submit
C:\Windows\{8CE2111B-4653-493b-B292-1429935ADFEB}.exe

Filesize
103KB

MD5
e2b2f42651c698ba869be48617b4d0df

SHA1
25cc763d82ad253a71ff23d12c3b762d571dd613

SHA256
cb2fe4ecb541f0ad85feb0e93c6bb3bf069a716174a5c616dc123039ec7bf954

SHA512
27875fce0587a6a0da733ca2e5d4fdd3b91f80e85212e8be4a60ebe46581d4a6ea1eebbaa04489d5e342165fccbfd8bf5bffdb3a51eb9236e5128b5ca8b640f4

Download Submit
C:\Windows\{A706A0E3-321A-4516-B024-1EF6AE78A53A}.exe

Filesize
103KB

MD5
5520af74fd90f77c0863cd22152370a5

SHA1
fe713e7dd401915eb29a2faebab2a563d44216f6

SHA256
2c10ebc84290520e10d23c5db62918b09d66856c196d732857cdc4fcf6bd6b53

SHA512
4643a8a45cb37d725779d413bafe796eb4f5944471a994cf9ed7abede920182301acf86e343678b3c52ae4f4c61d27c72fb4a945fb485c306ad1c679e02e395e

Download Submit
C:\Windows\{D0666C35-4EFD-4330-BB7D-51F255317C3A}.exe

Filesize
103KB

MD5
9a1dc6831e4327cf884e5ec784f74dde

SHA1
951b32bb1f7c941681f89a8a31f76192d5db477e

SHA256
09eec6d61d0b39c71659247ecdf990940a610f377455bcad290c2ee62c989f1f

SHA512
35b64de7b52747c0119b768ebc415a56ef100152dfd85a3c3db2cdb590706077c5973d7bb368636fae9fe27e5fa73b99e41e2d3f63ee9ed83dd479aadb1a05a3

Download Submit
C:\Windows\{E1D760DD-9F52-40f8-BEE3-62F09A48D1AE}.exe

Filesize
103KB

MD5
5e4ef3aa483be53ff9de6b6f25aefff6

SHA1
a94e9cdd2575fbfb14e7c605ba019d188cbbed64

SHA256
fd0e1e9520365129c89a2980ecdd92221abddf85880d86d85a6bce353e01e02c

SHA512
46ced32a72f856814b3a187dfea1ae6112a8310d34b7a9daae75f58d01538a5f471783f02a2e9cca7113e1375bc1476ab92c3a9df75387178be6a046fdc55692

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads