18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Size

90KB
MD5

5575a0915af0e6825bd09e3d1aaca202
SHA1

d44d7270a30088a4f189696961638aa887b082af
SHA256

18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6
SHA512

dd8a760f227f53941e142dcbad0cb8ee0d8618b27ffdf40fd977df94ed81a2e6938c11fecf1c2bc4ff0afd83256c701abc8e11cd6c761df18417174fbf821fa5
SSDEEP

768:Qvw9816vhKQLrok4/wQRNrfrunMxVFA3b7glw:YEGh0okl2unMxVS3Hg

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}\stubpath = "C:\\Windows\\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe"	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}	{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}\stubpath = "C:\\Windows\\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe"	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A02B6C94-233F-476a-A451-D0B55121EE2A}\stubpath = "C:\\Windows\\{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe"	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0177F4-454D-4c5d-B266-74047BEDA72F}	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}\stubpath = "C:\\Windows\\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe"	{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}	{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}\stubpath = "C:\\Windows\\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe"	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}\stubpath = "C:\\Windows\\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe"	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0177F4-454D-4c5d-B266-74047BEDA72F}\stubpath = "C:\\Windows\\{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe"	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}\stubpath = "C:\\Windows\\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe"	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}\stubpath = "C:\\Windows\\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe"	{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}	{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}\stubpath = "C:\\Windows\\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}.exe"	{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A02B6C94-233F-476a-A451-D0B55121EE2A}	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}\stubpath = "C:\\Windows\\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe"	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe
2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
1384	{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
628	{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
2296	{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe
2052	{A8738231-7C00-41fb-BEBB-B0D234EA60E2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
File created	C:\Windows\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
File created	C:\Windows\{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
File created	C:\Windows\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
File created	C:\Windows\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe
File created	C:\Windows\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
File created	C:\Windows\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe	{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
File created	C:\Windows\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe	{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
File created	C:\Windows\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
File created	C:\Windows\{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
File created	C:\Windows\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}.exe	{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Token: SeIncBasePriorityPrivilege	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
Token: SeIncBasePriorityPrivilege	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
Token: SeIncBasePriorityPrivilege	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
Token: SeIncBasePriorityPrivilege	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
Token: SeIncBasePriorityPrivilege	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
Token: SeIncBasePriorityPrivilege	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe
Token: SeIncBasePriorityPrivilege	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
Token: SeIncBasePriorityPrivilege	1384	{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
Token: SeIncBasePriorityPrivilege	628	{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
Token: SeIncBasePriorityPrivilege	2296	{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2992	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	28
PID 2184 wrote to memory of 2992	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	28
PID 2184 wrote to memory of 2992	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	28
PID 2184 wrote to memory of 2992	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	28
PID 2184 wrote to memory of 3016	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	29
PID 2184 wrote to memory of 3016	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	29
PID 2184 wrote to memory of 3016	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	29
PID 2184 wrote to memory of 3016	2184	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	29
PID 2992 wrote to memory of 2840	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	30
PID 2992 wrote to memory of 2840	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	30
PID 2992 wrote to memory of 2840	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	30
PID 2992 wrote to memory of 2840	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	30
PID 2992 wrote to memory of 2432	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	31
PID 2992 wrote to memory of 2432	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	31
PID 2992 wrote to memory of 2432	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	31
PID 2992 wrote to memory of 2432	2992	{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe	31
PID 2840 wrote to memory of 2488	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	34
PID 2840 wrote to memory of 2488	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	34
PID 2840 wrote to memory of 2488	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	34
PID 2840 wrote to memory of 2488	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	34
PID 2840 wrote to memory of 2924	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	35
PID 2840 wrote to memory of 2924	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	35
PID 2840 wrote to memory of 2924	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	35
PID 2840 wrote to memory of 2924	2840	{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe	35
PID 2488 wrote to memory of 1972	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	36
PID 2488 wrote to memory of 1972	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	36
PID 2488 wrote to memory of 1972	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	36
PID 2488 wrote to memory of 1972	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	36
PID 2488 wrote to memory of 556	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	37
PID 2488 wrote to memory of 556	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	37
PID 2488 wrote to memory of 556	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	37
PID 2488 wrote to memory of 556	2488	{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe	37
PID 1972 wrote to memory of 2744	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	38
PID 1972 wrote to memory of 2744	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	38
PID 1972 wrote to memory of 2744	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	38
PID 1972 wrote to memory of 2744	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	38
PID 1972 wrote to memory of 2512	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	39
PID 1972 wrote to memory of 2512	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	39
PID 1972 wrote to memory of 2512	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	39
PID 1972 wrote to memory of 2512	1972	{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe	39
PID 2744 wrote to memory of 1532	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	40
PID 2744 wrote to memory of 1532	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	40
PID 2744 wrote to memory of 1532	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	40
PID 2744 wrote to memory of 1532	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	40
PID 2744 wrote to memory of 1292	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	41
PID 2744 wrote to memory of 1292	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	41
PID 2744 wrote to memory of 1292	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	41
PID 2744 wrote to memory of 1292	2744	{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe	41
PID 1532 wrote to memory of 2792	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	42
PID 1532 wrote to memory of 2792	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	42
PID 1532 wrote to memory of 2792	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	42
PID 1532 wrote to memory of 2792	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	42
PID 1532 wrote to memory of 2224	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	43
PID 1532 wrote to memory of 2224	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	43
PID 1532 wrote to memory of 2224	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	43
PID 1532 wrote to memory of 2224	1532	{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe	43
PID 2792 wrote to memory of 1384	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	44
PID 2792 wrote to memory of 1384	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	44
PID 2792 wrote to memory of 1384	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	44
PID 2792 wrote to memory of 1384	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	44
PID 2792 wrote to memory of 2412	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	45
PID 2792 wrote to memory of 2412	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	45
PID 2792 wrote to memory of 2412	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	45
PID 2792 wrote to memory of 2412	2792	{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe	45

C:\Users\Admin\AppData\Local\Temp\18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
"C:\Users\Admin\AppData\Local\Temp\18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
  C:\Windows\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
    C:\Windows\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
      C:\Windows\{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
        
        C:\Windows\{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
        
        C:\Windows\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe
        
        C:\Windows\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
        
        C:\Windows\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
        
        C:\Windows\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
        
        C:\Windows\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe
        
        C:\Windows\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}.exe
        
        C:\Windows\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AEC3~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92F4B~1.EXE > nul
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91987~1.EXE > nul
        10⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2FDB~1.EXE > nul
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BD2~1.EXE > nul
        8⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FC74~1.EXE > nul
        7⤵
        
        PID:1292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F017~1.EXE > nul
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A02B6~1.EXE > nul
        5⤵
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E53A0~1.EXE > nul
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F5A~1.EXE > nul
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\18E0A3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2AEC32ED-8D60-4071-A27D-01FBACA3D2C1}.exe

Filesize
90KB

MD5
6ead80f52c1754e43cabfcc806d8c843

SHA1
c2e36dc029f414538a0d0df8b464f7025b29d699

SHA256
a25c7f46dd974495f9cea76950113c30203d467c3f79f1e31fe783172992f667

SHA512
977e47b0c9dcc6bce6af7101fe55731107214089d75ad305656f5b81bb472b6152f2b3dcb8eb46a2863d60ad2dcb960c2ad8bb06b96851686c195f4201b1eee1

Download Submit
C:\Windows\{8F0177F4-454D-4c5d-B266-74047BEDA72F}.exe

Filesize
90KB

MD5
c9d3175e4fecad290736d6b3abdabd0a

SHA1
89d60e70915e2b6d50039a9378664ce43df0aadf

SHA256
ad1aa1bf8b4489e986c0a886ebab7b2033060dc8ecd8e7236370946379c83f3d

SHA512
72cd7aa647bab750d2d25b91b9418e2867b6a430bc621953f7f1dfe37fb8dda4e39d8bd80d27e79f313f33b87f7391bf5bec4d1e9e7cb405c48162dd8678baad

Download Submit
C:\Windows\{8FC742BF-DAB3-4691-8B41-D6298F1DC93A}.exe

Filesize
90KB

MD5
35da9e047bf9c1b45e4634e4d036abd2

SHA1
24f7d29183260f9e85417748585dbbccdf1b0f57

SHA256
a8452f1f157694a82a74552f2303d71949a74cc1563b35fb6fdcc499b6eaa2a3

SHA512
3b3fccd6518adee400a47786e8fc87a3c90ca5be533cfc3dd0f056b1680c7e09807cf52e34c64e3c8a38551e19cf9a0f3d61707dca32cbe56db7daa994b65d35

Download Submit
C:\Windows\{91987557-68FF-4f8f-BB42-D618D0BCA0B7}.exe

Filesize
90KB

MD5
c6a3589a3dc96a9f4db7c8e5aa36963a

SHA1
3c8f46cddd8ee298aae02e066ead15f4e5d7d717

SHA256
aaf9adb33ece1ceb32e2818188bfb85de6b97e2eafb1c6b5a0b9ed8954d5bba2

SHA512
84c090140609878040163ca7f90ca070773fc3987063f3fb8f609f325c3b0a31e1877c2ed8740487e3278f87c55b267d1a5e492da4dd6f5a7f19065d20a25f88

Download Submit
C:\Windows\{92F4BF3A-B5BD-4825-AC86-DBC72244EDD8}.exe

Filesize
90KB

MD5
d2e51413377e1aed1ea79dc5582c6ce9

SHA1
fc1bec577ede072a6a6fb3ab802dcaa56faa0f2c

SHA256
765f82306924948dcae62803adccd2d32a603f7070a7f5681650a27da4e20ebb

SHA512
80a62685430aa638229f605e5a11143c4bc744bb52f79cf7e33b068369645bf76c3328ad928382ffc615d1e28da2e12b8a501f912ade6232cd02691101d897db

Download Submit
C:\Windows\{A02B6C94-233F-476a-A451-D0B55121EE2A}.exe

Filesize
90KB

MD5
80f657540ac88ccfeedb6b2998f93041

SHA1
0d8e5638db23a7f4dd2566d9ac967fab705c2f86

SHA256
71c45374fa4601847a82e692462db51b99bc5fb5f0c1563822bf6b1fc2a49993

SHA512
359b6ad74706cd20988476e520c85c951b85af49b09a73ddb602f50570456b3dc32d92a9a82852f2be3c81ac0afda296bbd8a8b155a1b1d6cb3ca6744167925f

Download Submit
C:\Windows\{A8738231-7C00-41fb-BEBB-B0D234EA60E2}.exe

Filesize
90KB

MD5
3758bfa207c090c6d928228956f52c52

SHA1
98c894eeb2868bd1ba5f223fa55672e15ab08de9

SHA256
e3c5f44995bf335f04253ecad84b19fa6352b544ce165cf4fbe2bb768fb6ca52

SHA512
9093451cd9ca393b5b7701171c28b6bcfbed04d2ae0ab3e4a0686784f8d7c5bfd374f7cc276ba131494629b86304e93f15e5b82659d9d387e55629daaefc09bf

Download Submit
C:\Windows\{C6F5A357-71D9-4b73-A46B-0A63F6940E6D}.exe

Filesize
90KB

MD5
f23b52165f07c5bd210df16ecf5948ff

SHA1
7669e6bc083e113ccf2c6380e73bb1857d7ee43b

SHA256
b843745a0b20e15b7336662adfb6df32bce283708bed85a26ca4d24a9d98cab3

SHA512
1896211cefbb63391701ef24958c046a27ddfae63aee6fa230ad35931b9d190d5154fc54cb7000811ba44f6b8a352162790c3933d95a1653229960856524b082

Download Submit
C:\Windows\{D6BD2B47-35EB-4baf-A1CC-E6713D83D547}.exe

Filesize
90KB

MD5
104ae4115cff3bae8e72bb4a781b8246

SHA1
3020ea56fb58a43fe993b7439154a588ca6fe996

SHA256
ad2b721803eed9a052d8ae318b91dde763d0c63849eb4056d2f6591ddd82edf1

SHA512
666ddab84229a8523b7568ab6bdc9378dc341c413dfffb2ff79a2deaf61bccc19b10ffa573fd426a25a21df9af34454bb2263b6a75d768c4bbe9094e7bf2b0a1

Download Submit
C:\Windows\{E2FDB416-14B5-4e64-B845-7BE68DEB59DA}.exe

Filesize
90KB

MD5
b420da2e48333ce04464e8a339ec52ed

SHA1
0b9f603716442701a2c2a1a97b740a8765a5e180

SHA256
a7ee63d7d6cb5e8a8a4a544e5bdbb6f4882643203a2fba10ddc59b1b42adcd7b

SHA512
0912d95d43fb1e80cad45e8783dfb9a04cb9527858200db70f99795f216033797a771bead86355baa4b5958e754e7bda0ee38e2331d4f39fe4dc87248f1befd3

Download Submit
C:\Windows\{E53A0D9A-BA70-433f-840E-208F1EB3D7ED}.exe

Filesize
90KB

MD5
f473631568304cc3954c700b44dcc533

SHA1
d1bc63af1e290707761b9a060a5b29fd998760a5

SHA256
9e703045c6c6e81d77a7e2f8991766e41a696e8b77c64c8c116554d99ceb1b93

SHA512
42540928fb92595055ad9d84082138d68a9300d7d08e43f4d793f9d0435232cf8e0ddf97520e683062ebf9c0456a17ed3ee8784079a98a9274e0629b98ad5bc6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads