867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
Size

60KB
MD5

0b2f7e2bd23a01fce020b2eedb65d4a0
SHA1

2cf019777c4e0aa6214c96292130dfc405539c9f
SHA256

867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae
SHA512

dde1a5c339d8a398ac49277c8672506fc229361346ab6bce6484933da60b2f74f7348be040421769a9a737891647b6dbf1e8cd899ae847b96a2dc093d95a0d56
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroBBKT4/CFsrd:vvw9816vhKQLroBu4/wQ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7F230D7-DC73-4b4d-A256-A5C134972E56}\stubpath = "C:\\Windows\\{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe"	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}\stubpath = "C:\\Windows\\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe"	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A89F604-21CE-431b-9518-6C409F3E87DD}\stubpath = "C:\\Windows\\{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe"	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB916FF1-D31F-412b-8494-B09C2AE5E239}\stubpath = "C:\\Windows\\{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe"	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}	{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}\stubpath = "C:\\Windows\\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}.exe"	{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}\stubpath = "C:\\Windows\\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe"	{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57AACD62-C821-461a-9898-A2DAA105D3BF}\stubpath = "C:\\Windows\\{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe"	{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7F230D7-DC73-4b4d-A256-A5C134972E56}	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFFD70A9-938F-46f8-9F52-3850219E2F50}\stubpath = "C:\\Windows\\{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe"	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}\stubpath = "C:\\Windows\\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe"	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A89F604-21CE-431b-9518-6C409F3E87DD}	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB916FF1-D31F-412b-8494-B09C2AE5E239}	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}\stubpath = "C:\\Windows\\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe"	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFFD70A9-938F-46f8-9F52-3850219E2F50}	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}\stubpath = "C:\\Windows\\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe"	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57AACD62-C821-461a-9898-A2DAA105D3BF}	{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}	{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe

Executes dropped EXE 11 IoCs

pid	Process
2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe
1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
1736	{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
2224	{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
2568	{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe
812	{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
File created	C:\Windows\{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
File created	C:\Windows\{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
File created	C:\Windows\{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
File created	C:\Windows\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
File created	C:\Windows\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
File created	C:\Windows\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe	{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
File created	C:\Windows\{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe	{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
File created	C:\Windows\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}.exe	{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe
File created	C:\Windows\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
File created	C:\Windows\{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
Token: SeIncBasePriorityPrivilege	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
Token: SeIncBasePriorityPrivilege	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
Token: SeIncBasePriorityPrivilege	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
Token: SeIncBasePriorityPrivilege	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe
Token: SeIncBasePriorityPrivilege	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
Token: SeIncBasePriorityPrivilege	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
Token: SeIncBasePriorityPrivilege	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
Token: SeIncBasePriorityPrivilege	1736	{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
Token: SeIncBasePriorityPrivilege	2224	{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
Token: SeIncBasePriorityPrivilege	2568	{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2556	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	28
PID 1928 wrote to memory of 2556	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	28
PID 1928 wrote to memory of 2556	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	28
PID 1928 wrote to memory of 2556	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	28
PID 1928 wrote to memory of 2756	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	29
PID 1928 wrote to memory of 2756	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	29
PID 1928 wrote to memory of 2756	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	29
PID 1928 wrote to memory of 2756	1928	867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe	29
PID 2556 wrote to memory of 2680	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	30
PID 2556 wrote to memory of 2680	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	30
PID 2556 wrote to memory of 2680	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	30
PID 2556 wrote to memory of 2680	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	30
PID 2556 wrote to memory of 2664	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	31
PID 2556 wrote to memory of 2664	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	31
PID 2556 wrote to memory of 2664	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	31
PID 2556 wrote to memory of 2664	2556	{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe	31
PID 2680 wrote to memory of 2744	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	32
PID 2680 wrote to memory of 2744	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	32
PID 2680 wrote to memory of 2744	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	32
PID 2680 wrote to memory of 2744	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	32
PID 2680 wrote to memory of 2788	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	33
PID 2680 wrote to memory of 2788	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	33
PID 2680 wrote to memory of 2788	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	33
PID 2680 wrote to memory of 2788	2680	{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe	33
PID 2744 wrote to memory of 2524	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	36
PID 2744 wrote to memory of 2524	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	36
PID 2744 wrote to memory of 2524	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	36
PID 2744 wrote to memory of 2524	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	36
PID 2744 wrote to memory of 2908	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	37
PID 2744 wrote to memory of 2908	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	37
PID 2744 wrote to memory of 2908	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	37
PID 2744 wrote to memory of 2908	2744	{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe	37
PID 2524 wrote to memory of 1564	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	38
PID 2524 wrote to memory of 1564	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	38
PID 2524 wrote to memory of 1564	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	38
PID 2524 wrote to memory of 1564	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	38
PID 2524 wrote to memory of 2760	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	39
PID 2524 wrote to memory of 2760	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	39
PID 2524 wrote to memory of 2760	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	39
PID 2524 wrote to memory of 2760	2524	{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe	39
PID 1564 wrote to memory of 2404	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	40
PID 1564 wrote to memory of 2404	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	40
PID 1564 wrote to memory of 2404	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	40
PID 1564 wrote to memory of 2404	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	40
PID 1564 wrote to memory of 1032	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	41
PID 1564 wrote to memory of 1032	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	41
PID 1564 wrote to memory of 1032	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	41
PID 1564 wrote to memory of 1032	1564	{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe	41
PID 2404 wrote to memory of 2360	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	42
PID 2404 wrote to memory of 2360	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	42
PID 2404 wrote to memory of 2360	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	42
PID 2404 wrote to memory of 2360	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	42
PID 2404 wrote to memory of 2376	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	43
PID 2404 wrote to memory of 2376	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	43
PID 2404 wrote to memory of 2376	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	43
PID 2404 wrote to memory of 2376	2404	{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe	43
PID 2360 wrote to memory of 1736	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	44
PID 2360 wrote to memory of 1736	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	44
PID 2360 wrote to memory of 1736	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	44
PID 2360 wrote to memory of 1736	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	44
PID 2360 wrote to memory of 1008	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	45
PID 2360 wrote to memory of 1008	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	45
PID 2360 wrote to memory of 1008	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	45
PID 2360 wrote to memory of 1008	2360	{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe	45

C:\Users\Admin\AppData\Local\Temp\867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
"C:\Users\Admin\AppData\Local\Temp\867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
  C:\Windows\{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
    C:\Windows\{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
      C:\Windows\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe
        
        C:\Windows\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
        
        C:\Windows\{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
        
        C:\Windows\{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
        
        C:\Windows\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
        
        C:\Windows\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
        
        C:\Windows\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe
        
        C:\Windows\{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}.exe
        
        C:\Windows\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}.exe
        12⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57AAC~1.EXE > nul
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E7F3~1.EXE > nul
        11⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E622D~1.EXE > nul
        10⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{468CE~1.EXE > nul
        9⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB916~1.EXE > nul
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A89F~1.EXE > nul
        7⤵
        
        PID:1032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08964~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{990E7~1.EXE > nul
        5⤵
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CFFD7~1.EXE > nul
      4⤵
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E7F23~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\867D9A~1.EXE > nul
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08964F98-B1A0-49e6-8308-B7F0A1B4E729}.exe

Filesize
60KB

MD5
375e3a732dafd3f59e25889131140b8c

SHA1
4e29b4e1f30f277e304760d9b72ea5934fc97dd7

SHA256
a51bf751b8282aa0e9e87596fe59acc884c0eccc3b05cf90310bb08b766ded14

SHA512
1d820b92e22777efb4da70df6604a334a119c22b2cdf82df75a92da3364995d18be88bd73bb0adee084e90598a185d20a6c1b0e8243c825d0d4cfa21f5c1dfeb

Download Submit
C:\Windows\{468CE26B-9E20-4b3f-8613-5C248EBE0CCF}.exe

Filesize
60KB

MD5
fef2d5cfc667226e7751ad55d3375996

SHA1
389444fcb357e6f3e00f32f6b3d4e7adef695db5

SHA256
0f4f4ec207935eadb736b0ba1eda6340a1541ab3079abc32f5f1956cdf2d1642

SHA512
7c02fdbf97161a8d8195d5d17525aead32f5cd4e218b96ba594819d2817119e7d66c1ecc3468225f30b3d30b377e8a88d71502299e0ab94c0859a48b3f487032

Download Submit
C:\Windows\{57AACD62-C821-461a-9898-A2DAA105D3BF}.exe

Filesize
60KB

MD5
e6bc405f656e0e722395a807efe76471

SHA1
e9b3b93f341ebc5abcead8f33812b60119db8531

SHA256
54662872df4d19270a62f2ee96e25967e39d651eef51e7f3e1d3f1c26525caf4

SHA512
537f1d3b386f658bcdbefe0689724dce764a205c5042e1263d9d9d58b23903a10d29912ff88f3dbc5aa03e74771b686a4da00669bb3e06eb801d2cf31a49ad91

Download Submit
C:\Windows\{5A24B67F-ED2C-421d-AC45-2341CFBA8D09}.exe

Filesize
60KB

MD5
8867ffb8e743d9bddbda43b204f07fe5

SHA1
9f11d16906ce4a491f1769bda4d4d283acbebaa8

SHA256
0316113452b49a9857e6e17f6e02f0d1cc7eecdb4db1a6fe6e49ed265a5dd809

SHA512
7855168212e6b1285d0e50a1811a085e44185e5397d7b0cf305028ac4479c5a0bc3c475a486a11c101bf60c5454a7fc5aff12ad35f5a06e27f6c7696a95b3940

Download Submit
C:\Windows\{5A89F604-21CE-431b-9518-6C409F3E87DD}.exe

Filesize
60KB

MD5
0dbd3e7f32854d05e6a9e10dc5d85d32

SHA1
ec50748dcf165a8e09eda5680a7e73dfc7450ca6

SHA256
28bdc442d084428efe7ae71df00b1604ac07506f8fe08af889b9d47179ad8621

SHA512
41f4b2842a3131d019ae2848522fd84e728402c8ec29149e527553c2cd49d82905c166df3c2d7a9808521c77f1f89266e826adf78c3541b313d7389b0c3c8b13

Download Submit
C:\Windows\{5E7F30FE-5A6D-48d2-84BC-A89922508C03}.exe

Filesize
60KB

MD5
0b3c855ccaa639dfb4ea40a153847abc

SHA1
7ea5972812603345e78bce18e2eeb0196043df4a

SHA256
38dfaf161cfe40be1924f85c991b341d2ec5db33961e583923a8926924603bb1

SHA512
c6e2e673e0191da3b71929527bf2cd31e83da8a9c46380f740c69793031ddd3577c7c371b18c073ddcdba2f5957dbb906235063517dde2e38d0b1f0a313845b0

Download Submit
C:\Windows\{990E7B26-2591-4a65-B67D-4B8E7C4FBA62}.exe

Filesize
60KB

MD5
6eb14793528b4a0d73502a7976cdfc56

SHA1
6ec3883bc20d55b6b0782fbd431342a4b19ffa35

SHA256
4fbd0e0bc46b51d4c703811a4271c2d41ceb92d2dd7327d0d162226f6db9406c

SHA512
e0a13dd41f11a92dc1f1931ee3a4914c8f581c3b2a6e871adafe07ccff727c8aa7213dc20cc51af0f3d88e3002fbf943313dfcb5daf6b5c23cc9118e80c9e1e8

Download Submit
C:\Windows\{BB916FF1-D31F-412b-8494-B09C2AE5E239}.exe

Filesize
60KB

MD5
06f3725783c8b07de50b28595b47acae

SHA1
d06c27127b1bfc8cd5bf694ae23b84d4bd9e37e2

SHA256
55fcb048d7b8d0b006aa0dd13a9901630b15837a1cefcd37a22e76b79b55df7d

SHA512
e4e525b78a2661becdde3969c5317c7af6c151a14e3fc4d5d2fbbc23b1139fda5eed043e727e96ee7b5e059b4fad572b4dbf89a76a6e9ffbe67184890757fd1e

Download Submit
C:\Windows\{CFFD70A9-938F-46f8-9F52-3850219E2F50}.exe

Filesize
60KB

MD5
29913ff5bb5a245d5c4bb504911f55d9

SHA1
738219b264311758353ab7821368bcb3fcd7ab30

SHA256
8c7235d2d4c10f2579b620a3c99b423f7a8a6cf87750d46d2800d4510295290b

SHA512
b18b4f7f8317317bb205069175a8c003709eab99fceec1f9c168c3bae738b8a3bebbf844b2e01134801dcc50a7c70a39099177efdac37a3580214187674a4d9d

Download Submit
C:\Windows\{E622D55E-22DF-4885-ABC5-DCD5D3D41A02}.exe

Filesize
60KB

MD5
8034269e49e18d91a728df9d17228a19

SHA1
e2b88df8e8afb6fc5c5d6b92a5ed73ab3fcba3fc

SHA256
88cbe96d0819aa2a8d8cf27eb34da4ee77850351114ce45453d042e7df786a84

SHA512
842d456aafe37ae71736e7bd80bc7c6c8dc333d0d43172bda2e9c7397866d58dec873434f7928f18b1d1193c9191463f1bb5c673a841ed2112d8d312db077d90

Download Submit
C:\Windows\{E7F230D7-DC73-4b4d-A256-A5C134972E56}.exe

Filesize
60KB

MD5
5f5bf9a43fc66ed839e5952bf61bc74a

SHA1
96e3ff5dd5117990f6a54f661959a681233213ec

SHA256
1bd570564970113d8f63994fb1315e103889f2538cb3df038bcf639d2b972f72

SHA512
1f8da0f2d56b9076b2edc6c7632f2314b5c24195c4d8ce7e51d401da70033ea4bb8c9308f405428e2a8874fa7d3ab7a867847725397788c604f99bafa234f5e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads