bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Size

90KB
MD5

9b25967fba780be4080b4d71be3d2a2a
SHA1

fbef73eaf62f7a333728fd6560874056cee7863d
SHA256

bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78
SHA512

9f03f0d8ec3128792048e51ddad849fe4129f56ef814fcb5731083451a2b1b13bcec3242e60c7a6307aeb0dcc39869c67a1849660ee8ea59305244fecf5a05b5
SSDEEP

768:50w981IshKQLroDL4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzr:CEGI0oDLlVunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}\stubpath = "C:\\Windows\\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe"	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}\stubpath = "C:\\Windows\\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe"	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}	{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}\stubpath = "C:\\Windows\\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe"	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}\stubpath = "C:\\Windows\\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe"	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B61800-E777-4408-9B99-C83C97B682C8}\stubpath = "C:\\Windows\\{F5B61800-E777-4408-9B99-C83C97B682C8}.exe"	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}\stubpath = "C:\\Windows\\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe"	{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}\stubpath = "C:\\Windows\\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}.exe"	{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}\stubpath = "C:\\Windows\\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe"	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}\stubpath = "C:\\Windows\\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe"	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C4E2018-7287-4806-87CD-9503C5709F5D}	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5B61800-E777-4408-9B99-C83C97B682C8}	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}	{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}\stubpath = "C:\\Windows\\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe"	{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C4E2018-7287-4806-87CD-9503C5709F5D}\stubpath = "C:\\Windows\\{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe"	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}	{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe

Executes dropped EXE 11 IoCs

pid	Process
1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe
1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
948	{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
2700	{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe
2120	{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe
1284	{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
File created	C:\Windows\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe	{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
File created	C:\Windows\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe	{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe
File created	C:\Windows\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}.exe	{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe
File created	C:\Windows\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
File created	C:\Windows\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
File created	C:\Windows\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
File created	C:\Windows\{F5B61800-E777-4408-9B99-C83C97B682C8}.exe	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
File created	C:\Windows\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
File created	C:\Windows\{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
File created	C:\Windows\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Token: SeIncBasePriorityPrivilege	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
Token: SeIncBasePriorityPrivilege	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
Token: SeIncBasePriorityPrivilege	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
Token: SeIncBasePriorityPrivilege	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
Token: SeIncBasePriorityPrivilege	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
Token: SeIncBasePriorityPrivilege	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe
Token: SeIncBasePriorityPrivilege	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
Token: SeIncBasePriorityPrivilege	948	{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
Token: SeIncBasePriorityPrivilege	2700	{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe
Token: SeIncBasePriorityPrivilege	2120	{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1784	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	28
PID 1932 wrote to memory of 1784	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	28
PID 1932 wrote to memory of 1784	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	28
PID 1932 wrote to memory of 1784	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	28
PID 1932 wrote to memory of 2212	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	29
PID 1932 wrote to memory of 2212	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	29
PID 1932 wrote to memory of 2212	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	29
PID 1932 wrote to memory of 2212	1932	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	29
PID 1784 wrote to memory of 848	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	32
PID 1784 wrote to memory of 848	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	32
PID 1784 wrote to memory of 848	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	32
PID 1784 wrote to memory of 848	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	32
PID 1784 wrote to memory of 2480	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	33
PID 1784 wrote to memory of 2480	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	33
PID 1784 wrote to memory of 2480	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	33
PID 1784 wrote to memory of 2480	1784	{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe	33
PID 848 wrote to memory of 1808	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	34
PID 848 wrote to memory of 1808	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	34
PID 848 wrote to memory of 1808	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	34
PID 848 wrote to memory of 1808	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	34
PID 848 wrote to memory of 2380	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	35
PID 848 wrote to memory of 2380	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	35
PID 848 wrote to memory of 2380	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	35
PID 848 wrote to memory of 2380	848	{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe	35
PID 1808 wrote to memory of 2852	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	36
PID 1808 wrote to memory of 2852	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	36
PID 1808 wrote to memory of 2852	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	36
PID 1808 wrote to memory of 2852	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	36
PID 1808 wrote to memory of 520	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	37
PID 1808 wrote to memory of 520	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	37
PID 1808 wrote to memory of 520	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	37
PID 1808 wrote to memory of 520	1808	{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe	37
PID 2852 wrote to memory of 1968	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	38
PID 2852 wrote to memory of 1968	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	38
PID 2852 wrote to memory of 1968	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	38
PID 2852 wrote to memory of 1968	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	38
PID 2852 wrote to memory of 2240	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	39
PID 2852 wrote to memory of 2240	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	39
PID 2852 wrote to memory of 2240	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	39
PID 2852 wrote to memory of 2240	2852	{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe	39
PID 1968 wrote to memory of 2196	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	40
PID 1968 wrote to memory of 2196	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	40
PID 1968 wrote to memory of 2196	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	40
PID 1968 wrote to memory of 2196	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	40
PID 1968 wrote to memory of 1104	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	41
PID 1968 wrote to memory of 1104	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	41
PID 1968 wrote to memory of 1104	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	41
PID 1968 wrote to memory of 1104	1968	{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe	41
PID 2196 wrote to memory of 1528	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	42
PID 2196 wrote to memory of 1528	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	42
PID 2196 wrote to memory of 1528	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	42
PID 2196 wrote to memory of 1528	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	42
PID 2196 wrote to memory of 2464	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	43
PID 2196 wrote to memory of 2464	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	43
PID 2196 wrote to memory of 2464	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	43
PID 2196 wrote to memory of 2464	2196	{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe	43
PID 1528 wrote to memory of 948	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	44
PID 1528 wrote to memory of 948	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	44
PID 1528 wrote to memory of 948	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	44
PID 1528 wrote to memory of 948	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	44
PID 1528 wrote to memory of 1772	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	45
PID 1528 wrote to memory of 1772	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	45
PID 1528 wrote to memory of 1772	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	45
PID 1528 wrote to memory of 1772	1528	{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe	45

C:\Users\Admin\AppData\Local\Temp\bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
"C:\Users\Admin\AppData\Local\Temp\bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
  C:\Windows\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
    C:\Windows\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
      C:\Windows\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
        
        C:\Windows\{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
        
        C:\Windows\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe
        
        C:\Windows\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
        
        C:\Windows\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
        
        C:\Windows\{F5B61800-E777-4408-9B99-C83C97B682C8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe
        
        C:\Windows\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe
        
        C:\Windows\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}.exe
        
        C:\Windows\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C6A~1.EXE > nul
        12⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B83A~1.EXE > nul
        11⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5B61~1.EXE > nul
        10⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F566~1.EXE > nul
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF70~1.EXE > nul
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89E8A~1.EXE > nul
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C4E2~1.EXE > nul
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A5C~1.EXE > nul
        5⤵
        
        PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25F31~1.EXE > nul
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2C34~1.EXE > nul
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BCAE19~1.EXE > nul
  2⤵
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25F31B5A-1177-413d-92C3-3ACFAD461AE5}.exe

Filesize
90KB

MD5
541bbdc1221db050c6723ac5fa6dd222

SHA1
1e817d0f87a32bf99232525fa6faec78bdb08ca4

SHA256
a6469c42f38d8f996fbdc358258673859078eb24ca4e512410607cd2c13c8c88

SHA512
8037c73e1c4e735c06693d3572abddd78afee8c541fb5dd966dd2a317c8f2d3da323c52e0b75da5313cf37314bc10da882a5aec2f544b5f2efe4e264298e6b0a

Download Submit
C:\Windows\{6C4E2018-7287-4806-87CD-9503C5709F5D}.exe

Filesize
90KB

MD5
d7d682cc250561dafb036f14e5c3d280

SHA1
147390cfdb8efa3da4b204632ecb14d259911172

SHA256
fd5567f031ad1afa668024823db10c986040f5f3b7c902d64a5703b8722cb3c3

SHA512
05e23fc98d587848273cb7bd88a82ce89c2ea00940792c270e5dcca5309e9d89439e81cf35c0ac67e030c19f9cb0e0145a6ca53218298b7e4801f9a398a342b8

Download Submit
C:\Windows\{7B83A523-8E62-4ec3-8C11-BCE94CC3B115}.exe

Filesize
90KB

MD5
fcfdf031d61430684028f8451a973eb7

SHA1
074eecba08ae71addcd4c2813aed72613fe1fded

SHA256
bc426df13ca7cf48cb2e29acf54c1d2a56974b64b1437f0f2251d1c4fd3e0ad4

SHA512
1a69790dcf401f50f5d8eb1d1a7cbb34fe13a404124d63636002d2213b139d46df06f6f9a9741561079d0a98bb2187937abddff9c2caba30a327a5d46c638973

Download Submit
C:\Windows\{7F56664A-97E9-4998-80CA-BD1A29B20E8D}.exe

Filesize
90KB

MD5
054565e5c186531667717a6ac78c9864

SHA1
a11ba38ce082720c65066c864cbe5be8f3ac1c80

SHA256
28576627cf4e93f79238d0b1a4e6292772b4e53c66beeb774a49c1d6bd0f5151

SHA512
52dbd556c9489576e904fe5895864120a749182eafe6f3d1ee29f5087d66833cef572e7461b4e36879764933b9ea5fef394bac5357964d914f24c7d6162286af

Download Submit
C:\Windows\{89E8A9ED-7AA8-4efc-831A-6E09277386A6}.exe

Filesize
90KB

MD5
a71670f614c0921fa25080dcd3d2478a

SHA1
ea790fa4d838a9e074e14147029479a9b6c1e9ce

SHA256
b5a8b9885fcc6d026e48b0772b388012c3b6783ba7e0e3b270b4abb68441e0db

SHA512
9f587d48702881aaf84afb8c69876f46185b0ccf5bb7d49196e2bb56ba0815cb0430468c647590ec19ee017cf076d14f43508afbc504ed69e7a035757a698b9f

Download Submit
C:\Windows\{A1A5C406-72C3-4d10-911F-4D7F313D1DDC}.exe

Filesize
90KB

MD5
d08148046e1640788c6df3680df89392

SHA1
00740622403f7e4d18d75b8a4d30e76d0c13558f

SHA256
a08049ea88a25388c3ef0c89d04b5670aa0015859389dd88f62221cd365ea82f

SHA512
8c58595651e1b5e3ff1b09f8e448dd276fe07c0f666506e3726cd22c29fc6d16d1bf79ad8c9eb86d7d640e61df78163662c0c8078225090de1296362cf15157f

Download Submit
C:\Windows\{A5C6ACE9-C0A3-4e70-B9FB-40774EA53222}.exe

Filesize
90KB

MD5
a344b0c50a597921fa1940ba90aa0511

SHA1
9b2c6b5f62d3d4839f3b9b52414485e1daeeb61d

SHA256
05186841ce34a305ef37e58a7f92579806b19a145ce94f442fe0c26df2cb0cef

SHA512
c2ccc6b36215e9bf78943e9e19c3b0756358ad5b6b214f098d91f0f61ce525f99b6183671c66f7e95189fb3ab29fc9b27e3a4d14d4f43da929922cce73c81223

Download Submit
C:\Windows\{ACF70180-DB06-453b-8521-A7BF23FDBFE5}.exe

Filesize
90KB

MD5
3d04df914d990466d2f337ca102ef942

SHA1
f7a1b507bb9e53a50d1e6033bb5e50bb31349f8d

SHA256
216446df296db0b97914434282f28383fa032ea849c6a7646c54c81ea690c64a

SHA512
e9cd708439a6649920bf08f1bf1aa544b4a22f22f30389b548e993eee62581a420b4cd00846268715a1ecc65ce3237aabac7f55cc7e2c4d9802929c36b7b54a8

Download Submit
C:\Windows\{D2C341E1-BFF9-4561-9C4B-3FEBD93E1423}.exe

Filesize
90KB

MD5
62c60c0d87eab4bb07ffc0cda398bdf0

SHA1
3bf5b7953f9ccfc3c51914303cb5bf9c396fb560

SHA256
b02863f7ca744008f5743e338938eafd6882d6fa582a3e24d76d45e8eb0c2139

SHA512
89ea8ed73db44811cfac93030920aeec6c25a6a6978ea2a7d8f0c6754ea4ca972acd995724be4818d1a29fff4255792632bef42b6c5eb6694a54cb3eb64c0919

Download Submit
C:\Windows\{F5B61800-E777-4408-9B99-C83C97B682C8}.exe

Filesize
90KB

MD5
ff33fadbc02c4fdb4ffcca03a528eb56

SHA1
e68144f1570d77a9510ee4946ed131e83a97ba38

SHA256
3d8f146762f2b1e3c1ca70572463742d765296379c1ae8576f672ad767d40f6c

SHA512
e01fd9dc4410bb0484d4e6ddcea4c2a4473ad1caa7cf287932f003faec8f78b2c15bb1a49a8385673f41b0c421bb39292185e2261c9a1a7c219d87e89584346e

Download Submit
C:\Windows\{FFD3F3CC-4080-48b0-9099-37E6D90AC47E}.exe

Filesize
90KB

MD5
4aab2ad3a2e2645c354df0747e7423c5

SHA1
4fe8a10a5088ef4d4d4d010ef7c20122343ca5dd

SHA256
299c9c3bbbf71e5a737f02ad75cb0a37384a8a86b059fd6a71ac7316ae9b8680

SHA512
29589a3416f176ebed4bc74591330ed02358cd08a51f1c154db252d1a30367ccb15f384fe5c91acb437e2739a45f182740d7a9835a6146ca5cf672151096f485

Download Submit
memory/848-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-28-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/848-27-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/948-81-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/948-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1528-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1528-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1528-72-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1784-17-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1784-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1784-18-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1784-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-35-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1808-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-3-0x0000000000710000-0x0000000000721000-memory.dmp

Filesize
68KB

Download
memory/1932-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-8-0x0000000000710000-0x0000000000721000-memory.dmp

Filesize
68KB

Download
memory/1968-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1968-54-0x0000000000380000-0x0000000000391000-memory.dmp

Filesize
68KB

Download
memory/2120-99-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2120-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2196-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-90-0x0000000001CF0000-0x0000000001D01000-memory.dmp

Filesize
68KB

Download
memory/2700-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-45-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2852-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads