d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe
Size

91KB
MD5

09592a38bd69e35cf78a4a0430970de4
SHA1

30d1e57d142094326b23beb58d45a42b3bacdee5
SHA256

d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4
SHA512

53a76c2e7bb4e2c06b1ad5778d6783d420b3af410f26375d6853c01df6d7a76f48b61267a5bbfda161eff9b3e59d675bc15bc24feb101ed58ac9b4106679d216
SSDEEP

768:5vw9816uhKiros4/wQNNrfrunMxVFA3b7t:lEGkmoslCunMxVS3Ht

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3914BD13-6714-4886-80D1-91EEF4D561FA}	{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46084DF4-AE46-4852-A452-8D1F7108E6BE}	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}\stubpath = "C:\\Windows\\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe"	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D92D7B7E-6316-499d-9996-347EE66A3190}\stubpath = "C:\\Windows\\{D92D7B7E-6316-499d-9996-347EE66A3190}.exe"	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{869F3953-B225-4550-A1DB-E747FF15A935}	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{869F3953-B225-4550-A1DB-E747FF15A935}\stubpath = "C:\\Windows\\{869F3953-B225-4550-A1DB-E747FF15A935}.exe"	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}	{869F3953-B225-4550-A1DB-E747FF15A935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5127F65-F886-4c08-BB08-2499EBD3B03E}	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3914BD13-6714-4886-80D1-91EEF4D561FA}\stubpath = "C:\\Windows\\{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe"	{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}\stubpath = "C:\\Windows\\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe"	{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}\stubpath = "C:\\Windows\\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}.exe"	{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D92D7B7E-6316-499d-9996-347EE66A3190}	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5127F65-F886-4c08-BB08-2499EBD3B03E}\stubpath = "C:\\Windows\\{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe"	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}\stubpath = "C:\\Windows\\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe"	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46084DF4-AE46-4852-A452-8D1F7108E6BE}\stubpath = "C:\\Windows\\{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe"	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}\stubpath = "C:\\Windows\\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe"	{869F3953-B225-4550-A1DB-E747FF15A935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}	{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}\stubpath = "C:\\Windows\\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe"	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}	{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe
1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
744	{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe
2040	{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
1752	{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe
1500	{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
File created	C:\Windows\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
File created	C:\Windows\{869F3953-B225-4550-A1DB-E747FF15A935}.exe	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
File created	C:\Windows\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	{869F3953-B225-4550-A1DB-E747FF15A935}.exe
File created	C:\Windows\{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
File created	C:\Windows\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe	{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
File created	C:\Windows\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}.exe	{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe
File created	C:\Windows\{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe
File created	C:\Windows\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
File created	C:\Windows\{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
File created	C:\Windows\{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe	{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe
Token: SeIncBasePriorityPrivilege	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
Token: SeIncBasePriorityPrivilege	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
Token: SeIncBasePriorityPrivilege	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
Token: SeIncBasePriorityPrivilege	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
Token: SeIncBasePriorityPrivilege	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe
Token: SeIncBasePriorityPrivilege	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
Token: SeIncBasePriorityPrivilege	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
Token: SeIncBasePriorityPrivilege	744	{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe
Token: SeIncBasePriorityPrivilege	2040	{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
Token: SeIncBasePriorityPrivilege	1752	{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2592	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	28
PID 2192 wrote to memory of 2592	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	28
PID 2192 wrote to memory of 2592	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	28
PID 2192 wrote to memory of 2592	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	28
PID 2192 wrote to memory of 1996	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	29
PID 2192 wrote to memory of 1996	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	29
PID 2192 wrote to memory of 1996	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	29
PID 2192 wrote to memory of 1996	2192	d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe	29
PID 2592 wrote to memory of 2372	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	30
PID 2592 wrote to memory of 2372	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	30
PID 2592 wrote to memory of 2372	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	30
PID 2592 wrote to memory of 2372	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	30
PID 2592 wrote to memory of 2712	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	31
PID 2592 wrote to memory of 2712	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	31
PID 2592 wrote to memory of 2712	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	31
PID 2592 wrote to memory of 2712	2592	{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe	31
PID 2372 wrote to memory of 2440	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	32
PID 2372 wrote to memory of 2440	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	32
PID 2372 wrote to memory of 2440	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	32
PID 2372 wrote to memory of 2440	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	32
PID 2372 wrote to memory of 2568	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	33
PID 2372 wrote to memory of 2568	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	33
PID 2372 wrote to memory of 2568	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	33
PID 2372 wrote to memory of 2568	2372	{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe	33
PID 2440 wrote to memory of 1372	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	36
PID 2440 wrote to memory of 1372	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	36
PID 2440 wrote to memory of 1372	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	36
PID 2440 wrote to memory of 1372	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	36
PID 2440 wrote to memory of 2808	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	37
PID 2440 wrote to memory of 2808	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	37
PID 2440 wrote to memory of 2808	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	37
PID 2440 wrote to memory of 2808	2440	{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe	37
PID 1372 wrote to memory of 2952	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	38
PID 1372 wrote to memory of 2952	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	38
PID 1372 wrote to memory of 2952	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	38
PID 1372 wrote to memory of 2952	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	38
PID 1372 wrote to memory of 3008	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	39
PID 1372 wrote to memory of 3008	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	39
PID 1372 wrote to memory of 3008	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	39
PID 1372 wrote to memory of 3008	1372	{D92D7B7E-6316-499d-9996-347EE66A3190}.exe	39
PID 2952 wrote to memory of 1300	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	40
PID 2952 wrote to memory of 1300	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	40
PID 2952 wrote to memory of 1300	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	40
PID 2952 wrote to memory of 1300	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	40
PID 2952 wrote to memory of 2648	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	41
PID 2952 wrote to memory of 2648	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	41
PID 2952 wrote to memory of 2648	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	41
PID 2952 wrote to memory of 2648	2952	{869F3953-B225-4550-A1DB-E747FF15A935}.exe	41
PID 1300 wrote to memory of 536	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	42
PID 1300 wrote to memory of 536	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	42
PID 1300 wrote to memory of 536	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	42
PID 1300 wrote to memory of 536	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	42
PID 1300 wrote to memory of 484	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	43
PID 1300 wrote to memory of 484	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	43
PID 1300 wrote to memory of 484	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	43
PID 1300 wrote to memory of 484	1300	{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe	43
PID 536 wrote to memory of 744	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	44
PID 536 wrote to memory of 744	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	44
PID 536 wrote to memory of 744	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	44
PID 536 wrote to memory of 744	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	44
PID 536 wrote to memory of 1484	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	45
PID 536 wrote to memory of 1484	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	45
PID 536 wrote to memory of 1484	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	45
PID 536 wrote to memory of 1484	536	{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe	45

C:\Users\Admin\AppData\Local\Temp\d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe
"C:\Users\Admin\AppData\Local\Temp\d12b715a1844c67402d4df04e964ae42b4abf4bf6b0f30c4bdb773bde5e2c4d4.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
  C:\Windows\{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
    C:\Windows\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
      C:\Windows\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
        
        C:\Windows\{D92D7B7E-6316-499d-9996-347EE66A3190}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\{869F3953-B225-4550-A1DB-E747FF15A935}.exe
        
        C:\Windows\{869F3953-B225-4550-A1DB-E747FF15A935}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
        
        C:\Windows\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
        
        C:\Windows\{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe
        
        C:\Windows\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
        
        C:\Windows\{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe
        
        C:\Windows\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}.exe
        
        C:\Windows\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}.exe
        12⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F98D6~1.EXE > nul
        12⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3914B~1.EXE > nul
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FA9~1.EXE > nul
        10⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5127~1.EXE > nul
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A5F1~1.EXE > nul
        8⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{869F3~1.EXE > nul
        7⤵
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D92D7~1.EXE > nul
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B9E4~1.EXE > nul
        5⤵
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CB1~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46084~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D12B71~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3914BD13-6714-4886-80D1-91EEF4D561FA}.exe

Filesize
91KB

MD5
6326fcd1935ffa1d1f64cb608024bc5e

SHA1
2494b4678b7d2b0346dbdda831c86f1ad5f1829d

SHA256
751b647f03cbad9a47678f210b1c52cf6ea637370371488252231acdeb581f46

SHA512
553fea5bf63beb3dc9355f26c1f24569334b312a17ab14fa22db7e60c2c7db8bbdd82ce34ead880677d5c7083630654413f863dacf560b31881be84f86722c6e

Download Submit
C:\Windows\{3A5F1154-A9C2-44ba-AF32-BDE5FBA4CF6B}.exe

Filesize
91KB

MD5
e206460eea8af8a889d0f8af1072dc9d

SHA1
7775a2e9816a172472943494dcea9b504bfff219

SHA256
b54a96a2da60f0a2b6287c9b615db131c557e9b7b2a90ec98e47c94d8dd8d062

SHA512
dc3d4daa1ebb04f6c82cb34375239e64403e5972b91c7973f881a70c869dc8cd7f890c1d3e67e39c29effcb6f57bfd1853995dd2ff415830c6f4affde92e99d9

Download Submit
C:\Windows\{46084DF4-AE46-4852-A452-8D1F7108E6BE}.exe

Filesize
91KB

MD5
a1899e3d4764d94a9e1ef6d700369317

SHA1
99f73ff002359906251319f67a1134c6386cd4aa

SHA256
8de819d5372aefa995309ff4eddaba602172b7aeb0fa76d47f0004efd9f72749

SHA512
90a62e076be4773db588cbb4f0a4541bbe54696a9a5ec563d9eb7b1b849b5354a621728bb1111d9df6f422cca6a5451b194f38a99f214c429b705e76b79765f8

Download Submit
C:\Windows\{869F3953-B225-4550-A1DB-E747FF15A935}.exe

Filesize
91KB

MD5
278afe701c5b3a55a3d71519963b0020

SHA1
aae521ee94992e8e55eeb76504b97cad3ffebfcb

SHA256
2253bd03b5229bc332d79f4df2ff12fd8cb2112dc2d9ebbfd2a8df258e4f5b88

SHA512
3d2c7c3a2996899f10e5b7f349ddb55e5c64f1f0a224de1fd72aa4d37a0503db9b3de83cd876d681c443401c3c9865f6571c1a4e93ba7131be84a16b51afae93

Download Submit
C:\Windows\{8B9E4357-ED4C-4493-853E-6F8A0101A7E0}.exe

Filesize
91KB

MD5
69029cb23b4e46e1831e25597675ec20

SHA1
47a6b501e60d673697b30e37c203f49073d4f51f

SHA256
690ea02c362b8a3c7256aba810fb82aa7ff19df01525790603b7a7d39b22f474

SHA512
ce85a56003995ba25ce4b736b12ac745b6eef16f08142d014bb0173f94e29a317d3be9e05525db80785b529719cd91c9390aa3437254c71ab52b5d3d2e80bae0

Download Submit
C:\Windows\{A5127F65-F886-4c08-BB08-2499EBD3B03E}.exe

Filesize
91KB

MD5
8f1e86c8ba627eb7048fe1943efcbf35

SHA1
c8b03336ec644535405f4fdb3a5345210f3166bd

SHA256
eb7762257768c5daa450ff91d74df85c16ef0d51b591a6dc001d82dbca74c3a6

SHA512
14fc440813857adb6dd096724d51b9861a2ad6525342ad2274c1a9740a96c8906557349ead772b8e79611307cc63b4d71a598f94c5d847bc9bb6e64b9a1f9936

Download Submit
C:\Windows\{B330FB33-56E2-4af0-BF4B-E79FC9CA4189}.exe

Filesize
91KB

MD5
8d055107a7247c26a741098943ec8473

SHA1
86726a1f149c96717a6162c0a3e3a9f9afeff78d

SHA256
c79b142925fa5d07794d542107723979a43848ced9509ddedf0adbc784ad6bfc

SHA512
8e3b24b87e515bf88586d0df92c58dd2e1da0ec46aa1833716218aa1118b266f5f54693bf451320fb13c65580fbb50c02b9d20a45a195396b5624febaff6c584

Download Submit
C:\Windows\{C6FA90CD-7360-48b1-82EF-CEAC597880BF}.exe

Filesize
91KB

MD5
3ac70049785a9cef9fea4dbf5496c0ea

SHA1
504876643a50b7f0249eccff1363bf8b1a928a9b

SHA256
7add4acd7ae21679d42e26e4f86a46408f2b163a29b2b41b2b431ed938ae2113

SHA512
85a8fa7551c96b6fe33887f4a43444b1cb589d9d1b53c6cae8cd5be6146d635aa353af8d28d77ffda8e58f0d007e6b2721c4592f5fbfa59f99aa663fcae46f7a

Download Submit
C:\Windows\{D7CB19A7-C23C-4987-B93F-090650BB3FA1}.exe

Filesize
91KB

MD5
56abbc08de7bb9e08d17c64e1f909760

SHA1
e40f8ca0dd162f9a4d5d8b09e75d67e249752306

SHA256
44e8592f5ec1473b666685b5b0764ed43b25a8e40608cbdec69b6a949f6b41e4

SHA512
abe0eca88683b805da41a4c84db36073c44f131ddfb604a37606edb8fb3900ff0ebeb047ce36f171df89fa3e3b1eade7c93dc6d7095ae3f4d9be01cb50107cf6

Download Submit
C:\Windows\{D92D7B7E-6316-499d-9996-347EE66A3190}.exe

Filesize
91KB

MD5
134d6c1d6286de5af622dedfb5c4190f

SHA1
fe866c23e2d2980bb6dea1be66deb5fc05b46437

SHA256
c80978154a2ba0140b80826af20fe9565f8f76a26cb94c17071abce9e2d29025

SHA512
7accd0860cd31b3744e61b0b6b021f7771a66981aeb18df98895e16034041405c12159364c5e9a700ba7b6ad513ffd7bcf5c2baedaf8970ba6bb9bb57db57092

Download Submit
C:\Windows\{F98D6835-328F-4acf-BADC-0D6551F0B6B8}.exe

Filesize
91KB

MD5
111305e3e1c94448e7da9b31be97f397

SHA1
468362babe0f5c8f9aeb2b974c1c6df4b656d402

SHA256
274d25c1566176a11f7886283d83e7c7d1e2ef1a965c6fb40ea08454d9aa8f7f

SHA512
b3cc1865c75e0a44b446eda26280bad646abf392b584c51882cb18e79e0eef4141a6979abce48f0fc07890c25f48179614deac0ac45971f27d5ca8af2c7ce39e

Download Submit
memory/536-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/744-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1372-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1372-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-91-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2040-81-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2040-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2040-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2192-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2192-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2192-7-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2372-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2440-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2440-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2592-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2592-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads