eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Size

60KB
MD5

0cb26984751b0d13a2f33f6cb5cdbc26
SHA1

5dffcc35558598adab3f1b528835a623b701b416
SHA256

eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449
SHA512

8ab0ed44fc920c15a19dca277ed803c5d1cd14838bbbcdab1f0b4a2797b08777ee2b164ef910f034a15aaab066c71091c6e6feb97b0d75fb93ef0426fa592b70
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLro54/CFsrdHWMZ:vvw9816vhKQLro54/wQpWMZ

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001226d-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0030000000014342-12.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b00000001226d-19.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0030000000014354-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c00000001226d-40.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-47.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d00000001226d-54.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-61.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e00000001226d-68.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-75.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}\stubpath = "C:\\Windows\\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe"	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E94B81EF-3D28-4130-8E65-4F9BB5471592}	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF96FAEA-4869-4a90-8533-021218AFDC9B}\stubpath = "C:\\Windows\\{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe"	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D80947D-ABFF-4caa-9254-C91928467C8A}	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}\stubpath = "C:\\Windows\\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe"	{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{221A65C3-25F6-4859-A1D5-D79D45419160}\stubpath = "C:\\Windows\\{221A65C3-25F6-4859-A1D5-D79D45419160}.exe"	{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54AE0E61-DB57-406f-A37B-48EA73072532}\stubpath = "C:\\Windows\\{54AE0E61-DB57-406f-A37B-48EA73072532}.exe"	{221A65C3-25F6-4859-A1D5-D79D45419160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034F222A-6972-44c2-94E2-35A5F1A2C532}\stubpath = "C:\\Windows\\{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe"	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}\stubpath = "C:\\Windows\\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe"	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D80947D-ABFF-4caa-9254-C91928467C8A}\stubpath = "C:\\Windows\\{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe"	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E94B81EF-3D28-4130-8E65-4F9BB5471592}\stubpath = "C:\\Windows\\{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe"	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{221A65C3-25F6-4859-A1D5-D79D45419160}	{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54AE0E61-DB57-406f-A37B-48EA73072532}	{221A65C3-25F6-4859-A1D5-D79D45419160}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034F222A-6972-44c2-94E2-35A5F1A2C532}	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF96FAEA-4869-4a90-8533-021218AFDC9B}	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}\stubpath = "C:\\Windows\\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe"	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}	{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}\stubpath = "C:\\Windows\\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe"	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe
2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
2888	{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
2896	{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
528	{221A65C3-25F6-4859-A1D5-D79D45419160}.exe
796	{54AE0E61-DB57-406f-A37B-48EA73072532}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe	{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
File created	C:\Windows\{221A65C3-25F6-4859-A1D5-D79D45419160}.exe	{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
File created	C:\Windows\{54AE0E61-DB57-406f-A37B-48EA73072532}.exe	{221A65C3-25F6-4859-A1D5-D79D45419160}.exe
File created	C:\Windows\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
File created	C:\Windows\{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
File created	C:\Windows\{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
File created	C:\Windows\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
File created	C:\Windows\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
File created	C:\Windows\{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
File created	C:\Windows\{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
File created	C:\Windows\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
Token: SeIncBasePriorityPrivilege	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
Token: SeIncBasePriorityPrivilege	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
Token: SeIncBasePriorityPrivilege	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
Token: SeIncBasePriorityPrivilege	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
Token: SeIncBasePriorityPrivilege	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
Token: SeIncBasePriorityPrivilege	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe
Token: SeIncBasePriorityPrivilege	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
Token: SeIncBasePriorityPrivilege	2888	{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
Token: SeIncBasePriorityPrivilege	2896	{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
Token: SeIncBasePriorityPrivilege	528	{221A65C3-25F6-4859-A1D5-D79D45419160}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3060	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	28
PID 1964 wrote to memory of 3060	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	28
PID 1964 wrote to memory of 3060	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	28
PID 1964 wrote to memory of 3060	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	28
PID 1964 wrote to memory of 2608	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	29
PID 1964 wrote to memory of 2608	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	29
PID 1964 wrote to memory of 2608	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	29
PID 1964 wrote to memory of 2608	1964	eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe	29
PID 3060 wrote to memory of 2588	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	30
PID 3060 wrote to memory of 2588	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	30
PID 3060 wrote to memory of 2588	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	30
PID 3060 wrote to memory of 2588	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	30
PID 3060 wrote to memory of 3024	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	31
PID 3060 wrote to memory of 3024	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	31
PID 3060 wrote to memory of 3024	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	31
PID 3060 wrote to memory of 3024	3060	{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe	31
PID 2588 wrote to memory of 2628	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	32
PID 2588 wrote to memory of 2628	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	32
PID 2588 wrote to memory of 2628	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	32
PID 2588 wrote to memory of 2628	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	32
PID 2588 wrote to memory of 2380	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	33
PID 2588 wrote to memory of 2380	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	33
PID 2588 wrote to memory of 2380	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	33
PID 2588 wrote to memory of 2380	2588	{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe	33
PID 2628 wrote to memory of 1216	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	36
PID 2628 wrote to memory of 1216	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	36
PID 2628 wrote to memory of 1216	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	36
PID 2628 wrote to memory of 1216	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	36
PID 2628 wrote to memory of 836	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	37
PID 2628 wrote to memory of 836	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	37
PID 2628 wrote to memory of 836	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	37
PID 2628 wrote to memory of 836	2628	{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe	37
PID 1216 wrote to memory of 2764	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	38
PID 1216 wrote to memory of 2764	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	38
PID 1216 wrote to memory of 2764	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	38
PID 1216 wrote to memory of 2764	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	38
PID 1216 wrote to memory of 2264	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	39
PID 1216 wrote to memory of 2264	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	39
PID 1216 wrote to memory of 2264	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	39
PID 1216 wrote to memory of 2264	1216	{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe	39
PID 2764 wrote to memory of 748	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	40
PID 2764 wrote to memory of 748	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	40
PID 2764 wrote to memory of 748	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	40
PID 2764 wrote to memory of 748	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	40
PID 2764 wrote to memory of 1020	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	41
PID 2764 wrote to memory of 1020	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	41
PID 2764 wrote to memory of 1020	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	41
PID 2764 wrote to memory of 1020	2764	{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe	41
PID 748 wrote to memory of 2136	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	42
PID 748 wrote to memory of 2136	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	42
PID 748 wrote to memory of 2136	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	42
PID 748 wrote to memory of 2136	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	42
PID 748 wrote to memory of 1616	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	43
PID 748 wrote to memory of 1616	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	43
PID 748 wrote to memory of 1616	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	43
PID 748 wrote to memory of 1616	748	{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe	43
PID 2136 wrote to memory of 2888	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	44
PID 2136 wrote to memory of 2888	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	44
PID 2136 wrote to memory of 2888	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	44
PID 2136 wrote to memory of 2888	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	44
PID 2136 wrote to memory of 2024	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	45
PID 2136 wrote to memory of 2024	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	45
PID 2136 wrote to memory of 2024	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	45
PID 2136 wrote to memory of 2024	2136	{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe	45

C:\Users\Admin\AppData\Local\Temp\eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe
"C:\Users\Admin\AppData\Local\Temp\eee7f841585c4f69643b53a448207288c82b968f1e2ec175cea4f25635277449.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
  C:\Windows\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
    C:\Windows\{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
      C:\Windows\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
        
        C:\Windows\{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
        
        C:\Windows\{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe
        
        C:\Windows\{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
        
        C:\Windows\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
        
        C:\Windows\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
        
        C:\Windows\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{221A65C3-25F6-4859-A1D5-D79D45419160}.exe
        
        C:\Windows\{221A65C3-25F6-4859-A1D5-D79D45419160}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\{54AE0E61-DB57-406f-A37B-48EA73072532}.exe
        
        C:\Windows\{54AE0E61-DB57-406f-A37B-48EA73072532}.exe
        12⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{221A6~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD0D0~1.EXE > nul
        11⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31F0E~1.EXE > nul
        10⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60EA~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D809~1.EXE > nul
        8⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF96F~1.EXE > nul
        7⤵
        
        PID:1020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E94B8~1.EXE > nul
        6⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE21~1.EXE > nul
        5⤵
        
        PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{034F2~1.EXE > nul
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71A0A~1.EXE > nul
    3⤵
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EEE7F8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{034F222A-6972-44c2-94E2-35A5F1A2C532}.exe

Filesize
60KB

MD5
7d5c2f9582f4e65eeed412628e491471

SHA1
2c473a4de103f7fe2cb2b449f9bb835a9688c5d5

SHA256
e67c9915cbe8febed157804cc0676bf8c3f8774714d0f449040ce61a6e2636c9

SHA512
88b5fa14ac9dac23618ea28224f2523e217a0534f92d16842307467df19976aac673aad40b7bcb60cedb427f5446be776badf7cdcff9c6dab1614f6dcfbb452a

Download Submit
C:\Windows\{221A65C3-25F6-4859-A1D5-D79D45419160}.exe

Filesize
60KB

MD5
fcf43c3842848384b335f1caa24a76e3

SHA1
c1536479ef37ab97a4327ccde4a6dfeae0e6d60b

SHA256
ea9909380951f817da4d49c3b1b906361de9f1f157711732e0257f93c88ba477

SHA512
b2428869619cf7e7c9f7e750d2a61c9ab685559da7bf6fda9cbb9442cc160dd295f4e381c55bfe917d54abed3f45a19f202501e070a1568ebe373e12e47f8300

Download Submit
C:\Windows\{31F0E3DE-3ED8-4af5-994C-B99A86AD1550}.exe

Filesize
60KB

MD5
4d6d4f39f44cb8493a7633abc996815b

SHA1
d93cff14f5076ae72f430d09ca0013a466a7c2fb

SHA256
16c09745bcc383454c2134461210f8c3a3a6f8353085024c7910dcb75785b8ac

SHA512
4f4a9c8467a08e928f65bd861485643006c43fd04ef64a85e7a87428da0f99e847bd3cf59c7ad1a70cd24013e5ec98bdf3533629d2d59877a118e8b0694d0315

Download Submit
C:\Windows\{3FE21998-3AF4-4bf0-ABC3-924C6B4CBF7D}.exe

Filesize
60KB

MD5
3724313eff8e7837044cbda1e5224bf6

SHA1
ecee23dbdffd0849412693618bc4d39a2536fea5

SHA256
bbeece4e84ac8081cb63d792bba2f5ae69c9bce9aa5ba536ce25483c86117fb8

SHA512
0cfdecdd238d1be97d3b710d6993409a865da1d912ae81087027068fb893b1107a8dcf78c59c434e58d043aa42c85a452f296e5d2a67aa7ea4cd7cb46f90e41f

Download Submit
C:\Windows\{54AE0E61-DB57-406f-A37B-48EA73072532}.exe

Filesize
60KB

MD5
4ff1f435f57bf088fee7038c3c4c348d

SHA1
282dd2a4a3762d6283f17e007bcf93338746c0c7

SHA256
bcd5a14701594be07fe3dc089ac73fac67026b724284845f74ca780c6bff06c5

SHA512
fe653f47208be2772c95075dd77a79eafebd5e2c32dc1d9e09467a95cba9674fa46f95cc1a3df14fb26ac4a9ef853f36ffd22af38f73b247dc2cae9fbd21bf22

Download Submit
C:\Windows\{71A0A7AE-E6D9-4d26-A5FF-2757EF701E1B}.exe

Filesize
60KB

MD5
8f8e74443dcc77e79e39b3cd11e17c97

SHA1
61897d10c6550d9b28246f35bc677acddb669807

SHA256
aa2db9e5381a026cfd70d5b2816fcb8288c2fb5c0da4e2f0235e04fbb6e426d1

SHA512
e617734b9d1557f61479a6e676b067bb6b1c97237a4982255d72d7e11a82c6a8bcfe183345ead3902ba8e4c7e8f802dfb0b8332d39a92e2f3b0ade64ee4123c4

Download Submit
C:\Windows\{9D80947D-ABFF-4caa-9254-C91928467C8A}.exe

Filesize
60KB

MD5
c20cce60dad758a1eaceccf1d1050c1d

SHA1
933ba487ea06e95c275301019fed8c74996550b3

SHA256
7d1ad5b2e03bdf002d0dc5ed135749f8be1226d4a1a12b510d94fb168b5ebd6b

SHA512
61e8e7347b5bf8e922477136969d58756aa8c4627451b2c3f49c026027541dfe53967414b9b834f2eb41322add59ba74c7f1fd2e173d05d519b6f7bf057e6fb0

Download Submit
C:\Windows\{B60EA9AA-2FEA-4b01-8CD6-F3DAFB4F3233}.exe

Filesize
60KB

MD5
d9f760416617bfee75a0970f64e8bde7

SHA1
748ed6429ff7cac200c1729fe8743be6ece5f9f3

SHA256
d668e7f6a7cfcc04339bb9f14f8a873aaae6f7821a1b0ae3e2e4a6c64a250dda

SHA512
7365f4e2f28301752dbd9337af54b6a661b9486efb6faa3618be2fb62b93bd1f810ca423dd830852506b9885de7f44c2e3af15a7a44dbe99ac532a13c20e430e

Download Submit
C:\Windows\{CF96FAEA-4869-4a90-8533-021218AFDC9B}.exe

Filesize
60KB

MD5
dead6d65c6daac77057dec0e36fd07c8

SHA1
ce4bf4e41982ea40e5e60ec902381e22b271ec20

SHA256
629a0245b957465c1c83fd782230251a30e1836f474ec646853a3d91b2c8b474

SHA512
c3d83d0f3aa2265853af7341916801038678e92981d64c7cc4a80bf162b40d0f483684bd0b1fef1f6d5f1bdb98a110326264d63b43504f3ec1eea5ba2ee54b69

Download Submit
C:\Windows\{E94B81EF-3D28-4130-8E65-4F9BB5471592}.exe

Filesize
60KB

MD5
ee85d83b89b31d2bb63bb39793d06992

SHA1
b47d4aba2cca114a1d42fbdcceca086438d0c13e

SHA256
4e4a7de504368646da232ce8f7e9d50c016d305e856785b46624dcdbeff968e2

SHA512
584158b9d16b3e660fb2b49a42c51c1a25bcd99d2beb8a6be1f0c02c59986c081a2d4921f64655be1af9f2abb1d2d18ed0b4aa64630c10e1688bbdaf992d1271

Download Submit
C:\Windows\{FD0D0700-AF9A-4b91-9E09-2D2D34D191FE}.exe

Filesize
60KB

MD5
44e4fe5e15c93538cbc892cab6684cc8

SHA1
a145359a9cca7cf766909fb2bce074a776535d5f

SHA256
f333084e9b783fe06504ad2a5c4e9ea222356935b1acd81d2ddce6f64ecf6205

SHA512
2571354fd4369072c445751be44a22e18136b31d8213f590b740d1ca74628c8d7c02145723eecea30f850151c3b30d85989c6ec1c8ae308dbdf1bf8b5d0e8b2c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads