9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Size

90KB
MD5

31690d1be4b7bd2f5e651c660f63e8a0
SHA1

9f3ef0b804751115d31fe51b40a9defd2505bc46
SHA256

9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f
SHA512

a36e25d2149045ce97b503716970192ba9480cc031721a3565b3ec86274562d5bdad3ef14a714724edb6c07046b22b86b86701a55a657aaa8f50e180a99cda17
SSDEEP

768:Qvw9816vhKQLroY4/wQRNrfrunMxVFA3b7glws:YEGh0oYl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}\stubpath = "C:\\Windows\\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe"	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065611CE-6B45-41ed-B736-C4EA8D00F918}	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1BB2078-A045-4c71-AC77-9B43652555C6}	{3CD8D080-52D1-4298-A477-723F82488608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1BB2078-A045-4c71-AC77-9B43652555C6}\stubpath = "C:\\Windows\\{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe"	{3CD8D080-52D1-4298-A477-723F82488608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}\stubpath = "C:\\Windows\\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe"	{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B937DA57-5B5E-43d3-8504-D70574D3A628}	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}	{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DFB4F55-F283-4867-B969-79D94F60F125}	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065611CE-6B45-41ed-B736-C4EA8D00F918}\stubpath = "C:\\Windows\\{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe"	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}	{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}	{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}\stubpath = "C:\\Windows\\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}.exe"	{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}\stubpath = "C:\\Windows\\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe"	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B937DA57-5B5E-43d3-8504-D70574D3A628}\stubpath = "C:\\Windows\\{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe"	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DFB4F55-F283-4867-B969-79D94F60F125}\stubpath = "C:\\Windows\\{5DFB4F55-F283-4867-B969-79D94F60F125}.exe"	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD8D080-52D1-4298-A477-723F82488608}\stubpath = "C:\\Windows\\{3CD8D080-52D1-4298-A477-723F82488608}.exe"	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}\stubpath = "C:\\Windows\\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe"	{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}\stubpath = "C:\\Windows\\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe"	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD8D080-52D1-4298-A477-723F82488608}	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe

Executes dropped EXE 11 IoCs

pid	Process
1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe
2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe
2988	{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
2264	{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
1164	{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe
844	{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}.exe	{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe
File created	C:\Windows\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
File created	C:\Windows\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
File created	C:\Windows\{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
File created	C:\Windows\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe	{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
File created	C:\Windows\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe	{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
File created	C:\Windows\{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
File created	C:\Windows\{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
File created	C:\Windows\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
File created	C:\Windows\{3CD8D080-52D1-4298-A477-723F82488608}.exe	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe
File created	C:\Windows\{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe	{3CD8D080-52D1-4298-A477-723F82488608}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Token: SeIncBasePriorityPrivilege	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
Token: SeIncBasePriorityPrivilege	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
Token: SeIncBasePriorityPrivilege	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
Token: SeIncBasePriorityPrivilege	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
Token: SeIncBasePriorityPrivilege	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
Token: SeIncBasePriorityPrivilege	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe
Token: SeIncBasePriorityPrivilege	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe
Token: SeIncBasePriorityPrivilege	2988	{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
Token: SeIncBasePriorityPrivilege	2264	{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
Token: SeIncBasePriorityPrivilege	1164	{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1756	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	28
PID 2232 wrote to memory of 1756	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	28
PID 2232 wrote to memory of 1756	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	28
PID 2232 wrote to memory of 1756	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	28
PID 2232 wrote to memory of 2868	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	29
PID 2232 wrote to memory of 2868	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	29
PID 2232 wrote to memory of 2868	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	29
PID 2232 wrote to memory of 2868	2232	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	29
PID 1756 wrote to memory of 2904	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	30
PID 1756 wrote to memory of 2904	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	30
PID 1756 wrote to memory of 2904	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	30
PID 1756 wrote to memory of 2904	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	30
PID 1756 wrote to memory of 3064	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	31
PID 1756 wrote to memory of 3064	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	31
PID 1756 wrote to memory of 3064	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	31
PID 1756 wrote to memory of 3064	1756	{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe	31
PID 2904 wrote to memory of 2500	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	32
PID 2904 wrote to memory of 2500	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	32
PID 2904 wrote to memory of 2500	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	32
PID 2904 wrote to memory of 2500	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	32
PID 2904 wrote to memory of 2636	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	33
PID 2904 wrote to memory of 2636	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	33
PID 2904 wrote to memory of 2636	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	33
PID 2904 wrote to memory of 2636	2904	{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe	33
PID 2500 wrote to memory of 1236	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	36
PID 2500 wrote to memory of 1236	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	36
PID 2500 wrote to memory of 1236	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	36
PID 2500 wrote to memory of 1236	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	36
PID 2500 wrote to memory of 1916	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	37
PID 2500 wrote to memory of 1916	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	37
PID 2500 wrote to memory of 1916	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	37
PID 2500 wrote to memory of 1916	2500	{5DFB4F55-F283-4867-B969-79D94F60F125}.exe	37
PID 1236 wrote to memory of 1104	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	38
PID 1236 wrote to memory of 1104	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	38
PID 1236 wrote to memory of 1104	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	38
PID 1236 wrote to memory of 1104	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	38
PID 1236 wrote to memory of 1904	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	39
PID 1236 wrote to memory of 1904	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	39
PID 1236 wrote to memory of 1904	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	39
PID 1236 wrote to memory of 1904	1236	{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe	39
PID 1104 wrote to memory of 2540	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	40
PID 1104 wrote to memory of 2540	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	40
PID 1104 wrote to memory of 2540	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	40
PID 1104 wrote to memory of 2540	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	40
PID 1104 wrote to memory of 1656	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	41
PID 1104 wrote to memory of 1656	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	41
PID 1104 wrote to memory of 1656	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	41
PID 1104 wrote to memory of 1656	1104	{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe	41
PID 2540 wrote to memory of 2808	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	42
PID 2540 wrote to memory of 2808	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	42
PID 2540 wrote to memory of 2808	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	42
PID 2540 wrote to memory of 2808	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	42
PID 2540 wrote to memory of 1324	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	43
PID 2540 wrote to memory of 1324	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	43
PID 2540 wrote to memory of 1324	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	43
PID 2540 wrote to memory of 1324	2540	{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe	43
PID 2808 wrote to memory of 2988	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	44
PID 2808 wrote to memory of 2988	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	44
PID 2808 wrote to memory of 2988	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	44
PID 2808 wrote to memory of 2988	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	44
PID 2808 wrote to memory of 2860	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	45
PID 2808 wrote to memory of 2860	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	45
PID 2808 wrote to memory of 2860	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	45
PID 2808 wrote to memory of 2860	2808	{3CD8D080-52D1-4298-A477-723F82488608}.exe	45

C:\Users\Admin\AppData\Local\Temp\9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
"C:\Users\Admin\AppData\Local\Temp\9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
  C:\Windows\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
    C:\Windows\{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
      C:\Windows\{5DFB4F55-F283-4867-B969-79D94F60F125}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
        
        C:\Windows\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
        
        C:\Windows\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe
        
        C:\Windows\{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{3CD8D080-52D1-4298-A477-723F82488608}.exe
        
        C:\Windows\{3CD8D080-52D1-4298-A477-723F82488608}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
        
        C:\Windows\{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
        
        C:\Windows\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe
        
        C:\Windows\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}.exe
        
        C:\Windows\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}.exe
        12⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E23DF~1.EXE > nul
        12⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F1D~1.EXE > nul
        11⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1BB2~1.EXE > nul
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD8D~1.EXE > nul
        9⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06561~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA92~1.EXE > nul
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AAA2~1.EXE > nul
        6⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DFB4~1.EXE > nul
        5⤵
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B937D~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB8CF~1.EXE > nul
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9CD202~1.EXE > nul
  2⤵
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{065611CE-6B45-41ed-B736-C4EA8D00F918}.exe

Filesize
90KB

MD5
c2a27caa17f0bec3b7f421fdf28bae37

SHA1
97c07170b9f3e1efd78cadd4f7376e86675a65db

SHA256
cd2f0f570045f74c9e7425495924f0a0bfec256d4e86d78bf1f1a011944198c9

SHA512
34ccbf5ed1c3ddeed7c6f6fcd0df23ded048fcb43bad89a1435d93dac130ad99d725d395ce2e302acbfadd4c00acf4af0285087142cf0585e84ee2b903de2dfe

Download Submit
C:\Windows\{1CDC110C-7ED4-4cbd-AC61-D1B07F012EEC}.exe

Filesize
90KB

MD5
3f7b1d73081eb84f6ff2b6be9100b50d

SHA1
e596ef87f1615b3e4bec74db6036eee8bae17761

SHA256
ec047483add5ddaaf18b5072deb947b5ff517cf03ad9aab7a88e43ef685de8b4

SHA512
dfd24856c7a0a268f29a28ceba4bb7b86b88b257db5b8d876dc571b9063e505a0188ff30f6ff370ce4d0b7934e110d9b6024a83fc9f9dcea93aa7758d3d17f1c

Download Submit
C:\Windows\{2AAA2711-E355-4075-A016-C0F60DD3C7B8}.exe

Filesize
90KB

MD5
a387860aac6532341b8338974f061393

SHA1
aec7c8e469416c2ddf7fa21248bcfb9dd20a6310

SHA256
081c2987b087a3e348fea89313ae846516957c8552b4a1e5120460ac975472ab

SHA512
dccf89b018c2bff9c6d006143e570b50f42c48f6eca0ccb365e8153a841dce12a68cde60b61421103e58d65e8a3a47a252b4681831e5d70cf868188e261ebdc0

Download Submit
C:\Windows\{3CD8D080-52D1-4298-A477-723F82488608}.exe

Filesize
90KB

MD5
9fdd15e2772f2ac242606dd3fd2b9b93

SHA1
7463d455a867def9357acd8778ba50802b22ce02

SHA256
1eeaaa8fc9297a11ead8cf3ebe01ad647c45be24b06d5c90fa3eda5795012131

SHA512
bf41a556dc55a9f092c7ef970ed155a473dc0ae1f250c578cae9730ba64b13c2eea9fc73f59cd0b72703e3b0fa9d8dc2edd0b47b708395bed5f989260877bc31

Download Submit
C:\Windows\{5DFB4F55-F283-4867-B969-79D94F60F125}.exe

Filesize
90KB

MD5
c0568513f6eb77b3720242f0840a41c5

SHA1
6c66c8537b528deefd303910e1fc911af5c0ac3b

SHA256
cdea0a1fc2ac66d0f00c1ecce2138c0c8c96a3360e1b3b81dba2da9d2a2797c8

SHA512
38925e59cf0625bcb96f156ee58b339cedb48d513fdc85bdfc303d2173113f0e636736794eb4dceaa601e3114a26097840aab9ccd75c41f86f1517e0a95d60f1

Download Submit
C:\Windows\{6DA92C80-39D2-416e-B0E2-064EFEC6447C}.exe

Filesize
90KB

MD5
b993932b9e412a60b91f4d44af0d5952

SHA1
dced2f251ef600c2ab183b2d7a3828632a685059

SHA256
c51979e8c758c60a94908fbb982a8c9bce56e389b1bb82f83e8776ca24ca74b8

SHA512
07206907090129a18b2446f2d092ce7499207b2459a1220d1df35e94453df5ba8981a0a57520d04919062afbf6c15c143eb82ff0c22c5b69389e8e11aad95b77

Download Submit
C:\Windows\{B5F1D82A-F613-4c13-9CE5-69E854447B1F}.exe

Filesize
90KB

MD5
97aac88c24c815203b41b61f79f8bee6

SHA1
6be4c74a3de83143c5e288b3189258ca26ac4372

SHA256
967644ee80ae7e285206c7cb5cfbee9cf22630eb5e655125554aa11be7b98c1b

SHA512
0be31f6e41d6a775f217f9fbabe811d714b727daaa8d33e97033c4d326f4712bb86b4b277418bb3276254b68c7806961eadf29e27c3bd1e2f5d1d027b89bd442

Download Submit
C:\Windows\{B937DA57-5B5E-43d3-8504-D70574D3A628}.exe

Filesize
90KB

MD5
9e011d5e0279d6bafc56fd7868ce4afa

SHA1
4573c94b0bc3c51fcd4253d6ceb019e82b897047

SHA256
111e9d9d00acc03da4ac2a7c9560b07b59a7ccebe45cfc2eb48ffd098c6f0a01

SHA512
25e87d7cadc048e6670d3334eaabf52902a748428b05305fffadcfd59a4195726ac8c2d74364e19d0057c704458b9225d34bbbb1897a2bc55a400e3dfea0ec5c

Download Submit
C:\Windows\{C1BB2078-A045-4c71-AC77-9B43652555C6}.exe

Filesize
90KB

MD5
275567ab4c13734cfce9cbe4b878701e

SHA1
9b79fc30cf8156dcd7285ee9fac8499d096bdb8a

SHA256
6a17fcf54adba74f35614606a3c3b51ac25edf13cde47fccfdb60cd95f722315

SHA512
df7ead395e8f0b7b157c1236d6d4b868418989cb5f592b8e092104352e9cbde0c8eb477d9634b002947b37f487399800fac26d1840fb3b0a2df6f910eb51ef01

Download Submit
C:\Windows\{CB8CFA8B-66BF-4165-90D6-B85A519631FE}.exe

Filesize
90KB

MD5
8d88044517cd5850e07b4e45c6967a1d

SHA1
cae0550c200b33433d4754696b191930ad9b5104

SHA256
a1048d2a2276516e16a35019c806e62eb0648eb91c6028740b3ca89783bca5ae

SHA512
eace79fa35b61ab9aac22464a2d530917b3d35437e2901b8579282de4150bd4c606afafe45ffc63dacb1cc9bb738f08d11448e342f892c007205e09df294c0da

Download Submit
C:\Windows\{E23DFEE4-8EBD-4925-A07D-0B30703144F0}.exe

Filesize
90KB

MD5
de97bc538c1c6d0cb81127754a1fcb84

SHA1
b23e69c0f0c8334ff6c82610fecbd9da54083863

SHA256
13da3d844514a58a8d5998f19d759edc2d4a9ecb2dc5552bf4d903a574fa4758

SHA512
757e2e0c597e7f0412a9566bbd5076be63817f65aecfc30e15b3fa9740558daf76615845a2ac640d765b5baf507e747976a7a16a8f29173da5f0c3edc5ea0935

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads