ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe
Size

89KB
MD5

1c113839452a4a47949726b8d95ae755
SHA1

53d1e1ea85e22437876f518bc74eec5ebecbd0bb
SHA256

ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b
SHA512

48ad6232d9b4c48a0ed9583d3483f92fb7f29bbd0d8d490ad0c57eea17adec0ab895242b2e297e3d04fb3cdacbd4c9580aa540cc66b6879bd7031767224d963e
SSDEEP

768:5vw9816thKQLroC4/wQkNrfrunMxVFA3v:lEG/0oClbunMxVS3v

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{449D0A1A-A402-4570-A223-689C81F95949}	{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}\stubpath = "C:\\Windows\\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe"	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}	{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E157EA6-9601-4a39-BBE1-99667A078D77}\stubpath = "C:\\Windows\\{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe"	{26380A66-363D-4b7e-B55D-5B7025745893}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{449D0A1A-A402-4570-A223-689C81F95949}\stubpath = "C:\\Windows\\{449D0A1A-A402-4570-A223-689C81F95949}.exe"	{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761EAD72-C2C8-422e-A73D-6F922008BF3E}	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}\stubpath = "C:\\Windows\\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe"	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}\stubpath = "C:\\Windows\\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe"	{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}	{449D0A1A-A402-4570-A223-689C81F95949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}\stubpath = "C:\\Windows\\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}.exe"	{449D0A1A-A402-4570-A223-689C81F95949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761EAD72-C2C8-422e-A73D-6F922008BF3E}\stubpath = "C:\\Windows\\{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe"	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE53221-CD7C-4698-B4FB-07173813E44C}	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}\stubpath = "C:\\Windows\\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe"	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26380A66-363D-4b7e-B55D-5B7025745893}	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26380A66-363D-4b7e-B55D-5B7025745893}\stubpath = "C:\\Windows\\{26380A66-363D-4b7e-B55D-5B7025745893}.exe"	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E157EA6-9601-4a39-BBE1-99667A078D77}	{26380A66-363D-4b7e-B55D-5B7025745893}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE53221-CD7C-4698-B4FB-07173813E44C}\stubpath = "C:\\Windows\\{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe"	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}\stubpath = "C:\\Windows\\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe"	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe

Deletes itself 1 IoCs

pid	Process
1756	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe
2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe
2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
1348	{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
2884	{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe
704	{449D0A1A-A402-4570-A223-689C81F95949}.exe
1972	{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe
File created	C:\Windows\{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	{26380A66-363D-4b7e-B55D-5B7025745893}.exe
File created	C:\Windows\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe	{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
File created	C:\Windows\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}.exe	{449D0A1A-A402-4570-A223-689C81F95949}.exe
File created	C:\Windows\{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe
File created	C:\Windows\{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
File created	C:\Windows\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
File created	C:\Windows\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
File created	C:\Windows\{26380A66-363D-4b7e-B55D-5B7025745893}.exe	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
File created	C:\Windows\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
File created	C:\Windows\{449D0A1A-A402-4570-A223-689C81F95949}.exe	{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe
Token: SeIncBasePriorityPrivilege	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
Token: SeIncBasePriorityPrivilege	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
Token: SeIncBasePriorityPrivilege	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe
Token: SeIncBasePriorityPrivilege	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
Token: SeIncBasePriorityPrivilege	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
Token: SeIncBasePriorityPrivilege	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe
Token: SeIncBasePriorityPrivilege	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
Token: SeIncBasePriorityPrivilege	1348	{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
Token: SeIncBasePriorityPrivilege	2884	{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe
Token: SeIncBasePriorityPrivilege	704	{449D0A1A-A402-4570-A223-689C81F95949}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2372	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	28
PID 2416 wrote to memory of 2372	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	28
PID 2416 wrote to memory of 2372	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	28
PID 2416 wrote to memory of 2372	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	28
PID 2416 wrote to memory of 1756	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	29
PID 2416 wrote to memory of 1756	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	29
PID 2416 wrote to memory of 1756	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	29
PID 2416 wrote to memory of 1756	2416	ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe	29
PID 2372 wrote to memory of 2876	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	30
PID 2372 wrote to memory of 2876	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	30
PID 2372 wrote to memory of 2876	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	30
PID 2372 wrote to memory of 2876	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	30
PID 2372 wrote to memory of 2864	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	31
PID 2372 wrote to memory of 2864	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	31
PID 2372 wrote to memory of 2864	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	31
PID 2372 wrote to memory of 2864	2372	{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe	31
PID 2876 wrote to memory of 2704	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	32
PID 2876 wrote to memory of 2704	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	32
PID 2876 wrote to memory of 2704	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	32
PID 2876 wrote to memory of 2704	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	32
PID 2876 wrote to memory of 2808	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	33
PID 2876 wrote to memory of 2808	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	33
PID 2876 wrote to memory of 2808	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	33
PID 2876 wrote to memory of 2808	2876	{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe	33
PID 2704 wrote to memory of 2124	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	36
PID 2704 wrote to memory of 2124	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	36
PID 2704 wrote to memory of 2124	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	36
PID 2704 wrote to memory of 2124	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	36
PID 2704 wrote to memory of 2792	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	37
PID 2704 wrote to memory of 2792	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	37
PID 2704 wrote to memory of 2792	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	37
PID 2704 wrote to memory of 2792	2704	{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe	37
PID 2124 wrote to memory of 2944	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	38
PID 2124 wrote to memory of 2944	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	38
PID 2124 wrote to memory of 2944	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	38
PID 2124 wrote to memory of 2944	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	38
PID 2124 wrote to memory of 1640	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	39
PID 2124 wrote to memory of 1640	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	39
PID 2124 wrote to memory of 1640	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	39
PID 2124 wrote to memory of 1640	2124	{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe	39
PID 2944 wrote to memory of 2520	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	40
PID 2944 wrote to memory of 2520	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	40
PID 2944 wrote to memory of 2520	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	40
PID 2944 wrote to memory of 2520	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	40
PID 2944 wrote to memory of 1668	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	41
PID 2944 wrote to memory of 1668	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	41
PID 2944 wrote to memory of 1668	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	41
PID 2944 wrote to memory of 1668	2944	{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe	41
PID 2520 wrote to memory of 2680	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	42
PID 2520 wrote to memory of 2680	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	42
PID 2520 wrote to memory of 2680	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	42
PID 2520 wrote to memory of 2680	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	42
PID 2520 wrote to memory of 1028	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	43
PID 2520 wrote to memory of 1028	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	43
PID 2520 wrote to memory of 1028	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	43
PID 2520 wrote to memory of 1028	2520	{26380A66-363D-4b7e-B55D-5B7025745893}.exe	43
PID 2680 wrote to memory of 1348	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	44
PID 2680 wrote to memory of 1348	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	44
PID 2680 wrote to memory of 1348	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	44
PID 2680 wrote to memory of 1348	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	44
PID 2680 wrote to memory of 768	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	45
PID 2680 wrote to memory of 768	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	45
PID 2680 wrote to memory of 768	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	45
PID 2680 wrote to memory of 768	2680	{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe	45

C:\Users\Admin\AppData\Local\Temp\ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe
"C:\Users\Admin\AppData\Local\Temp\ca6d4342bdc4dde557fe313fe8fb61984b6cf698e691ca6fd425f32dcfd8495b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
  C:\Windows\{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
    C:\Windows\{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe
      C:\Windows\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
        
        C:\Windows\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
        
        C:\Windows\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{26380A66-363D-4b7e-B55D-5B7025745893}.exe
        
        C:\Windows\{26380A66-363D-4b7e-B55D-5B7025745893}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
        
        C:\Windows\{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
        
        C:\Windows\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe
        
        C:\Windows\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{449D0A1A-A402-4570-A223-689C81F95949}.exe
        
        C:\Windows\{449D0A1A-A402-4570-A223-689C81F95949}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}.exe
        
        C:\Windows\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{449D0~1.EXE > nul
        12⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E0DF~1.EXE > nul
        11⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01160~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E157~1.EXE > nul
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26380~1.EXE > nul
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9A2D~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2932B~1.EXE > nul
        6⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6571~1.EXE > nul
        5⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE53~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{761EA~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CA6D43~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0116004E-8496-493a-8F0E-1B1DAD0E6A7A}.exe

Filesize
89KB

MD5
5d1151a92e97eed491bc45a8488ac85b

SHA1
c0bcb44dba82d6269ab4ea64b72e8656b91bef07

SHA256
5283ac595485149998820c7a98ce814c3cfbf34fea2f209a81716caf7a4ff3a0

SHA512
ed9fa1b77e8b9a9b3062bbb37ba77cb1ffb2138268c5552338c928566f4520e5983c32339f034e784905707aaadfdd9e0a72ff98075701a56efa8a4640d56c0b

Download Submit
C:\Windows\{26380A66-363D-4b7e-B55D-5B7025745893}.exe

Filesize
89KB

MD5
783dde5edb8201daa2a50cbbf3bb25e9

SHA1
23fb8218aad7912999f473f910c8d12c2cdba5ba

SHA256
ded08442e1f59341678127e67b89831ef531810988b82f7ee2b934a63ac645cb

SHA512
2a5610df91ca284571d3ceab7813c5d557434057671ecd5b1bc70aa7623991e811f0e29f9b100736613751a648c7be14c8c3510bef140472dcc0c0968c8ba685

Download Submit
C:\Windows\{2932BE2A-6DEA-4452-BFE9-8CE4CD12F6CC}.exe

Filesize
89KB

MD5
f35eaa90711dd655d46339fbffc60239

SHA1
37a0981f72a023edaa52b53e6367a16f65a68942

SHA256
e89a5152d6d1edd803270598697c83c11285fe7b91d7f3f6e9a6f73247ff3e01

SHA512
8f615ea9e74243a1ed5307bb3811ca4c4e5d0f263bba7d2e0790361612e34b50f2160c05a3d6f4dacaaac987821224067bf5f5f1e2eefaea98973469db1c6367

Download Submit
C:\Windows\{3EE53221-CD7C-4698-B4FB-07173813E44C}.exe

Filesize
89KB

MD5
ee012463e9913e15c9ff761eca4401ec

SHA1
a927a0a08dcef2c9debe672a14fc5aadef5a5b50

SHA256
87465155b1a9f8b0b7eae65ba48c78f7ec76680b5cb44fd9477544bf0b6b170a

SHA512
3a64ab709005ed08ee886634f2981c592f67096ae682f998866c4520d464217722b3612cbeb08a473f078dce01ce0ee0ac31f24ce7aa8c1a36d2bf575f16f019

Download Submit
C:\Windows\{449D0A1A-A402-4570-A223-689C81F95949}.exe

Filesize
89KB

MD5
29730e8e1c791d3b80daef53237fe126

SHA1
cfe53c05d4c6f6450a01b7cbe9eb2493733668d4

SHA256
c3380c1ee3a6e7765b5681e3884ac220ee1d295de5288c94e922d8811eb460c6

SHA512
c14666588b4f645f2dcf3872d04fa108aa497b3209bfb53d0a69a41951acd22662f998c9e7b70210606d875501ffefed6b04f4240770eb67bc5bcbbbb228d32c

Download Submit
C:\Windows\{761EAD72-C2C8-422e-A73D-6F922008BF3E}.exe

Filesize
89KB

MD5
63222dabc910c41e0daeed48e73ff2a1

SHA1
e6f1b7235ec7f93ff09dd2e39faa508b723d8dac

SHA256
0da7f0d5f7a26322427e5ae91448a550addd17a05ff45cbcebd577c6544e554d

SHA512
89b9ff16a7039aee9e7d373cd8c740ae59f952bf604373c245b2779cba7fb0bccff2f0e64cfdb711b9b1eecc7afbb90cab163653af515f353d068aabc9d2cec0

Download Submit
C:\Windows\{7E157EA6-9601-4a39-BBE1-99667A078D77}.exe

Filesize
89KB

MD5
ae860732ee1d341e5d3e9eb7f4abec60

SHA1
b5c25ee0a1ce9cbf0885ea46d98b004e9e96c32a

SHA256
1c8f4b7a5607d349a3ab9b34a9501c05d1885834fdda86eed2531923440c40fd

SHA512
9614d85b2f8dfb6b8eeb0e65483ae258f41f157314019cf15e09e37245c91c08511a27833054572527687bbdcdfec4c8caa974b34b591308a05e8ee865e5eb11

Download Submit
C:\Windows\{996E69DF-A90A-4e02-BD2B-E7684D66E0B5}.exe

Filesize
89KB

MD5
3c1f9c4bda70cdef9d8d7739fab82e50

SHA1
c85d5b1632e51d05e68d6489002d67ae3031c30f

SHA256
780def840baaa30405bfdd820f20493551867d8dd509987df540f1b4d6795367

SHA512
639a508676406e29d63b004cd9073687543a567f95080d0be7c202ee4aec183c4daf6794da8ee947b46102ba02941f1754f21645cca0f9b7fad1c2548dd2772c

Download Submit
C:\Windows\{9E0DF8D8-DAB8-4f50-88F9-0C43EA9E78B3}.exe

Filesize
89KB

MD5
7d98e9837584862c3ca8d6c57b4c6ece

SHA1
94ad8428065c1b78228f6e02f8a244ae0143db63

SHA256
0c08eaef000023fe1dfe40169e01160c7c4f33fffa41301bfef6f8c15f37ebc8

SHA512
c4dde88afc79a8a08b66a30ed01ff681653ab3448a83ef4472277f7f6ce75726dddf2980bf6732fd63b676777f8ceba95bfa7e934db1c0c6e01e4c0f5439658b

Download Submit
C:\Windows\{A9A2D940-C391-49b9-A5AA-C6A2A0EED3FB}.exe

Filesize
89KB

MD5
c75e8b52664f196ab9e5438fb4cda498

SHA1
0ded907a4eeabe821a943fd1903be97e62ac55ea

SHA256
b808db44e00f7448d799765bfdf8763dd9830fdccb320a87d81d717336c34e04

SHA512
d0eb8d4d1e1706927b7bb3b9c1c9095f62b10bc94425e79a425ccd235c17ce7f12242a957a7d8a1d0336366fdd3829e90fd22c4408b6357338dac569258e36de

Download Submit
C:\Windows\{D6571A0C-0F1B-44fd-AD65-76A642DCBE1E}.exe

Filesize
89KB

MD5
d8883ee5b61a4a4777e26afd5d558c4c

SHA1
7299dbe817d58a1bcb3de0b5defbe14c9323a139

SHA256
986a31120b4ccb792693b24bef3cf7c3016c8b5c257f22ce479cb2ea5c669f66

SHA512
d338936076be371e4d69cd8d3ce68856f263c686bc042da71a87580ab2e3e98db787ad016a3e626cb078cace5b5f01da3364c6b55040c59b7b4b1d38c10b5a55

Download Submit
memory/704-89-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/704-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/704-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1348-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2124-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-3-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2416-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2680-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-30-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2704-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads