3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe
Size

89KB
MD5

390ea50492c626af9a8bc2676b56402f
SHA1

609e9d9682e4ca01771749df06831d0a5a8fe70c
SHA256

3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30
SHA512

568d9ff539a578c8f9ea3a91853e67ce8fd301540a898eefc603650875f8d2e322c5eac2c425c23e5d7069217f12d26c19cf6ae8d40dba41d492e9b0f857a2f4
SSDEEP

768:5vw981UMhKQLro54/wQ4pNrfrunMxVFA3v:lEG00o5l3zunMxVS3v

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}\stubpath = "C:\\Windows\\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe"	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FB5932-CA7C-482b-B718-1A805B83188A}\stubpath = "C:\\Windows\\{33FB5932-CA7C-482b-B718-1A805B83188A}.exe"	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71549EFF-3727-4b98-A0C9-52580C6DADC5}	{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B31912B6-D517-42f3-BF36-884DE0BFEF69}	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71549EFF-3727-4b98-A0C9-52580C6DADC5}\stubpath = "C:\\Windows\\{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe"	{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}\stubpath = "C:\\Windows\\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}.exe"	{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE1BDFDF-E670-487e-8D1A-B50B49463958}	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34091F50-ECD8-467a-BB6A-88C80F027277}	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}\stubpath = "C:\\Windows\\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe"	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}	{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34091F50-ECD8-467a-BB6A-88C80F027277}\stubpath = "C:\\Windows\\{34091F50-ECD8-467a-BB6A-88C80F027277}.exe"	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}\stubpath = "C:\\Windows\\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe"	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B31912B6-D517-42f3-BF36-884DE0BFEF69}\stubpath = "C:\\Windows\\{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe"	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D6FCFD-A580-436d-A33A-60BFF177E10F}	{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D6FCFD-A580-436d-A33A-60BFF177E10F}\stubpath = "C:\\Windows\\{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe"	{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}\stubpath = "C:\\Windows\\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe"	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE1BDFDF-E670-487e-8D1A-B50B49463958}\stubpath = "C:\\Windows\\{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe"	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FB5932-CA7C-482b-B718-1A805B83188A}	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe
2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
1432	{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
2280	{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
788	{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe
1616	{94BE02DD-3948-465f-97FF-A9B8B43C0A35}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe
File created	C:\Windows\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
File created	C:\Windows\{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
File created	C:\Windows\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
File created	C:\Windows\{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
File created	C:\Windows\{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe	{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
File created	C:\Windows\{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
File created	C:\Windows\{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe
File created	C:\Windows\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
File created	C:\Windows\{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe	{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
File created	C:\Windows\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}.exe	{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe
Token: SeIncBasePriorityPrivilege	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
Token: SeIncBasePriorityPrivilege	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
Token: SeIncBasePriorityPrivilege	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
Token: SeIncBasePriorityPrivilege	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe
Token: SeIncBasePriorityPrivilege	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
Token: SeIncBasePriorityPrivilege	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
Token: SeIncBasePriorityPrivilege	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
Token: SeIncBasePriorityPrivilege	1432	{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
Token: SeIncBasePriorityPrivilege	2280	{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
Token: SeIncBasePriorityPrivilege	788	{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2080	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	28
PID 2244 wrote to memory of 2080	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	28
PID 2244 wrote to memory of 2080	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	28
PID 2244 wrote to memory of 2080	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	28
PID 2244 wrote to memory of 2384	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	29
PID 2244 wrote to memory of 2384	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	29
PID 2244 wrote to memory of 2384	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	29
PID 2244 wrote to memory of 2384	2244	3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe	29
PID 2080 wrote to memory of 2764	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	30
PID 2080 wrote to memory of 2764	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	30
PID 2080 wrote to memory of 2764	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	30
PID 2080 wrote to memory of 2764	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	30
PID 2080 wrote to memory of 2524	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	31
PID 2080 wrote to memory of 2524	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	31
PID 2080 wrote to memory of 2524	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	31
PID 2080 wrote to memory of 2524	2080	{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe	31
PID 2764 wrote to memory of 2704	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	32
PID 2764 wrote to memory of 2704	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	32
PID 2764 wrote to memory of 2704	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	32
PID 2764 wrote to memory of 2704	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	32
PID 2764 wrote to memory of 2652	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	33
PID 2764 wrote to memory of 2652	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	33
PID 2764 wrote to memory of 2652	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	33
PID 2764 wrote to memory of 2652	2764	{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe	33
PID 2704 wrote to memory of 2560	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	36
PID 2704 wrote to memory of 2560	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	36
PID 2704 wrote to memory of 2560	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	36
PID 2704 wrote to memory of 2560	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	36
PID 2704 wrote to memory of 340	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	37
PID 2704 wrote to memory of 340	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	37
PID 2704 wrote to memory of 340	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	37
PID 2704 wrote to memory of 340	2704	{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe	37
PID 2560 wrote to memory of 2504	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	38
PID 2560 wrote to memory of 2504	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	38
PID 2560 wrote to memory of 2504	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	38
PID 2560 wrote to memory of 2504	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	38
PID 2560 wrote to memory of 2164	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	39
PID 2560 wrote to memory of 2164	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	39
PID 2560 wrote to memory of 2164	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	39
PID 2560 wrote to memory of 2164	2560	{34091F50-ECD8-467a-BB6A-88C80F027277}.exe	39
PID 2504 wrote to memory of 844	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	40
PID 2504 wrote to memory of 844	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	40
PID 2504 wrote to memory of 844	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	40
PID 2504 wrote to memory of 844	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	40
PID 2504 wrote to memory of 1988	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	41
PID 2504 wrote to memory of 1988	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	41
PID 2504 wrote to memory of 1988	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	41
PID 2504 wrote to memory of 1988	2504	{33FB5932-CA7C-482b-B718-1A805B83188A}.exe	41
PID 844 wrote to memory of 2800	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	42
PID 844 wrote to memory of 2800	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	42
PID 844 wrote to memory of 2800	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	42
PID 844 wrote to memory of 2800	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	42
PID 844 wrote to memory of 2320	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	43
PID 844 wrote to memory of 2320	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	43
PID 844 wrote to memory of 2320	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	43
PID 844 wrote to memory of 2320	844	{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe	43
PID 2800 wrote to memory of 1432	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	44
PID 2800 wrote to memory of 1432	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	44
PID 2800 wrote to memory of 1432	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	44
PID 2800 wrote to memory of 1432	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	44
PID 2800 wrote to memory of 2344	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	45
PID 2800 wrote to memory of 2344	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	45
PID 2800 wrote to memory of 2344	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	45
PID 2800 wrote to memory of 2344	2800	{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe	45

C:\Users\Admin\AppData\Local\Temp\3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe
"C:\Users\Admin\AppData\Local\Temp\3cb1175abec2d278945a05f66682737e6b50bbee00d17f13c1cf6fd128001b30.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
  C:\Windows\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
    C:\Windows\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
      C:\Windows\{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{34091F50-ECD8-467a-BB6A-88C80F027277}.exe
        
        C:\Windows\{34091F50-ECD8-467a-BB6A-88C80F027277}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
        
        C:\Windows\{33FB5932-CA7C-482b-B718-1A805B83188A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
        
        C:\Windows\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
        
        C:\Windows\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
        
        C:\Windows\{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
        
        C:\Windows\{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe
        
        C:\Windows\{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}.exe
        
        C:\Windows\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}.exe
        12⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52D6F~1.EXE > nul
        12⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71549~1.EXE > nul
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3191~1.EXE > nul
        10⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3474D~1.EXE > nul
        9⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94EDC~1.EXE > nul
        8⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33FB5~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34091~1.EXE > nul
        6⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE1BD~1.EXE > nul
        5⤵
        
        PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E8963~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA01~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3CB117~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{33FB5932-CA7C-482b-B718-1A805B83188A}.exe

Filesize
89KB

MD5
745ea76242d6459197510cb67181c248

SHA1
bac31317c9d6f83db5ebbc198449869a6d4c0f49

SHA256
6748497db57bdef480b7e0e39fd058a372c93aa2883458d96fcfc7b1c4d9dea3

SHA512
7b5575c350afce553e32ed752e7579412c0eb4c63b006faa99a973651649a963892e92fbe5df67c996175c995eb51f2f94bc7c8bae84c8fe9aa4458016d58403

Download Submit
C:\Windows\{34091F50-ECD8-467a-BB6A-88C80F027277}.exe

Filesize
89KB

MD5
416d0eadd0aee5c86825cfa8cd517267

SHA1
b3591adbd63936452682ac7065e6cfc4e1c4d219

SHA256
d2b2313ff990b71a162e38fe08c46c10e1d2f722364bab9c654c0605be13cff2

SHA512
aa257504b0309ff3aab52895f1aeb971b869e0afbe6cb20a1ff4940fc6c9a7fe775291170ae1c17c28abbf41fb0e4ed77a658c504c4f6d01c360b238bbf25b0c

Download Submit
C:\Windows\{3474DBC8-B013-4da7-8FBC-4C4A62C58880}.exe

Filesize
89KB

MD5
88acc86e7dbbdbfd14c17a04aa3aaa3d

SHA1
9e4a23b57c158a3b0126e74a01dcc40c2415e774

SHA256
05d23bbe011fdf663c31817ea878657047bfa127bd8fc73731f4431f028c9211

SHA512
213082ee314065c5c09d2adf40da100741f9f3f70008f2b047a5736542c87312edd7e518c95f4f77e70b36faecaad39c4374d104d66a19f7f1e45a6d988d6bd4

Download Submit
C:\Windows\{52D6FCFD-A580-436d-A33A-60BFF177E10F}.exe

Filesize
89KB

MD5
3309dd5c3201131b33472d103ebd2906

SHA1
eea8f9f41f7b17e2efee3f096b85db7bdd16e3d0

SHA256
085a673ce3b286c2efe4152404be291f38635a238805af5cc728a11180fcafc2

SHA512
bfbdb42424b9bdaf492ce0709b1602553c3172f2d0193f779e595b00436828a8ca19268ca9b41f16043d78d89e7383e5ec928ebd561b7b6b96578ee5f9bd054d

Download Submit
C:\Windows\{71549EFF-3727-4b98-A0C9-52580C6DADC5}.exe

Filesize
89KB

MD5
e12b58a6a660b3f3715e36cf70ac955d

SHA1
28a23fc3943afcd90c757ea1a434a5b14ef86665

SHA256
ee4c5982b5ff1691b2c7e276ebc258eba648ee3a4ae169d50a7e12ecef4fd1ed

SHA512
0bd359df076796e33dd11458059c386921ad52f95849c61fed105cb2ebbc65456a3ee4bc81b2e2b32f3244f85fd21728c87555e5e6f301d46d95771a24e621d6

Download Submit
C:\Windows\{94BE02DD-3948-465f-97FF-A9B8B43C0A35}.exe

Filesize
89KB

MD5
c853116ffc47e8074f03f87ea1bf4e8b

SHA1
1cbbfc7761ddbbfe08a74064ffd6c87006743651

SHA256
9722078a0d96604b81e2191a199350979afc3c71447bf49b6c8ce4051bfbc315

SHA512
5f0dace642d95d3195009b3389b051a92f1bcacbcb545e9891d02e567105baf716352df5447792d538e529ca1d9f540341bca4d27161620fa15e04adf9505f3d

Download Submit
C:\Windows\{94EDC2D5-B2D7-4b71-9DF4-3A7022491BE2}.exe

Filesize
89KB

MD5
ceb17c1a8baeba2ab307ced3e058f870

SHA1
562220a607c8ba1c8f182744c7c98234cb8ac745

SHA256
695305c1fef864575980f0a5f85a5066e2ead132b2912ab7c8e445afdfa30bdb

SHA512
06ed39dc3c9a015fb75c287a8c0309e59297b2a69407d4ce689b61551c75cf997e12ebe88d78e60e1c6010be224360af8f6c576b4c8e0181ca2d697a1e7cec83

Download Submit
C:\Windows\{B31912B6-D517-42f3-BF36-884DE0BFEF69}.exe

Filesize
89KB

MD5
7d883f06b25e1546f4905f6003ffad23

SHA1
f13f2dfbbd7aa8215c5df76beec77f02346c1fb2

SHA256
c4a1c172a0039a5a6e73338992ab2969c7238313dc7c7a6a641cc91fd113f482

SHA512
557fbebb43cd4af4e5fb2bce527cf40e0afdeebd07cf8bb68d0497dfc6a59832d71eded99094d7bcd20e3e7b9ea1ed96877139b244d7c6314ee53667b044a17a

Download Submit
C:\Windows\{CEA01C62-F4B8-49e3-867C-BC8A757C5F27}.exe

Filesize
89KB

MD5
8451e40847d7a61d05c29d5952b5f963

SHA1
20ba3c4fc5451f069e7459ef1233295683bfef81

SHA256
7262c1138050752b8b69eb403fe2a2a4c3d54998905f6bbf85c6174b18c38ef8

SHA512
ad42a393603ac8284deba253fc144ed32ec8571e4c8dbfc738a3abd9165374c6f49bfb94a01c5d28611f17178c0509dc46eba3308e9066a2f946184dfdfad809

Download Submit
C:\Windows\{E8963883-24A1-4c7d-9F9E-EE1D456D889A}.exe

Filesize
89KB

MD5
948831e7a2066def78c2cbb10ae87b56

SHA1
6d8aa5b0a6bc3ee077eb13d4e4027e03d663d8fb

SHA256
95ab3e504c200b77f57fcf668a27deecec7f83bb69d580d6f44db5426942a9e5

SHA512
776ad4da1f09a8e39cbeebc160d04857c15e7f47e662f3b1fb0a45d7812b768bd9243a6e2a7b52100ab37980ba3c50aeb73fbac5218fa856e7261859f2084130

Download Submit
C:\Windows\{EE1BDFDF-E670-487e-8D1A-B50B49463958}.exe

Filesize
89KB

MD5
043b63235389756a018a9075f03797f0

SHA1
a9b836085d0961875946d194c1f27e405477738c

SHA256
01c0468ae3f27eb3ceb5b7f130b737b364e8b6df263107a887808e408c40f6f8

SHA512
8b7d69484d017ac6bd353b763b80896ab20fea43d95c5021cfa50b6ee4913eb98af91d26b94516bca356a509e77797a778ba0c74ee573ae20b8ad5a1a913d719

Download Submit
memory/788-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/844-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/844-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2080-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2080-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2244-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2244-8-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2244-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2244-7-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2280-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2280-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2504-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2560-41-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2560-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-33-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2704-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-34-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2764-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads