49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe
Size

89KB
MD5

5670d5ecc21070f24dc03de4676f0c10
SHA1

0ab5d8e6cc06340b7022cd5fe26d4980df0e5108
SHA256

49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6
SHA512

899fe65586bb4c5288f611fe2da614c1d52026deee62f1f3c420f4b5be7612e39c0b550fb10c1340271b89def342607eba0ae08d69a7953433bcb5bc3fc70657
SSDEEP

768:Qvw9816vhKQLroX4/wQRNrfrunMxVFA3b7gl5:YEGh0oXl2unMxVS3HgX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}	{00A60168-21D7-4169-A382-67E04CF49825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}	{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B600A994-58DA-4326-8374-F55B24F6681E}	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CABB3494-EEA4-4923-B478-FFDB4E098577}\stubpath = "C:\\Windows\\{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe"	{B600A994-58DA-4326-8374-F55B24F6681E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}\stubpath = "C:\\Windows\\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe"	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A60168-21D7-4169-A382-67E04CF49825}	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CABB3494-EEA4-4923-B478-FFDB4E098577}	{B600A994-58DA-4326-8374-F55B24F6681E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{995AE6E8-1B4E-491f-95D2-62BA78912762}	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}\stubpath = "C:\\Windows\\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe"	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A60168-21D7-4169-A382-67E04CF49825}\stubpath = "C:\\Windows\\{00A60168-21D7-4169-A382-67E04CF49825}.exe"	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}\stubpath = "C:\\Windows\\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe"	{00A60168-21D7-4169-A382-67E04CF49825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29154D07-B172-4171-BC4E-EE2833482F45}	{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}\stubpath = "C:\\Windows\\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe"	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}\stubpath = "C:\\Windows\\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe"	{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29154D07-B172-4171-BC4E-EE2833482F45}\stubpath = "C:\\Windows\\{29154D07-B172-4171-BC4E-EE2833482F45}.exe"	{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B600A994-58DA-4326-8374-F55B24F6681E}\stubpath = "C:\\Windows\\{B600A994-58DA-4326-8374-F55B24F6681E}.exe"	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}\stubpath = "C:\\Windows\\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe"	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{995AE6E8-1B4E-491f-95D2-62BA78912762}\stubpath = "C:\\Windows\\{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe"	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe
2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe
1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
1848	{00A60168-21D7-4169-A382-67E04CF49825}.exe
2092	{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe
2096	{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe
1436	{29154D07-B172-4171-BC4E-EE2833482F45}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	{B600A994-58DA-4326-8374-F55B24F6681E}.exe
File created	C:\Windows\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe
File created	C:\Windows\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
File created	C:\Windows\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
File created	C:\Windows\{00A60168-21D7-4169-A382-67E04CF49825}.exe	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
File created	C:\Windows\{29154D07-B172-4171-BC4E-EE2833482F45}.exe	{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe
File created	C:\Windows\{B600A994-58DA-4326-8374-F55B24F6681E}.exe	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe
File created	C:\Windows\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
File created	C:\Windows\{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
File created	C:\Windows\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe	{00A60168-21D7-4169-A382-67E04CF49825}.exe
File created	C:\Windows\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe	{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe
Token: SeIncBasePriorityPrivilege	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe
Token: SeIncBasePriorityPrivilege	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
Token: SeIncBasePriorityPrivilege	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
Token: SeIncBasePriorityPrivilege	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe
Token: SeIncBasePriorityPrivilege	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
Token: SeIncBasePriorityPrivilege	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
Token: SeIncBasePriorityPrivilege	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
Token: SeIncBasePriorityPrivilege	1848	{00A60168-21D7-4169-A382-67E04CF49825}.exe
Token: SeIncBasePriorityPrivilege	2092	{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe
Token: SeIncBasePriorityPrivilege	2096	{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2832	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	28
PID 2332 wrote to memory of 2832	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	28
PID 2332 wrote to memory of 2832	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	28
PID 2332 wrote to memory of 2832	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	28
PID 2332 wrote to memory of 2896	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	29
PID 2332 wrote to memory of 2896	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	29
PID 2332 wrote to memory of 2896	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	29
PID 2332 wrote to memory of 2896	2332	49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe	29
PID 2832 wrote to memory of 2528	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	30
PID 2832 wrote to memory of 2528	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	30
PID 2832 wrote to memory of 2528	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	30
PID 2832 wrote to memory of 2528	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	30
PID 2832 wrote to memory of 2636	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	31
PID 2832 wrote to memory of 2636	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	31
PID 2832 wrote to memory of 2636	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	31
PID 2832 wrote to memory of 2636	2832	{B600A994-58DA-4326-8374-F55B24F6681E}.exe	31
PID 2528 wrote to memory of 2680	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	32
PID 2528 wrote to memory of 2680	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	32
PID 2528 wrote to memory of 2680	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	32
PID 2528 wrote to memory of 2680	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	32
PID 2528 wrote to memory of 2784	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	33
PID 2528 wrote to memory of 2784	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	33
PID 2528 wrote to memory of 2784	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	33
PID 2528 wrote to memory of 2784	2528	{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe	33
PID 2680 wrote to memory of 2500	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	36
PID 2680 wrote to memory of 2500	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	36
PID 2680 wrote to memory of 2500	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	36
PID 2680 wrote to memory of 2500	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	36
PID 2680 wrote to memory of 2872	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	37
PID 2680 wrote to memory of 2872	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	37
PID 2680 wrote to memory of 2872	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	37
PID 2680 wrote to memory of 2872	2680	{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe	37
PID 2500 wrote to memory of 1824	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	38
PID 2500 wrote to memory of 1824	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	38
PID 2500 wrote to memory of 1824	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	38
PID 2500 wrote to memory of 1824	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	38
PID 2500 wrote to memory of 1208	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	39
PID 2500 wrote to memory of 1208	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	39
PID 2500 wrote to memory of 1208	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	39
PID 2500 wrote to memory of 1208	2500	{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe	39
PID 1824 wrote to memory of 2312	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	40
PID 1824 wrote to memory of 2312	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	40
PID 1824 wrote to memory of 2312	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	40
PID 1824 wrote to memory of 2312	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	40
PID 1824 wrote to memory of 2308	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	41
PID 1824 wrote to memory of 2308	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	41
PID 1824 wrote to memory of 2308	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	41
PID 1824 wrote to memory of 2308	1824	{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe	41
PID 2312 wrote to memory of 1944	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	42
PID 2312 wrote to memory of 1944	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	42
PID 2312 wrote to memory of 1944	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	42
PID 2312 wrote to memory of 1944	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	42
PID 2312 wrote to memory of 1316	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	43
PID 2312 wrote to memory of 1316	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	43
PID 2312 wrote to memory of 1316	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	43
PID 2312 wrote to memory of 1316	2312	{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe	43
PID 1944 wrote to memory of 1848	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	44
PID 1944 wrote to memory of 1848	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	44
PID 1944 wrote to memory of 1848	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	44
PID 1944 wrote to memory of 1848	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	44
PID 1944 wrote to memory of 1392	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	45
PID 1944 wrote to memory of 1392	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	45
PID 1944 wrote to memory of 1392	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	45
PID 1944 wrote to memory of 1392	1944	{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe	45

C:\Users\Admin\AppData\Local\Temp\49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe
"C:\Users\Admin\AppData\Local\Temp\49e465358af0fa83fe6617d4c35a2d231af4f544bebb9dbf40cec52462dbf0a6.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{B600A994-58DA-4326-8374-F55B24F6681E}.exe
  C:\Windows\{B600A994-58DA-4326-8374-F55B24F6681E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
    C:\Windows\{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
      C:\Windows\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe
        
        C:\Windows\{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
        
        C:\Windows\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
        
        C:\Windows\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
        
        C:\Windows\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{00A60168-21D7-4169-A382-67E04CF49825}.exe
        
        C:\Windows\{00A60168-21D7-4169-A382-67E04CF49825}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe
        
        C:\Windows\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe
        
        C:\Windows\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{29154D07-B172-4171-BC4E-EE2833482F45}.exe
        
        C:\Windows\{29154D07-B172-4171-BC4E-EE2833482F45}.exe
        12⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A6B~1.EXE > nul
        12⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B32D3~1.EXE > nul
        11⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00A60~1.EXE > nul
        10⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA57C~1.EXE > nul
        9⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82C8A~1.EXE > nul
        8⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76A09~1.EXE > nul
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{995AE~1.EXE > nul
        6⤵
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3CA4~1.EXE > nul
        5⤵
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CABB3~1.EXE > nul
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B600A~1.EXE > nul
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\49E465~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00A60168-21D7-4169-A382-67E04CF49825}.exe

Filesize
89KB

MD5
e338c9bc3fe62415f89ccc619f55a888

SHA1
0e92da38ad8651e256ba722fb776a6ad4a9ab29c

SHA256
00e7d814c771f7d22f6ab4d4fd8fe1e60b8ba2323e741f3d6398fcbe81ea53e1

SHA512
941dfe9fc2124fe569ec40e64be74d9f3764a4b4e4c2b9f4d9dff0cf16a577a6cd50852870c1f2fb1f31c39d5d960a6feaa57264ed5f6d868fff0a3e946cce44

Download Submit
C:\Windows\{29154D07-B172-4171-BC4E-EE2833482F45}.exe

Filesize
89KB

MD5
de75e8503d8820f0eaae6088db3ff885

SHA1
a442adae3873725cfa82533cee58608869408272

SHA256
3c3e4a223fab22c354527d1292b61b3a361807fa67a17ed94d6ee7a1c655db07

SHA512
ff0a6d5128306f237e92ce5aa097b2ea2f3b203d9b4249882ac1de5ee2f6f4b3bd3769aa1bf61391c2900be19950121bfc826f6aa3ac79089188585087d9f4e0

Download Submit
C:\Windows\{72A6BC08-DD1D-45af-849A-14DE1CEC120C}.exe

Filesize
89KB

MD5
3ed912bb471ea3d7168cf844125c644a

SHA1
f48b8c700a2eddaf960cf7ba1310fa861afc7d9a

SHA256
cbc89687c36830d71a47b8cee02f0252feef55bfdbfb8a0a8aa39838a8088ca7

SHA512
132bf65c64e96d73a4275abd1be4ba8d426081cb168894631f4c69ff7fa97198db5e21969d5888261433904561868dff8b1c5e05390ac6e255b655d3b1e769b4

Download Submit
C:\Windows\{76A09308-58C6-42ed-BFA5-E3A34B15EF96}.exe

Filesize
89KB

MD5
4e4f28f9f44e9872bb87f345861fa554

SHA1
f65c11c81e84cffbfa7024576e1cac613e861dcf

SHA256
a0f33b9d61a186e41baeaef63feab87171e40a7ed9fed9e79f830d4cf68a35a6

SHA512
4a258cdc9841b0d40a636359b2ed40747a99f0cce6f37fb482d264d95976051103705e910b9e22a9042c392b177ac01b9cbe79316435bf3ed877a6562d2741ff

Download Submit
C:\Windows\{82C8AC82-EE78-4dc6-84C2-FAB5BAF24AFD}.exe

Filesize
89KB

MD5
ec2c76806b2f94fb2944b10a2ec65118

SHA1
ef26d4eab70f87140359bf459c8a64c8eefe6ce2

SHA256
b355718f3c93cb41a69a3007584fbfaa0dfbbb1884a141effd18963d5e70ba64

SHA512
7a055ed49bca7dc13e66c5d0bafc379e499c68a131bdacdd793f6df3459d84f52eb8ca8a4ef3164692183351d5fb6746ca30b1cd4c9b0b1050c791d4b629a2fc

Download Submit
C:\Windows\{995AE6E8-1B4E-491f-95D2-62BA78912762}.exe

Filesize
89KB

MD5
b4b8911dc0d49833612c961ff48d3ce3

SHA1
cada0bf382196c13f445c859a57b7b8934d32f35

SHA256
605df71361e37d9c5994c7faec1adc75cd487291826fc943ac04bb46d59fa037

SHA512
52ea1102ca1d96cc19c4a39787fe4c9a9cd15a69fa6a27eb4d28a3392655abdfdad126a62032b75895839f1bb279d9fbee3cbc0a542cdbdcd0a3aa43e5735c82

Download Submit
C:\Windows\{A3CA4CDF-A8B7-4301-B162-A72DB8B7AA76}.exe

Filesize
89KB

MD5
50069f7a38418dcbd752484bbfe4407b

SHA1
810f529f7370ffa6ab26b45e8b69fea72050dc0f

SHA256
9dc5c12cf8bd8621503302963a279d6d82106652b4b44ff35d38bcbaad3e3029

SHA512
a5c4a4cd2181185a5585e71263b012175f676d7a0961e68502d55228505af8126018ed76babbb213428ef77439085c7761159b9e6f876396caf046f4fb0813c2

Download Submit
C:\Windows\{B32D3629-8C4B-4eef-9132-8455A0EA87CA}.exe

Filesize
89KB

MD5
a9a19851c511ddea6ea3ccc198b940d2

SHA1
e5ccb1b6f3b375dea2eb98737b3501f8b3ff3788

SHA256
ff5bcd4a0da538d53a3b1e7bb1fa99c7e72d220e321364313f2d596d490427b3

SHA512
56b887b520330361153661f7914a9529821a20449c09f6366af9f3b45047bcc00c9ccda6bfc16622bed1c104ecd65af8b8862290170ba2e220f9204a1b6eaa31

Download Submit
C:\Windows\{B600A994-58DA-4326-8374-F55B24F6681E}.exe

Filesize
89KB

MD5
b1a8637ae5099e512fff45875a8fcd10

SHA1
d9f6c93c4696a7aa263e86afd39565163684e907

SHA256
2b00239177f35d0b6870bd8c136573b35d21f2dcf933a2defac4c6f93acab59c

SHA512
1fce4333810e6953a29376a57a7b3a52e4175ba9ed0cf7d24341f6b32c517c759c2696ac869fbf8a134ad4eae8a62cda2abd063d3f33969afffec674595251ef

Download Submit
C:\Windows\{CABB3494-EEA4-4923-B478-FFDB4E098577}.exe

Filesize
89KB

MD5
1aa7c8a8f1b840ca7262321ed96605e5

SHA1
b94d50e78c2df8f1e7e369e09efb1ad72fd79aef

SHA256
80166f134a1639b972ed1e5d74a3bc6d94a0151f00504dd7a38e9aa9545abdc0

SHA512
44280cc53711e450f7da273fb27a6709601de77730224ec29d3050621f524eef70864b613fcbdfb9038d55c940bb29e4c476dc8a5f921d421ce975fc3e1bce89

Download Submit
C:\Windows\{FA57C090-6DCA-4760-8BF2-59866EBDA3B8}.exe

Filesize
89KB

MD5
b42f01a693f22d1a62f3bb2b812f9647

SHA1
3c86b16c268cbc09adc212f8195a40c66c3f1834

SHA256
db8ab6f038b9f82adf8885cda87416422dc02654c87b7644baa653540fd277c3

SHA512
c097268a1dc4e8afd4961a9f1d41f7d63645eef89bc14c30871c526f44932c47e9f153bc6e93846bb9b724975f276bf1ffde9964d84480065fbc24d5383a5d40

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads