535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Size

90KB
MD5

1ed9e91b83ae91caf826ffb923e3d1fc
SHA1

d3ff75ee9415a637c47dd78885f1e1eb0068dd23
SHA256

535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3
SHA512

c6fc59b83f4d7f4a407fdeabb74b5554f75c4c0da614741af78a9eab5685495f446c50dac9ea0b750b9484a46c9dfd2759d023b9b4452c2ad675772eba79b081
SSDEEP

768:5vw9816uhKiroQ4/wQNNrfrunMxVFA3bA:lEGkmoQlCunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}\stubpath = "C:\\Windows\\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe"	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2913AA01-6641-4dfa-A54A-6A971CED978E}	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB07301-B93C-40b8-8C16-468470C115B8}\stubpath = "C:\\Windows\\{EDB07301-B93C-40b8-8C16-468470C115B8}.exe"	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE6FCACD-63EB-493d-93BD-52712FFB1764}	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B92A7C-08AD-4244-8F47-6B087377C657}\stubpath = "C:\\Windows\\{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe"	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A2303CF-6812-4825-9978-2817D49D2C3A}	{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}\stubpath = "C:\\Windows\\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe"	{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2913AA01-6641-4dfa-A54A-6A971CED978E}\stubpath = "C:\\Windows\\{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe"	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE6FCACD-63EB-493d-93BD-52712FFB1764}\stubpath = "C:\\Windows\\{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe"	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{061E0882-54C4-47de-AA59-B0A6935D0D12}\stubpath = "C:\\Windows\\{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe"	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B92A7C-08AD-4244-8F47-6B087377C657}	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A2303CF-6812-4825-9978-2817D49D2C3A}\stubpath = "C:\\Windows\\{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe"	{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}	{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA6D495-6508-42c3-B319-AEE9080C42BF}	{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB07301-B93C-40b8-8C16-468470C115B8}	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}\stubpath = "C:\\Windows\\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe"	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}\stubpath = "C:\\Windows\\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe"	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{061E0882-54C4-47de-AA59-B0A6935D0D12}	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA6D495-6508-42c3-B319-AEE9080C42BF}\stubpath = "C:\\Windows\\{9AA6D495-6508-42c3-B319-AEE9080C42BF}.exe"	{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe

Deletes itself 1 IoCs

pid	Process
1176	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
2972	{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe
1192	{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
1464	{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe
1128	{9AA6D495-6508-42c3-B319-AEE9080C42BF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9AA6D495-6508-42c3-B319-AEE9080C42BF}.exe	{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe
File created	C:\Windows\{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
File created	C:\Windows\{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
File created	C:\Windows\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
File created	C:\Windows\{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
File created	C:\Windows\{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
File created	C:\Windows\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe	{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
File created	C:\Windows\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
File created	C:\Windows\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
File created	C:\Windows\{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
File created	C:\Windows\{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe	{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Token: SeIncBasePriorityPrivilege	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
Token: SeIncBasePriorityPrivilege	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
Token: SeIncBasePriorityPrivilege	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
Token: SeIncBasePriorityPrivilege	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
Token: SeIncBasePriorityPrivilege	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
Token: SeIncBasePriorityPrivilege	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
Token: SeIncBasePriorityPrivilege	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
Token: SeIncBasePriorityPrivilege	2972	{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe
Token: SeIncBasePriorityPrivilege	1192	{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
Token: SeIncBasePriorityPrivilege	1464	{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 940	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	28
PID 2884 wrote to memory of 940	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	28
PID 2884 wrote to memory of 940	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	28
PID 2884 wrote to memory of 940	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	28
PID 2884 wrote to memory of 1176	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	29
PID 2884 wrote to memory of 1176	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	29
PID 2884 wrote to memory of 1176	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	29
PID 2884 wrote to memory of 1176	2884	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	29
PID 940 wrote to memory of 2672	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	30
PID 940 wrote to memory of 2672	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	30
PID 940 wrote to memory of 2672	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	30
PID 940 wrote to memory of 2672	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	30
PID 940 wrote to memory of 2604	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	31
PID 940 wrote to memory of 2604	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	31
PID 940 wrote to memory of 2604	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	31
PID 940 wrote to memory of 2604	940	{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe	31
PID 2672 wrote to memory of 2612	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	32
PID 2672 wrote to memory of 2612	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	32
PID 2672 wrote to memory of 2612	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	32
PID 2672 wrote to memory of 2612	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	32
PID 2672 wrote to memory of 2636	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	33
PID 2672 wrote to memory of 2636	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	33
PID 2672 wrote to memory of 2636	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	33
PID 2672 wrote to memory of 2636	2672	{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe	33
PID 2612 wrote to memory of 2100	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	36
PID 2612 wrote to memory of 2100	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	36
PID 2612 wrote to memory of 2100	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	36
PID 2612 wrote to memory of 2100	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	36
PID 2612 wrote to memory of 2984	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	37
PID 2612 wrote to memory of 2984	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	37
PID 2612 wrote to memory of 2984	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	37
PID 2612 wrote to memory of 2984	2612	{EDB07301-B93C-40b8-8C16-468470C115B8}.exe	37
PID 2100 wrote to memory of 2044	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	38
PID 2100 wrote to memory of 2044	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	38
PID 2100 wrote to memory of 2044	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	38
PID 2100 wrote to memory of 2044	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	38
PID 2100 wrote to memory of 1048	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	39
PID 2100 wrote to memory of 1048	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	39
PID 2100 wrote to memory of 1048	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	39
PID 2100 wrote to memory of 1048	2100	{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe	39
PID 2044 wrote to memory of 1188	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	40
PID 2044 wrote to memory of 1188	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	40
PID 2044 wrote to memory of 1188	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	40
PID 2044 wrote to memory of 1188	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	40
PID 2044 wrote to memory of 1332	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	41
PID 2044 wrote to memory of 1332	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	41
PID 2044 wrote to memory of 1332	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	41
PID 2044 wrote to memory of 1332	2044	{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe	41
PID 1188 wrote to memory of 1060	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	42
PID 1188 wrote to memory of 1060	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	42
PID 1188 wrote to memory of 1060	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	42
PID 1188 wrote to memory of 1060	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	42
PID 1188 wrote to memory of 1808	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	43
PID 1188 wrote to memory of 1808	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	43
PID 1188 wrote to memory of 1808	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	43
PID 1188 wrote to memory of 1808	1188	{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe	43
PID 1060 wrote to memory of 2972	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	44
PID 1060 wrote to memory of 2972	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	44
PID 1060 wrote to memory of 2972	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	44
PID 1060 wrote to memory of 2972	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	44
PID 1060 wrote to memory of 2952	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	45
PID 1060 wrote to memory of 2952	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	45
PID 1060 wrote to memory of 2952	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	45
PID 1060 wrote to memory of 2952	1060	{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe	45

C:\Users\Admin\AppData\Local\Temp\535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
"C:\Users\Admin\AppData\Local\Temp\535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
  C:\Windows\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
    C:\Windows\{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
      C:\Windows\{EDB07301-B93C-40b8-8C16-468470C115B8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
        
        C:\Windows\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
        
        C:\Windows\{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
        
        C:\Windows\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
        
        C:\Windows\{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe
        
        C:\Windows\{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
        
        C:\Windows\{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe
        
        C:\Windows\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{9AA6D495-6508-42c3-B319-AEE9080C42BF}.exe
        
        C:\Windows\{9AA6D495-6508-42c3-B319-AEE9080C42BF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1E77~1.EXE > nul
        12⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A230~1.EXE > nul
        11⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B92~1.EXE > nul
        10⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{061E0~1.EXE > nul
        9⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2CBD~1.EXE > nul
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE6FC~1.EXE > nul
        7⤵
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9286~1.EXE > nul
        6⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDB07~1.EXE > nul
        5⤵
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2913A~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F8573~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\535A02~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{061E0882-54C4-47de-AA59-B0A6935D0D12}.exe

Filesize
90KB

MD5
39f928dbbd8d95daffba37eb9109e040

SHA1
9b72ee066db15d4a10f2e7bd28cba359e21736d9

SHA256
6f5492fdc3155c8988b2729a2c4993da0103cffa289d3d29f24affbb98456418

SHA512
c3e464287bb775d179f12587babd3f7e90198065d395b0aeffb0d6447b54a31fa2551883fb90fefce95c2df2e28cbd3d8961d27df11bf6b3f63fc669f6a07466

Download Submit
C:\Windows\{2913AA01-6641-4dfa-A54A-6A971CED978E}.exe

Filesize
90KB

MD5
b896239885b52cff3d19075660592deb

SHA1
e36fb8fb20052a0786bb9cc99c5a9429f68307cc

SHA256
4a9856ff0b80f0f3a909e070b94588a1d867eb28035dd935c97b81d51a6c8102

SHA512
157cc00090c9808cd5866bb9cd49ecb40847de783a4844ee4433b900782ad0d25b2f83e5e2e0cf921b22ad9481fd730caf5ac3e51278c8c6742f98ef56a26075

Download Submit
C:\Windows\{2A2303CF-6812-4825-9978-2817D49D2C3A}.exe

Filesize
90KB

MD5
027d50768d8dbe419fd9fce133561266

SHA1
09cf60da9687f72385e3b9a3713a26c4dc2ea0ac

SHA256
957612e8fcd9b81568046c019b92fc06a7ce4249f0afc6cba059933ba6647d23

SHA512
7cff3623a5384ba6ea57a33a361be0d05b706cc9f451db3a60e7bd041397c663d636b406d7b40f06b862fae9fe755465ca47ebba939726554f290a33d1d27bd1

Download Submit
C:\Windows\{9AA6D495-6508-42c3-B319-AEE9080C42BF}.exe

Filesize
90KB

MD5
9e4f21e66760b220d589f8e84361c97d

SHA1
98e62c5217585269c6dc4a75f1d83701341cb08a

SHA256
f4aa1e135de897396cca4d9e1035f092084470b8e77c82dda41adc1bde415037

SHA512
01822c935f534b48f79fb786443f4d27d1479d523fe7cf19d01dd1dbaf639da7f80aa2dc0c083d4c42137404202b1ba795974f987d6ab22bc949053b16bb7c98

Download Submit
C:\Windows\{A2CBD5C8-C981-4c6d-AE81-60BED5064370}.exe

Filesize
90KB

MD5
fa2e324215422bed57883f1a2ba0261c

SHA1
f7ed9b959c5bd27a2c270ef287be6ebd5ecaa9da

SHA256
14214a94475900cf9d599a43985ba06b553b3c4bc7a162439017a9b00f2c3966

SHA512
f37089cc75885d87989d47deb884a1fa7046a165054e7229990ab49c968ff055a15dbb22a3db62f1abbb5de2a1141c9835a4d47e04cd98ec6cb181eb27629c64

Download Submit
C:\Windows\{B9286838-688A-4fef-95B6-4C5C28FDBEA7}.exe

Filesize
90KB

MD5
2bcdf01e46bd1d8ee7cc3eebcff49683

SHA1
cc7d2afff9757a072d7dd0a3c6f27ed54ad21a68

SHA256
654c201e18441170bdd42b7c270388d18a04e7a029466bdaca4c937b0aeb1b2d

SHA512
be0b3067578196140f88658132c805a4747f856941b75e6ea3e1614aac7fa22c0383e15f125e2473640d1e9dc1328815ae9a62f11385e41f76207ef15ff1de9e

Download Submit
C:\Windows\{C1E775E3-8A4C-44d6-BA81-0437F0C4C46C}.exe

Filesize
90KB

MD5
8855abe1e52d9bbab62f470c72b85f93

SHA1
dec1c4170114e22ba6a473c0197ecc45e568c9a9

SHA256
2d80cb06450b0fedc5b0b982043309c82e0b8d0b86be6f398a72fbd5ec1836f0

SHA512
bf9b85fe1f81c7a92d04dc269b4058509c111f5be755b4dfd2a97c42da09d20d13d343224ab2fb527888c25fddaebe07e92973cfda7a7fcfcc38d5ff1f8eda7e

Download Submit
C:\Windows\{EDB07301-B93C-40b8-8C16-468470C115B8}.exe

Filesize
90KB

MD5
b9a672686146270622b3649b5c338d4d

SHA1
869045f80c5dd0dd8b3e7a9ec549cc5021bd1df4

SHA256
4e9bf6cac00c2b5fa630dc18bae3b6099d5f793ddf7af1f7f62e138433e2f945

SHA512
541fff47f72b0246ae1e8c19ec43be67de45471cdddbb786c4614ac2887a5a8658a8f6577f1dccd7194ed9c689d2fc5ba1cf52f06ebcbb9f1396e93b1c1727e5

Download Submit
C:\Windows\{EE6FCACD-63EB-493d-93BD-52712FFB1764}.exe

Filesize
90KB

MD5
96ca6ecfbd61016bc88e7ca39dc4a70d

SHA1
5b095e2bf6bfdb46be4727607aecd13d07cb791c

SHA256
4f1d67f4c3614421ff7a53cc5e6412495d6ed3a28be285ce7e5825a9ee1577bc

SHA512
04a38f23a787db3cfc169f4fdf9278926e12134d0c0a4f704f9265b25207a5106818546c91897db518348f8e73f8c1e0e9ed49b4b78b69d4f29fec8ea13c5e5f

Download Submit
C:\Windows\{F6B92A7C-08AD-4244-8F47-6B087377C657}.exe

Filesize
90KB

MD5
6cae5f10e21e15c9965f3bd1ddeb1b12

SHA1
c24b9ed29c41a45eb4d43316c0846b80c4bd1781

SHA256
16219c1eae8dcc165467140bc91602bf68ef870ba1e9ef860ae35cad133a6ebf

SHA512
b2775f06ed5f11c2db5f18d185418544887a6f73b1c04c17ac5ca0daa84958e4785bf29f2e5be08c509272e32d2bd6fc69da922347cef77d3662dacd5464c99c

Download Submit
C:\Windows\{F8573F9E-EFB6-42ed-B282-449501D6B4C9}.exe

Filesize
90KB

MD5
229becbcd0d922e39154d7ac249a7661

SHA1
8a62f4b6d30cb3d0ee678ed740ca29a3913c95e3

SHA256
80d467c472e95533cdbb68c1f134e97b3daae45f7034fdbf78324add5628082a

SHA512
43644657a73b929f47aadac3274ce0a9e06e2dd909d68bd7b0b45f9246f2a93c9c936d21646838e9dc4bde1c2c5953b8f605303e2ac28a0524a36ef3f70386e8

Download Submit
memory/940-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/940-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1060-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1188-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1192-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1464-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1464-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2044-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2044-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2100-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2672-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2672-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-7-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2884-8-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2884-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2972-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads