d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe
Size

60KB
MD5

171e1aa8d7fec081b9a5ed4d2782f2fe
SHA1

920136501a81f9de21e72d39718676f9d4abf0fd
SHA256

d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef
SHA512

7fe84d28a7d0c9436bdab79b28adafdfb36d562b11fa12584f839a03557825ccea0f6b57b3e4c8cc5187f78bc72cded8b9fb813ff6b41d71bd2bd299cdd96b6c
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwmh4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroC4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C67B1457-C02E-4b50-8694-758A381620D1}	{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}	{C67B1457-C02E-4b50-8694-758A381620D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}	{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EA47931-3B23-408a-B244-C64D847537AD}\stubpath = "C:\\Windows\\{9EA47931-3B23-408a-B244-C64D847537AD}.exe"	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A53D21C2-B026-47b9-ABC2-17BAE570880E}\stubpath = "C:\\Windows\\{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe"	{9EA47931-3B23-408a-B244-C64D847537AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}\stubpath = "C:\\Windows\\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe"	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}\stubpath = "C:\\Windows\\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe"	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}\stubpath = "C:\\Windows\\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe"	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184EB326-4873-4e84-BC45-C0FA67FFD512}\stubpath = "C:\\Windows\\{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe"	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}\stubpath = "C:\\Windows\\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}.exe"	{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EA47931-3B23-408a-B244-C64D847537AD}	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E11C889-D045-4296-8462-72E374E43DCF}	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E11C889-D045-4296-8462-72E374E43DCF}\stubpath = "C:\\Windows\\{3E11C889-D045-4296-8462-72E374E43DCF}.exe"	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184EB326-4873-4e84-BC45-C0FA67FFD512}	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}\stubpath = "C:\\Windows\\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe"	{C67B1457-C02E-4b50-8694-758A381620D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A53D21C2-B026-47b9-ABC2-17BAE570880E}	{9EA47931-3B23-408a-B244-C64D847537AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}	{3E11C889-D045-4296-8462-72E374E43DCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}\stubpath = "C:\\Windows\\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe"	{3E11C889-D045-4296-8462-72E374E43DCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C67B1457-C02E-4b50-8694-758A381620D1}\stubpath = "C:\\Windows\\{C67B1457-C02E-4b50-8694-758A381620D1}.exe"	{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe
2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe
2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe
752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
1452	{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe
760	{C67B1457-C02E-4b50-8694-758A381620D1}.exe
2416	{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe
2092	{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
File created	C:\Windows\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe	{C67B1457-C02E-4b50-8694-758A381620D1}.exe
File created	C:\Windows\{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	{9EA47931-3B23-408a-B244-C64D847537AD}.exe
File created	C:\Windows\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
File created	C:\Windows\{3E11C889-D045-4296-8462-72E374E43DCF}.exe	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
File created	C:\Windows\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	{3E11C889-D045-4296-8462-72E374E43DCF}.exe
File created	C:\Windows\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
File created	C:\Windows\{C67B1457-C02E-4b50-8694-758A381620D1}.exe	{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe
File created	C:\Windows\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}.exe	{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe
File created	C:\Windows\{9EA47931-3B23-408a-B244-C64D847537AD}.exe	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe
File created	C:\Windows\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe
Token: SeIncBasePriorityPrivilege	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe
Token: SeIncBasePriorityPrivilege	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe
Token: SeIncBasePriorityPrivilege	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
Token: SeIncBasePriorityPrivilege	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe
Token: SeIncBasePriorityPrivilege	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
Token: SeIncBasePriorityPrivilege	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
Token: SeIncBasePriorityPrivilege	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
Token: SeIncBasePriorityPrivilege	1452	{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe
Token: SeIncBasePriorityPrivilege	760	{C67B1457-C02E-4b50-8694-758A381620D1}.exe
Token: SeIncBasePriorityPrivilege	2416	{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3068	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	28
PID 2556 wrote to memory of 3068	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	28
PID 2556 wrote to memory of 3068	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	28
PID 2556 wrote to memory of 3068	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	28
PID 2556 wrote to memory of 2680	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	29
PID 2556 wrote to memory of 2680	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	29
PID 2556 wrote to memory of 2680	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	29
PID 2556 wrote to memory of 2680	2556	d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe	29
PID 3068 wrote to memory of 2592	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	30
PID 3068 wrote to memory of 2592	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	30
PID 3068 wrote to memory of 2592	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	30
PID 3068 wrote to memory of 2592	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	30
PID 3068 wrote to memory of 2736	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	31
PID 3068 wrote to memory of 2736	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	31
PID 3068 wrote to memory of 2736	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	31
PID 3068 wrote to memory of 2736	3068	{9EA47931-3B23-408a-B244-C64D847537AD}.exe	31
PID 2592 wrote to memory of 2728	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	32
PID 2592 wrote to memory of 2728	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	32
PID 2592 wrote to memory of 2728	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	32
PID 2592 wrote to memory of 2728	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	32
PID 2592 wrote to memory of 2472	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	33
PID 2592 wrote to memory of 2472	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	33
PID 2592 wrote to memory of 2472	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	33
PID 2592 wrote to memory of 2472	2592	{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe	33
PID 2728 wrote to memory of 1596	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	36
PID 2728 wrote to memory of 1596	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	36
PID 2728 wrote to memory of 1596	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	36
PID 2728 wrote to memory of 1596	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	36
PID 2728 wrote to memory of 2536	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	37
PID 2728 wrote to memory of 2536	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	37
PID 2728 wrote to memory of 2536	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	37
PID 2728 wrote to memory of 2536	2728	{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe	37
PID 1596 wrote to memory of 752	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	38
PID 1596 wrote to memory of 752	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	38
PID 1596 wrote to memory of 752	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	38
PID 1596 wrote to memory of 752	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	38
PID 1596 wrote to memory of 2716	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	39
PID 1596 wrote to memory of 2716	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	39
PID 1596 wrote to memory of 2716	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	39
PID 1596 wrote to memory of 2716	1596	{3E11C889-D045-4296-8462-72E374E43DCF}.exe	39
PID 752 wrote to memory of 2140	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	40
PID 752 wrote to memory of 2140	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	40
PID 752 wrote to memory of 2140	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	40
PID 752 wrote to memory of 2140	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	40
PID 752 wrote to memory of 1884	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	41
PID 752 wrote to memory of 1884	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	41
PID 752 wrote to memory of 1884	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	41
PID 752 wrote to memory of 1884	752	{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe	41
PID 2140 wrote to memory of 2360	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	42
PID 2140 wrote to memory of 2360	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	42
PID 2140 wrote to memory of 2360	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	42
PID 2140 wrote to memory of 2360	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	42
PID 2140 wrote to memory of 788	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	43
PID 2140 wrote to memory of 788	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	43
PID 2140 wrote to memory of 788	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	43
PID 2140 wrote to memory of 788	2140	{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe	43
PID 2360 wrote to memory of 1452	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	44
PID 2360 wrote to memory of 1452	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	44
PID 2360 wrote to memory of 1452	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	44
PID 2360 wrote to memory of 1452	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	44
PID 2360 wrote to memory of 1248	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	45
PID 2360 wrote to memory of 1248	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	45
PID 2360 wrote to memory of 1248	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	45
PID 2360 wrote to memory of 1248	2360	{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe	45

C:\Users\Admin\AppData\Local\Temp\d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe
"C:\Users\Admin\AppData\Local\Temp\d5dafaa687474bbdab771d01ff5b69ecc8fb5c1ad6029bc16d2bf7c3d4dbb8ef.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\{9EA47931-3B23-408a-B244-C64D847537AD}.exe
  C:\Windows\{9EA47931-3B23-408a-B244-C64D847537AD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe
    C:\Windows\{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
      C:\Windows\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{3E11C889-D045-4296-8462-72E374E43DCF}.exe
        
        C:\Windows\{3E11C889-D045-4296-8462-72E374E43DCF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
        
        C:\Windows\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
        
        C:\Windows\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
        
        C:\Windows\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe
        
        C:\Windows\{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\{C67B1457-C02E-4b50-8694-758A381620D1}.exe
        
        C:\Windows\{C67B1457-C02E-4b50-8694-758A381620D1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe
        
        C:\Windows\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}.exe
        
        C:\Windows\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}.exe
        12⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E9C~1.EXE > nul
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C67B1~1.EXE > nul
        11⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{184EB~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E577F~1.EXE > nul
        9⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C58~1.EXE > nul
        8⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F3BC~1.EXE > nul
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E11C~1.EXE > nul
        6⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC090~1.EXE > nul
        5⤵
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A53D2~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9EA47~1.EXE > nul
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D5DAFA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F3BC8F4-E5CE-44cd-9650-05C18A98BD8C}.exe

Filesize
60KB

MD5
11a4a2c579078f28a17f1d1b38a40ef9

SHA1
a66cfd0a37848b62d69703db5938cbf3e8f4608c

SHA256
ef0744ae6212c5e07c2f3a4429bbad5075fe7c8fc2276d9d94234b3668d0ba6a

SHA512
fc4e698051cf3e582df9fdb5f2fe5e3d50836019b5142666f6da55205b55d9f1cebe43438651a2dae22628657ef7d21cbc14ac247ccba2f32fb902e4b4963395

Download Submit
C:\Windows\{184EB326-4873-4e84-BC45-C0FA67FFD512}.exe

Filesize
60KB

MD5
38e0f555a48821095261ddfba9f20ef8

SHA1
d443995850daace18bd0ffd53ecefb3c3ef09a75

SHA256
5df609e01b10f0064e82d5a8a92c06b24eff43ed97e60179eafa48cd7c99ccb8

SHA512
6b42377ca4f85315aa55e01cfdab9b43dbde5b66668698f68ffe078c0ca2e456ed1dbc9b7ae389f61542ba79645aa437c7236fffe176f1e99816e1479d8f7a93

Download Submit
C:\Windows\{3E11C889-D045-4296-8462-72E374E43DCF}.exe

Filesize
60KB

MD5
01dba0000a344d90814b0793bc791dee

SHA1
ea77e09ea0d7c09a84e80ae4bc8c8535f2821dc9

SHA256
01c491925be541bf8b1db2cadc9a20166b6b4398da3f9855dc9496b869fce443

SHA512
26b6cc48ddf7092b017bbc60af3d7971577f9d24defabbc2fd8767fef8a24f5625c86b3e2f44c4b39da0930ed57e6401a5064fd8cd64e819c6b6fd65f7c2601f

Download Submit
C:\Windows\{9EA47931-3B23-408a-B244-C64D847537AD}.exe

Filesize
60KB

MD5
0a08fa42a44217ad133c7761011398af

SHA1
d8379bd6e683c53debde1bdaf38184f6cf4ca2e8

SHA256
c0bb8ddcc9afbfc9223aeddd6c67bb15b6c86f53b6ddbb67e2f79938458a4735

SHA512
97b08a029c55968551c94ac9ba7ee1438c47dba6ce66674b4b26d9304b3ecaa20c91490ce54dd6fc9e7dcadf229a75b966afbf7e299ac50c50a1d11e4f68d4d0

Download Submit
C:\Windows\{A53D21C2-B026-47b9-ABC2-17BAE570880E}.exe

Filesize
60KB

MD5
f7ddd3c2b305720124cac1784a33be54

SHA1
1876264d51ef40bbfb695a44c3b85aaeb84c3c95

SHA256
166899a27e03b37d4f14307388b5db900987b0dc97f221ac365259caeef1f2f8

SHA512
6b278e5b7cad2be6ccf050b6080de0780aa03fc4ed071ebb854a7d01cc3c3f2bd28d940e9e18085789f9d39000744f55cb488b83520449a9836f270ab56cd00a

Download Submit
C:\Windows\{C67B1457-C02E-4b50-8694-758A381620D1}.exe

Filesize
60KB

MD5
7622fcd5493d637dbd7173a307bde6ef

SHA1
a5442e17b83e012935c9b450d8b1499753312e35

SHA256
8f7b35eb74b04fe542d6663a72d0a9e1282c69158ea528929e8d41815a9e1f37

SHA512
7ea622473f041212af3168b2e140edc39955eeeeebaa191af117f43357b68ed015e4093e448ac83dc0d6ab21397d376e1793862c029b730e9d3daef3425ad04e

Download Submit
C:\Windows\{C76F08D5-8AC0-4ce0-93D5-5A59E1B1E4E3}.exe

Filesize
60KB

MD5
925a16e6702d20da2d322dca769f047f

SHA1
2610b005e76b70ce626f5c4ef5803798d1516a01

SHA256
c8369278a39b05d4817803a82a47bf1c8a10e6dc56051ec1ca4721e9a21e06d5

SHA512
10ac0b8c87040413355266a5f147f815c0b49f2fa9842c14cd82317d9b0adbb834c726156852926011b08fc13cb26b48aa62fa0246ef70e6539bf1e1ba6b3991

Download Submit
C:\Windows\{D0E9C2E7-509E-4193-83E5-D30E416A4B1C}.exe

Filesize
60KB

MD5
63964bc6ced1efcd78548f27eea2c0f3

SHA1
2b41b4d2188213077142ef2f9b0164b23fa9bf1b

SHA256
cdc5687a4aab09d3a6aa839b93dbf51c1da94af115cc2c0e3a0a1776fe9fb14e

SHA512
7e4eef7358dc8eda0a35de59f5f56684a27dd3bae5b54bcb85aab48c492c8357ae4f2343481e96fdc0b308669734c867f6b5e13d6e7cb32b9a15e52b44f9d60b

Download Submit
C:\Windows\{DC090B79-4EDC-4566-95AE-2BA2089A3DC1}.exe

Filesize
60KB

MD5
336e9eeb06d6afe6b3b145147f91b764

SHA1
e29cf884149db35caeb9323f6cceed21d7f58e0d

SHA256
10a8c6da833d7bbbc57766f8b997780f33ace155ce22152d72166e72a5ca2eaf

SHA512
78eb826377af69ac2709bf262532cd91eaf14b980e572d05bd83cde7d7319b14a6a404eec582387fec9fbe57a62c5fe78c51c713de4848a7214df12a1d70b778

Download Submit
C:\Windows\{E577F4E4-A02C-4c46-992C-96B4B6AED9C7}.exe

Filesize
60KB

MD5
5114aaaf3354cb651ba1039863d7df3a

SHA1
e469aa79789780f55acaa4f20bed3c33e0312598

SHA256
e2dea2b261f2df483f641238c3f7c7510831ae14ae9ec4e7ec339903c854b009

SHA512
ca0e1d0d4d700555b93ed2797b653c51d68252df4ee54d6d0c70bd2ee9d833038cb8a84672e4c84bcf14301ff129bb3c7af72b018eabf5ed0bf8f61ca6bb4645

Download Submit
C:\Windows\{F6C584EA-9C64-41f5-B8E4-38C15DFBC69B}.exe

Filesize
60KB

MD5
29f68dd60d7ce4d8bc74db5e42087140

SHA1
48cecf2fd6e271955d35018437221f017a2bb52f

SHA256
9df535b69706223f843b49e7714b3bdd054ee7ce456a45556fc4d0e47d0416ec

SHA512
ebf239801874c4183fee554b535bfbed744b68d92e32a8c4a657ab16a7a0a6d31c3ee68b5c3228ac70b1b86aa50c52987fec5b3c5ce2b7a45171db0045aed61b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads