5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
Size

79KB
MD5

0c8d320a1db1aaf29599053baff755aa
SHA1

d6aadff847e0f3b7c23c8d1cf75154c4427a30c5
SHA256

5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b
SHA512

8ea4751c8a7a6395806d5c3f9509cfb520d0af1899646b8e149e3f225912f134b189fbb694cfbb478f5278c926d9185e7c8335fb35bbf52c61de1c6945910baf
SSDEEP

768:4vw9816vhKQLroK4/wQzXOQ69zbjlAAX5e9zz:wEGh0oKlGizbR9Xwzz

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}\stubpath = "C:\\Windows\\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe"	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}\stubpath = "C:\\Windows\\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe"	{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}	{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B58CA299-8CA0-43dc-8D40-95256546CBF8}\stubpath = "C:\\Windows\\{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe"	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80E4D53-C5CB-432b-9825-999FB8A90F77}\stubpath = "C:\\Windows\\{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe"	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}	{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34B7F559-51FC-4639-98D5-AC748AA30B27}\stubpath = "C:\\Windows\\{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe"	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}\stubpath = "C:\\Windows\\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe"	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80E4D53-C5CB-432b-9825-999FB8A90F77}	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}\stubpath = "C:\\Windows\\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe"	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34B7F559-51FC-4639-98D5-AC748AA30B27}	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{363A616C-FAC6-4bed-9037-EDA98345C053}	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{363A616C-FAC6-4bed-9037-EDA98345C053}\stubpath = "C:\\Windows\\{363A616C-FAC6-4bed-9037-EDA98345C053}.exe"	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}\stubpath = "C:\\Windows\\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}.exe"	{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B58CA299-8CA0-43dc-8D40-95256546CBF8}	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}\stubpath = "C:\\Windows\\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe"	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}	{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}\stubpath = "C:\\Windows\\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe"	{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
1612	{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
2788	{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe
2408	{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe
1016	{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe	{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
File created	C:\Windows\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}.exe	{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe
File created	C:\Windows\{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
File created	C:\Windows\{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
File created	C:\Windows\{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
File created	C:\Windows\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
File created	C:\Windows\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
File created	C:\Windows\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
File created	C:\Windows\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
File created	C:\Windows\{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
File created	C:\Windows\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe	{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
Token: SeIncBasePriorityPrivilege	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
Token: SeIncBasePriorityPrivilege	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
Token: SeIncBasePriorityPrivilege	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
Token: SeIncBasePriorityPrivilege	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
Token: SeIncBasePriorityPrivilege	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
Token: SeIncBasePriorityPrivilege	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
Token: SeIncBasePriorityPrivilege	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
Token: SeIncBasePriorityPrivilege	1612	{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
Token: SeIncBasePriorityPrivilege	2788	{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe
Token: SeIncBasePriorityPrivilege	2408	{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3068	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	31
PID 1584 wrote to memory of 3068	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	31
PID 1584 wrote to memory of 3068	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	31
PID 1584 wrote to memory of 3068	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	31
PID 1584 wrote to memory of 2264	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	32
PID 1584 wrote to memory of 2264	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	32
PID 1584 wrote to memory of 2264	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	32
PID 1584 wrote to memory of 2264	1584	5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe	32
PID 3068 wrote to memory of 2208	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	33
PID 3068 wrote to memory of 2208	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	33
PID 3068 wrote to memory of 2208	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	33
PID 3068 wrote to memory of 2208	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	33
PID 3068 wrote to memory of 2728	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	34
PID 3068 wrote to memory of 2728	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	34
PID 3068 wrote to memory of 2728	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	34
PID 3068 wrote to memory of 2728	3068	{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe	34
PID 2208 wrote to memory of 1428	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	35
PID 2208 wrote to memory of 1428	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	35
PID 2208 wrote to memory of 1428	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	35
PID 2208 wrote to memory of 1428	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	35
PID 2208 wrote to memory of 2568	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	36
PID 2208 wrote to memory of 2568	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	36
PID 2208 wrote to memory of 2568	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	36
PID 2208 wrote to memory of 2568	2208	{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe	36
PID 1428 wrote to memory of 2668	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	37
PID 1428 wrote to memory of 2668	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	37
PID 1428 wrote to memory of 2668	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	37
PID 1428 wrote to memory of 2668	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	37
PID 1428 wrote to memory of 2644	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	38
PID 1428 wrote to memory of 2644	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	38
PID 1428 wrote to memory of 2644	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	38
PID 1428 wrote to memory of 2644	1428	{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe	38
PID 2668 wrote to memory of 2604	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	39
PID 2668 wrote to memory of 2604	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	39
PID 2668 wrote to memory of 2604	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	39
PID 2668 wrote to memory of 2604	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	39
PID 2668 wrote to memory of 2960	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	40
PID 2668 wrote to memory of 2960	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	40
PID 2668 wrote to memory of 2960	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	40
PID 2668 wrote to memory of 2960	2668	{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe	40
PID 2604 wrote to memory of 1856	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	41
PID 2604 wrote to memory of 1856	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	41
PID 2604 wrote to memory of 1856	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	41
PID 2604 wrote to memory of 1856	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	41
PID 2604 wrote to memory of 1556	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	42
PID 2604 wrote to memory of 1556	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	42
PID 2604 wrote to memory of 1556	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	42
PID 2604 wrote to memory of 1556	2604	{363A616C-FAC6-4bed-9037-EDA98345C053}.exe	42
PID 1856 wrote to memory of 2096	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	43
PID 1856 wrote to memory of 2096	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	43
PID 1856 wrote to memory of 2096	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	43
PID 1856 wrote to memory of 2096	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	43
PID 1856 wrote to memory of 2280	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	44
PID 1856 wrote to memory of 2280	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	44
PID 1856 wrote to memory of 2280	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	44
PID 1856 wrote to memory of 2280	1856	{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe	44
PID 2096 wrote to memory of 1612	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	45
PID 2096 wrote to memory of 1612	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	45
PID 2096 wrote to memory of 1612	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	45
PID 2096 wrote to memory of 1612	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	45
PID 2096 wrote to memory of 1760	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	46
PID 2096 wrote to memory of 1760	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	46
PID 2096 wrote to memory of 1760	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	46
PID 2096 wrote to memory of 1760	2096	{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe	46

C:\Users\Admin\AppData\Local\Temp\5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
"C:\Users\Admin\AppData\Local\Temp\5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
  C:\Windows\{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
    C:\Windows\{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
      C:\Windows\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
        
        C:\Windows\{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
        
        C:\Windows\{363A616C-FAC6-4bed-9037-EDA98345C053}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
        
        C:\Windows\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
        
        C:\Windows\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
        
        C:\Windows\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe
        
        C:\Windows\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe
        
        C:\Windows\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}.exe
        
        C:\Windows\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}.exe
        12⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20844~1.EXE > nul
        12⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC3D6~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78FAE~1.EXE > nul
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F4AF~1.EXE > nul
        9⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF0E~1.EXE > nul
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{363A6~1.EXE > nul
        7⤵
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D80E4~1.EXE > nul
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCF0~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{34B7F~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B58CA~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5951C5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2084467B-A67C-4c83-9BC1-6AB03757C8F1}.exe

Filesize
79KB

MD5
e0dac41355a2c6ab244fcf75f48833cf

SHA1
38b6867fef933c4fe621e0abda3d1ff449037b42

SHA256
408a14dc2bddf6af7362a63c48e2187a83e06204905043e97d2ef9b641582d7f

SHA512
aac956bfe6c290d3045dfaf0891c873378ec27eaaaa3a3e5ba5ff2d3912db617ed80a0160f600f0ab5aee6dde99b1165c23c14a4a83460226d3d610c7d0c484f

Download Submit
C:\Windows\{2F4AFE4E-84DE-4469-9F8D-BB3D398740D8}.exe

Filesize
79KB

MD5
825377a6bb5912eb9ebfc96820b8184d

SHA1
48748b92596112474b54e8a0864a89d0127bf774

SHA256
115d52efbe3c9544e3576ada83c925fdeb9d6c0be85c607af048a0dc55c2d17d

SHA512
a5c805bc9a4f54faeeb4a8c19c486d189477c68806b5980e43e434af8acb789e994f5573b9f932a24a36567ca4dd5949429df5a54e91b17ee0cdd72514681920

Download Submit
C:\Windows\{34B7F559-51FC-4639-98D5-AC748AA30B27}.exe

Filesize
79KB

MD5
aacfe171d78698cb765b980abe31d482

SHA1
12d2379bf50f3fc16fada39da7bc285ff95b9bca

SHA256
b35334b348fd2deb0d5eac57b1622700faff7296bad28ce563ed9f7221d865ee

SHA512
d0eabb6c9e528a3134dd440a55774c4e816bdc83a11bb387f5e9060a0bee5292f450aab558df07592a5e1f512db32b201de25871c4aa7d7019e76b2d6dfe0350

Download Submit
C:\Windows\{363A616C-FAC6-4bed-9037-EDA98345C053}.exe

Filesize
79KB

MD5
c28195fde28a788671f38c0fd15e15fe

SHA1
a5a9ab765cdf4df79c89ba35e87556f6b903a4b5

SHA256
2fd4a7112879405a686b8ae31c13ed316a782fdcb0abaf5e8768cc9ab92f94b9

SHA512
1b3b27a9f02c70addbedc226a8ea6be7c4c2a6ada4f033b5bb5c6831de8c265bd1bc342472d3d2bd5e8ad64733bd6a21a0d10fd6f4b0db43805625a49f30919e

Download Submit
C:\Windows\{78FAE3E3-C8CF-4cd8-8254-3CE012559784}.exe

Filesize
79KB

MD5
3f12bfa8e67d4590f8b0e77ceb307dcd

SHA1
6f94caa3b7397867d24edd48c3ce624c553f6dd8

SHA256
7258dbf217aeccf9e0a008146b177734eaa8329718a5812ce67986905fd2d60a

SHA512
d66fe865b57189db71acc52263ee8c2148fd9dda809ad1fca615de5a3a4b054bf5b2d816ab41b0a833c59415b03603e44b3a4c1520362ecc78bd3324cc1dd709

Download Submit
C:\Windows\{B58CA299-8CA0-43dc-8D40-95256546CBF8}.exe

Filesize
79KB

MD5
3ee48476d90ccc6cd6c4e8a065659a0e

SHA1
f228c0b67307f09f3d3bfc63a1e81078d79f600c

SHA256
2853a9bfcabc7fef073bbfa82e995cbcc9bc777a9c90c9104998799447001b01

SHA512
26c76a88aed4123e34d911b8d5fcea0a8e36c6f61cecddfcee6f2f1b3662375a17bfa49f424323137270271e86f2070acfd5bf189bdd28fdc6eaaf618b1d6849

Download Submit
C:\Windows\{BEF0E859-00BE-43dc-9CD3-46CE33B28618}.exe

Filesize
79KB

MD5
8b8856d457537dfa18b626b2f3873d15

SHA1
39d495ecc2783633137a50c8b03a751468b1be62

SHA256
e6452102d11936217358295216e27c06e78ff1a54feaa6f07c93e378f910c643

SHA512
083e1498c52b5d34a4484000771ea8bd171697f77fc98fe019bc16eb6fd6ab19cda383ecf7baa0c1c50899a75128448797cb0d45b074a2774e3d38919b4ae1d0

Download Submit
C:\Windows\{D5D204BE-7645-472a-8D36-A5AB6E7DBF14}.exe

Filesize
79KB

MD5
e130ba4c6ea22589b02155a11dd558bf

SHA1
e95e66d699567ff9c92b629eb58ebe05297e314b

SHA256
a24b3e40a21e5062a90bfbdfc56d75688ccb35180ce18a526ea4dc687d8c49ed

SHA512
77b0867080a21764c2e888eb74d21dfa09ab9dd8e8fcab56d2c63c8ad1c62d4720b971bb494957ea02c9556d7ad6a2c39f7e7db3de3f0580730253ca21fec69c

Download Submit
C:\Windows\{D80E4D53-C5CB-432b-9825-999FB8A90F77}.exe

Filesize
79KB

MD5
1039f9b9043158a0e699c5a165edd3cb

SHA1
1e963fe53147ed28a3104fa747aca654432664a9

SHA256
90a8239bf5dfdba6819e4496a254d4e7a45dfb93531e02ec2bbd87f259a096db

SHA512
a731e8524d9fa213c03939d90e55fcfe3acbac055d1909e8e3d9ce0559206e7ef64930289fbf6c7baac7bd13e8d3bcc122d3aab993aeccedcc97ca4bca89676d

Download Submit
C:\Windows\{DFCF017B-62AE-4752-9A04-5C7902D6E95A}.exe

Filesize
79KB

MD5
8d46c1d1088a941ce12fcdf7a39e2d08

SHA1
1b9d58d125ab52a04156ddbd1dd8b1dd1121103f

SHA256
83338ad53c24f7900e788174e255fd45d1308d9ffec92b404fcde47d8cef5dba

SHA512
180cc0dbc289c73091d3f1c1a36455c7a2eb0978ee895050cf710e27b6e1d0b6a0cbb4199277df1723a4237b9814687bb76a36a8225711b90ffa9df59edab5be

Download Submit
C:\Windows\{FC3D61A5-5182-461d-A82A-6ADA12E30CA1}.exe

Filesize
79KB

MD5
f95376dcf6098a87d6f4079c858c0e46

SHA1
7d1d98e5b4759a738c5bda1c42a1c960a7a1fe93

SHA256
5a54ee7f8cc1fecc6cdbd797786683450b6aaa917c780c863e9567f13e88c991

SHA512
0bcf71142b60a6017d77ed538a7f0bf040e91f6d9895fac2f9050c37ecfc12ce405380f854d463525b6a37737cd93925c2debbc83e34e0b16a7a550e9adeccc1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads