cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Size

98KB
MD5

993226698b477deb23492867f3ddd1a0
SHA1

a5ef831a87f3360dacca2bd73a45d9b77031f1f5
SHA256

cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf
SHA512

68f6b27062f354f92f630e03bf001ebb899e4b30868287ca5eb54d4cfb62efd0c78270f1233c58f84a62de1851f2021ae5776fafcad058572d219860ba01a12d
SSDEEP

768:5vw9816thKQLro/4/wQkNrfrunMxVFA3b7glws:lEG/0o/lbunMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D039DB15-D8F3-40ae-8E34-46E100349AB1}	{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}	{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C698C69-64E9-4e7c-8FEF-222742E463C4}	{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C698C69-64E9-4e7c-8FEF-222742E463C4}\stubpath = "C:\\Windows\\{6C698C69-64E9-4e7c-8FEF-222742E463C4}.exe"	{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}\stubpath = "C:\\Windows\\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe"	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}\stubpath = "C:\\Windows\\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe"	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44555EAE-F08E-474a-B306-C79FDA9C073D}	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96ACEE0-650B-4634-A24C-1450033B1002}\stubpath = "C:\\Windows\\{F96ACEE0-650B-4634-A24C-1450033B1002}.exe"	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}\stubpath = "C:\\Windows\\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe"	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96ACEE0-650B-4634-A24C-1450033B1002}	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}\stubpath = "C:\\Windows\\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe"	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}\stubpath = "C:\\Windows\\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe"	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}\stubpath = "C:\\Windows\\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe"	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44555EAE-F08E-474a-B306-C79FDA9C073D}\stubpath = "C:\\Windows\\{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe"	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D039DB15-D8F3-40ae-8E34-46E100349AB1}\stubpath = "C:\\Windows\\{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe"	{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}\stubpath = "C:\\Windows\\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe"	{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe
1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
2084	{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
2852	{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe
2900	{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe
696	{6C698C69-64E9-4e7c-8FEF-222742E463C4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
File created	C:\Windows\{6C698C69-64E9-4e7c-8FEF-222742E463C4}.exe	{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe
File created	C:\Windows\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
File created	C:\Windows\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
File created	C:\Windows\{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
File created	C:\Windows\{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
File created	C:\Windows\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
File created	C:\Windows\{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe	{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
File created	C:\Windows\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe	{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe
File created	C:\Windows\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
File created	C:\Windows\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Token: SeIncBasePriorityPrivilege	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
Token: SeIncBasePriorityPrivilege	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
Token: SeIncBasePriorityPrivilege	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
Token: SeIncBasePriorityPrivilege	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe
Token: SeIncBasePriorityPrivilege	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
Token: SeIncBasePriorityPrivilege	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
Token: SeIncBasePriorityPrivilege	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
Token: SeIncBasePriorityPrivilege	2084	{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
Token: SeIncBasePriorityPrivilege	2852	{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe
Token: SeIncBasePriorityPrivilege	2900	{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2112	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	28
PID 2156 wrote to memory of 2112	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	28
PID 2156 wrote to memory of 2112	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	28
PID 2156 wrote to memory of 2112	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	28
PID 2156 wrote to memory of 2632	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	29
PID 2156 wrote to memory of 2632	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	29
PID 2156 wrote to memory of 2632	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	29
PID 2156 wrote to memory of 2632	2156	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	29
PID 2112 wrote to memory of 2720	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	30
PID 2112 wrote to memory of 2720	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	30
PID 2112 wrote to memory of 2720	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	30
PID 2112 wrote to memory of 2720	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	30
PID 2112 wrote to memory of 2724	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	31
PID 2112 wrote to memory of 2724	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	31
PID 2112 wrote to memory of 2724	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	31
PID 2112 wrote to memory of 2724	2112	{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe	31
PID 2720 wrote to memory of 2596	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	32
PID 2720 wrote to memory of 2596	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	32
PID 2720 wrote to memory of 2596	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	32
PID 2720 wrote to memory of 2596	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	32
PID 2720 wrote to memory of 2432	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	33
PID 2720 wrote to memory of 2432	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	33
PID 2720 wrote to memory of 2432	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	33
PID 2720 wrote to memory of 2432	2720	{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe	33
PID 2596 wrote to memory of 2700	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	36
PID 2596 wrote to memory of 2700	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	36
PID 2596 wrote to memory of 2700	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	36
PID 2596 wrote to memory of 2700	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	36
PID 2596 wrote to memory of 2784	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	37
PID 2596 wrote to memory of 2784	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	37
PID 2596 wrote to memory of 2784	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	37
PID 2596 wrote to memory of 2784	2596	{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe	37
PID 2700 wrote to memory of 1604	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	38
PID 2700 wrote to memory of 1604	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	38
PID 2700 wrote to memory of 1604	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	38
PID 2700 wrote to memory of 1604	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	38
PID 2700 wrote to memory of 1940	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	39
PID 2700 wrote to memory of 1940	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	39
PID 2700 wrote to memory of 1940	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	39
PID 2700 wrote to memory of 1940	2700	{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe	39
PID 1604 wrote to memory of 1748	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	40
PID 1604 wrote to memory of 1748	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	40
PID 1604 wrote to memory of 1748	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	40
PID 1604 wrote to memory of 1748	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	40
PID 1604 wrote to memory of 2292	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	41
PID 1604 wrote to memory of 2292	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	41
PID 1604 wrote to memory of 2292	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	41
PID 1604 wrote to memory of 2292	1604	{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe	41
PID 1748 wrote to memory of 1540	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	42
PID 1748 wrote to memory of 1540	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	42
PID 1748 wrote to memory of 1540	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	42
PID 1748 wrote to memory of 1540	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	42
PID 1748 wrote to memory of 1584	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	43
PID 1748 wrote to memory of 1584	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	43
PID 1748 wrote to memory of 1584	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	43
PID 1748 wrote to memory of 1584	1748	{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe	43
PID 1540 wrote to memory of 2084	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	44
PID 1540 wrote to memory of 2084	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	44
PID 1540 wrote to memory of 2084	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	44
PID 1540 wrote to memory of 2084	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	44
PID 1540 wrote to memory of 1608	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	45
PID 1540 wrote to memory of 1608	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	45
PID 1540 wrote to memory of 1608	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	45
PID 1540 wrote to memory of 1608	1540	{F96ACEE0-650B-4634-A24C-1450033B1002}.exe	45

C:\Users\Admin\AppData\Local\Temp\cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
"C:\Users\Admin\AppData\Local\Temp\cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
  C:\Windows\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
    C:\Windows\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
      C:\Windows\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe
        
        C:\Windows\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
        
        C:\Windows\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
        
        C:\Windows\{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
        
        C:\Windows\{F96ACEE0-650B-4634-A24C-1450033B1002}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
        
        C:\Windows\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe
        
        C:\Windows\{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe
        
        C:\Windows\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{6C698C69-64E9-4e7c-8FEF-222742E463C4}.exe
        
        C:\Windows\{6C698C69-64E9-4e7c-8FEF-222742E463C4}.exe
        12⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4B63~1.EXE > nul
        12⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D039D~1.EXE > nul
        11⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FD70~1.EXE > nul
        10⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F96AC~1.EXE > nul
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44555~1.EXE > nul
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC7F~1.EXE > nul
        7⤵
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD54~1.EXE > nul
        6⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F6D8~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D83A7~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F81D~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CC9351~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FD70E95-4B8A-4c6e-B382-763A84CB0C70}.exe

Filesize
98KB

MD5
22cfe8bfe5c551d376e3e0e346e84662

SHA1
30d40c66d2add68aafff478d4c77a957799ea704

SHA256
c666bbd57504ffe96d0ef9ad9947e6c6e50288285b47acd862c8330a0edb3fa4

SHA512
ca2e6920836922826b0b878f55bda2901e56a4bb72151f78833283b66ebeb6b42faeaf1922f0f7cec6812acc5bda8b2690f4b969becae3e7eb90f3ea632f8ac0

Download Submit
C:\Windows\{1F81D6BF-3A17-4506-88CA-C2E3E47BD662}.exe

Filesize
98KB

MD5
0bf4b793cadfc7a5eaa2226931954bf1

SHA1
711063362fb498092d29bba013088629bf81f955

SHA256
2ca2d281a9f251cd725bc38d3a5c332e16ab1d6fb2c8456f61c9a68f7ee60311

SHA512
fa1de0d7e57670a2135eefc2706f476fde77988aad41264f2dd6c0532572e0e7ffb693feabccb70faf45503fca233b8853ab2f1732e32404a0e00640d0bc5830

Download Submit
C:\Windows\{2F6D8FA2-2A12-4a2c-A05B-6988CEE741E1}.exe

Filesize
98KB

MD5
e1ae2a52d32bcdadb989edbea0026345

SHA1
90931e6da94187ee3407e4ca3db113b60b9097fc

SHA256
d497783fc2118cddea5f59c4f14964fe44d3093fead1a023e40aae018719dfc4

SHA512
7dff87aa744220f3ada5dbec7c02bf2e1e4c3f4ba9d04891b0dbbdc7cab09d9aa6dadce5c440049efda9714e4c69b7010279d4bdd5705b67452068442eb8b198

Download Submit
C:\Windows\{44555EAE-F08E-474a-B306-C79FDA9C073D}.exe

Filesize
98KB

MD5
861cab643ded6bccad61c2ac58913606

SHA1
9ec2b1f2b2512820a2f694555a099e9c1baadb14

SHA256
ad684fdc3b00602c467381b0c4fb195f36cf29e26fc8905d1276c8601e75e030

SHA512
002d305c4493e18a3cefe8c094281fa0a0ca984d4ee455c8d3e3682f7c26945cb7eb7edda0a4de0c9c61252f82a241af8aa150cefa13c197402207984b47823e

Download Submit
C:\Windows\{4AD54AC9-6DA3-41cb-B0CA-5C91B73AE54E}.exe

Filesize
98KB

MD5
3d2d2f9e9fbebc2d02d94aa315103350

SHA1
8e82ddf45aa338d7d9397abc1645f264d130a8b0

SHA256
bbdcf2add0e103536bc86988aa94ac9a05839051df724ff9b0e9259053165fdb

SHA512
151401330824ee89d933076848137124980cdf3f4dd194b9121a8250bab7521cdd562d74b20a28569ad01ff45a16e7977374f8a094078385a9f043bd68a24655

Download Submit
C:\Windows\{6BC7F2FD-CADC-4089-B58F-688EFA30920A}.exe

Filesize
98KB

MD5
b206db9a0df06b93c47fbe096cb34572

SHA1
839952b343bc45d28b74043dd0dd3d16c3c80a31

SHA256
b1e677200a0a06892078633e9f8d4923a14ef83b52577a118b5c324bca23bcdb

SHA512
4336b2a722b08e11d7effa581a9c984ea74bb4a42347e65aca992dc9697d22533a613d10db6e7ab7b848c72fa9c3deb57f574af1ed0dd91bc824038fed2e45ea

Download Submit
C:\Windows\{6C698C69-64E9-4e7c-8FEF-222742E463C4}.exe

Filesize
98KB

MD5
6945573dffed96cb980e6f4d638c5551

SHA1
5cd3ae57d2faff0af9ebee0412d78a92b06a6b5b

SHA256
f9edb0fedaf221f619cb30b5424d4763ee71ca1ed2db2834e23d8d44af23739e

SHA512
31a7a417cacfe5420ff8159465ef95c6e5596351e9f9f9244981487207e8e5fe3d86f8402d44fa11ba923f4bf9c73b10e6fc6d2fcfe3edd60a83da9a1e4e90d5

Download Submit
C:\Windows\{A4B63933-A4DF-4cd9-8BA9-2565D58450AB}.exe

Filesize
98KB

MD5
5bcb2fb8e745cbcfafee6d13e0e7c4ff

SHA1
b3a094b7494cce0acf1c15539142451cf35d434d

SHA256
591cb09e8f6ba2906efa8088b32c761020fdae4ef9f55db7511efce7a9eef318

SHA512
5c5848d59103366dff062e541a524476d5f0788c47321434235d121b78925b687cc8fe81780a2df4fa4e7f739c5ec62afe0b7a90abe8596f4120321e07e420bb

Download Submit
C:\Windows\{D039DB15-D8F3-40ae-8E34-46E100349AB1}.exe

Filesize
98KB

MD5
eb8b4c341d2e1a8307063e7e25ec8241

SHA1
54b614353e1b41990278f20b6fc7d722c82f7a28

SHA256
aeaf0e1f2cebe9ac424eb410a1bbb8698a3a90ac7b917257e1424d343be5c487

SHA512
39a507f193939662b475f8b5c1022434a43955275018a051cb9c1c9e1b22ec4775de8d1cf7e3466866d038b7788a50c90f32b799b29af93bc784751f9ddeca8a

Download Submit
C:\Windows\{D83A7EDA-63D4-44fb-942C-5A7412BE89EC}.exe

Filesize
98KB

MD5
37c2ebae0c6b65ae34565dba1e0c270f

SHA1
a5ab6e33fcb0c806059e62c781d8670dd3f26a22

SHA256
2e3cd2e3dd551acc016ca38a323be4325817238c69599b5b1dd77da038c53f1a

SHA512
951eb2e6264806b6e8b64116c8c7003cd2c9655dcd7e964f9300f5aecaafc2fbb05f396099c510ad4c2f65cd7b695901ca4516d5abba7e5b205f5e4072df5bd9

Download Submit
C:\Windows\{F96ACEE0-650B-4634-A24C-1450033B1002}.exe

Filesize
98KB

MD5
73574115dd47070b5e1cdc33908bd90c

SHA1
95a2e7402bf6dba65383251e404fe2b72c2a815a

SHA256
d3fb203ea908da401cc0e56465128b94205db7ba3c8a748810eb40de58eb3bf6

SHA512
00038b9db00b8e94fe354f5253a9e8d8980cea601f9642ec0bcb7493f30a81d4f43ddb9223fccead8459890a469970cd2ff72f8019870cf25482681a22cb72c6

Download Submit
memory/696-105-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-75-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/1540-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-74-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/1604-55-0x0000000001C30000-0x0000000001C41000-memory.dmp

Filesize
68KB

Download
memory/1604-56-0x0000000001C30000-0x0000000001C41000-memory.dmp

Filesize
68KB

Download
memory/1604-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1604-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1748-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2084-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-17-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2112-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-8-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2156-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-3-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2156-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-37-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2700-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2720-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2720-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-94-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2852-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-93-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2900-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2900-103-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads