8b1163e9d210bec6e9e666faa9a626e131d382cdcc21a545a6d786b972460763

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01448fb0f53dc44af596646793f89e60N.exe
Size

90KB
MD5

01448fb0f53dc44af596646793f89e60
SHA1

050aa832d1b214435c81feca808a17213bcb648c
SHA256

8b1163e9d210bec6e9e666faa9a626e131d382cdcc21a545a6d786b972460763
SHA512

e06e424a1706dcaca32b7045f3791813356e266c3737354e0893ec44a081f8cc09f26fd212bed359426afdc876db9a77811a4bbb6e842b534034226d785fb3d6
SSDEEP

768:Qvw9816vhKQLro34/wQRNrfrunMxVFA3b7glw:YEGh0o3l2unMxVS3Hg

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCA153E9-CD97-41c9-84B0-0269F28493F5}\stubpath = "C:\\Windows\\{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe"	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}\stubpath = "C:\\Windows\\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe"	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DD0C213-2254-42ac-883E-A3A4031442F8}	{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}\stubpath = "C:\\Windows\\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe"	{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C647959E-924B-4ee1-8794-4412A0121F57}\stubpath = "C:\\Windows\\{C647959E-924B-4ee1-8794-4412A0121F57}.exe"	{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E354E0F3-DB3F-4223-87E4-B39E4B604645}\stubpath = "C:\\Windows\\{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe"	01448fb0f53dc44af596646793f89e60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44314707-E44B-4759-B433-66B63B3B7BA3}\stubpath = "C:\\Windows\\{44314707-E44B-4759-B433-66B63B3B7BA3}.exe"	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCA153E9-CD97-41c9-84B0-0269F28493F5}	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A7E644-4EFA-4352-A619-DE1E4E97F607}	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A7E644-4EFA-4352-A619-DE1E4E97F607}\stubpath = "C:\\Windows\\{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe"	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75D9A0CB-542B-4995-88D7-ACD7E415C314}	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75D9A0CB-542B-4995-88D7-ACD7E415C314}\stubpath = "C:\\Windows\\{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe"	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}\stubpath = "C:\\Windows\\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe"	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}	{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}\stubpath = "C:\\Windows\\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe"	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C647959E-924B-4ee1-8794-4412A0121F57}	{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E354E0F3-DB3F-4223-87E4-B39E4B604645}	01448fb0f53dc44af596646793f89e60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44314707-E44B-4759-B433-66B63B3B7BA3}	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DD0C213-2254-42ac-883E-A3A4031442F8}\stubpath = "C:\\Windows\\{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe"	{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe
1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
620	{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe
2432	{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
332	{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe
1736	{C647959E-924B-4ee1-8794-4412A0121F57}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
File created	C:\Windows\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe	{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
File created	C:\Windows\{C647959E-924B-4ee1-8794-4412A0121F57}.exe	{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe
File created	C:\Windows\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
File created	C:\Windows\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
File created	C:\Windows\{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe	{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe
File created	C:\Windows\{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	01448fb0f53dc44af596646793f89e60N.exe
File created	C:\Windows\{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
File created	C:\Windows\{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
File created	C:\Windows\{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
File created	C:\Windows\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1920	01448fb0f53dc44af596646793f89e60N.exe
Token: SeIncBasePriorityPrivilege	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
Token: SeIncBasePriorityPrivilege	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
Token: SeIncBasePriorityPrivilege	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
Token: SeIncBasePriorityPrivilege	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe
Token: SeIncBasePriorityPrivilege	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
Token: SeIncBasePriorityPrivilege	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
Token: SeIncBasePriorityPrivilege	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
Token: SeIncBasePriorityPrivilege	620	{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe
Token: SeIncBasePriorityPrivilege	2432	{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
Token: SeIncBasePriorityPrivilege	332	{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1752	1920	01448fb0f53dc44af596646793f89e60N.exe	28
PID 1920 wrote to memory of 1752	1920	01448fb0f53dc44af596646793f89e60N.exe	28
PID 1920 wrote to memory of 1752	1920	01448fb0f53dc44af596646793f89e60N.exe	28
PID 1920 wrote to memory of 1752	1920	01448fb0f53dc44af596646793f89e60N.exe	28
PID 1920 wrote to memory of 2976	1920	01448fb0f53dc44af596646793f89e60N.exe	29
PID 1920 wrote to memory of 2976	1920	01448fb0f53dc44af596646793f89e60N.exe	29
PID 1920 wrote to memory of 2976	1920	01448fb0f53dc44af596646793f89e60N.exe	29
PID 1920 wrote to memory of 2976	1920	01448fb0f53dc44af596646793f89e60N.exe	29
PID 1752 wrote to memory of 2704	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	30
PID 1752 wrote to memory of 2704	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	30
PID 1752 wrote to memory of 2704	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	30
PID 1752 wrote to memory of 2704	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	30
PID 1752 wrote to memory of 2688	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	31
PID 1752 wrote to memory of 2688	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	31
PID 1752 wrote to memory of 2688	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	31
PID 1752 wrote to memory of 2688	1752	{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe	31
PID 2704 wrote to memory of 2768	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	32
PID 2704 wrote to memory of 2768	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	32
PID 2704 wrote to memory of 2768	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	32
PID 2704 wrote to memory of 2768	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	32
PID 2704 wrote to memory of 2772	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	33
PID 2704 wrote to memory of 2772	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	33
PID 2704 wrote to memory of 2772	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	33
PID 2704 wrote to memory of 2772	2704	{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe	33
PID 2768 wrote to memory of 2896	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	36
PID 2768 wrote to memory of 2896	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	36
PID 2768 wrote to memory of 2896	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	36
PID 2768 wrote to memory of 2896	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	36
PID 2768 wrote to memory of 1980	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	37
PID 2768 wrote to memory of 1980	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	37
PID 2768 wrote to memory of 1980	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	37
PID 2768 wrote to memory of 1980	2768	{44314707-E44B-4759-B433-66B63B3B7BA3}.exe	37
PID 2896 wrote to memory of 1544	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	38
PID 2896 wrote to memory of 1544	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	38
PID 2896 wrote to memory of 1544	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	38
PID 2896 wrote to memory of 1544	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	38
PID 2896 wrote to memory of 876	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	39
PID 2896 wrote to memory of 876	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	39
PID 2896 wrote to memory of 876	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	39
PID 2896 wrote to memory of 876	2896	{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe	39
PID 1544 wrote to memory of 908	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	40
PID 1544 wrote to memory of 908	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	40
PID 1544 wrote to memory of 908	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	40
PID 1544 wrote to memory of 908	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	40
PID 1544 wrote to memory of 804	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	41
PID 1544 wrote to memory of 804	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	41
PID 1544 wrote to memory of 804	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	41
PID 1544 wrote to memory of 804	1544	{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe	41
PID 908 wrote to memory of 1372	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	42
PID 908 wrote to memory of 1372	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	42
PID 908 wrote to memory of 1372	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	42
PID 908 wrote to memory of 1372	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	42
PID 908 wrote to memory of 1436	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	43
PID 908 wrote to memory of 1436	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	43
PID 908 wrote to memory of 1436	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	43
PID 908 wrote to memory of 1436	908	{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe	43
PID 1372 wrote to memory of 620	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	44
PID 1372 wrote to memory of 620	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	44
PID 1372 wrote to memory of 620	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	44
PID 1372 wrote to memory of 620	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	44
PID 1372 wrote to memory of 1696	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	45
PID 1372 wrote to memory of 1696	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	45
PID 1372 wrote to memory of 1696	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	45
PID 1372 wrote to memory of 1696	1372	{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe	45

C:\Users\Admin\AppData\Local\Temp\01448fb0f53dc44af596646793f89e60N.exe
"C:\Users\Admin\AppData\Local\Temp\01448fb0f53dc44af596646793f89e60N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
  C:\Windows\{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
    C:\Windows\{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
      C:\Windows\{44314707-E44B-4759-B433-66B63B3B7BA3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe
        
        C:\Windows\{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
        
        C:\Windows\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
        
        C:\Windows\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
        
        C:\Windows\{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe
        
        C:\Windows\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
        
        C:\Windows\{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe
        
        C:\Windows\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\{C647959E-924B-4ee1-8794-4412A0121F57}.exe
        
        C:\Windows\{C647959E-924B-4ee1-8794-4412A0121F57}.exe
        12⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70BD5~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DD0C~1.EXE > nul
        11⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F40~1.EXE > nul
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19A7E~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93C64~1.EXE > nul
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DED1B~1.EXE > nul
        7⤵
        
        PID:804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCA15~1.EXE > nul
        6⤵
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44314~1.EXE > nul
        5⤵
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75D9A~1.EXE > nul
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E354E~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\01448F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19A7E644-4EFA-4352-A619-DE1E4E97F607}.exe

Filesize
90KB

MD5
4bc7803690a71eba5fc76fea8af6fd64

SHA1
ade44d790007fce81e5405e45a072c4615c21034

SHA256
51d957d6f5022d4ee3bc538c4074087e00cbc19062e86fb558a43a8072a1e008

SHA512
b5beb99517ead9e250c403675ad5aa0fa92598581a3a0500bb8eebc16f6f3484e48a43d052ba1c08ab5707a3f363bfdecdcba1959b9baeb438874001337abcaf

Download Submit
C:\Windows\{44314707-E44B-4759-B433-66B63B3B7BA3}.exe

Filesize
90KB

MD5
a08faa24cbba0ffa1ba20e0aec0abd6a

SHA1
2d4fee6d5969f2aad0ecf85604f928d6dbcd1296

SHA256
aebf2a27d23ff00f6e6258c4f604c0b6f35c9c29b2312fa7b88b49d4f5bc0082

SHA512
dbc26c2811e8da94f08fd3caa8e8decf83d077760380404b82899209f381c86acf4f2f6544a28205523ee260dbd4c93e9aa99d3fa4be00633faa27d74edf19a9

Download Submit
C:\Windows\{6DD0C213-2254-42ac-883E-A3A4031442F8}.exe

Filesize
90KB

MD5
92f4b361db39ef46bd35fbe52a79218c

SHA1
63b6a5c3d106c3fefe73d2a1652295b77cc38e95

SHA256
66bd275d6c4e348049cf6376642249605435304b07198f51f96cd5fa3a4ddbe4

SHA512
8555a815530741e9d3ee966b3b669ee4592cc61d68aa021c9e38fb352c0e14143d05a8b8c60924bc23a50756fe635e3cf0c91bbf31259842a2415aabec27956e

Download Submit
C:\Windows\{70BD5410-9ECE-4c69-B42B-634C98C1FD01}.exe

Filesize
90KB

MD5
16ec7ef65f03abff8d0c57a0c5ad4634

SHA1
3ffb984ddc0f0a9c2e9b95f86f2fe066fb716145

SHA256
2a82eba7c29b9ecf1d2d2661f95c0d3b1626357c57b88d5b46c5746d041c016c

SHA512
6dd9c0affc91ff0b6e015e97c3cc603faab3e701622a28937f65cc37e4826a0b37d0bce1bf5769061a97441b15385818c5c37ca1eb4e2b91344905dbd0e16043

Download Submit
C:\Windows\{75D9A0CB-542B-4995-88D7-ACD7E415C314}.exe

Filesize
90KB

MD5
27ba116c09fc557c835b28b6895889e4

SHA1
5fcb0f2fe1bbfcc242fc3ca78b274a5cb6fb9b5c

SHA256
4c634a3f5e059c298429648f6c523fb970f0957f50c3799f9abe4154f6278238

SHA512
a9724cad725d33aff60b0d944f3822ea300ecaed57c2f138f83b1e789c15034ce6002f4c04fb4d4e6b2d52202a775d2f784b127b38d11cebedb2970380a1f835

Download Submit
C:\Windows\{93C64AFD-2EEA-4927-9B9A-432175CEFEDE}.exe

Filesize
90KB

MD5
f86eeab6f81b391810a8e39d31138e53

SHA1
2dbcb6044cfed443fb26cb17b66673c04cb41ccc

SHA256
2be4bb7d2b9199fa4e7c7cc89e1985511eb5658dd1d8a1584b4a5c8d87eef40c

SHA512
cf88b75feff0de7132adb2e1dc657f42f9850c6beb2566f7a7c1900dcc554c1b28df2edc1caadc8b769c96a4c20302d80ae295172966d2bebfe7ad02114d3131

Download Submit
C:\Windows\{C647959E-924B-4ee1-8794-4412A0121F57}.exe

Filesize
90KB

MD5
416e5a68ef215ee8d6e8fb285c48ba36

SHA1
85cdb58d16ca2fe9dab56dfc4868d0dfc818433a

SHA256
0d407d8fc2d4bf9e3f4627aed2b4162eda75a2734d03b0bc094f6e6c795508e4

SHA512
b46259771deb9e944c0c292ae386da63e6a2a91cbd58f88e0bcf0234fd58e799e6d2a4a2782b864c6c6e15b2f5ee2957465515a6fb595e1d78deb3d5e3f83a2a

Download Submit
C:\Windows\{DED1B18E-C07F-4f6f-8BB5-F005D0A85193}.exe

Filesize
90KB

MD5
25389ce3f5706b1b1184e050ba225cc3

SHA1
ebbd1dccc68c569d1e3e197625ce47ca6a3226c2

SHA256
4e05d605ea327f6305f58a89a77b8fbe295f84f736a35d900c8cb3f3629c8152

SHA512
58707d052b9eeafcefd5176587f4346452421b28f2b5e21706592827f26b8b4f177840e0855d82569cfbd9c9c11a2d7567d1c88fb6d3e54422d3c23e46f3ba79

Download Submit
C:\Windows\{E1F4036B-75A9-4876-A5A6-F630F3253BBC}.exe

Filesize
90KB

MD5
540af7d74afef70ba07a4667fe89e92b

SHA1
cd83e1154e91a0508c283471f093611339b65968

SHA256
0cacac798ca00d62da529c01543c6828bc880100f17d0770aed048c0b6298979

SHA512
48a70db7af6dccc29007c80586c95011308bfc7db953a933e5a0a92eb2cc71201d6d3eb0c522ea22371ec46a7f0c8ad0ed4eb8150c53c4f792b72581966df256

Download Submit
C:\Windows\{E354E0F3-DB3F-4223-87E4-B39E4B604645}.exe

Filesize
90KB

MD5
d8d03a27738929c3918546d1e0ae76ef

SHA1
8f68cd0305f147383ed14218e138271197eb75ac

SHA256
fe2576f411dd471d4041380820420d8c3d4a74a4081d8b9aee87682b45264c8c

SHA512
a56b9f1a568bfbffe41fd2f0f67e480c180196e68a04f9f80907c146a8f9da04b566c8003ee6054c1b654763eef8a15260a8963e19e865393c5a654b19b93c29

Download Submit
C:\Windows\{FCA153E9-CD97-41c9-84B0-0269F28493F5}.exe

Filesize
90KB

MD5
9abfe7eb517bea68eb19f87fd5770bfc

SHA1
93273aa7f68163b524a607c68cfa357e410405bd

SHA256
794d8fc7b40e080756b763e8758b96bcb1fb554e31445f92afd9fc0d006e02f6

SHA512
931b3a798e17ce85b8cbd9017ed9afdeb60086a82c99c25fc89cfe2c7fbd843959f5675c14a030236c8505627d6da273efb5fd1f7587730f1106963917d6a2ad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads