151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe
Size

76KB
MD5

0de25c67272191a0012583ac4fd24a85
SHA1

b9d5b95d32a5b90165172798544b7ae201e3f342
SHA256

151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72
SHA512

a0bcd359bdf86fd8bc6abbb453ca8a63f4f9d4e068c8ed0a20ec62a605a0e4f780f76b0a068f76ba806ed3751e155864e2a65953d4e00761a638564a66581823
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroq4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroq4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B326E110-3FF1-4772-964F-76025ACB0B41}	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}\stubpath = "C:\\Windows\\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe"	{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}	{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}	{9FC6785A-A679-40eb-9647-6833260793F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}\stubpath = "C:\\Windows\\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe"	{9FC6785A-A679-40eb-9647-6833260793F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FC6785A-A679-40eb-9647-6833260793F2}	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}\stubpath = "C:\\Windows\\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe"	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{768FA905-A8F8-40e5-A812-A0FC70B064C8}	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}\stubpath = "C:\\Windows\\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe"	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26084563-269A-4ad4-AC2A-25E720AC8869}	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26084563-269A-4ad4-AC2A-25E720AC8869}\stubpath = "C:\\Windows\\{26084563-269A-4ad4-AC2A-25E720AC8869}.exe"	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{768FA905-A8F8-40e5-A812-A0FC70B064C8}\stubpath = "C:\\Windows\\{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe"	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B326E110-3FF1-4772-964F-76025ACB0B41}\stubpath = "C:\\Windows\\{B326E110-3FF1-4772-964F-76025ACB0B41}.exe"	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}\stubpath = "C:\\Windows\\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe"	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}	{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FC6785A-A679-40eb-9647-6833260793F2}\stubpath = "C:\\Windows\\{9FC6785A-A679-40eb-9647-6833260793F2}.exe"	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}	{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}\stubpath = "C:\\Windows\\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}.exe"	{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}\stubpath = "C:\\Windows\\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe"	{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe
2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe
1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
2028	{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe
2944	{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
2940	{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe
2232	{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}.exe	{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe
File created	C:\Windows\{9FC6785A-A679-40eb-9647-6833260793F2}.exe	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe
File created	C:\Windows\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	{9FC6785A-A679-40eb-9647-6833260793F2}.exe
File created	C:\Windows\{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
File created	C:\Windows\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe	{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe
File created	C:\Windows\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
File created	C:\Windows\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe	{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
File created	C:\Windows\{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
File created	C:\Windows\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
File created	C:\Windows\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
File created	C:\Windows\{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe
Token: SeIncBasePriorityPrivilege	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe
Token: SeIncBasePriorityPrivilege	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
Token: SeIncBasePriorityPrivilege	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
Token: SeIncBasePriorityPrivilege	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
Token: SeIncBasePriorityPrivilege	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe
Token: SeIncBasePriorityPrivilege	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
Token: SeIncBasePriorityPrivilege	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
Token: SeIncBasePriorityPrivilege	2028	{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe
Token: SeIncBasePriorityPrivilege	2944	{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
Token: SeIncBasePriorityPrivilege	2940	{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 2084	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	31
PID 1828 wrote to memory of 2084	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	31
PID 1828 wrote to memory of 2084	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	31
PID 1828 wrote to memory of 2084	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	31
PID 1828 wrote to memory of 2528	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	32
PID 1828 wrote to memory of 2528	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	32
PID 1828 wrote to memory of 2528	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	32
PID 1828 wrote to memory of 2528	1828	151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe	32
PID 2084 wrote to memory of 2724	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	33
PID 2084 wrote to memory of 2724	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	33
PID 2084 wrote to memory of 2724	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	33
PID 2084 wrote to memory of 2724	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	33
PID 2084 wrote to memory of 2856	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	34
PID 2084 wrote to memory of 2856	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	34
PID 2084 wrote to memory of 2856	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	34
PID 2084 wrote to memory of 2856	2084	{9FC6785A-A679-40eb-9647-6833260793F2}.exe	34
PID 2724 wrote to memory of 2300	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	35
PID 2724 wrote to memory of 2300	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	35
PID 2724 wrote to memory of 2300	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	35
PID 2724 wrote to memory of 2300	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	35
PID 2724 wrote to memory of 2896	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	36
PID 2724 wrote to memory of 2896	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	36
PID 2724 wrote to memory of 2896	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	36
PID 2724 wrote to memory of 2896	2724	{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe	36
PID 2300 wrote to memory of 2732	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	37
PID 2300 wrote to memory of 2732	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	37
PID 2300 wrote to memory of 2732	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	37
PID 2300 wrote to memory of 2732	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	37
PID 2300 wrote to memory of 1896	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	38
PID 2300 wrote to memory of 1896	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	38
PID 2300 wrote to memory of 1896	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	38
PID 2300 wrote to memory of 1896	2300	{26084563-269A-4ad4-AC2A-25E720AC8869}.exe	38
PID 2732 wrote to memory of 1412	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	39
PID 2732 wrote to memory of 1412	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	39
PID 2732 wrote to memory of 1412	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	39
PID 2732 wrote to memory of 1412	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	39
PID 2732 wrote to memory of 2644	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	40
PID 2732 wrote to memory of 2644	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	40
PID 2732 wrote to memory of 2644	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	40
PID 2732 wrote to memory of 2644	2732	{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe	40
PID 1412 wrote to memory of 1576	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	41
PID 1412 wrote to memory of 1576	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	41
PID 1412 wrote to memory of 1576	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	41
PID 1412 wrote to memory of 1576	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	41
PID 1412 wrote to memory of 1904	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	42
PID 1412 wrote to memory of 1904	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	42
PID 1412 wrote to memory of 1904	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	42
PID 1412 wrote to memory of 1904	1412	{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe	42
PID 1576 wrote to memory of 2360	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	43
PID 1576 wrote to memory of 2360	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	43
PID 1576 wrote to memory of 2360	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	43
PID 1576 wrote to memory of 2360	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	43
PID 1576 wrote to memory of 1620	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	44
PID 1576 wrote to memory of 1620	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	44
PID 1576 wrote to memory of 1620	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	44
PID 1576 wrote to memory of 1620	1576	{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe	44
PID 2360 wrote to memory of 2028	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	45
PID 2360 wrote to memory of 2028	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	45
PID 2360 wrote to memory of 2028	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	45
PID 2360 wrote to memory of 2028	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	45
PID 2360 wrote to memory of 1552	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	46
PID 2360 wrote to memory of 1552	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	46
PID 2360 wrote to memory of 1552	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	46
PID 2360 wrote to memory of 1552	2360	{B326E110-3FF1-4772-964F-76025ACB0B41}.exe	46

C:\Users\Admin\AppData\Local\Temp\151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe
"C:\Users\Admin\AppData\Local\Temp\151e49c46e023062566a92a7c866355bdc1525698cf614944686efc51ca26f72.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\{9FC6785A-A679-40eb-9647-6833260793F2}.exe
  C:\Windows\{9FC6785A-A679-40eb-9647-6833260793F2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
    C:\Windows\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
      C:\Windows\{26084563-269A-4ad4-AC2A-25E720AC8869}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
        
        C:\Windows\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe
        
        C:\Windows\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
        
        C:\Windows\{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
        
        C:\Windows\{B326E110-3FF1-4772-964F-76025ACB0B41}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe
        
        C:\Windows\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
        
        C:\Windows\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe
        
        C:\Windows\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}.exe
        
        C:\Windows\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}.exe
        12⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F4E5~1.EXE > nul
        12⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BACBD~1.EXE > nul
        11⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A052D~1.EXE > nul
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B326E~1.EXE > nul
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{768FA~1.EXE > nul
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BEE7~1.EXE > nul
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{664BA~1.EXE > nul
        6⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26084~1.EXE > nul
        5⤵
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44B91~1.EXE > nul
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FC67~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\151E49~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26084563-269A-4ad4-AC2A-25E720AC8869}.exe

Filesize
76KB

MD5
1e77c936eab2d060a8d19ae556b3ade5

SHA1
8e2015215043e42956c6f9682249fd97c19e29b0

SHA256
855761ba16d325867a0eb04e5159f8828fbe68f231b7708260f8e282ce8266ac

SHA512
23c86dbf6eff7725773b7eb128cb5c917d61f8784058d9b70cf3388e20e4fb714a087e419f384283e0f3c758fd450adc12b6583ba48064504edbb9608fc9ec6e

Download Submit
C:\Windows\{44B91F13-393F-4c4e-A1FB-9CE2BA77976F}.exe

Filesize
76KB

MD5
5f411e42f1604e953be8fe36fa944b43

SHA1
aba5105eb78a7e904cf86b5825a289bb86a2b05f

SHA256
ad944fd22f493fc24e94f8c8afd8b57f53e480c4adf610ece9f2ab928cb36917

SHA512
1f319064d689196381041a7de1f96f2d69de34bdbd665620c5e744cbe0e5557d55a0e18957693f1fdda3b979d98e26a72c3efab8cc1c7c7cb06e1266b4212124

Download Submit
C:\Windows\{5F4E5B09-1AFD-4fcc-9E2A-FBDF8C9ED43F}.exe

Filesize
76KB

MD5
2e651ad78803737121f30188800cd439

SHA1
39c9530f0e6c1049186259004fa0370560ee6720

SHA256
931c2ccf2960cfce51edf113b8a6461fa5442ad5340cb162cbd041ad7efadc93

SHA512
798144328eda51274d5991ec1e736fbe8dabb0f0c6e95471d3433bdb331a5e6aacfd8f1cf30541b89a9be758091ad8eabc99b33a496f5d71fd0633a9005635fa

Download Submit
C:\Windows\{664BAB43-8751-4f71-B0DF-951DC57FD5D9}.exe

Filesize
76KB

MD5
c50b61e7a6a1e565c166abd38a9008cd

SHA1
9a14d26ba2e874fbd84e73d2b16c55a4d4c1449c

SHA256
7bceed9c07f305fcea63fe473c5d0fd500960359d5382f1e054317ab07e2a774

SHA512
b9fb9cc1aa53d16e650864c37492d96777a40a5b74c3cf50f35e8c20eeb32587c8b45adc749b1811ddc05dc241a03453d9d02432bf310ed1fd2da3670ba7de4c

Download Submit
C:\Windows\{768FA905-A8F8-40e5-A812-A0FC70B064C8}.exe

Filesize
76KB

MD5
2232a86a608c30fb84d1bd216e2e14af

SHA1
01722d623a3287073cda027b6582c92b484ecde2

SHA256
5a2cae8dfd2b29e4b5353438fccd834a927ec4bd88da4d980ca43e4d030a2d65

SHA512
8172d667fe4c997eb8e160187cd5564c875e1166f7ab006961830786cf72cafa11fe5586ef51000a6ca0ba523418f85191a9bdda2a279c06888fe6eb47d2caec

Download Submit
C:\Windows\{8BEE70C7-DEEF-41a3-887E-F7102F9DD60D}.exe

Filesize
76KB

MD5
683ce25c1b4c64cbb54f8352250b3d06

SHA1
fa0bea5fef3f544c73067fe4ee1df8eb2be13a02

SHA256
f0278608ad5d8d6385fcf9f660dddba91a9b4d4a7512da20837b9924ccacb788

SHA512
e89ea3d24cce524cfa1f920b263f3bcd1f91471bfe8f54cd1b2ada864911b21bc2a70a4782dcf39dd5ce2e1c21b227c9d972b3ffa296918cbad2e954a89ea927

Download Submit
C:\Windows\{9FC6785A-A679-40eb-9647-6833260793F2}.exe

Filesize
76KB

MD5
ed6637e61df5dcf9a04bc0d06ea401ef

SHA1
c6eebbf01f1df1d1b3ef6eb607b6e4929f7b1876

SHA256
ac9c9890f315d8959a1cb703041dd809e84bd6ee48c863f7db99a879eb3a7b5c

SHA512
023f10dd8517ac5de096cff432894a8a8c306f5466e510949c6d523e2fa15a6182b95dd7c87d2f9cb48a5b0b650268fd7178babe097a64e60a633e297e41e626

Download Submit
C:\Windows\{A052D5C5-A5B0-466a-899D-5E40E25BEA20}.exe

Filesize
76KB

MD5
eb517967d70031f982dcb70f3f13e6b8

SHA1
68a53074a0d740a33fe494586525db548fdd1ff5

SHA256
96da8e672ca0a17fc1a4882b9731787456bea3fe83ff470bede936bde3c85a0d

SHA512
26a61919d630a076aafb3d5872acef31fe0204ff851fefd88d0114562ef8fa744926151e02bb06abaf3c66f7263a007fbad74a0f77ea88ed64a0781f67b9c932

Download Submit
C:\Windows\{B326E110-3FF1-4772-964F-76025ACB0B41}.exe

Filesize
76KB

MD5
a5747ae95d29fbfb6a6bd3c8d59abfac

SHA1
d23f35fc36fc06e7bc496bfafd8d2d71b388d429

SHA256
8fcfb170979e50bb17a7da1f91e40a088228690c9d5ff4d67737ec1f10b71264

SHA512
b6cbea072066e79db425a4d930c067c2ab9ede5f10f575cfb7db03145e67fcb28f1d2043e0a692ed81991bdf41e8294ac6b59772dc03a3fc3db4b20ad7b2e141

Download Submit
C:\Windows\{BACBDA4C-7A62-47c9-A0EA-497A695E59AE}.exe

Filesize
76KB

MD5
c5b097bcb79be84a2120057baee6fb19

SHA1
90cc0f658825ba1ccb8fdb31353927f8e0dd9486

SHA256
64069643115e708da06ec651d4c4b9387a08b6d9059761be49292dfb8d1b05ae

SHA512
6532362ff74b070b50300b9066df45a4038283abca68827c293d8bcb8506510eb2473aa5915439d14049d232d7971e4c88c211fc6916632871a44be9121c2a2b

Download Submit
C:\Windows\{E92CCED6-8773-4cab-A882-B2D3AAE6FF6E}.exe

Filesize
76KB

MD5
06990f3a78589d5991aa98fc4f21b41c

SHA1
d780110979fbc89926f9acb71c8bb5c4887b2044

SHA256
db56a871d2c70e5838e333dfa9a784d2223c33d3cbf9f688770b4299070727ab

SHA512
9f40d52d09a322f1bc2862b7f1321081a77c09aad76d6c6d26861011323c47f808a16bbfdff0f1864b50e47cd248908e445d65371941d782a1512e43ea1b0ed9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads