762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 23:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe
Size

89KB
MD5

d5f06c6e9813253e38549e4a03b87bba
SHA1

437ba055e523abb47ef0cd0773139d102a12f4f7
SHA256

762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840
SHA512

204a0be96a5c59605c3dddb4574f8e1b97c97fe742f97c246f9816281f43c8a63dbdb423ed02062006f6fdb9b7bedf606eb6e45e1d1688eb30f6e9717bf2999a
SSDEEP

768:5vw9816thKQLroF4/wQkNrfrunMxVFA3k:lEG/0oFlbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0DC069-101E-4850-8159-94F579BC92E1}	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5FD9646-9B4E-41d9-8055-D275CE51010C}\stubpath = "C:\\Windows\\{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe"	{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}\stubpath = "C:\\Windows\\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe"	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}\stubpath = "C:\\Windows\\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe"	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}	{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}\stubpath = "C:\\Windows\\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe"	{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}\stubpath = "C:\\Windows\\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe"	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}\stubpath = "C:\\Windows\\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe"	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5EF8330-382F-47cf-B540-8A356BEF425B}\stubpath = "C:\\Windows\\{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe"	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0169F12A-6900-44e6-8B9F-87CC195D485C}	{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0DC069-101E-4850-8159-94F579BC92E1}\stubpath = "C:\\Windows\\{DB0DC069-101E-4850-8159-94F579BC92E1}.exe"	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5FD9646-9B4E-41d9-8055-D275CE51010C}	{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5EF8330-382F-47cf-B540-8A356BEF425B}	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}\stubpath = "C:\\Windows\\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe"	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}\stubpath = "C:\\Windows\\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe"	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0169F12A-6900-44e6-8B9F-87CC195D485C}\stubpath = "C:\\Windows\\{0169F12A-6900-44e6-8B9F-87CC195D485C}.exe"	{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe

Deletes itself 1 IoCs

pid	Process
1724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
1544	{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
2408	{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
3032	{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe
932	{0169F12A-6900-44e6-8B9F-87CC195D485C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
File created	C:\Windows\{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
File created	C:\Windows\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
File created	C:\Windows\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
File created	C:\Windows\{DB0DC069-101E-4850-8159-94F579BC92E1}.exe	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
File created	C:\Windows\{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe	{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
File created	C:\Windows\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe	{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
File created	C:\Windows\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
File created	C:\Windows\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
File created	C:\Windows\{0169F12A-6900-44e6-8B9F-87CC195D485C}.exe	{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe
File created	C:\Windows\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe
Token: SeIncBasePriorityPrivilege	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
Token: SeIncBasePriorityPrivilege	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
Token: SeIncBasePriorityPrivilege	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
Token: SeIncBasePriorityPrivilege	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
Token: SeIncBasePriorityPrivilege	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
Token: SeIncBasePriorityPrivilege	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
Token: SeIncBasePriorityPrivilege	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
Token: SeIncBasePriorityPrivilege	1544	{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
Token: SeIncBasePriorityPrivilege	2408	{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
Token: SeIncBasePriorityPrivilege	3032	{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 848	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	29
PID 2552 wrote to memory of 848	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	29
PID 2552 wrote to memory of 848	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	29
PID 2552 wrote to memory of 848	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	29
PID 2552 wrote to memory of 1724	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	30
PID 2552 wrote to memory of 1724	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	30
PID 2552 wrote to memory of 1724	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	30
PID 2552 wrote to memory of 1724	2552	762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe	30
PID 848 wrote to memory of 3008	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	31
PID 848 wrote to memory of 3008	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	31
PID 848 wrote to memory of 3008	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	31
PID 848 wrote to memory of 3008	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	31
PID 848 wrote to memory of 2852	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	32
PID 848 wrote to memory of 2852	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	32
PID 848 wrote to memory of 2852	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	32
PID 848 wrote to memory of 2852	848	{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe	32
PID 3008 wrote to memory of 2900	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	33
PID 3008 wrote to memory of 2900	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	33
PID 3008 wrote to memory of 2900	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	33
PID 3008 wrote to memory of 2900	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	33
PID 3008 wrote to memory of 2928	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	34
PID 3008 wrote to memory of 2928	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	34
PID 3008 wrote to memory of 2928	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	34
PID 3008 wrote to memory of 2928	3008	{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe	34
PID 2900 wrote to memory of 2692	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	35
PID 2900 wrote to memory of 2692	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	35
PID 2900 wrote to memory of 2692	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	35
PID 2900 wrote to memory of 2692	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	35
PID 2900 wrote to memory of 2660	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	36
PID 2900 wrote to memory of 2660	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	36
PID 2900 wrote to memory of 2660	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	36
PID 2900 wrote to memory of 2660	2900	{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe	36
PID 2692 wrote to memory of 1784	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	37
PID 2692 wrote to memory of 1784	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	37
PID 2692 wrote to memory of 1784	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	37
PID 2692 wrote to memory of 1784	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	37
PID 2692 wrote to memory of 2336	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	38
PID 2692 wrote to memory of 2336	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	38
PID 2692 wrote to memory of 2336	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	38
PID 2692 wrote to memory of 2336	2692	{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe	38
PID 1784 wrote to memory of 588	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	39
PID 1784 wrote to memory of 588	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	39
PID 1784 wrote to memory of 588	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	39
PID 1784 wrote to memory of 588	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	39
PID 1784 wrote to memory of 1692	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	40
PID 1784 wrote to memory of 1692	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	40
PID 1784 wrote to memory of 1692	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	40
PID 1784 wrote to memory of 1692	1784	{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe	40
PID 588 wrote to memory of 2056	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	41
PID 588 wrote to memory of 2056	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	41
PID 588 wrote to memory of 2056	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	41
PID 588 wrote to memory of 2056	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	41
PID 588 wrote to memory of 2980	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	42
PID 588 wrote to memory of 2980	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	42
PID 588 wrote to memory of 2980	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	42
PID 588 wrote to memory of 2980	588	{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe	42
PID 2056 wrote to memory of 1544	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	43
PID 2056 wrote to memory of 1544	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	43
PID 2056 wrote to memory of 1544	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	43
PID 2056 wrote to memory of 1544	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	43
PID 2056 wrote to memory of 1484	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	44
PID 2056 wrote to memory of 1484	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	44
PID 2056 wrote to memory of 1484	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	44
PID 2056 wrote to memory of 1484	2056	{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe	44

C:\Users\Admin\AppData\Local\Temp\762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe
"C:\Users\Admin\AppData\Local\Temp\762f33830c5e0d4b668b4ec8f2f2f487b09810aee0ff9f1af9cce8b42e567840.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
  C:\Windows\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
    C:\Windows\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
      C:\Windows\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
        
        C:\Windows\{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
        
        C:\Windows\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
        
        C:\Windows\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
        
        C:\Windows\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
        
        C:\Windows\{DB0DC069-101E-4850-8159-94F579BC92E1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
        
        C:\Windows\{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe
        
        C:\Windows\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{0169F12A-6900-44e6-8B9F-87CC195D485C}.exe
        
        C:\Windows\{0169F12A-6900-44e6-8B9F-87CC195D485C}.exe
        12⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8472C~1.EXE > nul
        12⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5FD9~1.EXE > nul
        11⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB0DC~1.EXE > nul
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{766B3~1.EXE > nul
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38198~1.EXE > nul
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7069C~1.EXE > nul
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5EF8~1.EXE > nul
        6⤵
        
        PID:2336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5404F~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{042FC~1.EXE > nul
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA7D5~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\762F33~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0169F12A-6900-44e6-8B9F-87CC195D485C}.exe

Filesize
89KB

MD5
de640728f1577db7fa87f9c61ab55dda

SHA1
afc05769bd8f399f78a2daa1e84313c733af0d78

SHA256
1ff4d5fd605deffda16488a826c8c48682150a90626f38cf1de5e331c6a85172

SHA512
d4066bef70601f677cfeca44fc4f8b7c5792eb4a08221cc7b78f25ba1134d000ca02658de6bba6a359acbd813ff5bed14614898687e0ed919707fab6667eec57

Download Submit
C:\Windows\{042FC2D3-68BC-41dd-88EC-CD648174FEBA}.exe

Filesize
89KB

MD5
73298c70a0f42c2fbc1a1cd19c57cd6a

SHA1
4100fafb51327d457fb353dbbe44cc1c0224fd32

SHA256
2b35aebcb787d02675557778a2976213e1ed1b3b3bb4e1d75e8eb5823de88e2c

SHA512
8f9c9e0295cd41eb831c0ec9c60521bd4266bd66d9ad36637d2910c605297719619a253b6af52245451887f8d818ba4a9a18cd92a77a6af4a430c1aa6106480f

Download Submit
C:\Windows\{38198AA9-A02B-4fc7-B5ED-E7871C8AD4E6}.exe

Filesize
89KB

MD5
d0494384025173c4e881eeb2b2090712

SHA1
0ebb9ffe48a9e7b06bb68d76011789865a38a706

SHA256
e1e000fed26f2a33fae2025161301221bd90ec2f5219f0d56f248d94bbf7e758

SHA512
9c0112eeaef2841b4060ff154504482b6d6ccfe62c0cc6390d63ba9a196b1c1562cf71dee5651ff06cfc7a7c5ac847e24d9960637c4c3dfcd95ffbff7ebe3d3b

Download Submit
C:\Windows\{5404FEC8-ABB2-4c9a-A0DD-22DD2083E9DF}.exe

Filesize
89KB

MD5
b53ccc42cabfa447b89ff0be777ef9ec

SHA1
468a682e379f6eb5d3a1cacc94bdd1143ea98b92

SHA256
aafc945e24bfc8d3c2d278d843ddea4f11f28b53a09b7ae7987789caf2d86fbe

SHA512
1944509c73d1d627d768746b8f71905a4fa529af85cd53ac0a36e193150a4dba5f1c0606ecf65fc7ae635ca17117a16624783ab1c886fdfa9ca74572f5acff2b

Download Submit
C:\Windows\{7069C7D1-FD36-4a53-894B-F89A9D6F81F7}.exe

Filesize
89KB

MD5
56cf4de4fe3e1d61fda95616ddd00d2e

SHA1
d09eba799e39ff3d1a741154be85088929dd3372

SHA256
209b112f9b1c7202017959dfc03a663ab373af0c2f791855c09103cffd9e8b96

SHA512
076fe10840821bdda54ba69d059b04e805d126a1c001b690ffe822fc5d72c88d536ba5f40772d51d387b44c29263260e903de4be448b47bc2e3657c80eb0c34e

Download Submit
C:\Windows\{766B383D-8E51-41a6-8D6D-BF0A7FC95558}.exe

Filesize
89KB

MD5
557510843f16a27e8fd95e41d3220f2b

SHA1
9b783589ca01fbb13911839670727a2a2f6c2214

SHA256
07c316e44736dc6c2531c198bee1c2a6b2140188ba6e762e6c2263778f8b1c5b

SHA512
e6f8e5a6b964c9e388e041c0c77dac45383a7b3a5332960f5147a4c646000864a2509cf79d8275bd6ac4c2fb816b5f3418da059452a3cf123fb57131030c7a36

Download Submit
C:\Windows\{8472C145-CAB8-4f58-9C73-E92EE9C64B7C}.exe

Filesize
89KB

MD5
ed80b13d26ed5828b465235c07aebcd4

SHA1
286af49a8d01229dde50f98deec14ebf1c8573a2

SHA256
bc584f1ff727278bcfb9858061c45c238792426c4905ee9d3469f82ffa0a623a

SHA512
c65ef0ec890d51677904ffc0f97e438f62f9418f2221f4bd036148a277b155a5b3f34053dc6abf6b4c28b876daf9ec6e9f855a21e8e676299a58765002daac4e

Download Submit
C:\Windows\{AA7D50FF-7D14-469f-9A9E-9ACF942D7034}.exe

Filesize
89KB

MD5
9216626606772e690bf4fb2a41d794ea

SHA1
346430e4da6ae61572749a2fc5f85fbe2e6604b9

SHA256
5471922a99a09fbbaf27a5f6dd1f50f3ee90b8f8c7fa4ea533995099e61ca96d

SHA512
123fd58fada4d5f31377414dd9222cba58f9f5db9bd363f393523d6cd1516ea7ef25c4046e7ee4639e1a371fceced87ff938b4d6368381e71e717178f4be0f02

Download Submit
C:\Windows\{B5FD9646-9B4E-41d9-8055-D275CE51010C}.exe

Filesize
89KB

MD5
ea61fa685217d68d9d32b77d78d213e2

SHA1
8d40a8b0e07945d9f1deddd7509871710396605e

SHA256
1afb7d85618ea404fe78facb7f7bf0f0ff763e5950a585311d74f4dd263d83eb

SHA512
1d5b5ff8164e1b67c8a4be16f1b4b2c4e18cb48d58dc988156b404ca5a08bc234f9d71d4931a678c2348d85d5ba3f9bc5fbd5d13a58b2f2b34a33e57afa9c0a2

Download Submit
C:\Windows\{D5EF8330-382F-47cf-B540-8A356BEF425B}.exe

Filesize
89KB

MD5
c0d3f702e34d07cd1a92ca1f09615533

SHA1
64b04f1d08b79b978ec2237acca0192e19f197c0

SHA256
0ea737cdc5d16e18ffbe52e07a044e9f09dd6f379a9bcd5d5c05c295b4b7f39c

SHA512
7179f770bd49896e2d69e9c19f5f53812a6524d495c7f54e3b7ed33c68d819eb3dad24131293f7cc373aca4b696eacd5dde60ec385bf49b2c77d98280ff3f986

Download Submit
C:\Windows\{DB0DC069-101E-4850-8159-94F579BC92E1}.exe

Filesize
89KB

MD5
125711bdc346d54c84c665e18396013b

SHA1
f9be9fd25177de1bd5e918bfcb620c0e26f8ee2b

SHA256
624bdde2cc9b617d9742cca4cc9d7d37d595a11f1b0945889e143b038e5586a4

SHA512
7e2ea06d7495eb299158b2fc5f2accec2ecd1c66559880268c5927b2b600d9f76f13884f8ab8e9ada7cc3d36fbb091681cc9553e7baede13c98cd8310234cd1e

Download Submit
memory/588-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/588-61-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/588-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/932-106-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1544-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1544-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1784-54-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/1784-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1784-53-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2056-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2056-71-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2056-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2408-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2408-93-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2408-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-3-0x0000000001BD0000-0x0000000001BE1000-memory.dmp

Filesize
68KB

Download
memory/2692-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-41-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2900-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2900-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2900-31-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/3008-21-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/3008-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-103-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/3032-105-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-101-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads