57ef12291255aeb681d66cfa1e9ccc06821be22250117ffc0e3de85915d08c68

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1633053419e1c2a18825bad1c586b341.exe
Size

197KB
MD5

1633053419e1c2a18825bad1c586b341
SHA1

d2aaa2289bbda52a7bbeab4142574ff91bb22403
SHA256

57ef12291255aeb681d66cfa1e9ccc06821be22250117ffc0e3de85915d08c68
SHA512

27722782456e119867ebd131ad18ad9a1c76c274d26ceaa538e2aaa10938bf7b64bf02ef1cf5aa6a9bb883bce95f0dfe07be4cab9188d2af6cfd7fda547af4cc
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}\stubpath = "C:\\Windows\\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe"	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}\stubpath = "C:\\Windows\\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe"	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}\stubpath = "C:\\Windows\\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe"	1633053419e1c2a18825bad1c586b341.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F9598ED-189C-4830-8694-D8A436798E09}	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E82CFF-49D3-4112-9534-8009B368D2ED}\stubpath = "C:\\Windows\\{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe"	{9F9598ED-189C-4830-8694-D8A436798E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}\stubpath = "C:\\Windows\\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe"	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}\stubpath = "C:\\Windows\\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe"	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C571D0-122C-42af-A1FC-0A72E12387A5}	{66D421DD-8980-4337-B22A-30E5C680E14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C571D0-122C-42af-A1FC-0A72E12387A5}\stubpath = "C:\\Windows\\{73C571D0-122C-42af-A1FC-0A72E12387A5}.exe"	{66D421DD-8980-4337-B22A-30E5C680E14C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}	1633053419e1c2a18825bad1c586b341.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E82CFF-49D3-4112-9534-8009B368D2ED}	{9F9598ED-189C-4830-8694-D8A436798E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F9598ED-189C-4830-8694-D8A436798E09}\stubpath = "C:\\Windows\\{9F9598ED-189C-4830-8694-D8A436798E09}.exe"	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}\stubpath = "C:\\Windows\\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe"	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}\stubpath = "C:\\Windows\\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe"	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E032EA57-FC2B-4105-A02B-10E78C44034E}	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E032EA57-FC2B-4105-A02B-10E78C44034E}\stubpath = "C:\\Windows\\{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe"	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66D421DD-8980-4337-B22A-30E5C680E14C}\stubpath = "C:\\Windows\\{66D421DD-8980-4337-B22A-30E5C680E14C}.exe"	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66D421DD-8980-4337-B22A-30E5C680E14C}	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe
3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
3852	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe
3352	{66D421DD-8980-4337-B22A-30E5C680E14C}.exe
2412	{73C571D0-122C-42af-A1FC-0A72E12387A5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
File created	C:\Windows\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
File created	C:\Windows\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
File created	C:\Windows\{73C571D0-122C-42af-A1FC-0A72E12387A5}.exe	{66D421DD-8980-4337-B22A-30E5C680E14C}.exe
File created	C:\Windows\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	1633053419e1c2a18825bad1c586b341.exe
File created	C:\Windows\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
File created	C:\Windows\{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
File created	C:\Windows\{9F9598ED-189C-4830-8694-D8A436798E09}.exe	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
File created	C:\Windows\{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	{9F9598ED-189C-4830-8694-D8A436798E09}.exe
File created	C:\Windows\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
File created	C:\Windows\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
File created	C:\Windows\{66D421DD-8980-4337-B22A-30E5C680E14C}.exe	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3632	1633053419e1c2a18825bad1c586b341.exe
Token: SeIncBasePriorityPrivilege	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
Token: SeIncBasePriorityPrivilege	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
Token: SeIncBasePriorityPrivilege	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
Token: SeIncBasePriorityPrivilege	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe
Token: SeIncBasePriorityPrivilege	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
Token: SeIncBasePriorityPrivilege	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
Token: SeIncBasePriorityPrivilege	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
Token: SeIncBasePriorityPrivilege	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
Token: SeIncBasePriorityPrivilege	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
Token: SeIncBasePriorityPrivilege	3852	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe
Token: SeIncBasePriorityPrivilege	3352	{66D421DD-8980-4337-B22A-30E5C680E14C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 4844	3632	1633053419e1c2a18825bad1c586b341.exe	88
PID 3632 wrote to memory of 4844	3632	1633053419e1c2a18825bad1c586b341.exe	88
PID 3632 wrote to memory of 4844	3632	1633053419e1c2a18825bad1c586b341.exe	88
PID 3632 wrote to memory of 1828	3632	1633053419e1c2a18825bad1c586b341.exe	89
PID 3632 wrote to memory of 1828	3632	1633053419e1c2a18825bad1c586b341.exe	89
PID 3632 wrote to memory of 1828	3632	1633053419e1c2a18825bad1c586b341.exe	89
PID 4844 wrote to memory of 1200	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	97
PID 4844 wrote to memory of 1200	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	97
PID 4844 wrote to memory of 1200	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	97
PID 4844 wrote to memory of 1372	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	98
PID 4844 wrote to memory of 1372	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	98
PID 4844 wrote to memory of 1372	4844	{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe	98
PID 1200 wrote to memory of 4924	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	101
PID 1200 wrote to memory of 4924	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	101
PID 1200 wrote to memory of 4924	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	101
PID 1200 wrote to memory of 4344	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	100
PID 1200 wrote to memory of 4344	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	100
PID 1200 wrote to memory of 4344	1200	{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe	100
PID 4924 wrote to memory of 1264	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	102
PID 4924 wrote to memory of 1264	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	102
PID 4924 wrote to memory of 1264	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	102
PID 4924 wrote to memory of 2804	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	103
PID 4924 wrote to memory of 2804	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	103
PID 4924 wrote to memory of 2804	4924	{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe	103
PID 1264 wrote to memory of 3288	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe	104
PID 1264 wrote to memory of 3288	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe	104
PID 1264 wrote to memory of 3288	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe	104
PID 1264 wrote to memory of 1468	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe	105
PID 1264 wrote to memory of 1468	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe	105
PID 1264 wrote to memory of 1468	1264	{9F9598ED-189C-4830-8694-D8A436798E09}.exe	105
PID 3288 wrote to memory of 220	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	106
PID 3288 wrote to memory of 220	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	106
PID 3288 wrote to memory of 220	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	106
PID 3288 wrote to memory of 892	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	107
PID 3288 wrote to memory of 892	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	107
PID 3288 wrote to memory of 892	3288	{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe	107
PID 220 wrote to memory of 1952	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	108
PID 220 wrote to memory of 1952	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	108
PID 220 wrote to memory of 1952	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	108
PID 220 wrote to memory of 4676	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	109
PID 220 wrote to memory of 4676	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	109
PID 220 wrote to memory of 4676	220	{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe	109
PID 1952 wrote to memory of 2692	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	110
PID 1952 wrote to memory of 2692	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	110
PID 1952 wrote to memory of 2692	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	110
PID 1952 wrote to memory of 2164	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	111
PID 1952 wrote to memory of 2164	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	111
PID 1952 wrote to memory of 2164	1952	{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe	111
PID 2692 wrote to memory of 3268	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	112
PID 2692 wrote to memory of 3268	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	112
PID 2692 wrote to memory of 3268	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	112
PID 2692 wrote to memory of 808	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	113
PID 2692 wrote to memory of 808	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	113
PID 2692 wrote to memory of 808	2692	{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe	113
PID 3268 wrote to memory of 3852	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	114
PID 3268 wrote to memory of 3852	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	114
PID 3268 wrote to memory of 3852	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	114
PID 3268 wrote to memory of 5016	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	115
PID 3268 wrote to memory of 5016	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	115
PID 3268 wrote to memory of 5016	3268	{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe	115
PID 3852 wrote to memory of 3352	3852	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe	116
PID 3852 wrote to memory of 3352	3852	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe	116
PID 3852 wrote to memory of 3352	3852	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe	116
PID 3852 wrote to memory of 3640	3852	{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe	117

C:\Users\Admin\AppData\Local\Temp\1633053419e1c2a18825bad1c586b341.exe
"C:\Users\Admin\AppData\Local\Temp\1633053419e1c2a18825bad1c586b341.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
  C:\Windows\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
    C:\Windows\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E468~1.EXE > nul
      4⤵
      PID:4344
  - - C:\Windows\{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
      C:\Windows\{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\{9F9598ED-189C-4830-8694-D8A436798E09}.exe
        
        C:\Windows\{9F9598ED-189C-4830-8694-D8A436798E09}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
        
        C:\Windows\{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
        
        C:\Windows\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
        
        C:\Windows\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
        
        C:\Windows\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
        
        C:\Windows\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe
        
        C:\Windows\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\{66D421DD-8980-4337-B22A-30E5C680E14C}.exe
        
        C:\Windows\{66D421DD-8980-4337-B22A-30E5C680E14C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Windows\{73C571D0-122C-42af-A1FC-0A72E12387A5}.exe
        
        C:\Windows\{73C571D0-122C-42af-A1FC-0A72E12387A5}.exe
        13⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66D42~1.EXE > nul
        13⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E15C6~1.EXE > nul
        12⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EF2D~1.EXE > nul
        11⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12DFE~1.EXE > nul
        10⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69FF2~1.EXE > nul
        9⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BBFE~1.EXE > nul
        8⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E82~1.EXE > nul
        7⤵
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F959~1.EXE > nul
        6⤵
        
        PID:1468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E032E~1.EXE > nul
        5⤵
        
        PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B97E~1.EXE > nul
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\163305~1.EXE > nul
  2⤵
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12DFEE90-2DDE-4dcb-8916-02CFB5236B30}.exe

Filesize
197KB

MD5
b0cda874ea1f8f15e73da6425a271c09

SHA1
40ecba2f353b5d76e3557cdc74a72ef43ba896d1

SHA256
3891102027d93ac8b1a04cac6262052eee53c900de3a95c1b3d37cbc974f25d7

SHA512
76f3ef68259733c5744ed8aea9fdcb4f2fac200c25d4529de688dd5cacb53f6e173053065802d4c8d0606a24a5aa58cf5eb05ef1996cbdc32bfb294e91252dee

Download Submit
C:\Windows\{2E4686FF-D3A7-4cdc-B5D2-C2736464958E}.exe

Filesize
197KB

MD5
a2ea76de410f3187d4b840a868baf393

SHA1
9c6fc613c418ea93b058367c3faf026e0c88498c

SHA256
6e47edf12194a82df67d4b79e921fd4674f2e5b99a54e28c69d08625b650d64a

SHA512
04f0b18f02e9d4ca94491e5d25c0628d53e3b6484ad66eb523e0c3f5706ba8f39774fcfbbc65940889334a47e25176cc38af250c07de7cdb936a5ab043b6de24

Download Submit
C:\Windows\{66D421DD-8980-4337-B22A-30E5C680E14C}.exe

Filesize
197KB

MD5
207861234cb49f90b0d0e773d34989b9

SHA1
312167e08e4cc5aa9cd3fa4236c4ac51eb482117

SHA256
de77d7f9a0a8235180c18e5233ae9a93afdaa462e0be4ab7af4530dea6b79670

SHA512
63b34657371d7ecefdb65fcb313f31e9b8f82ca76fe067592baf0f1525883c541b0a52b39f13c22190456a54c569878355ae2127e56ca50aeb2485fddb54c370

Download Submit
C:\Windows\{69FF2E01-0696-4bec-8D17-9AD8E1B7FFCF}.exe

Filesize
197KB

MD5
ba934a234532268d2f9c1a12b80b9b15

SHA1
6906badb5911f2f702e4bc2f0276405c75069db6

SHA256
2ffb09760ab1771626c0776c36e6a2bb7cc59b344d31fb55a7c098ab08662720

SHA512
22465a732364ecc51ddd516442f5adc2041e36e22fe63c0d656a940895712fb718777250ddf652a3af60130d7ef0fe4162cde1212f6750ed5d2fe570e28d8983

Download Submit
C:\Windows\{6BBFEF3C-7CDA-4294-8533-346FA114FBFE}.exe

Filesize
197KB

MD5
1b3255403bd4dd31488cb2dcf4dc0931

SHA1
37ed6c3069f0260812282f30fc74ffba94f4c63f

SHA256
4e34ac34d79d54c127bfe3b5927c9c99fadd857240b960f87e074f7c014a829b

SHA512
d7790d47dfeccfdf0328e55dbef7c0cb87a713280e57e8e85d72109fe396f7e2c38bd3ee3940f52b98b99937841818a5abbb4e6e44ae85c0594c20275a603d36

Download Submit
C:\Windows\{73C571D0-122C-42af-A1FC-0A72E12387A5}.exe

Filesize
197KB

MD5
207d5a3c16ca1f38e5e42fcc5ff2a528

SHA1
ec999e9a11d1c7b95503d4fe302f2e39ac4f1ed4

SHA256
e6e0f176d65dbad6d4b8c2ece8b5bf0493f3b1236141e4aa91aed32b36b3649c

SHA512
7731f0107bf3570b6eaf9c1beb884e2b6c7ba32d320af6a343bf39d59672d579ca0b4bec85c7f8a41db4c27ba9c94a70f1f6d4c2abbfb3a7c813a9c2cd92070a

Download Submit
C:\Windows\{7B97E46F-3ACC-4bcb-A991-F668D37EB979}.exe

Filesize
197KB

MD5
c0bc834f5ddbcdb0d5d8fa40464af299

SHA1
d142fc6eaf7cd99f81412ac08f32758124bf9bbf

SHA256
9fc712a2d60ed7f60583c93bef8ddc8960f4681ef2e018e6ffdccf9d1d8343ca

SHA512
5b1a0e71e3995e9f4ef2c98d35f390e74fb9fe21232c7cdcd78ce374d6a92f7967ad7681c1c0ba08149de8428de3fe59394ea89ec2db03c22a0f98f978c0a614

Download Submit
C:\Windows\{8EF2D6EC-50E6-4a1e-A1BB-AA267621CEF2}.exe

Filesize
197KB

MD5
7de4d9753734dec6a2897c09fb3f40ba

SHA1
c9fed9a053b46b2a25f0f08ec0934e639c4e7a85

SHA256
dfba75b6d6d0672541ec82f129f056810d625bbb69a368ff505ca48fc3ec9a91

SHA512
9dd2e76ecd13ac36e0b7797cf14e4d4c2fa7e49419708295b9a59837c50f3b921945177cf7f08b7bdb1d53af7926cbd7f302c41f4b073ae672610146798610a5

Download Submit
C:\Windows\{9F9598ED-189C-4830-8694-D8A436798E09}.exe

Filesize
197KB

MD5
77c7db2fef5713a72309199f453aafd8

SHA1
bc23d28d47d07a5ccf6d6089123ec2d3727c9c83

SHA256
0031ecf70d40bdc1193a7a021f8114beb0b6a2cf251057a77038746ea08e36cd

SHA512
edf85e9887281a5a4e4e6ba8a7e104db7d58c1d2a487e4c41992963eff6681c3c9c6d80697daf39c322f240ffcb40283a588bfb0fa3b88c9e9076765e0cc1499

Download Submit
C:\Windows\{C4E82CFF-49D3-4112-9534-8009B368D2ED}.exe

Filesize
197KB

MD5
82e65418e40b24ad2f71777a2fa8b2e8

SHA1
62284d1f6d177114d07d47e037ddac6f1519d200

SHA256
e2185719763759c8408ba91f87464871fdfc09b17c8564969dc55aaf9ee9d137

SHA512
a461a0787ef24b8791c657dac3b773ca3f311dd06b89a4556c6cd2f27a83eff60361e0a23764529208a40f44e0519f120c1e7923dc6dbe4353d8c49c1baa3121

Download Submit
C:\Windows\{E032EA57-FC2B-4105-A02B-10E78C44034E}.exe

Filesize
197KB

MD5
1f8069b1bebff79cd6d2a770e6086ef9

SHA1
29c970c15af68dd57e624c36b96ba3700514ccac

SHA256
f1ae2ab1c0b5716da7e980bd195ba66d3bf2c4118aaaeda3f3eeb79ffdb00b73

SHA512
5892e7b9e4e4b092d7b3b348dca546c8c286efadf6c65ca1bcdaa3e890f98135edad771564847e0788288a18bdf96fda05f0d22a521f7392cd56eb8180e90d83

Download Submit
C:\Windows\{E15C6D73-0F1F-4fe9-A2A2-EC4032C6769D}.exe

Filesize
197KB

MD5
508b403366dcbddb3522c217a4d6e557

SHA1
b7eecdd3f90f4c4ce1f60930b5808b7226b8bdea

SHA256
d8763024d94c40112d95e4f0d9fd0ed89dbc6d5747cf4614b45131a513bd3c8f

SHA512
2a86ff75344369f0240272c9fb3216c34bf66c7c6142012c532262eed47c0563169e6138d54aa392ca22f7ba4b3b88a1feceadbd649f2565720ff6a5bd08ee4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads