ea356661afb783886dbbafaebc946de408bba1e37fade1377620395ff8c58bae

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce7c8807d103d8658927e1c64be9d41f.exe
Size

180KB
MD5

ce7c8807d103d8658927e1c64be9d41f
SHA1

9be0433277bc2d7ca510ce31f3b94f47eb91e162
SHA256

ea356661afb783886dbbafaebc946de408bba1e37fade1377620395ff8c58bae
SHA512

94ae165fc095f47946f64b57b4aecfd725f1d03d9cddea93893d62fef5b625807d93636022e5dd273e0e12240308692a208c4621fe99f43c1b7fc92f2cfec058
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGCl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}	{523F458D-71DD-421a-8B13-D582983D3835}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31E8A46C-B256-400e-A73D-296D4D536493}\stubpath = "C:\\Windows\\{31E8A46C-B256-400e-A73D-296D4D536493}.exe"	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C51EC04-E52D-4e83-947B-E213199C7DA9}	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C51EC04-E52D-4e83-947B-E213199C7DA9}\stubpath = "C:\\Windows\\{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe"	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8823E0F5-497A-47b6-8E4C-0C96F3097657}	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B12FA056-2F95-40b7-86B1-9595415364B4}	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B12FA056-2F95-40b7-86B1-9595415364B4}\stubpath = "C:\\Windows\\{B12FA056-2F95-40b7-86B1-9595415364B4}.exe"	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{523F458D-71DD-421a-8B13-D582983D3835}	ce7c8807d103d8658927e1c64be9d41f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46D3CA57-1517-4756-A09F-44AA12E731E4}\stubpath = "C:\\Windows\\{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe"	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B1338F-E657-478e-8799-3F3371F5BBD6}\stubpath = "C:\\Windows\\{C5B1338F-E657-478e-8799-3F3371F5BBD6}.exe"	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46D3CA57-1517-4756-A09F-44AA12E731E4}	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8097251-5270-4c36-B708-4E02A3A3295B}\stubpath = "C:\\Windows\\{E8097251-5270-4c36-B708-4E02A3A3295B}.exe"	{31E8A46C-B256-400e-A73D-296D4D536493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8823E0F5-497A-47b6-8E4C-0C96F3097657}\stubpath = "C:\\Windows\\{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe"	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}\stubpath = "C:\\Windows\\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe"	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}\stubpath = "C:\\Windows\\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe"	{523F458D-71DD-421a-8B13-D582983D3835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31E8A46C-B256-400e-A73D-296D4D536493}	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8097251-5270-4c36-B708-4E02A3A3295B}	{31E8A46C-B256-400e-A73D-296D4D536493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}\stubpath = "C:\\Windows\\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe"	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B1338F-E657-478e-8799-3F3371F5BBD6}	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{523F458D-71DD-421a-8B13-D582983D3835}\stubpath = "C:\\Windows\\{523F458D-71DD-421a-8B13-D582983D3835}.exe"	ce7c8807d103d8658927e1c64be9d41f.exe

Executes dropped EXE 11 IoCs

pid	Process
840	{523F458D-71DD-421a-8B13-D582983D3835}.exe
3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe
2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
1944	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe
400	{C5B1338F-E657-478e-8799-3F3371F5BBD6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{523F458D-71DD-421a-8B13-D582983D3835}.exe	ce7c8807d103d8658927e1c64be9d41f.exe
File created	C:\Windows\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	{523F458D-71DD-421a-8B13-D582983D3835}.exe
File created	C:\Windows\{31E8A46C-B256-400e-A73D-296D4D536493}.exe	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
File created	C:\Windows\{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
File created	C:\Windows\{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
File created	C:\Windows\{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	{31E8A46C-B256-400e-A73D-296D4D536493}.exe
File created	C:\Windows\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
File created	C:\Windows\{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
File created	C:\Windows\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
File created	C:\Windows\{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
File created	C:\Windows\{C5B1338F-E657-478e-8799-3F3371F5BBD6}.exe	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3540	ce7c8807d103d8658927e1c64be9d41f.exe
Token: SeIncBasePriorityPrivilege	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe
Token: SeIncBasePriorityPrivilege	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
Token: SeIncBasePriorityPrivilege	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe
Token: SeIncBasePriorityPrivilege	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
Token: SeIncBasePriorityPrivilege	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
Token: SeIncBasePriorityPrivilege	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
Token: SeIncBasePriorityPrivilege	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
Token: SeIncBasePriorityPrivilege	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
Token: SeIncBasePriorityPrivilege	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
Token: SeIncBasePriorityPrivilege	1944	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 840	3540	ce7c8807d103d8658927e1c64be9d41f.exe	83
PID 3540 wrote to memory of 840	3540	ce7c8807d103d8658927e1c64be9d41f.exe	83
PID 3540 wrote to memory of 840	3540	ce7c8807d103d8658927e1c64be9d41f.exe	83
PID 3540 wrote to memory of 4508	3540	ce7c8807d103d8658927e1c64be9d41f.exe	84
PID 3540 wrote to memory of 4508	3540	ce7c8807d103d8658927e1c64be9d41f.exe	84
PID 3540 wrote to memory of 4508	3540	ce7c8807d103d8658927e1c64be9d41f.exe	84
PID 840 wrote to memory of 3484	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe	88
PID 840 wrote to memory of 3484	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe	88
PID 840 wrote to memory of 3484	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe	88
PID 840 wrote to memory of 1824	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe	87
PID 840 wrote to memory of 1824	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe	87
PID 840 wrote to memory of 1824	840	{523F458D-71DD-421a-8B13-D582983D3835}.exe	87
PID 3484 wrote to memory of 1128	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	94
PID 3484 wrote to memory of 1128	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	94
PID 3484 wrote to memory of 1128	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	94
PID 3484 wrote to memory of 1700	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	93
PID 3484 wrote to memory of 1700	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	93
PID 3484 wrote to memory of 1700	3484	{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe	93
PID 1128 wrote to memory of 2320	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe	98
PID 1128 wrote to memory of 2320	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe	98
PID 1128 wrote to memory of 2320	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe	98
PID 1128 wrote to memory of 952	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe	99
PID 1128 wrote to memory of 952	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe	99
PID 1128 wrote to memory of 952	1128	{31E8A46C-B256-400e-A73D-296D4D536493}.exe	99
PID 2320 wrote to memory of 1740	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	101
PID 2320 wrote to memory of 1740	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	101
PID 2320 wrote to memory of 1740	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	101
PID 2320 wrote to memory of 4988	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	100
PID 2320 wrote to memory of 4988	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	100
PID 2320 wrote to memory of 4988	2320	{E8097251-5270-4c36-B708-4E02A3A3295B}.exe	100
PID 1740 wrote to memory of 5012	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	103
PID 1740 wrote to memory of 5012	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	103
PID 1740 wrote to memory of 5012	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	103
PID 1740 wrote to memory of 1332	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	102
PID 1740 wrote to memory of 1332	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	102
PID 1740 wrote to memory of 1332	1740	{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe	102
PID 5012 wrote to memory of 4180	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	104
PID 5012 wrote to memory of 4180	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	104
PID 5012 wrote to memory of 4180	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	104
PID 5012 wrote to memory of 4048	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	105
PID 5012 wrote to memory of 4048	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	105
PID 5012 wrote to memory of 4048	5012	{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe	105
PID 4180 wrote to memory of 1132	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	106
PID 4180 wrote to memory of 1132	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	106
PID 4180 wrote to memory of 1132	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	106
PID 4180 wrote to memory of 928	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	107
PID 4180 wrote to memory of 928	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	107
PID 4180 wrote to memory of 928	4180	{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe	107
PID 1132 wrote to memory of 1140	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	108
PID 1132 wrote to memory of 1140	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	108
PID 1132 wrote to memory of 1140	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	108
PID 1132 wrote to memory of 4260	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	109
PID 1132 wrote to memory of 4260	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	109
PID 1132 wrote to memory of 4260	1132	{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe	109
PID 1140 wrote to memory of 1944	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	110
PID 1140 wrote to memory of 1944	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	110
PID 1140 wrote to memory of 1944	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	110
PID 1140 wrote to memory of 4724	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	111
PID 1140 wrote to memory of 4724	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	111
PID 1140 wrote to memory of 4724	1140	{B12FA056-2F95-40b7-86B1-9595415364B4}.exe	111
PID 1944 wrote to memory of 400	1944	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe	112
PID 1944 wrote to memory of 400	1944	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe	112
PID 1944 wrote to memory of 400	1944	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe	112
PID 1944 wrote to memory of 4012	1944	{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe	113

C:\Users\Admin\AppData\Local\Temp\ce7c8807d103d8658927e1c64be9d41f.exe
"C:\Users\Admin\AppData\Local\Temp\ce7c8807d103d8658927e1c64be9d41f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\{523F458D-71DD-421a-8B13-D582983D3835}.exe
  C:\Windows\{523F458D-71DD-421a-8B13-D582983D3835}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{523F4~1.EXE > nul
    3⤵
    PID:1824
- - C:\Windows\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
    C:\Windows\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D35~1.EXE > nul
      4⤵
      PID:1700
  - - C:\Windows\{31E8A46C-B256-400e-A73D-296D4D536493}.exe
      C:\Windows\{31E8A46C-B256-400e-A73D-296D4D536493}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
        
        C:\Windows\{E8097251-5270-4c36-B708-4E02A3A3295B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8097~1.EXE > nul
        6⤵
        
        PID:4988
      - C:\Windows\{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
        
        C:\Windows\{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C51E~1.EXE > nul
        7⤵
        
        PID:1332
        
        C:\Windows\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
        
        C:\Windows\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
        
        C:\Windows\{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
        
        C:\Windows\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
        
        C:\Windows\{B12FA056-2F95-40b7-86B1-9595415364B4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe
        
        C:\Windows\{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{C5B1338F-E657-478e-8799-3F3371F5BBD6}.exe
        
        C:\Windows\{C5B1338F-E657-478e-8799-3F3371F5BBD6}.exe
        12⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46D3C~1.EXE > nul
        12⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B12FA~1.EXE > nul
        11⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6CBF~1.EXE > nul
        10⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8823E~1.EXE > nul
        9⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{506C5~1.EXE > nul
        8⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31E8A~1.EXE > nul
        5⤵
        
        PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CE7C88~1.EXE > nul
  2⤵
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C51EC04-E52D-4e83-947B-E213199C7DA9}.exe

Filesize
180KB

MD5
7688a201b344cac5d23068ad803d70ea

SHA1
8714a02c0d168dd40b368e62abbc8b100feff6fc

SHA256
8413886e1fae998946e43494e31380050d01adc86292dd0e70782393aa2af924

SHA512
1776a90d87f62d10f1b58ccd9c543c8ef521ef5d2189f2c56fc2f6db801dcdcfef293c43b9e257a35d56c5ec460ef4a9e650d5c9fec2051257ee6bf9c6e76ec3

Download Submit
C:\Windows\{31E8A46C-B256-400e-A73D-296D4D536493}.exe

Filesize
180KB

MD5
68fb16d5ce5aad71c5d79a8534073009

SHA1
78bc20dfc146012ccd33ca989d45ebfa1436239f

SHA256
a4b1d3b81b2c0e63a95ca749f6d7acc982dea3a8c729d185024128ecc522a3b0

SHA512
f28a3e84eb910613e2081abede2dab2e669774e6b39b1ef4dc7ad0ce06516b24969e86cdc4c2b496097e875fa0d55df0e80323a31e735b946c5eb34f246f13b0

Download Submit
C:\Windows\{46D3CA57-1517-4756-A09F-44AA12E731E4}.exe

Filesize
180KB

MD5
ae02126330b7472d8104314442815a95

SHA1
1a3c163434aa85a2ea8d5e7eb8d770d733cb4948

SHA256
ee8868e1f1d7e5368aa87fa0316215355f0d0c5c2b2e8852e914ccbc607f7a84

SHA512
2af9c504661773731207f9f4a0013fe31965f8656777b1851dc41dd49efb163d0d479aeae98a223109d3d8731de944515bad6a5e076cbfbbcc446dcff124215f

Download Submit
C:\Windows\{506C51D7-8E14-470a-AFFF-73EBBDD54FFB}.exe

Filesize
180KB

MD5
147dfb151be9321a8c06e980eaf74084

SHA1
43140ba35dd6da080d3ce0a83f3cc132fd804f34

SHA256
d5189fec6f2cde4dfaaf8f86aa8bd7dc15d6271ef74bac4c23530a5e87ec6f1e

SHA512
fcde6b64c005bc6cd05d465c5799c7e7cc0b58d3fc6f69a438f708ecf173cdf3d9b2278a1c1fd6a27b8f5199faf82d21d2802c411c3c2cdc2317d743db2cfb3b

Download Submit
C:\Windows\{523F458D-71DD-421a-8B13-D582983D3835}.exe

Filesize
180KB

MD5
7252d76a4a028adc9a64f007050d143e

SHA1
a338fe74ffea2c04fa929dfb1125afa620dc067f

SHA256
c1d1ee010fda130ec93fa8aa2f83c3dca39a1d69641da5ffb03b663f2471d626

SHA512
88cff8585c56c64807ed19d588cff5a043d04c9b723d925b78356bdda5bfe4f0309cafa7c3688a409c573d4ca013b02becb154227b78b2ff5dcd3614e8427414

Download Submit
C:\Windows\{8823E0F5-497A-47b6-8E4C-0C96F3097657}.exe

Filesize
180KB

MD5
68403993cd456010ebbbc81ed8c671e7

SHA1
de4ba5f4617b7eaf3a9a5ddd478b96f937dcccbc

SHA256
e2e6c1ff3e8117ec35f9cc57f9d16fbbd66fb31119bddd67cf6834f0901b1bde

SHA512
278a91f325911bb0c03378f2136d1cf6ea6a49b2629480693115d69e83fbfcd0be265aebbf5f87f57fbe284a2033699305a462a29559ff8081ca97676af94cda

Download Submit
C:\Windows\{B12FA056-2F95-40b7-86B1-9595415364B4}.exe

Filesize
180KB

MD5
7e64dcd780b08079a6b7c1b895a80034

SHA1
9d7f65f5521ed4b5223994f6c6b909ffda46d0de

SHA256
21971632906e0b9775903337114515ef5ef95fd3e90839250d699d1cbb61ea18

SHA512
23c51534f0a58f5acdaa578edd647d53b354f50171896ff6a2caafe50e77b2292f49eaf15b06ffd3c40e33e5e492bba2decf6d9cfc4ddc75db775ff8d739f790

Download Submit
C:\Windows\{C5B1338F-E657-478e-8799-3F3371F5BBD6}.exe

Filesize
180KB

MD5
d4d112b1db938d3f47a688c114de6de0

SHA1
023cec04312f543953398f280c381c9ddf14483b

SHA256
718923dca0a8721fc71b43218fbbb82b379e7f17eab796265afe04a8313c5298

SHA512
dbd9ccb7e7a04d6733f747fdd5b756cf07cc6cd361b5a51531d5318e8bad67f2fd40edc15ef0d150a677123da9c1e8813b5b5595d36f1470d06dfdd09e5459b9

Download Submit
C:\Windows\{C6CBFEEE-914D-4f15-936F-F1E738DD2946}.exe

Filesize
180KB

MD5
32fb00859dd060b6c10adbeac00a5281

SHA1
c68e26887854a114f032486c0e3e4f4c3c087982

SHA256
57cdaf3b09de65d8870979d43da4d4d4e3ae654b4bcc3ca3c604e1d144e44e14

SHA512
42b3e5f9110d3820cb082532a6ce9bda635f0255321aee6c8dbcb0386b305c68af0f4573558ecd7c90bbc0145a07be8df68750840a4f8c785b1cde196c1133bb

Download Submit
C:\Windows\{E7D35341-165B-4fd7-A9E4-2A1E8B8ED404}.exe

Filesize
180KB

MD5
ead9695a85b756b468ba67806580cc2e

SHA1
08aa0fab1095de9e6bbb1bb53a582b4765ebbe30

SHA256
36d8e4ea3d53eb1589d6b6bc4ee972cd7d29966b30eaf51417e823f5232d8076

SHA512
13be9da6a589fd133dc33f881311c37ed469f29037bf0f03a758a97d77d92a6ae6014aba40a7ebeb4e31399cf1dcef46bfcb4ff69c490b64d9b19bc2f813d2ec

Download Submit
C:\Windows\{E8097251-5270-4c36-B708-4E02A3A3295B}.exe

Filesize
180KB

MD5
687d84748e665036affc8e08ee86317d

SHA1
287c7115486969c21dcd1bac2bfa43eb49c46381

SHA256
77e1b31ab1a9c5739e49adce0f109b83f2e40cefaa515c0c772aa234cc158e28

SHA512
a39ae43c19e106a39e9d83d97ff7643bdf736574f89e3c278294cdae8c98c91d851f2781775cfa590a9e4d47483669405e9df6b9688b0e623b89172052c2ec8c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads