016332e80c05ed3d10840283fea5633e6a3ab5a6aa11a676f2756b5f5764ede4

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Size

380KB
MD5

dbc4b8f4f5e1bf2cd35ff794a32286c3
SHA1

cd721adf50b65a69563d20d25943460a4bd927e9
SHA256

016332e80c05ed3d10840283fea5633e6a3ab5a6aa11a676f2756b5f5764ede4
SHA512

6788ec3e4e9425907eb1e0127c414efd054a403c5992d5de6f20076aa6e154b6cb7dad5a654b45b9bd94022d29bf9da503cbbcb82dd4d67465f10a498ebecac6
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FD3607D-622D-4d05-8E74-6BB98356DE41}\stubpath = "C:\\Windows\\{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe"	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D117241-8B86-4738-A61E-7AE13555AA88}\stubpath = "C:\\Windows\\{6D117241-8B86-4738-A61E-7AE13555AA88}.exe"	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}\stubpath = "C:\\Windows\\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe"	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FD3607D-622D-4d05-8E74-6BB98356DE41}	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F96FB787-950A-4426-AD76-DE557E6CC39A}\stubpath = "C:\\Windows\\{F96FB787-950A-4426-AD76-DE557E6CC39A}.exe"	{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D117241-8B86-4738-A61E-7AE13555AA88}	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}\stubpath = "C:\\Windows\\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe"	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82457A21-75B6-462f-9C8B-282E4A6DBE42}\stubpath = "C:\\Windows\\{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe"	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD0D57CF-4083-4194-8584-3F129F513FF2}\stubpath = "C:\\Windows\\{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe"	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA0667B-5672-4a21-AD69-7115CF044A69}	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA0667B-5672-4a21-AD69-7115CF044A69}\stubpath = "C:\\Windows\\{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe"	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F96FB787-950A-4426-AD76-DE557E6CC39A}	{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}\stubpath = "C:\\Windows\\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe"	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}\stubpath = "C:\\Windows\\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe"	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82457A21-75B6-462f-9C8B-282E4A6DBE42}	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}\stubpath = "C:\\Windows\\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe"	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD0D57CF-4083-4194-8584-3F129F513FF2}	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}\stubpath = "C:\\Windows\\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe"	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe

Executes dropped EXE 12 IoCs

pid	Process
1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe
4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
4364	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe
3508	{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe
5104	{F96FB787-950A-4426-AD76-DE557E6CC39A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
File created	C:\Windows\{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
File created	C:\Windows\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
File created	C:\Windows\{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
File created	C:\Windows\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe
File created	C:\Windows\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
File created	C:\Windows\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
File created	C:\Windows\{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
File created	C:\Windows\{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
File created	C:\Windows\{F96FB787-950A-4426-AD76-DE557E6CC39A}.exe	{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe
File created	C:\Windows\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
File created	C:\Windows\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Token: SeIncBasePriorityPrivilege	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
Token: SeIncBasePriorityPrivilege	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
Token: SeIncBasePriorityPrivilege	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
Token: SeIncBasePriorityPrivilege	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
Token: SeIncBasePriorityPrivilege	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe
Token: SeIncBasePriorityPrivilege	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
Token: SeIncBasePriorityPrivilege	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
Token: SeIncBasePriorityPrivilege	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
Token: SeIncBasePriorityPrivilege	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
Token: SeIncBasePriorityPrivilege	4364	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe
Token: SeIncBasePriorityPrivilege	3508	{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1052	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	87
PID 2856 wrote to memory of 1052	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	87
PID 2856 wrote to memory of 1052	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	87
PID 2856 wrote to memory of 1108	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	88
PID 2856 wrote to memory of 1108	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	88
PID 2856 wrote to memory of 1108	2856	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	88
PID 1052 wrote to memory of 2996	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	94
PID 1052 wrote to memory of 2996	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	94
PID 1052 wrote to memory of 2996	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	94
PID 1052 wrote to memory of 4028	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	95
PID 1052 wrote to memory of 4028	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	95
PID 1052 wrote to memory of 4028	1052	{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe	95
PID 2996 wrote to memory of 4796	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	98
PID 2996 wrote to memory of 4796	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	98
PID 2996 wrote to memory of 4796	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	98
PID 2996 wrote to memory of 4324	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	97
PID 2996 wrote to memory of 4324	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	97
PID 2996 wrote to memory of 4324	2996	{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe	97
PID 4796 wrote to memory of 4460	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	99
PID 4796 wrote to memory of 4460	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	99
PID 4796 wrote to memory of 4460	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	99
PID 4796 wrote to memory of 3624	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	100
PID 4796 wrote to memory of 3624	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	100
PID 4796 wrote to memory of 3624	4796	{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe	100
PID 4460 wrote to memory of 1556	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	101
PID 4460 wrote to memory of 1556	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	101
PID 4460 wrote to memory of 1556	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	101
PID 4460 wrote to memory of 3752	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	102
PID 4460 wrote to memory of 3752	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	102
PID 4460 wrote to memory of 3752	4460	{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe	102
PID 1556 wrote to memory of 4032	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	103
PID 1556 wrote to memory of 4032	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	103
PID 1556 wrote to memory of 4032	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	103
PID 1556 wrote to memory of 4392	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	104
PID 1556 wrote to memory of 4392	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	104
PID 1556 wrote to memory of 4392	1556	{6D117241-8B86-4738-A61E-7AE13555AA88}.exe	104
PID 4032 wrote to memory of 3140	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	105
PID 4032 wrote to memory of 3140	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	105
PID 4032 wrote to memory of 3140	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	105
PID 4032 wrote to memory of 3392	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	106
PID 4032 wrote to memory of 3392	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	106
PID 4032 wrote to memory of 3392	4032	{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe	106
PID 3140 wrote to memory of 684	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	107
PID 3140 wrote to memory of 684	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	107
PID 3140 wrote to memory of 684	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	107
PID 3140 wrote to memory of 4480	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	108
PID 3140 wrote to memory of 4480	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	108
PID 3140 wrote to memory of 4480	3140	{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe	108
PID 684 wrote to memory of 4316	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	109
PID 684 wrote to memory of 4316	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	109
PID 684 wrote to memory of 4316	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	109
PID 684 wrote to memory of 2892	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	110
PID 684 wrote to memory of 2892	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	110
PID 684 wrote to memory of 2892	684	{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe	110
PID 4316 wrote to memory of 4364	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	111
PID 4316 wrote to memory of 4364	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	111
PID 4316 wrote to memory of 4364	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	111
PID 4316 wrote to memory of 4896	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	112
PID 4316 wrote to memory of 4896	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	112
PID 4316 wrote to memory of 4896	4316	{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe	112
PID 4364 wrote to memory of 3508	4364	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe	113
PID 4364 wrote to memory of 3508	4364	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe	113
PID 4364 wrote to memory of 3508	4364	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe	113
PID 4364 wrote to memory of 2544	4364	{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe	114

C:\Users\Admin\AppData\Local\Temp\dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
"C:\Users\Admin\AppData\Local\Temp\dbc4b8f4f5e1bf2cd35ff794a32286c3.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
  C:\Windows\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
    C:\Windows\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5DD~1.EXE > nul
      4⤵
      PID:4324
  - - C:\Windows\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
      C:\Windows\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
        
        C:\Windows\{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\{6D117241-8B86-4738-A61E-7AE13555AA88}.exe
        
        C:\Windows\{6D117241-8B86-4738-A61E-7AE13555AA88}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
        
        C:\Windows\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
        
        C:\Windows\{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
        
        C:\Windows\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
        
        C:\Windows\{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe
        
        C:\Windows\{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe
        
        C:\Windows\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\{F96FB787-950A-4426-AD76-DE557E6CC39A}.exe
        
        C:\Windows\{F96FB787-950A-4426-AD76-DE557E6CC39A}.exe
        13⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8517A~1.EXE > nul
        13⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBA06~1.EXE > nul
        12⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD0D5~1.EXE > nul
        11⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E630~1.EXE > nul
        10⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82457~1.EXE > nul
        9⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{364A6~1.EXE > nul
        8⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D117~1.EXE > nul
        7⤵
        
        PID:4392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FD36~1.EXE > nul
        6⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{386F1~1.EXE > nul
        5⤵
        
        PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E22D1~1.EXE > nul
    3⤵
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DBC4B8~1.EXE > nul
  2⤵
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E6303DF-57F7-41f4-ADDA-479F0F407A54}.exe

Filesize
380KB

MD5
40c3f3337fdbb28afd56a518e9609605

SHA1
cc159889e65dc9c146de1fc46ecc0af550706a82

SHA256
aab89c742fd68aa1a566952d56ae94b8f4ff0361ee8bfa4f8a97196f58aa50d7

SHA512
4acc507f96d2a9a3d8b3c18bc73978ea22578ce80896f47de7e7f7252331d69ebfdabfaddd167d7504b40dfdb5edb0055aa4af7c364a92386c3d1cb33e835c4f

Download Submit
C:\Windows\{364A6CDA-A501-4c46-B0B2-B4C245D49B01}.exe

Filesize
380KB

MD5
914ff180bbc72690d27f395bd72dc5fd

SHA1
cc3d24049ad539e446b7fbc6209f010a21bf3fb2

SHA256
f250d857f649dc53cfd4453e68513c1d17322253f950442d5101ae1814ba0686

SHA512
2c43469dbcf41230ea6fbf8dd5f88f9d0f7322cb1f78d1ca7104186181d22faaae036d5995121ee8176a694e8dd52159761e2ca1a5875f77c055ca5a2e7beb50

Download Submit
C:\Windows\{386F19AE-21D7-457e-A72E-EFA027CD7BD0}.exe

Filesize
380KB

MD5
356295c5e7a1669bf967d3da79e2a72a

SHA1
5d19fc3a26476b764bd20f969683f981373bad8f

SHA256
f74eadd9fd2eafe74fdbaf3963a39ab8de41a6cd6c1ce0b6b26b444d80d99efd

SHA512
3e9a4ad106c0df88be1105226f9c2da713ec5580dc642742ab504f9943ba49fe0f917ae91241ef6fc0ee398ac0c7e4c8f6a67995c8acff2d0f2e8d15e09986ff

Download Submit
C:\Windows\{3FD3607D-622D-4d05-8E74-6BB98356DE41}.exe

Filesize
380KB

MD5
8063b3afe11a9eafc51d88f58d65ca60

SHA1
f6d81015eabe030e55fab48bee4f783a555f0395

SHA256
13a74857b637bb2ef291f9aab0a26b8c13269d18c2fab06fdff1e4ac76eb91be

SHA512
68fd5bde7d42d327d0cb0dd762668ed865d42d3b7b9f6192072e77a808c04d3286defccfccdd10c8f7e5c0198ce70387fc6b34376f2373932eb12eba58c1fc1c

Download Submit
C:\Windows\{5D5DDF08-8527-42fb-B6DD-537D372E4B3E}.exe

Filesize
380KB

MD5
d83a9a816f2eb690c97d2f1d32a220cc

SHA1
66db367962d3e163fe8d1f3cc076f5ad093f31aa

SHA256
03a3993111574e83e6c1c21e46471b84ca3a9ee1baf276c8d8af1fcc29b9e712

SHA512
f5fbdeddcfac1dca1ced91e17bf46b7c96cfacfc987367770a49864badb881125eaafd7b238131e9e0757189c709523884e759f6d411e6a0c1dd5fa69b3a66d1

Download Submit
C:\Windows\{6D117241-8B86-4738-A61E-7AE13555AA88}.exe

Filesize
380KB

MD5
fa5e0fbf2d6f72485c12555eae736ca9

SHA1
64b3edc1eb2243de75e8efb5a04a8ea87b16e879

SHA256
ddc7a8800a7feb20cee5e3587c855ba23c9d667a3a5d6d1cf14e7fdfdba851fa

SHA512
d0fbb37a5f84f3ad985adb431d31bb7254ed26538676a1e77b5a5b26d18b6816822eaec9e26e8c6ada379dfbfb289391806d34d6c9785c37e9e2034bc1d908e2

Download Submit
C:\Windows\{82457A21-75B6-462f-9C8B-282E4A6DBE42}.exe

Filesize
380KB

MD5
f3f593603ef7c24e1cf5104bac58c29b

SHA1
17aef8e2440aa8e17169be64a838672c152bfabc

SHA256
a50bb4b35888a97b6b683ede5bcafa0a1b9d4669e0a2d225424a44a0b79418b6

SHA512
95d29e068543d1d9007811af9d094dd8440467a3b1d0a8baf592a2b2ef8ddff527ae106305ea834a7fc26a3de45ad7ef9045f6895bf6132406c4bb2e60b8f35a

Download Submit
C:\Windows\{8517A635-CCD7-4c36-AACD-E06F52CF4E1C}.exe

Filesize
380KB

MD5
dfdcc14d35b267438b5151b2d1a94ada

SHA1
9cb97de2c0635b2e2dda2bd753c6d589427a2543

SHA256
ce05c5166285163436c517b14afc531b60a5fa05a42dbf92ee7aac494dfe9f29

SHA512
a4c89929fec705139dc6dc29e28aa78a6cab03e9cbf8d6774b38b1a4f01dc9ba1982177c2cdb7c9d95f9545ad70909ab856f24e38fad34f776eda8e9920d65db

Download Submit
C:\Windows\{BBA0667B-5672-4a21-AD69-7115CF044A69}.exe

Filesize
380KB

MD5
7afd4aa31bea22d5428c66f8e03b5012

SHA1
ac08a29af94fe95648a269e1827d704a65dcf4d1

SHA256
f8c0a15c3b8d987c7fa0ecb7abe53134cd172d7ec55f5440ffdff264f11decdd

SHA512
14251e770d1317833c5943ef7d89f15a0963e3445cdd7e5f7f23770b2290ae5b15400e7780840e529be1b039f78c94804d750012c08df61686377cbc5f732c94

Download Submit
C:\Windows\{BD0D57CF-4083-4194-8584-3F129F513FF2}.exe

Filesize
380KB

MD5
9a4f57747a4a58d8a84b01e4da446705

SHA1
d470bd5b929fd23a276dab04c33d5e1e87dabe5f

SHA256
f06f514f523f395a6935ee22928fe97e4f5f50a28adf36b4e86255b120acf23d

SHA512
780d769e36dd6055fdfdd3a8a5879277986b7c209e745ce3a021922b53c2d566203b741dd3818c5ce6438eaae3d9d6c9764327e866853b12c7f962c41f6a7937

Download Submit
C:\Windows\{E22D1C4D-8682-4b96-90D2-3B7B60F0AF3F}.exe

Filesize
380KB

MD5
4084a3e993e957870f1b239e5cf0260b

SHA1
fcf9ae10ca95bffd593cced60dfc6c1acfc81c6e

SHA256
2c8487406c69f19381b376a7f42250a3acfcd17ceb9efe91a4f66b3b6a077c2d

SHA512
dcba041ffb16d2f521f464e268f20c06c99b05e258157216365efdc1f1fdf746e3b576fb5c5cdf7acca32447e48a5758cda64f5c5f7c13d7ea647a8d9c8163d7

Download Submit
C:\Windows\{F96FB787-950A-4426-AD76-DE557E6CC39A}.exe

Filesize
380KB

MD5
c373e5ba04a4e486a4fa35e7386e2df2

SHA1
eab7299dd0c2cbdb51561b524d4db58b5500a784

SHA256
f0da6a71b22c1352f1fef44f3683c37c45937d17f646fa6413c71bca3968049f

SHA512
751d5ae487799da9ac1c820d841f76ff4364b690f473a76661a264efe7cb4dce6f60cdcb9550ca109cfb60dbabe43e7d1b25e4360080dc4a668ab3db99d5da0a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads