7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6538f3adde737517d34a8746dadeaff7.exe
Size

192KB
MD5

6538f3adde737517d34a8746dadeaff7
SHA1

34795b3256e1c1cc3f214b77a65b97e259844822
SHA256

7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2
SHA512

0926e6dc2274144ca76f5e3e6c315ab24c50e9e52cfc8a1c14a7fd4dce551d0ef974713f19afc8f325a6db52c8209b311d13dbc4b526f5f28b4501887a1e9822
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{507B0706-535B-4a6a-B00E-39FFA1116775}\stubpath = "C:\\Windows\\{507B0706-535B-4a6a-B00E-39FFA1116775}.exe"	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0905AD72-FA22-450a-9627-B33CBD35822F}\stubpath = "C:\\Windows\\{0905AD72-FA22-450a-9627-B33CBD35822F}.exe"	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EEFBFDE-38B8-496b-AB8E-71336446277C}\stubpath = "C:\\Windows\\{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe"	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}\stubpath = "C:\\Windows\\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe"	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6262BB29-185A-41e5-93D9-561371E8149A}	{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}\stubpath = "C:\\Windows\\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe"	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77384281-576A-4bad-AC82-F34C1AC35168}\stubpath = "C:\\Windows\\{77384281-576A-4bad-AC82-F34C1AC35168}.exe"	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{507B0706-535B-4a6a-B00E-39FFA1116775}	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{423061DB-3090-4436-B8BA-8237AF7CB7F5}\stubpath = "C:\\Windows\\{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe"	6538f3adde737517d34a8746dadeaff7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EEFBFDE-38B8-496b-AB8E-71336446277C}	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}\stubpath = "C:\\Windows\\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe"	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}\stubpath = "C:\\Windows\\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe"	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EC2D0E-8517-4efa-B04A-031A6962D555}	{77384281-576A-4bad-AC82-F34C1AC35168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EC2D0E-8517-4efa-B04A-031A6962D555}\stubpath = "C:\\Windows\\{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe"	{77384281-576A-4bad-AC82-F34C1AC35168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0905AD72-FA22-450a-9627-B33CBD35822F}	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{423061DB-3090-4436-B8BA-8237AF7CB7F5}	6538f3adde737517d34a8746dadeaff7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6262BB29-185A-41e5-93D9-561371E8149A}\stubpath = "C:\\Windows\\{6262BB29-185A-41e5-93D9-561371E8149A}.exe"	{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}	{6262BB29-185A-41e5-93D9-561371E8149A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}\stubpath = "C:\\Windows\\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe"	{6262BB29-185A-41e5-93D9-561371E8149A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77384281-576A-4bad-AC82-F34C1AC35168}	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe

Executes dropped EXE 11 IoCs

pid	Process
380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
388	{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe
4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe
1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe
3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe
3776	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe
3952	{0905AD72-FA22-450a-9627-B33CBD35822F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	6538f3adde737517d34a8746dadeaff7.exe
File created	C:\Windows\{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
File created	C:\Windows\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
File created	C:\Windows\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
File created	C:\Windows\{0905AD72-FA22-450a-9627-B33CBD35822F}.exe	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe
File created	C:\Windows\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
File created	C:\Windows\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	{6262BB29-185A-41e5-93D9-561371E8149A}.exe
File created	C:\Windows\{77384281-576A-4bad-AC82-F34C1AC35168}.exe	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe
File created	C:\Windows\{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	{77384281-576A-4bad-AC82-F34C1AC35168}.exe
File created	C:\Windows\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
File created	C:\Windows\{507B0706-535B-4a6a-B00E-39FFA1116775}.exe	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4936	6538f3adde737517d34a8746dadeaff7.exe
Token: SeIncBasePriorityPrivilege	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
Token: SeIncBasePriorityPrivilege	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
Token: SeIncBasePriorityPrivilege	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
Token: SeIncBasePriorityPrivilege	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
Token: SeIncBasePriorityPrivilege	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe
Token: SeIncBasePriorityPrivilege	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe
Token: SeIncBasePriorityPrivilege	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe
Token: SeIncBasePriorityPrivilege	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
Token: SeIncBasePriorityPrivilege	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe
Token: SeIncBasePriorityPrivilege	3776	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 380	4936	6538f3adde737517d34a8746dadeaff7.exe	97
PID 4936 wrote to memory of 380	4936	6538f3adde737517d34a8746dadeaff7.exe	97
PID 4936 wrote to memory of 380	4936	6538f3adde737517d34a8746dadeaff7.exe	97
PID 4936 wrote to memory of 4468	4936	6538f3adde737517d34a8746dadeaff7.exe	98
PID 4936 wrote to memory of 4468	4936	6538f3adde737517d34a8746dadeaff7.exe	98
PID 4936 wrote to memory of 4468	4936	6538f3adde737517d34a8746dadeaff7.exe	98
PID 380 wrote to memory of 5080	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	101
PID 380 wrote to memory of 5080	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	101
PID 380 wrote to memory of 5080	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	101
PID 380 wrote to memory of 3588	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	102
PID 380 wrote to memory of 3588	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	102
PID 380 wrote to memory of 3588	380	{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe	102
PID 5080 wrote to memory of 1072	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	104
PID 5080 wrote to memory of 1072	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	104
PID 5080 wrote to memory of 1072	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	104
PID 5080 wrote to memory of 1636	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	105
PID 5080 wrote to memory of 1636	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	105
PID 5080 wrote to memory of 1636	5080	{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe	105
PID 1072 wrote to memory of 3820	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	108
PID 1072 wrote to memory of 3820	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	108
PID 1072 wrote to memory of 3820	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	108
PID 1072 wrote to memory of 3112	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	109
PID 1072 wrote to memory of 3112	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	109
PID 1072 wrote to memory of 3112	1072	{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe	109
PID 3820 wrote to memory of 388	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	110
PID 3820 wrote to memory of 388	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	110
PID 3820 wrote to memory of 388	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	110
PID 3820 wrote to memory of 4332	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	111
PID 3820 wrote to memory of 4332	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	111
PID 3820 wrote to memory of 4332	3820	{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe	111
PID 924 wrote to memory of 4788	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe	115
PID 924 wrote to memory of 4788	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe	115
PID 924 wrote to memory of 4788	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe	115
PID 924 wrote to memory of 3804	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe	116
PID 924 wrote to memory of 3804	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe	116
PID 924 wrote to memory of 3804	924	{6262BB29-185A-41e5-93D9-561371E8149A}.exe	116
PID 4788 wrote to memory of 1580	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	117
PID 4788 wrote to memory of 1580	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	117
PID 4788 wrote to memory of 1580	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	117
PID 4788 wrote to memory of 2324	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	118
PID 4788 wrote to memory of 2324	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	118
PID 4788 wrote to memory of 2324	4788	{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe	118
PID 1580 wrote to memory of 3044	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe	123
PID 1580 wrote to memory of 3044	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe	123
PID 1580 wrote to memory of 3044	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe	123
PID 1580 wrote to memory of 4616	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe	124
PID 1580 wrote to memory of 4616	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe	124
PID 1580 wrote to memory of 4616	1580	{77384281-576A-4bad-AC82-F34C1AC35168}.exe	124
PID 3044 wrote to memory of 3496	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	125
PID 3044 wrote to memory of 3496	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	125
PID 3044 wrote to memory of 3496	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	125
PID 3044 wrote to memory of 1016	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	126
PID 3044 wrote to memory of 1016	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	126
PID 3044 wrote to memory of 1016	3044	{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe	126
PID 3496 wrote to memory of 3776	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	127
PID 3496 wrote to memory of 3776	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	127
PID 3496 wrote to memory of 3776	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	127
PID 3496 wrote to memory of 4744	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	128
PID 3496 wrote to memory of 4744	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	128
PID 3496 wrote to memory of 4744	3496	{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe	128
PID 3776 wrote to memory of 3952	3776	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe	132
PID 3776 wrote to memory of 3952	3776	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe	132
PID 3776 wrote to memory of 3952	3776	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe	132
PID 3776 wrote to memory of 2880	3776	{507B0706-535B-4a6a-B00E-39FFA1116775}.exe	133

C:\Users\Admin\AppData\Local\Temp\6538f3adde737517d34a8746dadeaff7.exe
"C:\Users\Admin\AppData\Local\Temp\6538f3adde737517d34a8746dadeaff7.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
  C:\Windows\{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
    C:\Windows\{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
      C:\Windows\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
        
        C:\Windows\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
      - C:\Windows\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe
        
        C:\Windows\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\{6262BB29-185A-41e5-93D9-561371E8149A}.exe
        
        C:\Windows\{6262BB29-185A-41e5-93D9-561371E8149A}.exe
        7⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe
        
        C:\Windows\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{77384281-576A-4bad-AC82-F34C1AC35168}.exe
        
        C:\Windows\{77384281-576A-4bad-AC82-F34C1AC35168}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
        
        C:\Windows\{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe
        
        C:\Windows\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{507B0706-535B-4a6a-B00E-39FFA1116775}.exe
        
        C:\Windows\{507B0706-535B-4a6a-B00E-39FFA1116775}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{0905AD72-FA22-450a-9627-B33CBD35822F}.exe
        
        C:\Windows\{0905AD72-FA22-450a-9627-B33CBD35822F}.exe
        13⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{507B0~1.EXE > nul
        13⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79FE9~1.EXE > nul
        12⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11EC2~1.EXE > nul
        11⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77384~1.EXE > nul
        10⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22B10~1.EXE > nul
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6262B~1.EXE > nul
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF75~1.EXE > nul
        7⤵
        
        PID:2644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0944B~1.EXE > nul
        6⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C48A9~1.EXE > nul
        5⤵
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4EEFB~1.EXE > nul
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{42306~1.EXE > nul
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6538F3~1.EXE > nul
  2⤵
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0905AD72-FA22-450a-9627-B33CBD35822F}.exe

Filesize
192KB

MD5
3f772292f3a6326848edf37b0daedf97

SHA1
44a205369d8d37dad83779ed9f32a0a89c558ad8

SHA256
6ca02c206115694df2fc0d4d5dce9648d86fc565fd1048defe0d989756a1c0fd

SHA512
b246554565f1e5000d57cf8d8a0d7a2aa1a6663a23b385ee8fc2edf7eb773d0bdaff914ee4251b88c957d6929616eb0de1d55f842b175193519068d4940a3902

Download Submit
C:\Windows\{0944B8B6-9553-4e2f-8380-FB11BA8C6429}.exe

Filesize
192KB

MD5
39ed8f9df0914e9e5bdcece6d8750eae

SHA1
2a027154ccdab20a561e204ad987ad92b258e4ff

SHA256
68644939f499ce3b2fec6ab1fe7df8f73365baa169e9138c85d3b587f586d908

SHA512
9c9469e5d99b2b3a423246599a58edbafc6910297c29a46031416bbe68f88ecb9b7f3fd03bd101183a2108a67ada22c1c8230e9ffcac3ff87e29dfe305d14cc1

Download Submit
C:\Windows\{11EC2D0E-8517-4efa-B04A-031A6962D555}.exe

Filesize
192KB

MD5
ae4b34a58a8dd6cb69d9e341d8bc4aa2

SHA1
a71ef86c5e937cf30473601908cd4af5fb3b5e6b

SHA256
e6e6356997a6197433d7c0bc6dc0f09656ba8ea453d5618b706a8aff2e6577f1

SHA512
f30fdf3c2cb70a850737878ba0f51aad19a58b30d079d6d98c4ca49439e9749d9da0dfd9217bbc5e944358191ac968b9ee8fbaec95ec15befe15830d9adb0fa9

Download Submit
C:\Windows\{22B1098D-3A89-4218-9980-C5A82DFFFCA5}.exe

Filesize
192KB

MD5
0e9bc2b45ccf18d19d38af9db59ef767

SHA1
76471bda8500b17409b22af71ccd647b123701c2

SHA256
09e19d130e10bcc2ad2adbb0ceccdb7d8c13e5a91f37e341e3c08c30c613f3fb

SHA512
03e14f9114216859b8c69049c28a52fe6bb36d3bc6078763ab4186e25db0936eb1615480951ac115df363405571592e0c62f1764514beaec433fb132286aba40

Download Submit
C:\Windows\{423061DB-3090-4436-B8BA-8237AF7CB7F5}.exe

Filesize
192KB

MD5
1fc632f1b03260972f0be3207d4e808b

SHA1
c190f52be1286df65a457120d9d17384c5d4ed47

SHA256
a0a376fd6e58a749f3491c60c9d8406a50c6f22d9272bbfe66ce99d819e80cb4

SHA512
2862ccd97d97b483de9490ac6bb9ebc3920e7c63fb1218165e0377f703d53ae842b4120c0de3d577ff694aeebc2509665938ec379b29bb59d0cee0b7e695f303

Download Submit
C:\Windows\{4EEFBFDE-38B8-496b-AB8E-71336446277C}.exe

Filesize
192KB

MD5
ff0106997cad3a139075be23b847b1e4

SHA1
5af894b3f1ec24fb399fb63369fba7efd3d66e6e

SHA256
d6a434acef3152813fa0cd3e37d764c6616c26586d74ef238f54603664177291

SHA512
7232fa22a74bba22ab0cb6e7ddbbf9b7fbdae5d15fb0ba3f160a3b3418336c438c589d51140de99536c8997f23845cba39028096b1eaf713b80110683011cbed

Download Submit
C:\Windows\{507B0706-535B-4a6a-B00E-39FFA1116775}.exe

Filesize
192KB

MD5
f28444fc8c508bcb0da15a3d80a35bf7

SHA1
da1bfbd55ccecc187d63ec1bb7fff6bc7395cbac

SHA256
5f1fa6237e3a580d2a1f059acbea3483e3bf0ff05598c9421ca4f0582f644c5c

SHA512
00daab6fc046cc6c03e32ff0c7a2eb9d0d5b608bdd6fb9b136eff1ba3d0e275763fdaf3a53a0441087f38bd44032f7b3ecb455b790778594e11de6a98571b29d

Download Submit
C:\Windows\{6EF75F75-E4A7-44f8-8DCB-CE85B486891D}.exe

Filesize
192KB

MD5
ec75346801f5f9bcb5d4dae47b04da72

SHA1
fca495957e051c5693d189b494c1817dc9742d8e

SHA256
e255c081703d85152c3a7762fbbc1e55149074f28d057f523cd360430e112b1f

SHA512
85091089d41d109c4c41c7defcc07d0f10338a70636da309015de968c5829c54aa7b7204b03ad2b0c8f904c22a81c686e157f27c543e994413602dc69bd26d7e

Download Submit
C:\Windows\{77384281-576A-4bad-AC82-F34C1AC35168}.exe

Filesize
192KB

MD5
8ef0b8c21b3f0b7d81a3fb4eff6cdade

SHA1
aa8cd6f8ec46c200d78c61d03a67916451ba1609

SHA256
1c629b085dcd00ef3674a7b88561e6c4c1dea3a4e1fc7581143f4f9512fece6d

SHA512
38ddc471313327d358e0eb974d46d01bd84368305991d22c7c507c44f929b2df5e0c38e42fa95142e16a719eacd2ec376ed9ca57695217e74ac9e268ef1aa787

Download Submit
C:\Windows\{79FE95EB-F5A1-4c79-BFC8-7F02E493BA33}.exe

Filesize
192KB

MD5
c646ab037df9845da24f50abba1e3e27

SHA1
853c07d2ed9044af408202be365063fd6d001b59

SHA256
40ae4909269f60b1d887e7d75375797ee52360cf0170127660d10456b84bb541

SHA512
d81dce0219c6aba4fdfa825e8e6be04a32b4a68daf38a384dcc6d21072119b614c79150773970bd8acbc79e9f594155099e5ab63354f44ffc1a93a0bbecc4a85

Download Submit
C:\Windows\{C48A9432-8AFE-4e2b-A4BD-A289AC41B858}.exe

Filesize
192KB

MD5
77a0782688546a5c5692658762eb0c2e

SHA1
436f79ba5cada91ef94ab3baa38a52c5ae642a3f

SHA256
429f5a5724a5d73f93b83f71693744db2c3d2f1cfa1a5c2ee4cf8b856f4f0112

SHA512
9ede69a4176749ad8142c63814c95d3924fa7e6eff73d4bf0d61571146dd2df5024aafeaf309ef9d7ec05b8eec9920173e218ef524c917123853e6e73de40715

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads