18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Size

90KB
MD5

5575a0915af0e6825bd09e3d1aaca202
SHA1

d44d7270a30088a4f189696961638aa887b082af
SHA256

18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6
SHA512

dd8a760f227f53941e142dcbad0cb8ee0d8618b27ffdf40fd977df94ed81a2e6938c11fecf1c2bc4ff0afd83256c701abc8e11cd6c761df18417174fbf821fa5
SSDEEP

768:Qvw9816vhKQLrok4/wQRNrfrunMxVFA3b7glw:YEGh0okl2unMxVS3Hg

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}\stubpath = "C:\\Windows\\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}.exe"	{DD637351-3357-482d-8001-C267BAC09190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD637351-3357-482d-8001-C267BAC09190}\stubpath = "C:\\Windows\\{DD637351-3357-482d-8001-C267BAC09190}.exe"	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67DBB14F-F8B5-460a-A24F-981552F29744}	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67DBB14F-F8B5-460a-A24F-981552F29744}\stubpath = "C:\\Windows\\{67DBB14F-F8B5-460a-A24F-981552F29744}.exe"	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}\stubpath = "C:\\Windows\\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe"	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502267D4-1274-4df8-B7B8-AA668EFFC26D}	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}\stubpath = "C:\\Windows\\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe"	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FFC9836-5161-430f-80A2-A432F25B62F5}	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}\stubpath = "C:\\Windows\\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe"	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD637351-3357-482d-8001-C267BAC09190}	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}	{DD637351-3357-482d-8001-C267BAC09190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}\stubpath = "C:\\Windows\\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe"	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}\stubpath = "C:\\Windows\\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe"	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}\stubpath = "C:\\Windows\\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe"	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}\stubpath = "C:\\Windows\\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe"	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502267D4-1274-4df8-B7B8-AA668EFFC26D}\stubpath = "C:\\Windows\\{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe"	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FFC9836-5161-430f-80A2-A432F25B62F5}\stubpath = "C:\\Windows\\{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe"	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe
960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe
1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
3304	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
3264	{DD637351-3357-482d-8001-C267BAC09190}.exe
1996	{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DD637351-3357-482d-8001-C267BAC09190}.exe	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
File created	C:\Windows\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}.exe	{DD637351-3357-482d-8001-C267BAC09190}.exe
File created	C:\Windows\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
File created	C:\Windows\{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
File created	C:\Windows\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
File created	C:\Windows\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
File created	C:\Windows\{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
File created	C:\Windows\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe
File created	C:\Windows\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
File created	C:\Windows\{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
File created	C:\Windows\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
File created	C:\Windows\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
Token: SeIncBasePriorityPrivilege	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
Token: SeIncBasePriorityPrivilege	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
Token: SeIncBasePriorityPrivilege	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
Token: SeIncBasePriorityPrivilege	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
Token: SeIncBasePriorityPrivilege	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe
Token: SeIncBasePriorityPrivilege	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
Token: SeIncBasePriorityPrivilege	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
Token: SeIncBasePriorityPrivilege	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe
Token: SeIncBasePriorityPrivilege	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
Token: SeIncBasePriorityPrivilege	3304	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
Token: SeIncBasePriorityPrivilege	3264	{DD637351-3357-482d-8001-C267BAC09190}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1044	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	96
PID 3536 wrote to memory of 1044	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	96
PID 3536 wrote to memory of 1044	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	96
PID 3536 wrote to memory of 2916	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	97
PID 3536 wrote to memory of 2916	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	97
PID 3536 wrote to memory of 2916	3536	18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe	97
PID 1044 wrote to memory of 5020	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	98
PID 1044 wrote to memory of 5020	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	98
PID 1044 wrote to memory of 5020	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	98
PID 1044 wrote to memory of 2212	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	99
PID 1044 wrote to memory of 2212	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	99
PID 1044 wrote to memory of 2212	1044	{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe	99
PID 5020 wrote to memory of 3828	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	101
PID 5020 wrote to memory of 3828	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	101
PID 5020 wrote to memory of 3828	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	101
PID 5020 wrote to memory of 2928	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	102
PID 5020 wrote to memory of 2928	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	102
PID 5020 wrote to memory of 2928	5020	{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe	102
PID 3828 wrote to memory of 1524	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	103
PID 3828 wrote to memory of 1524	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	103
PID 3828 wrote to memory of 1524	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	103
PID 3828 wrote to memory of 4504	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	104
PID 3828 wrote to memory of 4504	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	104
PID 3828 wrote to memory of 4504	3828	{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe	104
PID 1524 wrote to memory of 1224	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	105
PID 1524 wrote to memory of 1224	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	105
PID 1524 wrote to memory of 1224	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	105
PID 1524 wrote to memory of 3424	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	106
PID 1524 wrote to memory of 3424	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	106
PID 1524 wrote to memory of 3424	1524	{67DBB14F-F8B5-460a-A24F-981552F29744}.exe	106
PID 1224 wrote to memory of 960	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	107
PID 1224 wrote to memory of 960	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	107
PID 1224 wrote to memory of 960	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	107
PID 1224 wrote to memory of 1340	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	108
PID 1224 wrote to memory of 1340	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	108
PID 1224 wrote to memory of 1340	1224	{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe	108
PID 960 wrote to memory of 752	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	109
PID 960 wrote to memory of 752	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	109
PID 960 wrote to memory of 752	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	109
PID 960 wrote to memory of 2260	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	110
PID 960 wrote to memory of 2260	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	110
PID 960 wrote to memory of 2260	960	{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe	110
PID 752 wrote to memory of 5060	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	111
PID 752 wrote to memory of 5060	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	111
PID 752 wrote to memory of 5060	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	111
PID 752 wrote to memory of 3280	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	112
PID 752 wrote to memory of 3280	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	112
PID 752 wrote to memory of 3280	752	{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe	112
PID 5060 wrote to memory of 1644	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	113
PID 5060 wrote to memory of 1644	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	113
PID 5060 wrote to memory of 1644	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	113
PID 5060 wrote to memory of 3004	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	114
PID 5060 wrote to memory of 3004	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	114
PID 5060 wrote to memory of 3004	5060	{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe	114
PID 1644 wrote to memory of 3304	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	115
PID 1644 wrote to memory of 3304	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	115
PID 1644 wrote to memory of 3304	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	115
PID 1644 wrote to memory of 636	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	116
PID 1644 wrote to memory of 636	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	116
PID 1644 wrote to memory of 636	1644	{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe	116
PID 3304 wrote to memory of 3264	3304	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe	117
PID 3304 wrote to memory of 3264	3304	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe	117
PID 3304 wrote to memory of 3264	3304	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe	117
PID 3304 wrote to memory of 2364	3304	{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe	118

C:\Users\Admin\AppData\Local\Temp\18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe
"C:\Users\Admin\AppData\Local\Temp\18e0a36fa46ef4cbbdca069fd4689558f5fcc9edca3207bc753636c1143d5fe6.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
  C:\Windows\{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
    C:\Windows\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
      C:\Windows\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
        
        C:\Windows\{67DBB14F-F8B5-460a-A24F-981552F29744}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe
        
        C:\Windows\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
        
        C:\Windows\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
        
        C:\Windows\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe
        
        C:\Windows\{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
        
        C:\Windows\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
        
        C:\Windows\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\{DD637351-3357-482d-8001-C267BAC09190}.exe
        
        C:\Windows\{DD637351-3357-482d-8001-C267BAC09190}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}.exe
        
        C:\Windows\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}.exe
        13⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD637~1.EXE > nul
        13⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1423~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA0DF~1.EXE > nul
        11⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50226~1.EXE > nul
        10⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F70E~1.EXE > nul
        9⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0988C~1.EXE > nul
        8⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77E14~1.EXE > nul
        7⤵
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67DBB~1.EXE > nul
        6⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D635~1.EXE > nul
        5⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC5E~1.EXE > nul
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFC9~1.EXE > nul
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\18E0A3~1.EXE > nul
  2⤵
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0988C034-1C24-4273-A5F0-72F33E0CA0D7}.exe

Filesize
90KB

MD5
7ee6a3398f3679681a3fe87d40a9fe07

SHA1
c64c6bcdba248b84a69948404351c15798218cb2

SHA256
78926be21c981b0481e48b3a306c1fd2d9fe7a9a1a5f8c25d88c4b4d45f95447

SHA512
eea1e941e91575d5fddfd867df0ea2bc882c61525eabd8e3c84702c55b9cdb7873622f8a762b891e09ab0dd7ed9ca77a4ddb75fd50d34536894ead74da639864

Download Submit
C:\Windows\{0F70E938-58A0-4c65-A612-0FA1CCC6E8AE}.exe

Filesize
90KB

MD5
873eef11ce86e3ec010f786ca76186f9

SHA1
55f35f7ef2348e4032d85564b620f6ce94d4310e

SHA256
fd79a27b71966921888f0cbfb8b1f2dcba9ae543f46a39e5efc90e80235ffea7

SHA512
3de248e82ffb3f9a5962b0763473c1465e29f469929c087bffe8d0cfa783da3cd8190797cc249d0a44727c238c3d7a1d1c4aa0ef12012f79778c6ed7503100cb

Download Submit
C:\Windows\{3FFC9836-5161-430f-80A2-A432F25B62F5}.exe

Filesize
90KB

MD5
0cba91e38016a8d065f5f3bbb16ada9c

SHA1
3bd97a722cb4dd38d8649dfc14dbb42dec186097

SHA256
25b7a0b74882052f3ff482b4a78960758459ee22e85f2a25e2b9b3c06f72497a

SHA512
85b25a146f2c095e18e1ce4bb840871e0f4f23bcb72cd7ff996ade690e83bc72220796caf7652b8a9d596baa37e56888e860374ed88de6696a6cbbd7ebe68509

Download Submit
C:\Windows\{502267D4-1274-4df8-B7B8-AA668EFFC26D}.exe

Filesize
90KB

MD5
eeddd209e6af7ecfaadcf1f3b9695aad

SHA1
4e521faef5b937635f54547d7832915cdaf4cdda

SHA256
dd56c301ca7a424e39a889039ff58691765a5f14e1825fe167995950840c3721

SHA512
893effbf998ff4d16766666effd82afdf895b74b4467ce1cfde7eee1558834ce10be93d0db6bb55fd7902edd32828d7f8f4e9ad86dfe36a6f142433278f2ad4c

Download Submit
C:\Windows\{5CC5ED8D-85FB-4027-8CD5-B941B1472E18}.exe

Filesize
90KB

MD5
022baf4476b02109b3166598f922702a

SHA1
9678cd441b8c2fb51f68ff2991ec815389140f45

SHA256
ace36f7e0cb9b565fab2a641fb006a2bd537fda86202947672db78f2c8e04087

SHA512
0dfcd170a9111edc5a59c9654048be22baff13df85a16332a4455f310bdd466d398d6658e0038b81175d98a7813b92f3dc36c07ce240b278483d8ee284134c67

Download Submit
C:\Windows\{5D635A65-C5B1-49b3-92AE-4ABF23DC8660}.exe

Filesize
90KB

MD5
935e0fcf5b60139c9f8dbdf49a0bbc2e

SHA1
59bfe370fd936f0f984f1a14f957ee30b08e851d

SHA256
2e68ff066031b941b237a42e7f478e8bd4f2dee243799cc209a147994177c2f6

SHA512
7748423b45f58d3536a12c17c1bcf18a9519a38d9dc6b237be988842bd862b447e5918888a37fb01d3eb224998c9fff059fef0eb9911d6b85fd6de043d4d9a2b

Download Submit
C:\Windows\{67DBB14F-F8B5-460a-A24F-981552F29744}.exe

Filesize
90KB

MD5
ec0de863eb263c0b5091eae67a7537e8

SHA1
12e025b24d7b180ebb2e916a7528c4ae398b6b4a

SHA256
75b9e903485de3fb8d64f3b35623aa8aa3785159515c83104f19bae08577e7b1

SHA512
6b117e17bd5758b5fd236b1025d14d1b6e5d9d4cb3c375d8ba25f83c683289632bc7e5311ea462533767c5319b63b4bd8776718ad283fe4bc92312d712758ab7

Download Submit
C:\Windows\{77E1457A-9D0D-49ff-AFB5-D61CC023D4B7}.exe

Filesize
90KB

MD5
3f1d49c19615ec20b3432a43a888fb0f

SHA1
ea0d2beada3ff321a1b782795b16525c7cb8257e

SHA256
d920144bdf8e26bbcd596d79c50123a8e57e732917a560da13993d4684e0ac5a

SHA512
29a07a093596b2211788c55bb5e9200909f696503d52ab9ba4195c917b8420c311ca48b1fa7cec6016c7e27727807de5a653860bf9d574107df3dd3cb4b2e60e

Download Submit
C:\Windows\{DD637351-3357-482d-8001-C267BAC09190}.exe

Filesize
90KB

MD5
2fd59196c6c3bd2aaada769cd831dc29

SHA1
c8bb9671d2cd1bd6f2590fdb2f24dc148e64ff3e

SHA256
46039ce0bed95e1d96909240b0d701837aef696063ab5e46efca8ac3fa2968d4

SHA512
a69fa2ec5d715574753f0cefa6d6e012f861cf7fada200eea2a390dc08523a57640b70f58fca869bbdca0752899b536a6cbddd4c325e6ae437b5072d4441b687

Download Submit
C:\Windows\{E1423618-B58F-47bd-9ECE-C6B6C37DD1E7}.exe

Filesize
90KB

MD5
90b9f9ac5d3defe58ea4344eab4f3802

SHA1
a4f55f5ef6149fc1097e7d654486ca99fd3d845a

SHA256
b3e25b5b293fdad668c26b20078f56d7a5398e34b2a45d319285f332d3825636

SHA512
747c7579855a86b584c839c6585b40cc1e1e726872b360798a021286ebdf8fee6fd13d46be33aef57544a68e246cc8ebbc018db7ed751b67273627683508bb42

Download Submit
C:\Windows\{EA0DFC60-0404-49ce-B2EE-C528C6FB0A78}.exe

Filesize
90KB

MD5
f17c571321eebda781e580d3ada618ac

SHA1
728e455a36357b25911bdad30a570beff3a8a516

SHA256
a6d3db0c73d890c5d52e7aa0969d05d5ea57d03f4fcdc7d6a578000c04c9c0d0

SHA512
d19f9f67e1af6bc2c3617bf5a8d0b3276d497e227f7c3ba9856a7354a1aa3f2851283040f11789c070f56da68cae4b71c36f23b432f56cb86f375e2035a08fc7

Download Submit
C:\Windows\{F0FB3B4F-340D-4dd0-9972-6B75C1966E74}.exe

Filesize
90KB

MD5
ca08ce99e2ebd4d174370fea48134731

SHA1
8ed545af1e390b4cae5dff014bdfa823f1f2fadb

SHA256
92ffc1e1ae7baf54997771a34ed0b02ddb7d894388c0aaa001ae46c9912a34fa

SHA512
b70c7206b8f4fa85f9a86a8692afefe9389c20200e7bec32d18f7a7ebfc9b0c351e961f2b23bd6e04c74b47a2355571826c6fdade17fe0f16cf44ee82962a959

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads