516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe
Size

116KB
MD5

20e901be4bd4be95e2d0b2c92d0ea05c
SHA1

cf2a3d8367095ecaa39e0261fdc2c8e6e6f8315e
SHA256

516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf
SHA512

158ec9c321c49e276ce088caacdb6e8885966e3ff8011f9fc4eef2b1d34114c3898757c0dbc6523bc2d54a516706ec540e34f698fb7ec929b977d1eab08f6b65
SSDEEP

768:Qvw9816vhKQLrozj4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiL3:YEGh0ozjl2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}\stubpath = "C:\\Windows\\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe"	{7047190F-C062-4624-825E-339856369B66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}	{F471E84C-2E75-4222-AE09-30403C08B820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}\stubpath = "C:\\Windows\\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}.exe"	{5A03D215-4703-417d-936F-0F64109C05BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}\stubpath = "C:\\Windows\\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe"	{F471E84C-2E75-4222-AE09-30403C08B820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}\stubpath = "C:\\Windows\\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe"	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}	{5A03D215-4703-417d-936F-0F64109C05BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}	{7047190F-C062-4624-825E-339856369B66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E4CB95-F050-449e-87E5-380B6C980462}\stubpath = "C:\\Windows\\{05E4CB95-F050-449e-87E5-380B6C980462}.exe"	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}\stubpath = "C:\\Windows\\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe"	{05E4CB95-F050-449e-87E5-380B6C980462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57F70C48-D66C-4916-B80C-563D5DD1B02A}\stubpath = "C:\\Windows\\{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe"	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F471E84C-2E75-4222-AE09-30403C08B820}\stubpath = "C:\\Windows\\{F471E84C-2E75-4222-AE09-30403C08B820}.exe"	{35C58501-2890-44a3-8A74-296AD17093F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7047190F-C062-4624-825E-339856369B66}	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E4CB95-F050-449e-87E5-380B6C980462}	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}	{05E4CB95-F050-449e-87E5-380B6C980462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C58501-2890-44a3-8A74-296AD17093F2}	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C58501-2890-44a3-8A74-296AD17093F2}\stubpath = "C:\\Windows\\{35C58501-2890-44a3-8A74-296AD17093F2}.exe"	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A03D215-4703-417d-936F-0F64109C05BE}	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A03D215-4703-417d-936F-0F64109C05BE}\stubpath = "C:\\Windows\\{5A03D215-4703-417d-936F-0F64109C05BE}.exe"	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7047190F-C062-4624-825E-339856369B66}\stubpath = "C:\\Windows\\{7047190F-C062-4624-825E-339856369B66}.exe"	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}\stubpath = "C:\\Windows\\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe"	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57F70C48-D66C-4916-B80C-563D5DD1B02A}	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F471E84C-2E75-4222-AE09-30403C08B820}	{35C58501-2890-44a3-8A74-296AD17093F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe

Executes dropped EXE 12 IoCs

pid	Process
884	{7047190F-C062-4624-825E-339856369B66}.exe
1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe
748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe
2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe
4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe
3500	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe
4192	{5A03D215-4703-417d-936F-0F64109C05BE}.exe
5064	{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe
File created	C:\Windows\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}.exe	{5A03D215-4703-417d-936F-0F64109C05BE}.exe
File created	C:\Windows\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	{7047190F-C062-4624-825E-339856369B66}.exe
File created	C:\Windows\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
File created	C:\Windows\{35C58501-2890-44a3-8A74-296AD17093F2}.exe	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
File created	C:\Windows\{F471E84C-2E75-4222-AE09-30403C08B820}.exe	{35C58501-2890-44a3-8A74-296AD17093F2}.exe
File created	C:\Windows\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	{F471E84C-2E75-4222-AE09-30403C08B820}.exe
File created	C:\Windows\{7047190F-C062-4624-825E-339856369B66}.exe	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe
File created	C:\Windows\{05E4CB95-F050-449e-87E5-380B6C980462}.exe	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
File created	C:\Windows\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	{05E4CB95-F050-449e-87E5-380B6C980462}.exe
File created	C:\Windows\{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
File created	C:\Windows\{5A03D215-4703-417d-936F-0F64109C05BE}.exe	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe
Token: SeIncBasePriorityPrivilege	884	{7047190F-C062-4624-825E-339856369B66}.exe
Token: SeIncBasePriorityPrivilege	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
Token: SeIncBasePriorityPrivilege	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe
Token: SeIncBasePriorityPrivilege	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
Token: SeIncBasePriorityPrivilege	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
Token: SeIncBasePriorityPrivilege	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
Token: SeIncBasePriorityPrivilege	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe
Token: SeIncBasePriorityPrivilege	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe
Token: SeIncBasePriorityPrivilege	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe
Token: SeIncBasePriorityPrivilege	3500	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe
Token: SeIncBasePriorityPrivilege	4192	{5A03D215-4703-417d-936F-0F64109C05BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 884	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe	98
PID 1980 wrote to memory of 884	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe	98
PID 1980 wrote to memory of 884	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe	98
PID 1980 wrote to memory of 4624	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe	99
PID 1980 wrote to memory of 4624	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe	99
PID 1980 wrote to memory of 4624	1980	516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe	99
PID 884 wrote to memory of 1640	884	{7047190F-C062-4624-825E-339856369B66}.exe	101
PID 884 wrote to memory of 1640	884	{7047190F-C062-4624-825E-339856369B66}.exe	101
PID 884 wrote to memory of 1640	884	{7047190F-C062-4624-825E-339856369B66}.exe	101
PID 884 wrote to memory of 3544	884	{7047190F-C062-4624-825E-339856369B66}.exe	102
PID 884 wrote to memory of 3544	884	{7047190F-C062-4624-825E-339856369B66}.exe	102
PID 884 wrote to memory of 3544	884	{7047190F-C062-4624-825E-339856369B66}.exe	102
PID 1640 wrote to memory of 2392	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	106
PID 1640 wrote to memory of 2392	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	106
PID 1640 wrote to memory of 2392	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	106
PID 1640 wrote to memory of 2340	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	107
PID 1640 wrote to memory of 2340	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	107
PID 1640 wrote to memory of 2340	1640	{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe	107
PID 2392 wrote to memory of 748	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe	108
PID 2392 wrote to memory of 748	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe	108
PID 2392 wrote to memory of 748	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe	108
PID 2392 wrote to memory of 4872	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe	109
PID 2392 wrote to memory of 4872	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe	109
PID 2392 wrote to memory of 4872	2392	{05E4CB95-F050-449e-87E5-380B6C980462}.exe	109
PID 748 wrote to memory of 2492	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	110
PID 748 wrote to memory of 2492	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	110
PID 748 wrote to memory of 2492	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	110
PID 748 wrote to memory of 4372	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	111
PID 748 wrote to memory of 4372	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	111
PID 748 wrote to memory of 4372	748	{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe	111
PID 2492 wrote to memory of 3732	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	117
PID 2492 wrote to memory of 3732	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	117
PID 2492 wrote to memory of 3732	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	117
PID 2492 wrote to memory of 4980	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	118
PID 2492 wrote to memory of 4980	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	118
PID 2492 wrote to memory of 4980	2492	{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe	118
PID 3732 wrote to memory of 3936	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	119
PID 3732 wrote to memory of 3936	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	119
PID 3732 wrote to memory of 3936	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	119
PID 3732 wrote to memory of 2164	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	120
PID 3732 wrote to memory of 2164	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	120
PID 3732 wrote to memory of 2164	3732	{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe	120
PID 3936 wrote to memory of 2080	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe	121
PID 3936 wrote to memory of 2080	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe	121
PID 3936 wrote to memory of 2080	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe	121
PID 3936 wrote to memory of 2576	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe	122
PID 3936 wrote to memory of 2576	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe	122
PID 3936 wrote to memory of 2576	3936	{35C58501-2890-44a3-8A74-296AD17093F2}.exe	122
PID 2080 wrote to memory of 4188	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe	127
PID 2080 wrote to memory of 4188	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe	127
PID 2080 wrote to memory of 4188	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe	127
PID 2080 wrote to memory of 2256	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe	128
PID 2080 wrote to memory of 2256	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe	128
PID 2080 wrote to memory of 2256	2080	{F471E84C-2E75-4222-AE09-30403C08B820}.exe	128
PID 4188 wrote to memory of 3500	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	129
PID 4188 wrote to memory of 3500	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	129
PID 4188 wrote to memory of 3500	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	129
PID 4188 wrote to memory of 2040	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	130
PID 4188 wrote to memory of 2040	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	130
PID 4188 wrote to memory of 2040	4188	{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe	130
PID 3500 wrote to memory of 4192	3500	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe	131
PID 3500 wrote to memory of 4192	3500	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe	131
PID 3500 wrote to memory of 4192	3500	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe	131
PID 3500 wrote to memory of 4604	3500	{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe	132

C:\Users\Admin\AppData\Local\Temp\516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe
"C:\Users\Admin\AppData\Local\Temp\516399a5e8b1f0b601f8a6c0f58c7bb868877b4bbcbf851acd46c04e3c5da2bf.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\{7047190F-C062-4624-825E-339856369B66}.exe
  C:\Windows\{7047190F-C062-4624-825E-339856369B66}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
    C:\Windows\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\{05E4CB95-F050-449e-87E5-380B6C980462}.exe
      C:\Windows\{05E4CB95-F050-449e-87E5-380B6C980462}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
        
        C:\Windows\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Windows\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
        
        C:\Windows\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
        
        C:\Windows\{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{35C58501-2890-44a3-8A74-296AD17093F2}.exe
        
        C:\Windows\{35C58501-2890-44a3-8A74-296AD17093F2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\{F471E84C-2E75-4222-AE09-30403C08B820}.exe
        
        C:\Windows\{F471E84C-2E75-4222-AE09-30403C08B820}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe
        
        C:\Windows\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe
        
        C:\Windows\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{5A03D215-4703-417d-936F-0F64109C05BE}.exe
        
        C:\Windows\{5A03D215-4703-417d-936F-0F64109C05BE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}.exe
        
        C:\Windows\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}.exe
        13⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A03D~1.EXE > nul
        13⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCAE8~1.EXE > nul
        12⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ED9B~1.EXE > nul
        11⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F471E~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C58~1.EXE > nul
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57F70~1.EXE > nul
        8⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC7E~1.EXE > nul
        7⤵
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EFBC~1.EXE > nul
        6⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05E4C~1.EXE > nul
        5⤵
        
        PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{511FB~1.EXE > nul
      4⤵
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70471~1.EXE > nul
    3⤵
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\516399~1.EXE > nul
  2⤵
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05E4CB95-F050-449e-87E5-380B6C980462}.exe

Filesize
116KB

MD5
88c0ad1c3da735ab4cd0fa9dcf0f666f

SHA1
f0702c9a6daee29888a3ee24efc17ea8ee8c0a80

SHA256
e825c489dd4ac6666f95b436a87de2c18ec4c7669b34ea39f48050911162d49e

SHA512
2e11e0e18d00150dd2977fa99e3d8155323b420f6e0912e898d323c8623c9a95052f60ce95a663aed9ad9e93df0b35c8dcb23a035dd6ee156da69bac5fbc9774

Download Submit
C:\Windows\{35C58501-2890-44a3-8A74-296AD17093F2}.exe

Filesize
116KB

MD5
e5216086b1c81c32affd8b78dc034ae7

SHA1
cb78e349ce76be431bf2584276d6eabc7d3c767c

SHA256
d8d220ad356ef3de11cab738346074cfe8ede4a8b0db2135c8c8e7062954669d

SHA512
2a1eab1cc6cdb6aaf1a8e03974c04b10ce063f25689981d176152a77e292bd761f8c6b16419d964b153b7cc3d54d3b7cf034a415c69e51262b028f6211942cb3

Download Submit
C:\Windows\{3ED9B0B7-1A21-4d0c-94F0-756C3BBD395E}.exe

Filesize
116KB

MD5
8e45d875b2abf2562807397374d34138

SHA1
c2e027d70e3407f98285eec6dc32e3c199b612f8

SHA256
6155f472eb41ca202ddb8bdc5a88c27ec2f904b6fc78c66f7c0f8051ca9ed0c6

SHA512
f395ecbe37fcfecc8aad46b6d62080735be30e8355632ae5288414f052cccffa6a5ea451ffff14bce26862f393e523bf2d54b0e4ab2408bfcb3ae7f562e5f128

Download Submit
C:\Windows\{4EFBCB75-ECCF-4cdd-BF68-EC9FA4108C5A}.exe

Filesize
116KB

MD5
32bb47deb54c6605207e3363f8600683

SHA1
cad87fbb605e4012874c73cd93852d99a588a3e8

SHA256
bfe0b7f0f8359c2e59682d4dadb152944dad2cb2b43ba3d3107eac9a1e4343e9

SHA512
9777583944a07d2cd5d1b4bd24758baed2c92b4fcc4a36743d68153a2005bc71c724a1e40200785b91af1039dc14bcd948207bc1b41f79306b8c21bbc2607075

Download Submit
C:\Windows\{511FB1CB-BCC5-4e7b-981A-D3BF0FB07286}.exe

Filesize
116KB

MD5
fb65bc7476a24024707b9f7c24c606a2

SHA1
eb950d17328fd41ae044eb255ab783819f469f6b

SHA256
03e6cb04f2b635282d5042c859dfb569da1e1c37ef2bf22644b7b4a909d49b61

SHA512
8b7d4232e77b2ed50d830bb2b7f5a9b0a8e8d023a2a33bef0ffa0682df540cffc919e153617caa0f97f68779eb92f5715376936348ddddbbc1bfde9370955205

Download Submit
C:\Windows\{57F70C48-D66C-4916-B80C-563D5DD1B02A}.exe

Filesize
116KB

MD5
710546a203c29197cfd94f9b41cd0d39

SHA1
9c497c81acf6157768cc90ea87cd6b0e02e5e814

SHA256
14e9b34370123855e49eaabe2671897200f9cb0b8eaeeb655ca5bba7b1091e19

SHA512
8eec36ebefbf861f64989af428ce9419d5961e68e2ef5401a86d73a13f8257f338fbe2c6a88be28e64e82f83957eca691b1b083dd39b19f5a7c88cbafdfbab76

Download Submit
C:\Windows\{5A03D215-4703-417d-936F-0F64109C05BE}.exe

Filesize
116KB

MD5
c0cd07ee9bf8f9f0f2fbb4ce8142792a

SHA1
0acc05e695c4cb0f5274def37f12650d67802e7f

SHA256
bd0a8b800c952056ad0b0626f4b859799e293fd7f012c433d035e1c8bbf738f5

SHA512
a083c9012de6a484a7941cbd409cbb6c4946baca7d389c2c8667169adf7b143a46d5e007fbe687ecb437a933552b8745b2f2f1e76d9f7f28d7143f25dd491d53

Download Submit
C:\Windows\{7047190F-C062-4624-825E-339856369B66}.exe

Filesize
116KB

MD5
c86a3d7cf2d8c4d062cb2fb9a36cddad

SHA1
f0fbecf8f83b35b75a2c31bd03014e9b1131dc65

SHA256
b1b8e009e285f7a64fbb07f81e7cc50fda8aec8c08101a242e8d009e719c2fff

SHA512
68f6e267ea549264dc5b97a7ca7acd1f3e5401ab00307f3476d20fdbfab581ba21c2be318ce1ab4c1be2b88d006c668cbe7b981ac39ff0f11409cd4c493e7107

Download Submit
C:\Windows\{B4E34BDC-82B1-4b41-A874-3ECD83CE3F2C}.exe

Filesize
116KB

MD5
b7bf8988ccfa34a58b7cb1bdec4e7c03

SHA1
fae902a53529d91dd2b27a1351ea86e545756804

SHA256
48076f2e7032a6123e5dee5be543835deab0f446b949760897c2f86e7f7dac64

SHA512
360c17194d109897aa58e501a5716bb84996d541553a1270172eca66f3dfcdd9f261bb336e1fc92edf967d1a16b818a307cafe8b04011149c106b9664022c809

Download Submit
C:\Windows\{CCAE8988-7B47-43ef-B70E-66E583C3E5A8}.exe

Filesize
116KB

MD5
1cf0acabec1c392927a3f94af4eeeb49

SHA1
d885ad15aad60b2385d92a277b55204cd68fd77b

SHA256
d6235ae0447b84a1bac1c8b5c33dd557373e0121f41c1f51b15c3518644b97bd

SHA512
f801eb9e600567c9c2d4ad66a2c34cfc48e8e4a9c0652a184e95628a38e2b89e1a83db578c1d38e3fb2f7028ef928aa833a9dd5eadf07d0355adf5e6dff2cdfa

Download Submit
C:\Windows\{ECC7EB6B-B7D8-48e3-AD4C-32E69DF996A4}.exe

Filesize
116KB

MD5
3b5a5b515444eb3ee0c2473c208712ab

SHA1
f093e263f6c9ea47add137ac2f7f2b09afb3cf70

SHA256
c3a59045b894376b2ebb051feebb86998b6f98c24bb542611f63c117c7e835c0

SHA512
f071e06bd26a8e6b71bc466c28072622e5e66a7003581cfc62fb39b6384e6e6aba3c989cc57b2dbac15dcca6dda3281a07628197a5290e49034bea6d6fa1f3d1

Download Submit
C:\Windows\{F471E84C-2E75-4222-AE09-30403C08B820}.exe

Filesize
116KB

MD5
1f01bdae094459df67871708e4031439

SHA1
a31614fe8f7909268291eab128ac14f211fe8e0f

SHA256
f5e4d376cf5f15e301e28ee09a2f0c9de30bcd4cd0719c9fed3dee6a7b71f901

SHA512
7b1bd61b84bcaa344b335c11caf34788dd314a7aaed37588335388653c7b4fcf710e64afe7bcc347a02dbff1a81f0c5cd677f1ce3a53f481e3580f652e24d323

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads