9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Size

90KB
MD5

31690d1be4b7bd2f5e651c660f63e8a0
SHA1

9f3ef0b804751115d31fe51b40a9defd2505bc46
SHA256

9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f
SHA512

a36e25d2149045ce97b503716970192ba9480cc031721a3565b3ec86274562d5bdad3ef14a714724edb6c07046b22b86b86701a55a657aaa8f50e180a99cda17
SSDEEP

768:Qvw9816vhKQLroY4/wQRNrfrunMxVFA3b7glws:YEGh0oYl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}\stubpath = "C:\\Windows\\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe"	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07A6B4C4-A960-4fce-A027-C2C1140D7818}	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D3EA32-71D9-43ed-B15D-BA23629959B1}	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}\stubpath = "C:\\Windows\\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe"	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}\stubpath = "C:\\Windows\\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe"	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6284049-160D-4349-BE40-B3D3B40599A0}	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}\stubpath = "C:\\Windows\\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}.exe"	{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E01069F2-B786-4ede-BC88-91B59C4F11AB}\stubpath = "C:\\Windows\\{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe"	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}\stubpath = "C:\\Windows\\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe"	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}	{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50CB5D21-C085-4ecb-B3C1-7153996CF609}	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50CB5D21-C085-4ecb-B3C1-7153996CF609}\stubpath = "C:\\Windows\\{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe"	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E01069F2-B786-4ede-BC88-91B59C4F11AB}	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07A6B4C4-A960-4fce-A027-C2C1140D7818}\stubpath = "C:\\Windows\\{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe"	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}\stubpath = "C:\\Windows\\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe"	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D3EA32-71D9-43ed-B15D-BA23629959B1}\stubpath = "C:\\Windows\\{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe"	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6284049-160D-4349-BE40-B3D3B40599A0}\stubpath = "C:\\Windows\\{C6284049-160D-4349-BE40-B3D3B40599A0}.exe"	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}\stubpath = "C:\\Windows\\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe"	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
3772	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe
3768	{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe
4564	{4B22E8DE-D9D6-432e-944B-FAA7B736A777}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
File created	C:\Windows\{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
File created	C:\Windows\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
File created	C:\Windows\{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
File created	C:\Windows\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
File created	C:\Windows\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}.exe	{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe
File created	C:\Windows\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
File created	C:\Windows\{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
File created	C:\Windows\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
File created	C:\Windows\{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
File created	C:\Windows\{C6284049-160D-4349-BE40-B3D3B40599A0}.exe	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
File created	C:\Windows\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
Token: SeIncBasePriorityPrivilege	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
Token: SeIncBasePriorityPrivilege	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
Token: SeIncBasePriorityPrivilege	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
Token: SeIncBasePriorityPrivilege	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
Token: SeIncBasePriorityPrivilege	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
Token: SeIncBasePriorityPrivilege	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
Token: SeIncBasePriorityPrivilege	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
Token: SeIncBasePriorityPrivilege	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
Token: SeIncBasePriorityPrivilege	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
Token: SeIncBasePriorityPrivilege	3772	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe
Token: SeIncBasePriorityPrivilege	3768	{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2316	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	99
PID 3596 wrote to memory of 2316	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	99
PID 3596 wrote to memory of 2316	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	99
PID 3596 wrote to memory of 1940	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	100
PID 3596 wrote to memory of 1940	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	100
PID 3596 wrote to memory of 1940	3596	9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe	100
PID 2316 wrote to memory of 2896	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	101
PID 2316 wrote to memory of 2896	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	101
PID 2316 wrote to memory of 2896	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	101
PID 2316 wrote to memory of 5064	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	102
PID 2316 wrote to memory of 5064	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	102
PID 2316 wrote to memory of 5064	2316	{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe	102
PID 2896 wrote to memory of 1380	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	105
PID 2896 wrote to memory of 1380	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	105
PID 2896 wrote to memory of 1380	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	105
PID 2896 wrote to memory of 4316	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	106
PID 2896 wrote to memory of 4316	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	106
PID 2896 wrote to memory of 4316	2896	{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe	106
PID 1380 wrote to memory of 4204	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	107
PID 1380 wrote to memory of 4204	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	107
PID 1380 wrote to memory of 4204	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	107
PID 1380 wrote to memory of 1000	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	108
PID 1380 wrote to memory of 1000	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	108
PID 1380 wrote to memory of 1000	1380	{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe	108
PID 4204 wrote to memory of 4920	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	109
PID 4204 wrote to memory of 4920	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	109
PID 4204 wrote to memory of 4920	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	109
PID 4204 wrote to memory of 4396	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	110
PID 4204 wrote to memory of 4396	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	110
PID 4204 wrote to memory of 4396	4204	{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe	110
PID 4920 wrote to memory of 1960	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	112
PID 4920 wrote to memory of 1960	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	112
PID 4920 wrote to memory of 1960	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	112
PID 4920 wrote to memory of 5060	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	113
PID 4920 wrote to memory of 5060	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	113
PID 4920 wrote to memory of 5060	4920	{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe	113
PID 1960 wrote to memory of 3060	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	114
PID 1960 wrote to memory of 3060	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	114
PID 1960 wrote to memory of 3060	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	114
PID 1960 wrote to memory of 2232	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	115
PID 1960 wrote to memory of 2232	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	115
PID 1960 wrote to memory of 2232	1960	{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe	115
PID 3060 wrote to memory of 3024	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	122
PID 3060 wrote to memory of 3024	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	122
PID 3060 wrote to memory of 3024	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	122
PID 3060 wrote to memory of 3712	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	123
PID 3060 wrote to memory of 3712	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	123
PID 3060 wrote to memory of 3712	3060	{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe	123
PID 3024 wrote to memory of 4824	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	124
PID 3024 wrote to memory of 4824	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	124
PID 3024 wrote to memory of 4824	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	124
PID 3024 wrote to memory of 2612	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	125
PID 3024 wrote to memory of 2612	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	125
PID 3024 wrote to memory of 2612	3024	{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe	125
PID 4824 wrote to memory of 3772	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	126
PID 4824 wrote to memory of 3772	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	126
PID 4824 wrote to memory of 3772	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	126
PID 4824 wrote to memory of 3600	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	127
PID 4824 wrote to memory of 3600	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	127
PID 4824 wrote to memory of 3600	4824	{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe	127
PID 3772 wrote to memory of 3768	3772	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe	130
PID 3772 wrote to memory of 3768	3772	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe	130
PID 3772 wrote to memory of 3768	3772	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe	130
PID 3772 wrote to memory of 1068	3772	{C6284049-160D-4349-BE40-B3D3B40599A0}.exe	131

C:\Users\Admin\AppData\Local\Temp\9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe
"C:\Users\Admin\AppData\Local\Temp\9cd202f3ddc75b61a17266c72cbf3718fa957826c8ecca694f5d768f4e797b1f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
  C:\Windows\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
    C:\Windows\{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
      C:\Windows\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
        
        C:\Windows\{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Windows\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
        
        C:\Windows\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
        
        C:\Windows\{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
        
        C:\Windows\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
        
        C:\Windows\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
        
        C:\Windows\{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\{C6284049-160D-4349-BE40-B3D3B40599A0}.exe
        
        C:\Windows\{C6284049-160D-4349-BE40-B3D3B40599A0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe
        
        C:\Windows\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}.exe
        
        C:\Windows\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}.exe
        13⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BE6D~1.EXE > nul
        13⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6284~1.EXE > nul
        12⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07A6B~1.EXE > nul
        11⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE1C~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C68D~1.EXE > nul
        9⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0106~1.EXE > nul
        8⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE985~1.EXE > nul
        7⤵
        
        PID:5060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50CB5~1.EXE > nul
        6⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0FA~1.EXE > nul
        5⤵
        
        PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47D3E~1.EXE > nul
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D9C3~1.EXE > nul
    3⤵
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9CD202~1.EXE > nul
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07A6B4C4-A960-4fce-A027-C2C1140D7818}.exe

Filesize
90KB

MD5
9c336089b6dff8c299a6d50f8409f3e3

SHA1
2038c8f4345e8cfe408d8478039441982d3bbe1f

SHA256
9597df31e896f9713173aedb3e6283bb2f21e8457f8943335bb62d96b1a62e35

SHA512
bc019c9c6bd7c9b36bd4816618661143baf270b2125051e6e7684c99e2cef090fb63d82cc398f5887b82d04c0ef2f34d98d45abd83eec89afa30a6515a1657e7

Download Submit
C:\Windows\{1BE6D45C-EEC4-4685-998C-5315FCF825D0}.exe

Filesize
90KB

MD5
1337f152b707d1e0c6887be46d3be392

SHA1
d079bf78ec246c3ba91426cfdab4ec2e1a8cdf5b

SHA256
ecf1f85133ee21a1611cd917f01c997c838afc947127ec413f8f9332cf38ade3

SHA512
7482b8238af2d5d335fd98dea2ba3b0d223d889bb996330cca9fa714d2f1a277e3401eaf98d9db0abcbcc2d91dd7cce69622e1adfcb27f90b45c9a81b93e3b26

Download Submit
C:\Windows\{47D3EA32-71D9-43ed-B15D-BA23629959B1}.exe

Filesize
90KB

MD5
724b187794f7adf795882b381dcc9710

SHA1
07dade6dbf1aedd8f2de59d751d0dd1882211372

SHA256
cb8f2381bf6a762fc05418dca3327f4b3e54a5b2413ecc8cd52917b19fd40722

SHA512
18e0d49191689c85bdbea7a762ab0f3ab7ee8972b88627fd5314b118c7454bb5a8eaa9c3283789ee0b54a6b32580caff51f60726cae4170647930e06e3eb5d04

Download Submit
C:\Windows\{4B22E8DE-D9D6-432e-944B-FAA7B736A777}.exe

Filesize
90KB

MD5
ef2883ec101e628c0b31d0d424f6ad68

SHA1
1b9175b2aad6d1865ce875560840471316a46459

SHA256
5ab8056bd0dfb6755b935c933db41e635ad15e1a3a029f5c44dade3f84fdc7eb

SHA512
03af7fc1be4f2e3e731fb7792fa8655f20eedb02538c555c926005cce268ff4c03bb119f908a41ddcd06d4fc0ae3d1d8b58d01de96599cf671e552d2c68b21d5

Download Submit
C:\Windows\{50CB5D21-C085-4ecb-B3C1-7153996CF609}.exe

Filesize
90KB

MD5
785d9053ab2d74aeeb7e4491dcae4672

SHA1
9bfaea645f3a323f8ef9ca1628139a58102d0c0e

SHA256
6a78fd72aa96538c716747604cb26bbbad9e69e6fa28cf20b1e0dfa28d939fe1

SHA512
3d461d1018ae18b82d41a5ec74d4363ff6d901437b405f1d52e60ac18a6f3d4cdb455286e756ca9059f2e0edef2ff02adcc88647d93c3ca2802f513b50d079b0

Download Submit
C:\Windows\{6C68DCA6-8F43-4bdd-B957-A6AE56E5EF92}.exe

Filesize
90KB

MD5
c9df0bd7173b42ae3b0e478f08cbbb46

SHA1
8f721281e0ec89c44e96808d0649f4a8548e40b6

SHA256
da77e4962ebd23e5b739dd5565dff9bcd7d843771ec463fdfeb0eee033502199

SHA512
783c19adfdd7788f5bd43c8db2f18ede02d7b00742fda46a7de2d0ba71a89959cf364e57ad41b493370a9fe946fbf2ad96a5445e85c40d86854111df590836c5

Download Submit
C:\Windows\{6D9C336E-FFCD-4e6f-B3D9-11420534A7F5}.exe

Filesize
90KB

MD5
d59f32fdb41c2b26dd0564add4bf8855

SHA1
a34931f7c08c00fece5bf6e08bdf6d610412a32c

SHA256
4d713393dd65dcd8e9917684ad057c71f22b404dbba77d817c4db2ed8a623d0a

SHA512
f3c924c0ffa8191acfd9672c3ae64778c25a4fcac78340f65c6ab31d1c7379a124275a8d0b430802c42c58869efd56b6452202a8ea7490a3d9ed25639eab90ac

Download Submit
C:\Windows\{8C0FA3F4-5890-45c6-B7D1-4BF815A13561}.exe

Filesize
90KB

MD5
769ba29f46f2bc11125f12089453bf47

SHA1
58ea4c63c2cf7dc3514310c3aae76da3a4db0629

SHA256
a9077638bd99cfb03ad2251cbcaf7a0ba1f17c05181bf7d5aa8a134ea930a5cd

SHA512
0179b132c89d100f450b2f78bb76e681991d2980f9380f3e6ff52894e36d0662c6e75a39988691d88834a4dc52d29bd4d9d1b421362bcfaecd58fa1271038a8a

Download Submit
C:\Windows\{8CE1C6A3-D7E5-4ceb-B277-52F50713EE9E}.exe

Filesize
90KB

MD5
db10a78b0909cc33b90b31a06ff433f8

SHA1
81f7d7b105f7969de490ab4dba7d12741be72acc

SHA256
06369925b1a01b2278327a650077fb73fa33f7f539427650f456df6503ab8a19

SHA512
ae10691ea36906fd361e3f7097bc431161dedc0219f1524e32b5c8101f95bf629441a99c40c7273d9f76a4a778d43d90f6fa7ac243c6daffac49286485492b01

Download Submit
C:\Windows\{AE985255-03F6-4d49-86A3-A8E7D8DB944A}.exe

Filesize
90KB

MD5
7195e09234150001209aa07da5c63974

SHA1
dc5c8f882f94d92b772a29d00f49ef4c7b992717

SHA256
ebc7f4e0fb07156f08574ec7a1fbe67a9a106f3ba4956ee9710410e7c29d5e99

SHA512
8504e237983bff93c44e95564a70caf7d296b7f8bbefd117f50beae9fd05e0251433b91986bdbe50ffbb0bf51271c7553d1d8850d09a0e76e707c2ffa5434045

Download Submit
C:\Windows\{C6284049-160D-4349-BE40-B3D3B40599A0}.exe

Filesize
90KB

MD5
77f70c24f95b138bae90d470b7638642

SHA1
dce8e879d6b948b68da1c53f4dab3ade0bb0ed6b

SHA256
da7fa4974d4d690d256d09c22c528746b3f537c469f7cdc85a6266a426910880

SHA512
7242d6cd27dedd36867c78d8de1371246c0a58bcfe4bccfdf7c02883a14a8f56711e72bdf208f0c785e657400ca3798a8f8ea41ab639f66a42d080639fd54277

Download Submit
C:\Windows\{E01069F2-B786-4ede-BC88-91B59C4F11AB}.exe

Filesize
90KB

MD5
a846e377de3aee4b3016a0a0976c1788

SHA1
5f99c14a14e49ace68e2152b085351babd45fbc4

SHA256
9dc9355d9e946aa47bb3265ad9be3592a01134a34fb45911114dabaf83a6bd58

SHA512
71ff2af4cde06370bc6ed41978f2727f6275ea073bda04803c3f26ea1b0725c95e358bd62074945e460ed3f3ff51cfc674b8a6e376aaad09feaab5778d5fefad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads