0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe
Size

90KB
MD5

c755779b16544ba5235eead7c30268ba
SHA1

2a771b3c811a07e50bdc5ddce0a30275493dbdca
SHA256

0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78
SHA512

d33a588d2e83a750d95670ff80e636fcbfeaac76824d1226c7062a15213a9860298df9680dca3671af477cf99c2f25a320eeb2379b21855e896daf9a7937db46
SSDEEP

768:Qvw9816vhKQLrou4/wQRNrfrunMxVFA3b7glw:YEGh0oul2unMxVS3Hg

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A282136-0FDD-4c7c-A978-084C0349AEE4}\stubpath = "C:\\Windows\\{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe"	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D980FCAF-1595-42ca-A145-A8351F31C3E4}	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}\stubpath = "C:\\Windows\\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe"	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D050646A-0158-48dd-806A-7BBED70B75FD}	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}\stubpath = "C:\\Windows\\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe"	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}\stubpath = "C:\\Windows\\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe"	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}\stubpath = "C:\\Windows\\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe"	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}\stubpath = "C:\\Windows\\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe"	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEE65CDA-9F96-4b3d-A463-8509306584DE}\stubpath = "C:\\Windows\\{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe"	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}\stubpath = "C:\\Windows\\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe"	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D050646A-0158-48dd-806A-7BBED70B75FD}\stubpath = "C:\\Windows\\{D050646A-0158-48dd-806A-7BBED70B75FD}.exe"	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEE65CDA-9F96-4b3d-A463-8509306584DE}	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}	{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}\stubpath = "C:\\Windows\\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}.exe"	{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A282136-0FDD-4c7c-A978-084C0349AEE4}	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D980FCAF-1595-42ca-A145-A8351F31C3E4}\stubpath = "C:\\Windows\\{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe"	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}\stubpath = "C:\\Windows\\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe"	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe
4408	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe
3312	{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe
3796	{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
File created	C:\Windows\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
File created	C:\Windows\{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
File created	C:\Windows\{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
File created	C:\Windows\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe
File created	C:\Windows\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}.exe	{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe
File created	C:\Windows\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe
File created	C:\Windows\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
File created	C:\Windows\{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
File created	C:\Windows\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
File created	C:\Windows\{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
File created	C:\Windows\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe
Token: SeIncBasePriorityPrivilege	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
Token: SeIncBasePriorityPrivilege	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
Token: SeIncBasePriorityPrivilege	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
Token: SeIncBasePriorityPrivilege	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
Token: SeIncBasePriorityPrivilege	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
Token: SeIncBasePriorityPrivilege	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
Token: SeIncBasePriorityPrivilege	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
Token: SeIncBasePriorityPrivilege	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
Token: SeIncBasePriorityPrivilege	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe
Token: SeIncBasePriorityPrivilege	4408	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe
Token: SeIncBasePriorityPrivilege	3312	{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2116	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe	88
PID 1844 wrote to memory of 2116	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe	88
PID 1844 wrote to memory of 2116	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe	88
PID 1844 wrote to memory of 2792	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe	89
PID 1844 wrote to memory of 2792	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe	89
PID 1844 wrote to memory of 2792	1844	0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe	89
PID 2116 wrote to memory of 4108	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	90
PID 2116 wrote to memory of 4108	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	90
PID 2116 wrote to memory of 4108	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	90
PID 2116 wrote to memory of 3200	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	91
PID 2116 wrote to memory of 3200	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	91
PID 2116 wrote to memory of 3200	2116	{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe	91
PID 4108 wrote to memory of 1112	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	94
PID 4108 wrote to memory of 1112	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	94
PID 4108 wrote to memory of 1112	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	94
PID 4108 wrote to memory of 3260	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	95
PID 4108 wrote to memory of 3260	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	95
PID 4108 wrote to memory of 3260	4108	{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe	95
PID 1112 wrote to memory of 2096	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	96
PID 1112 wrote to memory of 2096	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	96
PID 1112 wrote to memory of 2096	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	96
PID 1112 wrote to memory of 1980	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	97
PID 1112 wrote to memory of 1980	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	97
PID 1112 wrote to memory of 1980	1112	{D050646A-0158-48dd-806A-7BBED70B75FD}.exe	97
PID 2096 wrote to memory of 4328	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	98
PID 2096 wrote to memory of 4328	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	98
PID 2096 wrote to memory of 4328	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	98
PID 2096 wrote to memory of 4720	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	99
PID 2096 wrote to memory of 4720	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	99
PID 2096 wrote to memory of 4720	2096	{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe	99
PID 4328 wrote to memory of 1908	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	100
PID 4328 wrote to memory of 1908	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	100
PID 4328 wrote to memory of 1908	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	100
PID 4328 wrote to memory of 2072	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	101
PID 4328 wrote to memory of 2072	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	101
PID 4328 wrote to memory of 2072	4328	{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe	101
PID 1908 wrote to memory of 3852	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	102
PID 1908 wrote to memory of 3852	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	102
PID 1908 wrote to memory of 3852	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	102
PID 1908 wrote to memory of 4780	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	103
PID 1908 wrote to memory of 4780	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	103
PID 1908 wrote to memory of 4780	1908	{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe	103
PID 3852 wrote to memory of 3276	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	104
PID 3852 wrote to memory of 3276	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	104
PID 3852 wrote to memory of 3276	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	104
PID 3852 wrote to memory of 1872	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	105
PID 3852 wrote to memory of 1872	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	105
PID 3852 wrote to memory of 1872	3852	{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe	105
PID 3276 wrote to memory of 2980	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	106
PID 3276 wrote to memory of 2980	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	106
PID 3276 wrote to memory of 2980	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	106
PID 3276 wrote to memory of 4152	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	107
PID 3276 wrote to memory of 4152	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	107
PID 3276 wrote to memory of 4152	3276	{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe	107
PID 2980 wrote to memory of 4408	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	108
PID 2980 wrote to memory of 4408	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	108
PID 2980 wrote to memory of 4408	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	108
PID 2980 wrote to memory of 4288	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	109
PID 2980 wrote to memory of 4288	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	109
PID 2980 wrote to memory of 4288	2980	{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe	109
PID 4408 wrote to memory of 3312	4408	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe	110
PID 4408 wrote to memory of 3312	4408	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe	110
PID 4408 wrote to memory of 3312	4408	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe	110
PID 4408 wrote to memory of 1536	4408	{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe	111

C:\Users\Admin\AppData\Local\Temp\0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe
"C:\Users\Admin\AppData\Local\Temp\0306d83d64d4b1c62c79f37aace80b80ed29729006de6008087c1c438388ef78.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
  C:\Windows\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
    C:\Windows\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
      C:\Windows\{D050646A-0158-48dd-806A-7BBED70B75FD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
        
        C:\Windows\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
        
        C:\Windows\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
        
        C:\Windows\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
        
        C:\Windows\{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
        
        C:\Windows\{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe
        
        C:\Windows\{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe
        
        C:\Windows\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe
        
        C:\Windows\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}.exe
        
        C:\Windows\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}.exe
        13⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B180~1.EXE > nul
        13⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D1A3~1.EXE > nul
        12⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEE65~1.EXE > nul
        11⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D980F~1.EXE > nul
        10⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A282~1.EXE > nul
        9⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDB49~1.EXE > nul
        8⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E70E~1.EXE > nul
        7⤵
        
        PID:2072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05217~1.EXE > nul
        6⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0506~1.EXE > nul
        5⤵
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{388AF~1.EXE > nul
      4⤵
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C27E~1.EXE > nul
    3⤵
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0306D8~1.EXE > nul
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05217A61-CFD7-4211-8745-F15CBE7DD8B4}.exe

Filesize
90KB

MD5
0b4256f26c0b0cfc091bcd29b854b671

SHA1
ac682e33f4008b7c350d4b5fce55a900a61bd773

SHA256
b4fd795cb6a6c2788aa1ddc08b5764b0f50c3a195d3479a86de89aa5fca4578c

SHA512
f4d64791a78fa64ee8af323e446dd3a0a70e7e9f26a27443f4e60566cdb725ec99eeebb108c4f7b587c24a5733741af193880f153c861b1b31ed5c1f3153eafd

Download Submit
C:\Windows\{388AFFB3-D6CE-44d6-AB1A-EBB279C8A983}.exe

Filesize
90KB

MD5
22474eb12c3c1260983f0548e069108a

SHA1
dea337aa999f9f31cc9501fce3ff3b0146dd1b16

SHA256
682ef1d2dffd8e6201a2250592df4aee7f8abbfff97dc316e7d86b12b54cc2b5

SHA512
18c0bebe95a4aeb55af6112568973486deae925cf6ac2383eea9c25e8e942cf1812c5635d5bb9ee12ea0a9971aab83c26f75d1713213263d818251709b0a7455

Download Submit
C:\Windows\{3A282136-0FDD-4c7c-A978-084C0349AEE4}.exe

Filesize
90KB

MD5
35c21fb2ecfaf3536a2abc62de4d39ff

SHA1
5ae25b31d476176693bb9cefc9a348323a1e32e8

SHA256
a79742f952daca1981d239890e1e6eaece908f6e0203683834308e7a17c18670

SHA512
52185e93535762e85d43778edb292974f0ef09d1c73bab070ab47c420d1eb124da49dce9c494c09545f3df7e4bacc27575a1e7fb57c7ac3e1d96239e0eb380d3

Download Submit
C:\Windows\{3E70EDDC-83C9-412a-99BF-2BEC35ED004B}.exe

Filesize
90KB

MD5
2fabfec24745297df3e96ef9266b61d4

SHA1
76adf433dd77c3fe72a9ac7aad33c6a44c19d453

SHA256
aafda268e29c6b46989043e2d81363f04f740a8c2a82f6f3bbdc627bfa84456d

SHA512
b96ca99f546c6669e401d13a1e8851c459095cf77aa66b669ad44a1e7a3dc00cc0978f18a201bf74f2ec3946bcd32c3b0dedf44eb0bb287a1ab5ebcd381e693d

Download Submit
C:\Windows\{5F73FC7B-A0D4-460b-9F0E-1FD062C08EB8}.exe

Filesize
90KB

MD5
bd75eb95291949e95246ffdef672c7e6

SHA1
5c6c1e2405a5157dc86188d5a0456714bac2bd02

SHA256
3237c4861807998ecc28609c632d0e234f306c6947fceaa40b292acd1615f1dd

SHA512
abfd0f6437e211582b8c1420950518fdf8b884153f1eaee7c06b13bf0f40c83133bbfb557ad20991059e2542169167bb89bd309ee3e97309824c72c67deca5d6

Download Submit
C:\Windows\{6D1A3C22-3729-46bc-AD59-A58B476B92EF}.exe

Filesize
90KB

MD5
5f8ab0d08c922998f6d4e4361bbfaa8a

SHA1
d31308dae73513f9ea2566a6a002f6b4e51f58b1

SHA256
f4c636f3bf455b5f0d260ac253b6915e0c2ea08b7927bc1d7c06afaae3caaaa6

SHA512
00c8cd610fa4cec69feaf4edbcb7eb53107accee9d7ca6cfa871bb54130338ae500c2840b56aa7f64cb4793860fa290edcd924205fcd72f730a29f92a34a433a

Download Submit
C:\Windows\{7B180B9D-5C7B-4c0e-AB54-080A1586CBDD}.exe

Filesize
90KB

MD5
7d3f11f3d01b46f77295e52ef1996485

SHA1
cb22190321282039f6f467619a2f9fe6fbcbc87e

SHA256
5cc24209c3b95b298fb560be8b9b3ca0311b3e74c285d42f82abf0a1d8dc1d4f

SHA512
6b641fe9919eb0b2f78b74ee97129b8a82031ac302fb410c0134b997847e32d436e4fecd2741bd57950b5ea1b42c6458efc896c6adfee0b3e120b74b3732a488

Download Submit
C:\Windows\{8C27E4DB-4CAB-4a1b-A93E-8A93B221D2F0}.exe

Filesize
90KB

MD5
1989d260361d98085e11b3f9dfd2ffd4

SHA1
42dd9ff27b782a7c8de70bc3fb874bfe337e7aed

SHA256
ffebe4b8a8f63362f662b2a249132adea8259254b3d777c58e78f15768d80603

SHA512
a0bbc2dfe5a688feb5da4debf07768a4284ecd1ab24c9e10d49d189b3cdbd84d7557b5d5b9e56bbaf6ca41708b038cd4fe3bf41ce8fc3b070b575513190043a1

Download Submit
C:\Windows\{CDB49D8B-B333-45e3-B87B-7FC184D49AB1}.exe

Filesize
90KB

MD5
30c09fecbc9eec80ccd25b0cafcd5ef6

SHA1
6ca31f7c6c92c7689c3d63230a48f6d04489a85a

SHA256
bd2bfe1825382031ccaa92972e64873c14337afb9cc7fee45fbabb7817ecf3e9

SHA512
7b82647bad46a0b8e82ae886d6942077f693185b854eb4d6767038a1948d353f1e1b6473ab6f54ca9556641c93831dc594e69a58b59c92ff3641446bd967c47c

Download Submit
C:\Windows\{D050646A-0158-48dd-806A-7BBED70B75FD}.exe

Filesize
90KB

MD5
2c322e720ada25e59de7839a4f9414c5

SHA1
1e5d6e27754e31f6be96f241d3b13b9dc5a8220b

SHA256
92e05e841ecfaf3caf7b09ec97e37b7d2f6f65fdfcd0b28fdbdaf1d65bb45b3c

SHA512
6fe32ea8f44c8f0133180677553a7dbcd33fcc3ec2d76dc3f378492aadd35cdc214b97d12fb6baf6ddead2b0a418225c9358d3d1556e82a0b69067c31675ad11

Download Submit
C:\Windows\{D980FCAF-1595-42ca-A145-A8351F31C3E4}.exe

Filesize
90KB

MD5
b12ce2153945a89f1e29c4ad17b23798

SHA1
84ceb9f9416a04e92ee08582ae0ca407a27717cd

SHA256
0c0f03ca9fb1dc415135068101c831d971b5abfd3057e131603b73a7794f3e7c

SHA512
24b963282f4e5b1d506fee62b202d5c62ce362526dfb76e104a3266aeacf7b491b0ca70379930cc361fbc6e665c96f79ba2d3fab6cf83977a2441c297fbc0a37

Download Submit
C:\Windows\{DEE65CDA-9F96-4b3d-A463-8509306584DE}.exe

Filesize
90KB

MD5
6e87539d04a34158ce64c08e0786d9c5

SHA1
72c93d8d9118fef6add2ca77941ec7ffa5ddcf3d

SHA256
f2f52002840d064ece28f3f7e235231ba1155018d69e49b1a48be7a2af3463b6

SHA512
a84a289407aaa6786c1ab15c7767e10df135acbb5541b05774c1e678e387a65feab41ee7107023938344095fb092c3e4be1823d9fcbfd8cfb0b2872c5b8ccce1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads