58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
Size

90KB
MD5

4511d44ebb6011fcd1159a1a297b4f39
SHA1

85375dc2a261eaa559f21a7a8be48f29d166328c
SHA256

58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b
SHA512

a71ae08abd9db210126059abf558fe6c7a143496d510be1abf9db92a12d6ea8aa7d3166dba14db9ef3ea5c87181275901ecc7611dba2ac4f03ff619fee69c6c1
SSDEEP

768:Qvw9816vhKQLroR4/wQRNrfrunMxVFA3b7glw6:YEGh0oRl2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}	{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}\stubpath = "C:\\Windows\\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}.exe"	{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6956FB59-7B03-466c-A5E2-CFC531AFF524}	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}\stubpath = "C:\\Windows\\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe"	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0C28B6-7893-4963-A366-1C7464C0C84C}	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}\stubpath = "C:\\Windows\\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe"	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4883D79D-6C09-4e46-8859-340401F28EC4}	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4883D79D-6C09-4e46-8859-340401F28EC4}\stubpath = "C:\\Windows\\{4883D79D-6C09-4e46-8859-340401F28EC4}.exe"	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A26D346B-A722-4277-9F08-C9F4E1788460}\stubpath = "C:\\Windows\\{A26D346B-A722-4277-9F08-C9F4E1788460}.exe"	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE387F0-E9BE-440c-8E71-5D39B182051E}\stubpath = "C:\\Windows\\{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe"	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}\stubpath = "C:\\Windows\\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe"	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F97796D-22FD-464e-BD2C-82FA3624938C}	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0C28B6-7893-4963-A366-1C7464C0C84C}\stubpath = "C:\\Windows\\{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe"	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}\stubpath = "C:\\Windows\\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe"	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}\stubpath = "C:\\Windows\\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe"	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE387F0-E9BE-440c-8E71-5D39B182051E}	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6956FB59-7B03-466c-A5E2-CFC531AFF524}\stubpath = "C:\\Windows\\{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe"	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F97796D-22FD-464e-BD2C-82FA3624938C}\stubpath = "C:\\Windows\\{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe"	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A26D346B-A722-4277-9F08-C9F4E1788460}	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe

Executes dropped EXE 12 IoCs

pid	Process
1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe
4396	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
2924	{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe
4264	{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
File created	C:\Windows\{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
File created	C:\Windows\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
File created	C:\Windows\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
File created	C:\Windows\{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
File created	C:\Windows\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
File created	C:\Windows\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
File created	C:\Windows\{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
File created	C:\Windows\{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
File created	C:\Windows\{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
File created	C:\Windows\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe
File created	C:\Windows\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}.exe	{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
Token: SeIncBasePriorityPrivilege	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
Token: SeIncBasePriorityPrivilege	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
Token: SeIncBasePriorityPrivilege	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
Token: SeIncBasePriorityPrivilege	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
Token: SeIncBasePriorityPrivilege	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
Token: SeIncBasePriorityPrivilege	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
Token: SeIncBasePriorityPrivilege	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
Token: SeIncBasePriorityPrivilege	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
Token: SeIncBasePriorityPrivilege	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe
Token: SeIncBasePriorityPrivilege	4396	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
Token: SeIncBasePriorityPrivilege	2924	{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 1156	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe	81
PID 4408 wrote to memory of 1156	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe	81
PID 4408 wrote to memory of 1156	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe	81
PID 4408 wrote to memory of 4380	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe	82
PID 4408 wrote to memory of 4380	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe	82
PID 4408 wrote to memory of 4380	4408	58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe	82
PID 1156 wrote to memory of 5020	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	83
PID 1156 wrote to memory of 5020	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	83
PID 1156 wrote to memory of 5020	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	83
PID 1156 wrote to memory of 1252	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	84
PID 1156 wrote to memory of 1252	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	84
PID 1156 wrote to memory of 1252	1156	{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe	84
PID 5020 wrote to memory of 4148	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	90
PID 5020 wrote to memory of 4148	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	90
PID 5020 wrote to memory of 4148	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	90
PID 5020 wrote to memory of 4180	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	91
PID 5020 wrote to memory of 4180	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	91
PID 5020 wrote to memory of 4180	5020	{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe	91
PID 4148 wrote to memory of 2852	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	94
PID 4148 wrote to memory of 2852	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	94
PID 4148 wrote to memory of 2852	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	94
PID 4148 wrote to memory of 2412	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	95
PID 4148 wrote to memory of 2412	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	95
PID 4148 wrote to memory of 2412	4148	{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe	95
PID 2852 wrote to memory of 2032	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	96
PID 2852 wrote to memory of 2032	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	96
PID 2852 wrote to memory of 2032	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	96
PID 2852 wrote to memory of 444	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	97
PID 2852 wrote to memory of 444	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	97
PID 2852 wrote to memory of 444	2852	{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe	97
PID 2032 wrote to memory of 2636	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	98
PID 2032 wrote to memory of 2636	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	98
PID 2032 wrote to memory of 2636	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	98
PID 2032 wrote to memory of 3340	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	99
PID 2032 wrote to memory of 3340	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	99
PID 2032 wrote to memory of 3340	2032	{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe	99
PID 2636 wrote to memory of 1704	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	100
PID 2636 wrote to memory of 1704	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	100
PID 2636 wrote to memory of 1704	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	100
PID 2636 wrote to memory of 1580	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	101
PID 2636 wrote to memory of 1580	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	101
PID 2636 wrote to memory of 1580	2636	{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe	101
PID 1704 wrote to memory of 3468	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	102
PID 1704 wrote to memory of 3468	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	102
PID 1704 wrote to memory of 3468	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	102
PID 1704 wrote to memory of 3208	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	103
PID 1704 wrote to memory of 3208	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	103
PID 1704 wrote to memory of 3208	1704	{4883D79D-6C09-4e46-8859-340401F28EC4}.exe	103
PID 3468 wrote to memory of 464	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	104
PID 3468 wrote to memory of 464	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	104
PID 3468 wrote to memory of 464	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	104
PID 3468 wrote to memory of 2544	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	105
PID 3468 wrote to memory of 2544	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	105
PID 3468 wrote to memory of 2544	3468	{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe	105
PID 464 wrote to memory of 4396	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	106
PID 464 wrote to memory of 4396	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	106
PID 464 wrote to memory of 4396	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	106
PID 464 wrote to memory of 396	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	107
PID 464 wrote to memory of 396	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	107
PID 464 wrote to memory of 396	464	{A26D346B-A722-4277-9F08-C9F4E1788460}.exe	107
PID 4396 wrote to memory of 2924	4396	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe	108
PID 4396 wrote to memory of 2924	4396	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe	108
PID 4396 wrote to memory of 2924	4396	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe	108
PID 4396 wrote to memory of 4320	4396	{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe	109

C:\Users\Admin\AppData\Local\Temp\58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
"C:\Users\Admin\AppData\Local\Temp\58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
  C:\Windows\{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
    C:\Windows\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
      C:\Windows\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
        
        C:\Windows\{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
        
        C:\Windows\{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
        
        C:\Windows\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
        
        C:\Windows\{4883D79D-6C09-4e46-8859-340401F28EC4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
        
        C:\Windows\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{A26D346B-A722-4277-9F08-C9F4E1788460}.exe
        
        C:\Windows\{A26D346B-A722-4277-9F08-C9F4E1788460}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
        
        C:\Windows\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe
        
        C:\Windows\{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}.exe
        
        C:\Windows\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE38~1.EXE > nul
        13⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{701CC~1.EXE > nul
        12⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A26D3~1.EXE > nul
        11⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{365D7~1.EXE > nul
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4883D~1.EXE > nul
        9⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{861A7~1.EXE > nul
        8⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC0C2~1.EXE > nul
        7⤵
        
        PID:3340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F977~1.EXE > nul
        6⤵
        
        PID:444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E081C~1.EXE > nul
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D61~1.EXE > nul
      4⤵
      PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6956F~1.EXE > nul
    3⤵
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58E7FC~1.EXE > nul
  2⤵
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F97796D-22FD-464e-BD2C-82FA3624938C}.exe

Filesize
90KB

MD5
5ca57bc9f79ddabcc360f83367034f47

SHA1
b8315d16991e2d2671b507e9ddece82a43428387

SHA256
ac4abc084f56ddaf57f0e223f57437679e4117ee2072b5caad96e549a69475b5

SHA512
597085e2aec8562e98db2a31b64cc171f320af6e66b5bb008d13d3b634ecd84d4459703a6793ad15c84af2cb4e5466d71ba5230d84c7647d546d76b7f3c0547e

Download Submit
C:\Windows\{365D74E4-B87C-4b44-B7F6-697D9B119AE5}.exe

Filesize
90KB

MD5
52f8a68986d4d48fbf9a168eef25d8bd

SHA1
fb362ada024eff1ace7505932c6ac199ce64283c

SHA256
08cdd6fcbc1fc2401f6da61dbb259eb9c871e8cda3c582f2fdfa41168347a002

SHA512
a6ce52b36160ecfed655cff68ca2342c044c91228c0bb09cb730bd6b4af4480fd1ff7382a194284c997b85400102baf686d709e178a2857dd9e5ff2f48e148ee

Download Submit
C:\Windows\{4883D79D-6C09-4e46-8859-340401F28EC4}.exe

Filesize
90KB

MD5
84fed16594963b6c73840a9a1e4a296b

SHA1
27256efb2440325c30356a985ab7945dfd0a7760

SHA256
c0bbd79ea434295570000a4c0693f716ba743b8e62e6fd1cad11d0736a1b8be4

SHA512
52f00cbf33bbc50887d43731480e8389381aaf9548127e7550a51052ac80495cbe0b5aa00b004691fab97be15e5cb09f31174efe215f44cd702cf6675c00996d

Download Submit
C:\Windows\{6956FB59-7B03-466c-A5E2-CFC531AFF524}.exe

Filesize
90KB

MD5
840942c19a7694cec806829504ea0921

SHA1
26e20354b9995a8a55bb773ce476ab2d9dfde39f

SHA256
db9cabf019cef7c75cc6773657d2fd04a2a378fa8bc1749d3416c04844076dc6

SHA512
b3f4d9b3ccbf159c77098e38c5339cee6db325c94c1d301cb73fd9b9e38473729a1ab7b3476458153b7e83c405f8674d4fa727e89a9451fea6ebf6e347dbd626

Download Submit
C:\Windows\{701CC99F-D827-4448-8AC3-E5BB718FD5EA}.exe

Filesize
90KB

MD5
6e38553d1dd94515ee73542b91cc9f14

SHA1
6ac5d9f3a33111cfcf57aac6310e6524f29eb746

SHA256
f7622ed49bed84d016c57d4782c18b0e81533d72fba5b84a4bc65cda0f99540a

SHA512
f9e4365845e53ab88ceed2751d9c366d924eaa57493d28f4b0fc9be0a4b145c6955cf40fff136e95f5ed0960943de7e4e890f6ca8da3c0c94197dd0dae370be8

Download Submit
C:\Windows\{861A7B8C-9B9A-49d7-8207-92151F1C5A08}.exe

Filesize
90KB

MD5
d448d378a073887d0c1bec1988d5cf9b

SHA1
7b955a86384d005c1ca887a84ad704e805a71f39

SHA256
508b99f13fbf554c4f2d8972c9987cb58a41bf85af8678b1666e8e642a57b116

SHA512
9532dc2de67df3b7d4fd8ac890bcb71381f42f4ce42e4a7d6d8369be7c49b874e7aa976455c01856e120cc5146c583836b17f4e488375cd7c6cddec300f7540b

Download Submit
C:\Windows\{8E7E10B8-DBF6-4ac0-B107-0386DDEB4CF5}.exe

Filesize
90KB

MD5
8ef35a13e557c4eb2a242cbe2c3f93a5

SHA1
f00efab6f303ceba5c8ff96218efd2d3143f99d4

SHA256
81ba4347d7e158118abde3b8cf1eb694d3de610ded4ab7190cbb3040a652160a

SHA512
56c08c8877d220c4a64456e7abbda20a08c005dcc393610e8b384723b5d4eaa3e72d25486a18e995daef89b9cabcadf2a7ad6e15586e8b80870105c0a72ae172

Download Submit
C:\Windows\{A26D346B-A722-4277-9F08-C9F4E1788460}.exe

Filesize
90KB

MD5
777a2fbf6e10252214a23ee011ef30cb

SHA1
4d4adbc83a4a2de8ca2e7f1164fcee662e39a38d

SHA256
92147a80766e9507f1cb78dbc23538e95495f213bc6a537caf5b60ac70392ccf

SHA512
c5904a0e14c6b31645c5200adcb19a29b71b3c0f1aacc75b538c238d6bfa62b626eb62a44a35a72e6e28b67319726d63518e494436d6ee352c1356f66f3cc393

Download Submit
C:\Windows\{B4D6176C-5D9D-4185-B0AD-DAD6013B4C79}.exe

Filesize
90KB

MD5
b9d0af6c316c5832692c92ca866bc617

SHA1
496588bedcf59a8c5a39feaaaa4cf9d99900e1e7

SHA256
091a41ada37a8d4aa6adb1876cc67eabfdfa02674906b9322914dba3aa6a84db

SHA512
bad33b4dd24f756a772f86623347ff01c5584237e75e2b320bd4173483c342259dbc55b1ebb26299818114c64a98c1ff42157ca3587151fa1ba9bc0282e576f3

Download Submit
C:\Windows\{BDE387F0-E9BE-440c-8E71-5D39B182051E}.exe

Filesize
90KB

MD5
c763380858c36d15b029d9c6bd894ebc

SHA1
2a902ab9059ad2ecda85005783550110a753995d

SHA256
cfba2a24e90573c2df5fe78cd40f491ed063d3d853572b5f865e53ad5963f61b

SHA512
b5e93eb428994277d73fbddc0f2b162d26f4af0217ae1f0c10d1943f35274aa0ede5de017969634e04edc43df291d6c4237e97a3ce58678d0380e0efd3fc1c7e

Download Submit
C:\Windows\{DC0C28B6-7893-4963-A366-1C7464C0C84C}.exe

Filesize
90KB

MD5
e87655872e46c9dd6ba0e5f12e8a2737

SHA1
03f28f68c6ece14303de585db78f7009da12562a

SHA256
ba862674203d35fe8235870deeff551d83ab8cebe0b376cadb2077c14c006aab

SHA512
8844678e98dc5915e8a0f3380222824fe5589a16d0713c9d5653c76294b328abbfe73ff41afe352f9e014ef33ae5de72b1d4247f7775e0530b1d96ebdb48db06

Download Submit
C:\Windows\{E081C9DC-0ED7-45d2-B680-2FCE7FDF6F0F}.exe

Filesize
90KB

MD5
ea921375157cf4dc4c873de60497aefd

SHA1
43041f9078c150a34f247249dd8218a2b9e29f61

SHA256
2fbe8d1da081354a5b6d3aa578b013bc659daa66c8043270f8c157a71cfd3185

SHA512
f12c885c6d2c685656fa87f3f397f6a7e7714d4ebc013ad2ab702834b7aa131cc335e6ac499bbca5f124c9ad77a9c2f60c979458dddadef1b0d371d03e1f974e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads