c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Size

60KB
MD5

335970663867f7b3a6223542467e2ccc
SHA1

c67b2052879e5196f91517bf94ffdc6e5b30deb4
SHA256

c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e
SHA512

39f615c50f58dc642cced0c13f0a096c2d3f5b03f6418a559fc73e9af1e9f9a163504bda214c00a9307ff22321e4a1fa4f06f599a5111eeab24571b5a7d3931b
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwiY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroY4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64DBADBE-DA46-41fa-886E-959D0C408EA7}\stubpath = "C:\\Windows\\{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe"	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{598CFA04-B226-4d3f-87E7-0C1A1772654D}	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{598CFA04-B226-4d3f-87E7-0C1A1772654D}\stubpath = "C:\\Windows\\{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe"	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}\stubpath = "C:\\Windows\\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe"	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134BD0ED-1317-48be-88F0-9642EA49115F}	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134BD0ED-1317-48be-88F0-9642EA49115F}\stubpath = "C:\\Windows\\{134BD0ED-1317-48be-88F0-9642EA49115F}.exe"	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{467DF1B7-7E41-457e-8566-386D950CE602}	{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20F7891-EDE2-4f7a-8589-D6929544D13D}	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20F7891-EDE2-4f7a-8589-D6929544D13D}\stubpath = "C:\\Windows\\{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe"	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{467DF1B7-7E41-457e-8566-386D950CE602}\stubpath = "C:\\Windows\\{467DF1B7-7E41-457e-8566-386D950CE602}.exe"	{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}\stubpath = "C:\\Windows\\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe"	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4241AC15-83BE-4ba2-8C08-6BE783B37956}\stubpath = "C:\\Windows\\{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe"	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}\stubpath = "C:\\Windows\\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe"	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C65EE09-6485-485e-959B-495A1E6486BE}\stubpath = "C:\\Windows\\{2C65EE09-6485-485e-959B-495A1E6486BE}.exe"	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}\stubpath = "C:\\Windows\\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe"	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4241AC15-83BE-4ba2-8C08-6BE783B37956}	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C65EE09-6485-485e-959B-495A1E6486BE}	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}\stubpath = "C:\\Windows\\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe"	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64DBADBE-DA46-41fa-886E-959D0C408EA7}	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe

Executes dropped EXE 12 IoCs

pid	Process
4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe
1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
2776	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe
4336	{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe
4812	{467DF1B7-7E41-457e-8566-386D950CE602}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
File created	C:\Windows\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
File created	C:\Windows\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
File created	C:\Windows\{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe
File created	C:\Windows\{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
File created	C:\Windows\{467DF1B7-7E41-457e-8566-386D950CE602}.exe	{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe
File created	C:\Windows\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
File created	C:\Windows\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
File created	C:\Windows\{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
File created	C:\Windows\{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
File created	C:\Windows\{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
File created	C:\Windows\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Token: SeIncBasePriorityPrivilege	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
Token: SeIncBasePriorityPrivilege	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
Token: SeIncBasePriorityPrivilege	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
Token: SeIncBasePriorityPrivilege	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
Token: SeIncBasePriorityPrivilege	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
Token: SeIncBasePriorityPrivilege	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe
Token: SeIncBasePriorityPrivilege	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
Token: SeIncBasePriorityPrivilege	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
Token: SeIncBasePriorityPrivilege	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
Token: SeIncBasePriorityPrivilege	2776	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe
Token: SeIncBasePriorityPrivilege	4336	{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4828	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	94
PID 4416 wrote to memory of 4828	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	94
PID 4416 wrote to memory of 4828	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	94
PID 4416 wrote to memory of 5000	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	95
PID 4416 wrote to memory of 5000	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	95
PID 4416 wrote to memory of 5000	4416	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	95
PID 4828 wrote to memory of 3308	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	96
PID 4828 wrote to memory of 3308	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	96
PID 4828 wrote to memory of 3308	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	96
PID 4828 wrote to memory of 1396	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	97
PID 4828 wrote to memory of 1396	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	97
PID 4828 wrote to memory of 1396	4828	{134BD0ED-1317-48be-88F0-9642EA49115F}.exe	97
PID 3308 wrote to memory of 3988	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	101
PID 3308 wrote to memory of 3988	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	101
PID 3308 wrote to memory of 3988	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	101
PID 3308 wrote to memory of 4028	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	102
PID 3308 wrote to memory of 4028	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	102
PID 3308 wrote to memory of 4028	3308	{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe	102
PID 3988 wrote to memory of 3412	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	103
PID 3988 wrote to memory of 3412	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	103
PID 3988 wrote to memory of 3412	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	103
PID 3988 wrote to memory of 3368	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	104
PID 3988 wrote to memory of 3368	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	104
PID 3988 wrote to memory of 3368	3988	{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe	104
PID 3412 wrote to memory of 64	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	106
PID 3412 wrote to memory of 64	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	106
PID 3412 wrote to memory of 64	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	106
PID 3412 wrote to memory of 4216	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	107
PID 3412 wrote to memory of 4216	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	107
PID 3412 wrote to memory of 4216	3412	{2C65EE09-6485-485e-959B-495A1E6486BE}.exe	107
PID 64 wrote to memory of 2528	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	108
PID 64 wrote to memory of 2528	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	108
PID 64 wrote to memory of 2528	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	108
PID 64 wrote to memory of 1272	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	109
PID 64 wrote to memory of 1272	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	109
PID 64 wrote to memory of 1272	64	{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe	109
PID 2528 wrote to memory of 1848	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	110
PID 2528 wrote to memory of 1848	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	110
PID 2528 wrote to memory of 1848	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	110
PID 2528 wrote to memory of 4472	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	111
PID 2528 wrote to memory of 4472	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	111
PID 2528 wrote to memory of 4472	2528	{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe	111
PID 1848 wrote to memory of 4272	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	115
PID 1848 wrote to memory of 4272	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	115
PID 1848 wrote to memory of 4272	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	115
PID 1848 wrote to memory of 3164	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	116
PID 1848 wrote to memory of 3164	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	116
PID 1848 wrote to memory of 3164	1848	{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe	116
PID 4272 wrote to memory of 4284	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	120
PID 4272 wrote to memory of 4284	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	120
PID 4272 wrote to memory of 4284	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	120
PID 4272 wrote to memory of 3324	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	121
PID 4272 wrote to memory of 3324	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	121
PID 4272 wrote to memory of 3324	4272	{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe	121
PID 4284 wrote to memory of 2776	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	122
PID 4284 wrote to memory of 2776	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	122
PID 4284 wrote to memory of 2776	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	122
PID 4284 wrote to memory of 3812	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	123
PID 4284 wrote to memory of 3812	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	123
PID 4284 wrote to memory of 3812	4284	{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe	123
PID 2776 wrote to memory of 4336	2776	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe	127
PID 2776 wrote to memory of 4336	2776	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe	127
PID 2776 wrote to memory of 4336	2776	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe	127
PID 2776 wrote to memory of 4384	2776	{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe	128

C:\Users\Admin\AppData\Local\Temp\c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
"C:\Users\Admin\AppData\Local\Temp\c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
  C:\Windows\{134BD0ED-1317-48be-88F0-9642EA49115F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
    C:\Windows\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
      C:\Windows\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
        
        C:\Windows\{2C65EE09-6485-485e-959B-495A1E6486BE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
        
        C:\Windows\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe
        
        C:\Windows\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
        
        C:\Windows\{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
        
        C:\Windows\{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
        
        C:\Windows\{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe
        
        C:\Windows\{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe
        
        C:\Windows\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\{467DF1B7-7E41-457e-8566-386D950CE602}.exe
        
        C:\Windows\{467DF1B7-7E41-457e-8566-386D950CE602}.exe
        13⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{023A8~1.EXE > nul
        13⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{598CF~1.EXE > nul
        12⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4241A~1.EXE > nul
        11⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B20F7~1.EXE > nul
        10⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64DBA~1.EXE > nul
        9⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EB4C~1.EXE > nul
        8⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5200~1.EXE > nul
        7⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C65E~1.EXE > nul
        6⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89A5F~1.EXE > nul
        5⤵
        
        PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB4C~1.EXE > nul
      4⤵
      PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{134BD~1.EXE > nul
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C6005C~1.EXE > nul
  2⤵
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{023A838B-E9FB-4bfc-91FA-044A9CDB009C}.exe

Filesize
60KB

MD5
cbfd4dc25c4f44a1cb943dc0cabce131

SHA1
4abf6c1b69d828abda5ddca9e9577a1019abfa36

SHA256
badb79c7c791caded846d8e504b131d44352ea13e3f9f2531cfd35313d62d5df

SHA512
9a81f20352209d1e1573c98613211c79ee5a2f0753cfed11c7b3c6d1135bfcb3f6be68e386386fad1f56198707666b1fb0d70eb1ee20790446b29c17f59267d5

Download Submit
C:\Windows\{134BD0ED-1317-48be-88F0-9642EA49115F}.exe

Filesize
60KB

MD5
e0eec1aeb868aef91872f93d9d203bfb

SHA1
ffec52cba0aa9a73e0b174316cc733d2a230683a

SHA256
64f8e7c203386bbe7c56d16aeba489bb7557efebfe323515435ecb10fcb7ef77

SHA512
ebaebee9e99b3366d9e190aaeae9efee229695c9908083c98a67e2c0eac918a97be4146af19bfd2f6e589390cc71597f7f0e3b895ead4e7353b88c58d5ac6aee

Download Submit
C:\Windows\{2C65EE09-6485-485e-959B-495A1E6486BE}.exe

Filesize
60KB

MD5
4a6afb13706417956632ce9485374a83

SHA1
4e260d44607e6c764bb001eb7d2ff44a86171ad5

SHA256
7d1dcbe46c82f4551f8b76aaf9d6e8cee5778bdb36996d145de2eac2903c0462

SHA512
c70f20c37c13db22cf6172d0627bed44eb1198fb9fff0119225451e2abdff3be1ba5a1c2ff07da827cbc0582c653fb1d0983284f113ef0022f72bd195e9adf7f

Download Submit
C:\Windows\{4241AC15-83BE-4ba2-8C08-6BE783B37956}.exe

Filesize
60KB

MD5
eb64db08043e46b4f90ca1eed887860b

SHA1
6c60a8b75efc49cfdce2aaa0757bff2602d99317

SHA256
2e2007e89a380fd2c2c224f23084b962ce9ec36dba80ccb1f982c6c35519c8aa

SHA512
8457302384e10743a437449988e177e0f2419168d68cd9f8e4976582d15a8f803971b27ff18419da8547e64cd0ca4c8fdd92094e9fb95adce63ff3d1c110d802

Download Submit
C:\Windows\{467DF1B7-7E41-457e-8566-386D950CE602}.exe

Filesize
60KB

MD5
76a55f905305c815856b74f8c29c88cb

SHA1
ee564611de7223651f83535be17b3d277b0b1bb6

SHA256
95d3b3c1b44da775169e5ee76b1940cacbf2dade45c71874668d6da0e6f9ff4e

SHA512
6ba63093dc9d0bd5a408012cdb37efaa6f943b4162b37b43c886b95c0da39fecf11f9603fd48e83724b10f21e088a8368d65178e5a2eb0ca2576913fbac91f28

Download Submit
C:\Windows\{598CFA04-B226-4d3f-87E7-0C1A1772654D}.exe

Filesize
60KB

MD5
f13518fe54208bb452e34866e8abfcdb

SHA1
cfdc89134eee37e7cf619de3986acb44fd5514fd

SHA256
3759f73018b67c8f88bafc0ec4ada8beb18747382b409814833e248a35375ecc

SHA512
b90464c82b826a3d82b3041a60724758f9ffdc3b2689fa54fd67c4436b2b26a75f771e219c8533c5a9ae8be30ef4935d28f806c18110d12023ffcd575b476a10

Download Submit
C:\Windows\{64DBADBE-DA46-41fa-886E-959D0C408EA7}.exe

Filesize
60KB

MD5
8f6d8e3335f10b9d198fd177b9112375

SHA1
3dbf633348e4b5fdf0128b201cb5a8a1be5ec11b

SHA256
21b8bf22e945950c839541dc9507bae98a20a6b7164009671170a979cef1dd64

SHA512
7f45e512f5c7c2b237acc02f73763e11a1f6b05ffcf411bfd6668c62d208c540180083a01cfe9aba4d28f8b60b283204c7934fd659bc8a4fd9e77a7ac600c2b2

Download Submit
C:\Windows\{89A5F7B6-173F-4060-9BBA-F9DEF75268AC}.exe

Filesize
60KB

MD5
f041373545cb9ecdf2995255a150049f

SHA1
8ec08e9937a9774eed067072ed6347cb954639ea

SHA256
029e714ceb473b858b24a7e09213778c511373b9c1379b8b283a583411b1e01c

SHA512
691de7871e382bab41ed3dbb8946e16b5b4f826a5b0942cc16c70cf9ce76521a70f9252f625a5f4263d8a2c769bab96c320794f975fe2b7d942fa317679928f9

Download Submit
C:\Windows\{8EB4C83A-1C70-4047-B5C1-DF47DE9B04CB}.exe

Filesize
60KB

MD5
a601d798b43a6764a5a8ec471fabdea5

SHA1
31b2006f0ca43bdff2323619241bebf35f33edc7

SHA256
764a3d4082e42b0e6cd23bc2e6232ffcf00f4a8adb62a5fa0d9772052545d4ca

SHA512
c1adfdb2a17957c5493168c748856566de83c80a5910f06333e02453e59431ce08ec2e6bfa6f4edffab593437a0208dde2d748009f16cdcbb671111397d4a316

Download Submit
C:\Windows\{B20F7891-EDE2-4f7a-8589-D6929544D13D}.exe

Filesize
60KB

MD5
9f63d3e6aad2393c0e415071dd8fcb81

SHA1
5f497cb22aa303b99c56ec9e0f607c7620c81128

SHA256
69a201d14241745e118cc086ba73effefec72a735575b643eb73e76f4f5f4d98

SHA512
112bbe68653ec6f4d3814081b64e4eac2c0706ac420d0742665e52dea29e23049ff9d4b0ab7c0a24298a9e5bd5645fc954afe54d3fbfb872a24abe6d137ed256

Download Submit
C:\Windows\{BDB4C50B-216C-4dd0-B065-6AB21AE2E500}.exe

Filesize
60KB

MD5
a953e6eb323a077b54117a3cd6d1d7e7

SHA1
c6e03beba524fb849e77e1fe85566489f386df63

SHA256
9ef3fca393ffb681cc30ebf5d5b2fe7a9b3504b5617a476ffc797304f7132683

SHA512
1a320a37deaffa582bfa0657a8f7e9d5fe942d684f438324ace52220bff0c745a1f4f88cca36c6ed67fe7c3842eb7286a35399de013cac8e7019412c79fbdc9b

Download Submit
C:\Windows\{C5200FCD-729D-41e7-B6B9-3C39D3DBBFF1}.exe

Filesize
60KB

MD5
f51e93aa06c629c48fe6adb765b24d28

SHA1
d86d05500f732478a7f19d2287de59e463ef18c2

SHA256
702e744a1e7bf22e1a75623a84a3970f297786f10516ba0110589fb63b28d0aa

SHA512
3e771eaa4794897b1d469347c5f19ad2aa2de018f789753e310f520f5de4b6bb6e9deb4f6331b9c4b4f40cb5db228730f9e645ace5cdece28ce3bf02e0262807

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads