49da9344d88869b93c3dddfd0800f78daa6906d2ca50aaefee6e4fa282c867fb

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7696421b95628297fb70568fe413a30b.exe
Size

216KB
MD5

7696421b95628297fb70568fe413a30b
SHA1

6589ba00a75425f6d1b6f774efd07971205f933e
SHA256

49da9344d88869b93c3dddfd0800f78daa6906d2ca50aaefee6e4fa282c867fb
SHA512

e7edf11d020370ce34cc83cf8509884ee522ce7961278f639ed26d1b784ee5dc1fd5a3788f7d135f0921cc6da3fe4d4ff82b29f1d6caf66893556cfec4cc64e7
SSDEEP

3072:jEGh0o8l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG+lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CB86536-B840-4d66-B6D4-5C81D005A749}	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C36FCF5-FC97-4472-BADF-757282833E67}\stubpath = "C:\\Windows\\{4C36FCF5-FC97-4472-BADF-757282833E67}.exe"	7696421b95628297fb70568fe413a30b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2636316F-C1E8-4edf-8910-A3967CEC2196}\stubpath = "C:\\Windows\\{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe"	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E140891-F54E-41ec-8C4F-B483104B446F}	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71A64663-008F-4bc6-BAA7-9340745097CC}\stubpath = "C:\\Windows\\{71A64663-008F-4bc6-BAA7-9340745097CC}.exe"	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}\stubpath = "C:\\Windows\\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe"	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCEC483-AD35-4211-8E72-3EC20DA07991}	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}\stubpath = "C:\\Windows\\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe"	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E140891-F54E-41ec-8C4F-B483104B446F}\stubpath = "C:\\Windows\\{2E140891-F54E-41ec-8C4F-B483104B446F}.exe"	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}\stubpath = "C:\\Windows\\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe"	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36B4EC87-175F-4654-AE00-878992EBA609}\stubpath = "C:\\Windows\\{36B4EC87-175F-4654-AE00-878992EBA609}.exe"	{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C36FCF5-FC97-4472-BADF-757282833E67}	7696421b95628297fb70568fe413a30b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2636316F-C1E8-4edf-8910-A3967CEC2196}	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}\stubpath = "C:\\Windows\\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe"	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71A64663-008F-4bc6-BAA7-9340745097CC}	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CB86536-B840-4d66-B6D4-5C81D005A749}\stubpath = "C:\\Windows\\{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe"	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCEC483-AD35-4211-8E72-3EC20DA07991}\stubpath = "C:\\Windows\\{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe"	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36B4EC87-175F-4654-AE00-878992EBA609}	{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}\stubpath = "C:\\Windows\\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe"	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe

Executes dropped EXE 12 IoCs

pid	Process
208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe
3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
1796	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe
3264	{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe
4408	{36B4EC87-175F-4654-AE00-878992EBA609}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
File created	C:\Windows\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
File created	C:\Windows\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
File created	C:\Windows\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
File created	C:\Windows\{36B4EC87-175F-4654-AE00-878992EBA609}.exe	{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe
File created	C:\Windows\{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	7696421b95628297fb70568fe413a30b.exe
File created	C:\Windows\{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
File created	C:\Windows\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe
File created	C:\Windows\{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
File created	C:\Windows\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
File created	C:\Windows\{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
File created	C:\Windows\{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2296	7696421b95628297fb70568fe413a30b.exe
Token: SeIncBasePriorityPrivilege	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
Token: SeIncBasePriorityPrivilege	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
Token: SeIncBasePriorityPrivilege	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
Token: SeIncBasePriorityPrivilege	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
Token: SeIncBasePriorityPrivilege	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe
Token: SeIncBasePriorityPrivilege	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
Token: SeIncBasePriorityPrivilege	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
Token: SeIncBasePriorityPrivilege	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
Token: SeIncBasePriorityPrivilege	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
Token: SeIncBasePriorityPrivilege	1796	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe
Token: SeIncBasePriorityPrivilege	3264	{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 208	2296	7696421b95628297fb70568fe413a30b.exe	81
PID 2296 wrote to memory of 208	2296	7696421b95628297fb70568fe413a30b.exe	81
PID 2296 wrote to memory of 208	2296	7696421b95628297fb70568fe413a30b.exe	81
PID 2296 wrote to memory of 4416	2296	7696421b95628297fb70568fe413a30b.exe	82
PID 2296 wrote to memory of 4416	2296	7696421b95628297fb70568fe413a30b.exe	82
PID 2296 wrote to memory of 4416	2296	7696421b95628297fb70568fe413a30b.exe	82
PID 208 wrote to memory of 3224	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	83
PID 208 wrote to memory of 3224	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	83
PID 208 wrote to memory of 3224	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	83
PID 208 wrote to memory of 3356	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	84
PID 208 wrote to memory of 3356	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	84
PID 208 wrote to memory of 3356	208	{4C36FCF5-FC97-4472-BADF-757282833E67}.exe	84
PID 3224 wrote to memory of 2156	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	90
PID 3224 wrote to memory of 2156	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	90
PID 3224 wrote to memory of 2156	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	90
PID 3224 wrote to memory of 3172	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	91
PID 3224 wrote to memory of 3172	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	91
PID 3224 wrote to memory of 3172	3224	{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe	91
PID 2156 wrote to memory of 1296	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	94
PID 2156 wrote to memory of 1296	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	94
PID 2156 wrote to memory of 1296	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	94
PID 2156 wrote to memory of 3384	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	95
PID 2156 wrote to memory of 3384	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	95
PID 2156 wrote to memory of 3384	2156	{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe	95
PID 1296 wrote to memory of 1512	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	96
PID 1296 wrote to memory of 1512	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	96
PID 1296 wrote to memory of 1512	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	96
PID 1296 wrote to memory of 2384	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	97
PID 1296 wrote to memory of 2384	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	97
PID 1296 wrote to memory of 2384	1296	{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe	97
PID 1512 wrote to memory of 3868	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	98
PID 1512 wrote to memory of 3868	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	98
PID 1512 wrote to memory of 3868	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	98
PID 1512 wrote to memory of 1536	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	99
PID 1512 wrote to memory of 1536	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	99
PID 1512 wrote to memory of 1536	1512	{2E140891-F54E-41ec-8C4F-B483104B446F}.exe	99
PID 3868 wrote to memory of 2420	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	100
PID 3868 wrote to memory of 2420	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	100
PID 3868 wrote to memory of 2420	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	100
PID 3868 wrote to memory of 2412	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	101
PID 3868 wrote to memory of 2412	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	101
PID 3868 wrote to memory of 2412	3868	{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe	101
PID 2420 wrote to memory of 4356	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	102
PID 2420 wrote to memory of 4356	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	102
PID 2420 wrote to memory of 4356	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	102
PID 2420 wrote to memory of 1732	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	103
PID 2420 wrote to memory of 1732	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	103
PID 2420 wrote to memory of 1732	2420	{71A64663-008F-4bc6-BAA7-9340745097CC}.exe	103
PID 4356 wrote to memory of 2828	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	104
PID 4356 wrote to memory of 2828	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	104
PID 4356 wrote to memory of 2828	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	104
PID 4356 wrote to memory of 2656	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	105
PID 4356 wrote to memory of 2656	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	105
PID 4356 wrote to memory of 2656	4356	{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe	105
PID 2828 wrote to memory of 1796	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	106
PID 2828 wrote to memory of 1796	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	106
PID 2828 wrote to memory of 1796	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	106
PID 2828 wrote to memory of 4588	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	107
PID 2828 wrote to memory of 4588	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	107
PID 2828 wrote to memory of 4588	2828	{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe	107
PID 1796 wrote to memory of 3264	1796	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe	108
PID 1796 wrote to memory of 3264	1796	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe	108
PID 1796 wrote to memory of 3264	1796	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe	108
PID 1796 wrote to memory of 1508	1796	{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe	109

C:\Users\Admin\AppData\Local\Temp\7696421b95628297fb70568fe413a30b.exe
"C:\Users\Admin\AppData\Local\Temp\7696421b95628297fb70568fe413a30b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
  C:\Windows\{4C36FCF5-FC97-4472-BADF-757282833E67}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
    C:\Windows\{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
      C:\Windows\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
        
        C:\Windows\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Windows\{2E140891-F54E-41ec-8C4F-B483104B446F}.exe
        
        C:\Windows\{2E140891-F54E-41ec-8C4F-B483104B446F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
        
        C:\Windows\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
        
        C:\Windows\{71A64663-008F-4bc6-BAA7-9340745097CC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
        
        C:\Windows\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
        
        C:\Windows\{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe
        
        C:\Windows\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe
        
        C:\Windows\{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\{36B4EC87-175F-4654-AE00-878992EBA609}.exe
        
        C:\Windows\{36B4EC87-175F-4654-AE00-878992EBA609}.exe
        13⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FCEC~1.EXE > nul
        13⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3745~1.EXE > nul
        12⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CB86~1.EXE > nul
        11⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C7C~1.EXE > nul
        10⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A64~1.EXE > nul
        9⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46CCB~1.EXE > nul
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E140~1.EXE > nul
        7⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E86~1.EXE > nul
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11AA9~1.EXE > nul
        5⤵
        
        PID:3384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{26363~1.EXE > nul
      4⤵
      PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4C36F~1.EXE > nul
    3⤵
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\769642~1.EXE > nul
  2⤵
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C7C8CB-4784-4a8e-A87E-DC04CDBE7967}.exe

Filesize
216KB

MD5
ee687e8b81275cf3eb7cdb3e76c6b2f7

SHA1
7825107c52bfa85b6cd7ddbee09b2385165cebba

SHA256
fa56d1999c836193e4fc6274eff3c2fb032b08f38d8197978eea8b005e0a3465

SHA512
844dab1be8a1627645686bf28bf42fdb666244288aa6cc426959b582a46711edc0045a42ff4648ab2cbae4bfbfb3bb2ce13d1e2fcd1820cfb0ec5e210001afc9

Download Submit
C:\Windows\{11AA9BD6-F5CE-4225-855A-0EF248A8DCEB}.exe

Filesize
216KB

MD5
8930940091b2a72388590b3db08dbf7d

SHA1
980d23e9e99d83a1f81c4914420497202cd3df87

SHA256
8bf9e183196b2304bdb404c5d32291648767d14adcd36fd148fcc0626cddc6af

SHA512
3aa50364770fc4ba92b57fe017d8487353ec423336668bfb5355394ec51f2af2dc74ad52ffbbf65521c1e42ade3cc24e2fe287a7b457739472901832c161aefd

Download Submit
C:\Windows\{2636316F-C1E8-4edf-8910-A3967CEC2196}.exe

Filesize
216KB

MD5
9bbc7f0644eb6191979f6edc72ea48b5

SHA1
08229cba4dbca99f983415a3e032d602f38e3a73

SHA256
64299ef10471f422887f263d20f94e4847f17860835b4c5d1daf8154d85d5997

SHA512
4568a429b7012704eadc3b51620f3482f021f91db019d034542dbe2c093aedfef173b1edc4ea2be11b42f57cc1d463f952454c7d4876b6b26c0746b6bc162f08

Download Submit
C:\Windows\{2E140891-F54E-41ec-8C4F-B483104B446F}.exe

Filesize
216KB

MD5
a57048e1dbfebad73f3c3c6b35d77e33

SHA1
2a93325c27478e41ccb99031ad60363370d58848

SHA256
c912e805e884137a3a6d9a5deee3450c1b61b44468be3e8b81543f263bf7df7e

SHA512
c0bd4c9c20d5b1a6de4304f28d6b499171e56a4985867f07b2d6c262796560332ec2b4c8d0fe6b565b20b18d4c6908e352d6c75a5c892933016f7984a08a24bb

Download Submit
C:\Windows\{36B4EC87-175F-4654-AE00-878992EBA609}.exe

Filesize
216KB

MD5
f5e0447425324a6770dd9e601f4d21a9

SHA1
c1486993afbb36e121b310cf04a2399c4f0897ba

SHA256
878b4e4240bb8611f1194028b51ac2e91e9ec17f6384058aedb2bb9cb735e4a9

SHA512
366d2bec742e01fd28ce6ddc9770606e35c9248afd1349ef41aeebb86592b75735bf3f865f92f2205d20c5f5fdacbdd3d2001c8b0ecc0ce7e5e6bb8777b162b8

Download Submit
C:\Windows\{46CCBB1A-9B0A-4f91-A9AF-F681FC7CB52B}.exe

Filesize
216KB

MD5
df25c8b175ecf1f870efd2bd32bb9c0a

SHA1
0a67c33813c39576d48c1dfc66c14601901a9940

SHA256
4ae8ef336a835aa5012feb67f88fc22df2398dce77b0768943db4e8c9e230f47

SHA512
bbf4cf9ffa781836c1661f7dc626b57546be9d0fd8ed30bdd82ad77fbee17b5be4ce4ffdd08434007dc2b041bdb56e53f78ec8990c2ec9f14c03b04fdd386fbc

Download Submit
C:\Windows\{4C36FCF5-FC97-4472-BADF-757282833E67}.exe

Filesize
216KB

MD5
bc893e6bd10943b5cee8230a57809ed0

SHA1
56d4b51f315927afcc7e7c9508cbf7bbe21c37a1

SHA256
250c83a26cb6b5cd4dc88daedab2735bfb3e05f014eca3fc141229d5671d0e19

SHA512
f9004719e16d6843e5ba22bbac4c973da9e301ffdeb8905e366f2af597dca409f451af1b255bf9b6c8d4e4c8d49c36a5c0b9921d1aa7dbac209e9a0983003d2f

Download Submit
C:\Windows\{6CB86536-B840-4d66-B6D4-5C81D005A749}.exe

Filesize
216KB

MD5
68b04708cebbeb55cc236483bd77682b

SHA1
7e073f5ff88e937700fe9ba8d3bbe18b0150a010

SHA256
94e7cf434aeaf217cf795ea7e88a02385cbe3dc875ab5e090f83ae91792330b4

SHA512
93c89a351388f2c85dae7275d4903e6b8b0e4fda60d13b832641f8bc6449b4d2f01e318e8d73d0d9e707ac565ca73eea09f3f60b8ae83047b6d34df319725464

Download Submit
C:\Windows\{71A64663-008F-4bc6-BAA7-9340745097CC}.exe

Filesize
216KB

MD5
eaba01372d0079cab8d708df987aaa61

SHA1
f37ad97fc5a3547c3a66c4be3a36edab95f84f5d

SHA256
042d7ea2d8c9d14a7e5646b1d9262c67e7186c4ce56867cfc38fa656c220913f

SHA512
b271a322f66c1c1612c7bfca1f1a90d23a2722ad75d606fda9b92600c6f784a283ff2b72f468bb238d84a53f35bcee717990bb8da83bb41edfa436543332ceb4

Download Submit
C:\Windows\{9FCEC483-AD35-4211-8E72-3EC20DA07991}.exe

Filesize
216KB

MD5
d86ad500feb60982ca55f226330bcff8

SHA1
de55a4b5eeab4cffd19d2e46176341fbfe433f0c

SHA256
6ce0b08303154b96121003c91d788e37c5ae7bb7e0be537bf2e799d28d58d4e9

SHA512
19a549715bb98e751a44ffd3e0f819db750606ffa5759fd84ce713a39cf74c60a764d815552634f7f4eb6fdcb4603421fcce15896b563c10637df67fbb6dc5c0

Download Submit
C:\Windows\{E1E86948-F1F4-4a93-BB45-CC84E7B16558}.exe

Filesize
216KB

MD5
90e0ad714b63c4be6dcf9007fcc44fee

SHA1
be048cd941e9d43c93e5c6af3ad162c56e91ef97

SHA256
ffbf6e455a6a8ddf4e3b352efad243d744e2c9ba92a71d8eae8cc313039785b0

SHA512
797ffd7d70511ee22b838624b73415c5e0fa74ffe8ebd6cdf335d780ae4c8cff753b031e10e9840fa5c6f1215df68be1f389e79d30a63e25a9a32247fcaff1c3

Download Submit
C:\Windows\{F37457C0-CC9C-41bd-A75E-7EB8652E20FE}.exe

Filesize
216KB

MD5
c62becb3fa22e6a0f6068218e39edc06

SHA1
a4a928a07f7bb1202d073f45dd326a055a357f9f

SHA256
72897c144131bb98c8e9b5bf945c3e2b8fded250acbfc12df2485d9a34e4204c

SHA512
3b8a41d2e363a016d99fa380aad20f204a8c9666a447ecd59dd3fe4f572a8a95cb9b441b12f1ac9c1d671c02152d2abbef933e9e996a3005300f8ef50b6363b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads