8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Size

116KB
MD5

bb4836099b6e2b6240e85f9505e44ec4
SHA1

99c3b49c4aa6832068d38b147ebec76cfad63fce
SHA256

8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51
SHA512

24d67d17f2b90df814c316f7d9c8f1c6672c4a01aab9cb4dffb378c9c806b9a6bd5e3683d47a8365fadbc829fa0e45b0690ac804effbf1333187999896a58edb
SSDEEP

768:Qvw9816vhKQLroc4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0ocl2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe
1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe
4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe
2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
3736	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
1252	{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe
5108	{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03650C69-3824-4607-A12E-CDF5E9849F94}	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}\stubpath = "C:\\Windows\\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe"	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF053FEA-B144-4bc4-8C49-773CA6713D44}	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}\stubpath = "C:\\Windows\\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe"	{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}\stubpath = "C:\\Windows\\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe"	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A08E6F82-893F-42ae-9152-2BBA0A24C834}\stubpath = "C:\\Windows\\{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe"	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03650C69-3824-4607-A12E-CDF5E9849F94}\stubpath = "C:\\Windows\\{03650C69-3824-4607-A12E-CDF5E9849F94}.exe"	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}	{0BE05890-490F-4537-84E3-625D13323F48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}\stubpath = "C:\\Windows\\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe"	{0BE05890-490F-4537-84E3-625D13323F48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}\stubpath = "C:\\Windows\\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe"	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF053FEA-B144-4bc4-8C49-773CA6713D44}\stubpath = "C:\\Windows\\{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe"	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}\stubpath = "C:\\Windows\\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe"	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A08E6F82-893F-42ae-9152-2BBA0A24C834}	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BE05890-490F-4537-84E3-625D13323F48}	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BE05890-490F-4537-84E3-625D13323F48}\stubpath = "C:\\Windows\\{0BE05890-490F-4537-84E3-625D13323F48}.exe"	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}\stubpath = "C:\\Windows\\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe"	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}	{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}\stubpath = "C:\\Windows\\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe"	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
File created	C:\Windows\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
File created	C:\Windows\{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
File created	C:\Windows\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe	{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe
File created	C:\Windows\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe
File created	C:\Windows\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
File created	C:\Windows\{0BE05890-490F-4537-84E3-625D13323F48}.exe	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
File created	C:\Windows\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	{0BE05890-490F-4537-84E3-625D13323F48}.exe
File created	C:\Windows\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
File created	C:\Windows\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
File created	C:\Windows\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
File created	C:\Windows\{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Token: SeIncBasePriorityPrivilege	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe
Token: SeIncBasePriorityPrivilege	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
Token: SeIncBasePriorityPrivilege	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
Token: SeIncBasePriorityPrivilege	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe
Token: SeIncBasePriorityPrivilege	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
Token: SeIncBasePriorityPrivilege	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe
Token: SeIncBasePriorityPrivilege	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
Token: SeIncBasePriorityPrivilege	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
Token: SeIncBasePriorityPrivilege	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
Token: SeIncBasePriorityPrivilege	3736	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
Token: SeIncBasePriorityPrivilege	1252	{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3964	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	84
PID 4880 wrote to memory of 3964	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	84
PID 4880 wrote to memory of 3964	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	84
PID 4880 wrote to memory of 1144	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	85
PID 4880 wrote to memory of 1144	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	85
PID 4880 wrote to memory of 1144	4880	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	85
PID 3964 wrote to memory of 1256	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	92
PID 3964 wrote to memory of 1256	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	92
PID 3964 wrote to memory of 1256	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	92
PID 3964 wrote to memory of 3324	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	93
PID 3964 wrote to memory of 3324	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	93
PID 3964 wrote to memory of 3324	3964	{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe	93
PID 1256 wrote to memory of 3724	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	95
PID 1256 wrote to memory of 3724	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	95
PID 1256 wrote to memory of 3724	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	95
PID 1256 wrote to memory of 4296	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	96
PID 1256 wrote to memory of 4296	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	96
PID 1256 wrote to memory of 4296	1256	{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe	96
PID 3724 wrote to memory of 4168	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	97
PID 3724 wrote to memory of 4168	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	97
PID 3724 wrote to memory of 4168	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	97
PID 3724 wrote to memory of 4532	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	98
PID 3724 wrote to memory of 4532	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	98
PID 3724 wrote to memory of 4532	3724	{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe	98
PID 4168 wrote to memory of 4332	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	99
PID 4168 wrote to memory of 4332	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	99
PID 4168 wrote to memory of 4332	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	99
PID 4168 wrote to memory of 1932	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	100
PID 4168 wrote to memory of 1932	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	100
PID 4168 wrote to memory of 1932	4168	{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe	100
PID 4332 wrote to memory of 1444	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	101
PID 4332 wrote to memory of 1444	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	101
PID 4332 wrote to memory of 1444	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	101
PID 4332 wrote to memory of 4024	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	102
PID 4332 wrote to memory of 4024	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	102
PID 4332 wrote to memory of 4024	4332	{03650C69-3824-4607-A12E-CDF5E9849F94}.exe	102
PID 1444 wrote to memory of 2412	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe	103
PID 1444 wrote to memory of 2412	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe	103
PID 1444 wrote to memory of 2412	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe	103
PID 1444 wrote to memory of 3748	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe	104
PID 1444 wrote to memory of 3748	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe	104
PID 1444 wrote to memory of 3748	1444	{0BE05890-490F-4537-84E3-625D13323F48}.exe	104
PID 2412 wrote to memory of 1784	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	105
PID 2412 wrote to memory of 1784	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	105
PID 2412 wrote to memory of 1784	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	105
PID 2412 wrote to memory of 4516	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	106
PID 2412 wrote to memory of 4516	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	106
PID 2412 wrote to memory of 4516	2412	{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe	106
PID 1784 wrote to memory of 3624	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	107
PID 1784 wrote to memory of 3624	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	107
PID 1784 wrote to memory of 3624	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	107
PID 1784 wrote to memory of 3600	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	108
PID 1784 wrote to memory of 3600	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	108
PID 1784 wrote to memory of 3600	1784	{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe	108
PID 3624 wrote to memory of 3736	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	109
PID 3624 wrote to memory of 3736	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	109
PID 3624 wrote to memory of 3736	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	109
PID 3624 wrote to memory of 4556	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	110
PID 3624 wrote to memory of 4556	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	110
PID 3624 wrote to memory of 4556	3624	{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe	110
PID 3736 wrote to memory of 1252	3736	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe	111
PID 3736 wrote to memory of 1252	3736	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe	111
PID 3736 wrote to memory of 1252	3736	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe	111
PID 3736 wrote to memory of 1780	3736	{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe	112

C:\Users\Admin\AppData\Local\Temp\8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
"C:\Users\Admin\AppData\Local\Temp\8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe
  C:\Windows\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
    C:\Windows\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
      C:\Windows\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe
        
        C:\Windows\{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
        
        C:\Windows\{03650C69-3824-4607-A12E-CDF5E9849F94}.exe
        6⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{0BE05890-490F-4537-84E3-625D13323F48}.exe
        
        C:\Windows\{0BE05890-490F-4537-84E3-625D13323F48}.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
        
        C:\Windows\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe
        8⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
        
        C:\Windows\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
        
        C:\Windows\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe
        10⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
        
        C:\Windows\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe
        11⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe
        
        C:\Windows\{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe
        12⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe
        
        C:\Windows\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe
        13⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF053~1.EXE > nul
        13⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AC89~1.EXE > nul
        12⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00D7C~1.EXE > nul
        11⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1823F~1.EXE > nul
        10⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F34D5~1.EXE > nul
        9⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BE05~1.EXE > nul
        8⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03650~1.EXE > nul
        7⤵
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A08E6~1.EXE > nul
        6⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF40~1.EXE > nul
        5⤵
        
        PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C147A~1.EXE > nul
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C2B~1.EXE > nul
    3⤵
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E6A97~1.EXE > nul
  2⤵
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe

Filesize
116KB

MD5
e5bf9c5fac6ad134b14927f1134f4e77

SHA1
f71a26316d03e524b61f4684c4fdbeff23f8ea8e

SHA256
84723fd0bbc46d02db4dae643e7155ca6b2e41bc097b3ea27fa97917e646a0fb

SHA512
8c264c30390305711d1c8850e3bb3c50c46f8198b2453e2c8768fe6e2bee99d9b38f9d9f4d3227156ba6f3e46fd0336723210b4dd613f1bbf894a5728411e122

Download Submit
C:\Windows\{00D7C7FF-24BD-400f-BBF1-D93EE392A0F5}.exe

Filesize
116KB

MD5
e5bf9c5fac6ad134b14927f1134f4e77

SHA1
f71a26316d03e524b61f4684c4fdbeff23f8ea8e

SHA256
84723fd0bbc46d02db4dae643e7155ca6b2e41bc097b3ea27fa97917e646a0fb

SHA512
8c264c30390305711d1c8850e3bb3c50c46f8198b2453e2c8768fe6e2bee99d9b38f9d9f4d3227156ba6f3e46fd0336723210b4dd613f1bbf894a5728411e122

Download Submit
C:\Windows\{03650C69-3824-4607-A12E-CDF5E9849F94}.exe

Filesize
116KB

MD5
e714ae07814e249be926a92386dc31cd

SHA1
721dc9813c91ff40e7a17753fb16f253f20e9cb1

SHA256
90ac7bdaa64d8b6975e7baae7dd1792b6a9ec9bfa077e71a73bc2a8523825944

SHA512
21b9857bfa5b1cf9517042547e9ac523038b450f56c217100e21a613a0c5f0e1497ebac479b9c44806e6b456b1465c7dce9660d2fad94888b801d274bb3983a9

Download Submit
C:\Windows\{03650C69-3824-4607-A12E-CDF5E9849F94}.exe

Filesize
116KB

MD5
e714ae07814e249be926a92386dc31cd

SHA1
721dc9813c91ff40e7a17753fb16f253f20e9cb1

SHA256
90ac7bdaa64d8b6975e7baae7dd1792b6a9ec9bfa077e71a73bc2a8523825944

SHA512
21b9857bfa5b1cf9517042547e9ac523038b450f56c217100e21a613a0c5f0e1497ebac479b9c44806e6b456b1465c7dce9660d2fad94888b801d274bb3983a9

Download Submit
C:\Windows\{0BE05890-490F-4537-84E3-625D13323F48}.exe

Filesize
116KB

MD5
26e42e8cd619d91d9ddba10b365ef0a9

SHA1
57e4cd7aa7b5bca0e1cde69ccb076f831d54fa28

SHA256
78dab88b77663f24c4e2863fbb2285364b73d27a246875b92ea2d5ae4e3e458c

SHA512
836fb01470e49dd0326f4fc0a3a432c9218a9daf0aeb8bed7ea2925ac3705bedb297574052c3853e7bd2aca5e340527c11a8df4651216d564e897b7c546727d9

Download Submit
C:\Windows\{0BE05890-490F-4537-84E3-625D13323F48}.exe

Filesize
116KB

MD5
26e42e8cd619d91d9ddba10b365ef0a9

SHA1
57e4cd7aa7b5bca0e1cde69ccb076f831d54fa28

SHA256
78dab88b77663f24c4e2863fbb2285364b73d27a246875b92ea2d5ae4e3e458c

SHA512
836fb01470e49dd0326f4fc0a3a432c9218a9daf0aeb8bed7ea2925ac3705bedb297574052c3853e7bd2aca5e340527c11a8df4651216d564e897b7c546727d9

Download Submit
C:\Windows\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe

Filesize
116KB

MD5
8aab770602a72b4fe193fba507f891b3

SHA1
103d5084e1a7b8134cb02b5c8a19016fc5e1f0cb

SHA256
1ecf9f7fc85bd60e892a10ac962f59e88e378fbc6bb02bd22c5263dfa0141666

SHA512
519d7f853991f31e0b3377b5939f36c73a24427a4ea3c4027189eb0a54715f0563f99a3b2c4f4fee0facd3db3831100a52217801f275356c71a0850396424009

Download Submit
C:\Windows\{1823FD0A-DEAD-48f2-8228-AB2D53744D1C}.exe

Filesize
116KB

MD5
8aab770602a72b4fe193fba507f891b3

SHA1
103d5084e1a7b8134cb02b5c8a19016fc5e1f0cb

SHA256
1ecf9f7fc85bd60e892a10ac962f59e88e378fbc6bb02bd22c5263dfa0141666

SHA512
519d7f853991f31e0b3377b5939f36c73a24427a4ea3c4027189eb0a54715f0563f99a3b2c4f4fee0facd3db3831100a52217801f275356c71a0850396424009

Download Submit
C:\Windows\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe

Filesize
116KB

MD5
734c8025271839f13ad4510125ccba3b

SHA1
cad31e8aee28fb9587ed067648da17c8035fe723

SHA256
764fd970f59b5cf1b8ecaa2286cd75290b3fcc2e20868bca0661b562325e6af7

SHA512
704e501b81cb9fca17bb5dd0ba1d2ff2cc8c98fdc550ba5572cdb07806f0dabc42d09dfa946aacef436d4544976e3653c4071326f5aabb5ff8175e1b6a7dc893

Download Submit
C:\Windows\{3AC89B3D-B5D9-42b3-87ED-8571B88A1D7F}.exe

Filesize
116KB

MD5
734c8025271839f13ad4510125ccba3b

SHA1
cad31e8aee28fb9587ed067648da17c8035fe723

SHA256
764fd970f59b5cf1b8ecaa2286cd75290b3fcc2e20868bca0661b562325e6af7

SHA512
704e501b81cb9fca17bb5dd0ba1d2ff2cc8c98fdc550ba5572cdb07806f0dabc42d09dfa946aacef436d4544976e3653c4071326f5aabb5ff8175e1b6a7dc893

Download Submit
C:\Windows\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe

Filesize
116KB

MD5
1ede1e86e8a3563d2c6b1b4ccdba5046

SHA1
b7513df7142287e41afab4b21f1640cda91532c3

SHA256
1399d8a03f62ed266a9c2e10e99d6f8e295f98d507a9f4e77bb158e9215f9585

SHA512
80e11add0f84a7d450afeab12ff732a28f9cdc57d951544f559170ba81022b54447f290814dc23b4eb291ac5a3278a361def772fefa05ae2b90418427e3e9255

Download Submit
C:\Windows\{8617C9A0-2B0C-48d1-A9FB-52B57A1777B6}.exe

Filesize
116KB

MD5
1ede1e86e8a3563d2c6b1b4ccdba5046

SHA1
b7513df7142287e41afab4b21f1640cda91532c3

SHA256
1399d8a03f62ed266a9c2e10e99d6f8e295f98d507a9f4e77bb158e9215f9585

SHA512
80e11add0f84a7d450afeab12ff732a28f9cdc57d951544f559170ba81022b54447f290814dc23b4eb291ac5a3278a361def772fefa05ae2b90418427e3e9255

Download Submit
C:\Windows\{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe

Filesize
116KB

MD5
7a54baa817b02b58ae6926ad56fe1b55

SHA1
302f3e739d9d63207bcb3956fa15a9ca170e3041

SHA256
b1304cdbbbea1c58eae3a03ba909199f28eeafc871102906d13705c3a1a07df7

SHA512
b4cc43799c6cde2e28ecb39aaf28e4d5338e855dead1ad52b7206d38b768f86834d6be6fc5e3f629953e75f5e8b61ef5cc5b02e4280cbf9efd3e620c7adc3c95

Download Submit
C:\Windows\{A08E6F82-893F-42ae-9152-2BBA0A24C834}.exe

Filesize
116KB

MD5
7a54baa817b02b58ae6926ad56fe1b55

SHA1
302f3e739d9d63207bcb3956fa15a9ca170e3041

SHA256
b1304cdbbbea1c58eae3a03ba909199f28eeafc871102906d13705c3a1a07df7

SHA512
b4cc43799c6cde2e28ecb39aaf28e4d5338e855dead1ad52b7206d38b768f86834d6be6fc5e3f629953e75f5e8b61ef5cc5b02e4280cbf9efd3e620c7adc3c95

Download Submit
C:\Windows\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe

Filesize
116KB

MD5
f74af67f2d62abbb75ffc67c96ae0c54

SHA1
3abec42eb8a6fa3e24b7e94539b00ae6ae00bfec

SHA256
efdc5f16259d40d6b3c78f70ffce09e2294ea92eb003ef73b0cb612359157d2f

SHA512
74190f67605e27256845fbdd9d360997e8764cbdaa5127ea10263b92bdbea5e59cf83374b7510c19b8a9cd44c809f153082822a770bf0dcb365f71cfb8013fb3

Download Submit
C:\Windows\{AFF40322-BC4F-4ffb-9DB4-F4D1CD1E147F}.exe

Filesize
116KB

MD5
f74af67f2d62abbb75ffc67c96ae0c54

SHA1
3abec42eb8a6fa3e24b7e94539b00ae6ae00bfec

SHA256
efdc5f16259d40d6b3c78f70ffce09e2294ea92eb003ef73b0cb612359157d2f

SHA512
74190f67605e27256845fbdd9d360997e8764cbdaa5127ea10263b92bdbea5e59cf83374b7510c19b8a9cd44c809f153082822a770bf0dcb365f71cfb8013fb3

Download Submit
C:\Windows\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe

Filesize
116KB

MD5
a489f6d7825d1efa384a6e61bb48ee80

SHA1
c599e72e0e195414f147f9b08d6e28b865730f94

SHA256
7afc0680b58c3c4feef2f4d49dece7ddf45c1320eed46c87ae7f320ed1f43ac6

SHA512
acc93f486d1214ceab194ab699bd587b15e2d8117910f5e01aff256e1708b5a06134695bbe9d84093a21fb21104aa510dc256c2efaf849fc803d730b979e4c6a

Download Submit
C:\Windows\{C147AD9B-0A9F-4ca9-8A22-2E4F07AD60C1}.exe

Filesize
116KB

MD5
a489f6d7825d1efa384a6e61bb48ee80

SHA1
c599e72e0e195414f147f9b08d6e28b865730f94

SHA256
7afc0680b58c3c4feef2f4d49dece7ddf45c1320eed46c87ae7f320ed1f43ac6

SHA512
acc93f486d1214ceab194ab699bd587b15e2d8117910f5e01aff256e1708b5a06134695bbe9d84093a21fb21104aa510dc256c2efaf849fc803d730b979e4c6a

Download Submit
C:\Windows\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe

Filesize
116KB

MD5
5c9b68a63b2fbeef58b529b43bbe267b

SHA1
e6b63b950ea10287f5e2437ffd2ac8d85844c509

SHA256
da2966b3322c45863be7502190a9f4596e07c8c8e1f1ab7344f6100518ce0955

SHA512
5bedebeb42a31b1e6dadb788031370801e3106b9e795def58ae709649e8029fc288e4a02fb68b1f8a20157f43fe44fe225e0766b9d3b9749608e042cf7b823e6

Download Submit
C:\Windows\{D1C2BBF7-275F-4a84-8B36-8A34D21A3327}.exe

Filesize
116KB

MD5
5c9b68a63b2fbeef58b529b43bbe267b

SHA1
e6b63b950ea10287f5e2437ffd2ac8d85844c509

SHA256
da2966b3322c45863be7502190a9f4596e07c8c8e1f1ab7344f6100518ce0955

SHA512
5bedebeb42a31b1e6dadb788031370801e3106b9e795def58ae709649e8029fc288e4a02fb68b1f8a20157f43fe44fe225e0766b9d3b9749608e042cf7b823e6

Download Submit
C:\Windows\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe

Filesize
116KB

MD5
6130b00c13921e430058ee5f761b511e

SHA1
0295577b33203f77acee966b71958dc62c6b5d78

SHA256
820c49ababcfba3810725c5e6a1f7dd03dd58c2317b2a7acebd44f70941733fe

SHA512
4c0dacf6545efcc2b71aec2f0767889c603f62bd8f7fa890326144e277c294218f7f3da5758d2306f961692452881d133262aca8d53d3d95e135161f549d149a

Download Submit
C:\Windows\{F34D5786-8083-4b50-9A4F-94CF83CB59F1}.exe

Filesize
116KB

MD5
6130b00c13921e430058ee5f761b511e

SHA1
0295577b33203f77acee966b71958dc62c6b5d78

SHA256
820c49ababcfba3810725c5e6a1f7dd03dd58c2317b2a7acebd44f70941733fe

SHA512
4c0dacf6545efcc2b71aec2f0767889c603f62bd8f7fa890326144e277c294218f7f3da5758d2306f961692452881d133262aca8d53d3d95e135161f549d149a

Download Submit
C:\Windows\{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe

Filesize
116KB

MD5
a80fa2f41e3740f5322e5223ad80d352

SHA1
c4429ae87e7f23301bfb148a7ce76a02dba6b124

SHA256
0a738c81f951e5721945fbb6538371f776d34fdda0bf13233d02f2c4752f7be4

SHA512
b96bd38a7a43b6feb38ddfaa52dd998a16bd2556aa9956b597b8523d0f169df998f90c6fb0b1df95ec8b11163a6cc350ec8f2a570f3a41aeb8d2e8b638e99465

Download Submit
C:\Windows\{FF053FEA-B144-4bc4-8C49-773CA6713D44}.exe

Filesize
116KB

MD5
a80fa2f41e3740f5322e5223ad80d352

SHA1
c4429ae87e7f23301bfb148a7ce76a02dba6b124

SHA256
0a738c81f951e5721945fbb6538371f776d34fdda0bf13233d02f2c4752f7be4

SHA512
b96bd38a7a43b6feb38ddfaa52dd998a16bd2556aa9956b597b8523d0f169df998f90c6fb0b1df95ec8b11163a6cc350ec8f2a570f3a41aeb8d2e8b638e99465

Download Submit