621baa635ebb452e2014a99592feaba0b42af8d52343ffe0a9fc7efa14123db5

Analysis

max time kernel
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b373eb6e483dexeexeexeex.exe
Size

372KB
MD5

07b373eb6e483d1f4f87dd8f0d0b362b
SHA1

bb285562274d7bb2eff7826f5b0de6cbe6000305
SHA256

621baa635ebb452e2014a99592feaba0b42af8d52343ffe0a9fc7efa14123db5
SHA512

4a1b17b65e4e30a7b9db74d6d836dffbbc68938b95ccb49579cc45bcaa46c4e46f83297bcf89086a0b136c9dc671bc2bc5d160f3dfc404965f52491c67711722
SSDEEP

3072:CEGh0ormlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG8l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F809CE3-C829-46e7-92C5-735722262146}	07b373eb6e483dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528CB669-75B8-4cea-A49C-8E002D28F4E6}	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}\stubpath = "C:\\Windows\\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe"	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}\stubpath = "C:\\Windows\\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe"	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}\stubpath = "C:\\Windows\\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe"	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}\stubpath = "C:\\Windows\\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe"	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE60E89-8D47-4d0a-A283-522DF26C898D}	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87CB3956-CB60-431a-89CE-DBE88A67113B}\stubpath = "C:\\Windows\\{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe"	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}\stubpath = "C:\\Windows\\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe"	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE60E89-8D47-4d0a-A283-522DF26C898D}\stubpath = "C:\\Windows\\{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe"	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}\stubpath = "C:\\Windows\\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe"	{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F809CE3-C829-46e7-92C5-735722262146}\stubpath = "C:\\Windows\\{4F809CE3-C829-46e7-92C5-735722262146}.exe"	07b373eb6e483dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{676E9A49-CA9F-4fd2-9A49-22499453382B}	{4F809CE3-C829-46e7-92C5-735722262146}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{676E9A49-CA9F-4fd2-9A49-22499453382B}\stubpath = "C:\\Windows\\{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe"	{4F809CE3-C829-46e7-92C5-735722262146}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528CB669-75B8-4cea-A49C-8E002D28F4E6}\stubpath = "C:\\Windows\\{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe"	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87CB3956-CB60-431a-89CE-DBE88A67113B}	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}\stubpath = "C:\\Windows\\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe"	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}	{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe
3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
1184	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe
1076	{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe
2476	{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
File created	C:\Windows\{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
File created	C:\Windows\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
File created	C:\Windows\{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
File created	C:\Windows\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
File created	C:\Windows\{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	{4F809CE3-C829-46e7-92C5-735722262146}.exe
File created	C:\Windows\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
File created	C:\Windows\{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
File created	C:\Windows\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe	{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe
File created	C:\Windows\{4F809CE3-C829-46e7-92C5-735722262146}.exe	07b373eb6e483dexeexeexeex.exe
File created	C:\Windows\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
File created	C:\Windows\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3944	07b373eb6e483dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe
Token: SeIncBasePriorityPrivilege	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
Token: SeIncBasePriorityPrivilege	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
Token: SeIncBasePriorityPrivilege	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
Token: SeIncBasePriorityPrivilege	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
Token: SeIncBasePriorityPrivilege	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
Token: SeIncBasePriorityPrivilege	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
Token: SeIncBasePriorityPrivilege	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
Token: SeIncBasePriorityPrivilege	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
Token: SeIncBasePriorityPrivilege	1184	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe
Token: SeIncBasePriorityPrivilege	1076	{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 2988	3944	07b373eb6e483dexeexeexeex.exe	79
PID 3944 wrote to memory of 2988	3944	07b373eb6e483dexeexeexeex.exe	79
PID 3944 wrote to memory of 2988	3944	07b373eb6e483dexeexeexeex.exe	79
PID 3944 wrote to memory of 2940	3944	07b373eb6e483dexeexeexeex.exe	80
PID 3944 wrote to memory of 2940	3944	07b373eb6e483dexeexeexeex.exe	80
PID 3944 wrote to memory of 2940	3944	07b373eb6e483dexeexeexeex.exe	80
PID 2988 wrote to memory of 3472	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe	81
PID 2988 wrote to memory of 3472	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe	81
PID 2988 wrote to memory of 3472	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe	81
PID 2988 wrote to memory of 4516	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe	82
PID 2988 wrote to memory of 4516	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe	82
PID 2988 wrote to memory of 4516	2988	{4F809CE3-C829-46e7-92C5-735722262146}.exe	82
PID 3472 wrote to memory of 1200	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	84
PID 3472 wrote to memory of 1200	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	84
PID 3472 wrote to memory of 1200	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	84
PID 3472 wrote to memory of 1164	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	83
PID 3472 wrote to memory of 1164	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	83
PID 3472 wrote to memory of 1164	3472	{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe	83
PID 1200 wrote to memory of 544	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	85
PID 1200 wrote to memory of 544	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	85
PID 1200 wrote to memory of 544	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	85
PID 1200 wrote to memory of 4288	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	86
PID 1200 wrote to memory of 4288	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	86
PID 1200 wrote to memory of 4288	1200	{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe	86
PID 544 wrote to memory of 1192	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	87
PID 544 wrote to memory of 1192	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	87
PID 544 wrote to memory of 1192	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	87
PID 544 wrote to memory of 4036	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	88
PID 544 wrote to memory of 4036	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	88
PID 544 wrote to memory of 4036	544	{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe	88
PID 1192 wrote to memory of 3912	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	89
PID 1192 wrote to memory of 3912	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	89
PID 1192 wrote to memory of 3912	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	89
PID 1192 wrote to memory of 2944	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	90
PID 1192 wrote to memory of 2944	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	90
PID 1192 wrote to memory of 2944	1192	{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe	90
PID 3912 wrote to memory of 3184	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	91
PID 3912 wrote to memory of 3184	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	91
PID 3912 wrote to memory of 3184	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	91
PID 3912 wrote to memory of 1836	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	92
PID 3912 wrote to memory of 1836	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	92
PID 3912 wrote to memory of 1836	3912	{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe	92
PID 3184 wrote to memory of 4508	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	93
PID 3184 wrote to memory of 4508	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	93
PID 3184 wrote to memory of 4508	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	93
PID 3184 wrote to memory of 3132	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	94
PID 3184 wrote to memory of 3132	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	94
PID 3184 wrote to memory of 3132	3184	{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe	94
PID 4508 wrote to memory of 8	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	95
PID 4508 wrote to memory of 8	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	95
PID 4508 wrote to memory of 8	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	95
PID 4508 wrote to memory of 264	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	96
PID 4508 wrote to memory of 264	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	96
PID 4508 wrote to memory of 264	4508	{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe	96
PID 8 wrote to memory of 1184	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	97
PID 8 wrote to memory of 1184	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	97
PID 8 wrote to memory of 1184	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	97
PID 8 wrote to memory of 468	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	98
PID 8 wrote to memory of 468	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	98
PID 8 wrote to memory of 468	8	{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe	98
PID 1184 wrote to memory of 1076	1184	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe	99
PID 1184 wrote to memory of 1076	1184	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe	99
PID 1184 wrote to memory of 1076	1184	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe	99
PID 1184 wrote to memory of 3344	1184	{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe	100

C:\Users\Admin\AppData\Local\Temp\07b373eb6e483dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\07b373eb6e483dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\{4F809CE3-C829-46e7-92C5-735722262146}.exe
  C:\Windows\{4F809CE3-C829-46e7-92C5-735722262146}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
    C:\Windows\{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{676E9~1.EXE > nul
      4⤵
      PID:1164
  - - C:\Windows\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
      C:\Windows\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
        
        C:\Windows\{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
        
        C:\Windows\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
        
        C:\Windows\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
        
        C:\Windows\{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
        
        C:\Windows\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
        
        C:\Windows\{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe
        
        C:\Windows\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe
        
        C:\Windows\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe
        
        C:\Windows\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8BD4~1.EXE > nul
        13⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DDCA~1.EXE > nul
        12⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87CB3~1.EXE > nul
        11⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B66E~1.EXE > nul
        10⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE60~1.EXE > nul
        9⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E30E8~1.EXE > nul
        8⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FA18~1.EXE > nul
        7⤵
        
        PID:2944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{528CB~1.EXE > nul
        6⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82AEE~1.EXE > nul
        5⤵
        
        PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F809~1.EXE > nul
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\07B373~1.EXE > nul
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe

Filesize
372KB

MD5
0dde331edd9b0b46eb9e7a64c50baa31

SHA1
0dd1ecdc0f9349fd85cfdedd04867f426b1be968

SHA256
a4545344edf1d81e19c8571cbcd3a579da79ecf7197088b099cf5874d2fb34a4

SHA512
e965bfa9651e21e24331555a1680915298b62f8aeeb9dc2e33e720a0204f29b29a255f5346882f72320e486f393b213aa3ff6d310bc6d954dad421a9d5cbab7b

Download Submit
C:\Windows\{1B66E70C-0EA5-4e17-8B92-4588DCA4BB59}.exe

Filesize
372KB

MD5
0dde331edd9b0b46eb9e7a64c50baa31

SHA1
0dd1ecdc0f9349fd85cfdedd04867f426b1be968

SHA256
a4545344edf1d81e19c8571cbcd3a579da79ecf7197088b099cf5874d2fb34a4

SHA512
e965bfa9651e21e24331555a1680915298b62f8aeeb9dc2e33e720a0204f29b29a255f5346882f72320e486f393b213aa3ff6d310bc6d954dad421a9d5cbab7b

Download Submit
C:\Windows\{4F809CE3-C829-46e7-92C5-735722262146}.exe

Filesize
372KB

MD5
360042f10690230778458087761518d3

SHA1
92e0e9e906a27c50ff35a4e33535a89313ef73b2

SHA256
af630b71f00d8b2c8d7a2e545b85e08365cff426588dda16c9d4fa7c6185234a

SHA512
45bedf4245621ae1936838c3a80fb901e455f1ff4005e9d64760361476e055152582232ee0c575e5e3e0e22311c2be5c622cc78bd491b04ed20122bce0502a73

Download Submit
C:\Windows\{4F809CE3-C829-46e7-92C5-735722262146}.exe

Filesize
372KB

MD5
360042f10690230778458087761518d3

SHA1
92e0e9e906a27c50ff35a4e33535a89313ef73b2

SHA256
af630b71f00d8b2c8d7a2e545b85e08365cff426588dda16c9d4fa7c6185234a

SHA512
45bedf4245621ae1936838c3a80fb901e455f1ff4005e9d64760361476e055152582232ee0c575e5e3e0e22311c2be5c622cc78bd491b04ed20122bce0502a73

Download Submit
C:\Windows\{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe

Filesize
372KB

MD5
9e5f7f7069f16739cb01f28a55a20655

SHA1
01849b5f77429ebaa168acd9cde001a2d043ac31

SHA256
439a41206de778c88ffbc7977ad25eade33ef6e58b411c49a3a61ea819ee5a4a

SHA512
fb140cdd436c693b8514f93211c035fbf9f1e1098cfeb2bab0e22145433ce75da170576094e7fc2e0e5be322dbc70c6889ed16a5102bec8b56b199b4a13d20b2

Download Submit
C:\Windows\{528CB669-75B8-4cea-A49C-8E002D28F4E6}.exe

Filesize
372KB

MD5
9e5f7f7069f16739cb01f28a55a20655

SHA1
01849b5f77429ebaa168acd9cde001a2d043ac31

SHA256
439a41206de778c88ffbc7977ad25eade33ef6e58b411c49a3a61ea819ee5a4a

SHA512
fb140cdd436c693b8514f93211c035fbf9f1e1098cfeb2bab0e22145433ce75da170576094e7fc2e0e5be322dbc70c6889ed16a5102bec8b56b199b4a13d20b2

Download Submit
C:\Windows\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe

Filesize
372KB

MD5
82d9d69a6e3f129788ec1f711c166e25

SHA1
c11f4eead9f63ae40e5a71cb2fede2ab366094ed

SHA256
2638a3a0f1815c67652b8a21d1e68dc3a49d0c0ec01d8b2349a2f6e8751be242

SHA512
3fcd1d27f6d083702ba19a611175f18fb74534e74877eb5144cc480ed5619a3cfeb7a4b464e7374f8e4495520524de793d1d22e73cfaa49e1bf7f94f4148c0c7

Download Submit
C:\Windows\{5DDCAF41-F738-434f-9620-5B4FBC125BCB}.exe

Filesize
372KB

MD5
82d9d69a6e3f129788ec1f711c166e25

SHA1
c11f4eead9f63ae40e5a71cb2fede2ab366094ed

SHA256
2638a3a0f1815c67652b8a21d1e68dc3a49d0c0ec01d8b2349a2f6e8751be242

SHA512
3fcd1d27f6d083702ba19a611175f18fb74534e74877eb5144cc480ed5619a3cfeb7a4b464e7374f8e4495520524de793d1d22e73cfaa49e1bf7f94f4148c0c7

Download Submit
C:\Windows\{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe

Filesize
372KB

MD5
14ff9429f1526b0acfd5c231b025f381

SHA1
28b60c5c04234d928584283f16a9e14ca30f5374

SHA256
566d0ad0a5b7987a4e92d10d998e4ebbcf795c4fffd545787190cb098f6634af

SHA512
88de2b9d59787fbd691df7912ea6ea5f3a2e0c722871da9f940bd54275ae866a138d2d257f030ec81000622fb361291389cd4dd47d779bdf5288bafd0184dfa3

Download Submit
C:\Windows\{676E9A49-CA9F-4fd2-9A49-22499453382B}.exe

Filesize
372KB

MD5
14ff9429f1526b0acfd5c231b025f381

SHA1
28b60c5c04234d928584283f16a9e14ca30f5374

SHA256
566d0ad0a5b7987a4e92d10d998e4ebbcf795c4fffd545787190cb098f6634af

SHA512
88de2b9d59787fbd691df7912ea6ea5f3a2e0c722871da9f940bd54275ae866a138d2d257f030ec81000622fb361291389cd4dd47d779bdf5288bafd0184dfa3

Download Submit
C:\Windows\{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe

Filesize
372KB

MD5
797ddf5b1af01f9d302dfdbe077ae3d8

SHA1
4157fdcbc5692fd089767cd43f32ee3a22b79e47

SHA256
bca567c336d9a14dc10a4ad3cdc073b45a473e719c02b3db6fe914ec868ab914

SHA512
3d12297247f2e7d94abf1dcbd11f5e53f5b1163d64568e61ee76cb21e3aaed09d02413a18af71783fce16e2ce1208fc984d38faa47be64d5e3e4cb17f5e49e7d

Download Submit
C:\Windows\{7AE60E89-8D47-4d0a-A283-522DF26C898D}.exe

Filesize
372KB

MD5
797ddf5b1af01f9d302dfdbe077ae3d8

SHA1
4157fdcbc5692fd089767cd43f32ee3a22b79e47

SHA256
bca567c336d9a14dc10a4ad3cdc073b45a473e719c02b3db6fe914ec868ab914

SHA512
3d12297247f2e7d94abf1dcbd11f5e53f5b1163d64568e61ee76cb21e3aaed09d02413a18af71783fce16e2ce1208fc984d38faa47be64d5e3e4cb17f5e49e7d

Download Submit
C:\Windows\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe

Filesize
372KB

MD5
21c5a2b4014defd755560db842b5b94a

SHA1
ffd7dba707f51afa32ee6aff78d2a5a1c7842f8c

SHA256
8ad3ed7156fc0b073ffd17e17a428e1b453231b671c71dc04d31f442d4e5da37

SHA512
d387cd11271330337d9e30a6341c9e49402eb384875840f21e99c7b367fbcfde71861e455537934d969ec6f714e1ff25442237fd9a62b775ac417964fbb60de1

Download Submit
C:\Windows\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe

Filesize
372KB

MD5
21c5a2b4014defd755560db842b5b94a

SHA1
ffd7dba707f51afa32ee6aff78d2a5a1c7842f8c

SHA256
8ad3ed7156fc0b073ffd17e17a428e1b453231b671c71dc04d31f442d4e5da37

SHA512
d387cd11271330337d9e30a6341c9e49402eb384875840f21e99c7b367fbcfde71861e455537934d969ec6f714e1ff25442237fd9a62b775ac417964fbb60de1

Download Submit
C:\Windows\{82AEEA9B-9901-4e8b-9126-8ECF6AAF859B}.exe

Filesize
372KB

MD5
21c5a2b4014defd755560db842b5b94a

SHA1
ffd7dba707f51afa32ee6aff78d2a5a1c7842f8c

SHA256
8ad3ed7156fc0b073ffd17e17a428e1b453231b671c71dc04d31f442d4e5da37

SHA512
d387cd11271330337d9e30a6341c9e49402eb384875840f21e99c7b367fbcfde71861e455537934d969ec6f714e1ff25442237fd9a62b775ac417964fbb60de1

Download Submit
C:\Windows\{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe

Filesize
372KB

MD5
24e5cad44983275dcfd2738cc803ddc9

SHA1
1774255f001557f13184b94ca69a2cc7e51e932d

SHA256
f52a9cec5250251b10a16ec2441baa8c23ca22c076dbd65e5ff7b5571b58e36d

SHA512
c9e2b9ae1be1dd915aa0f4ae169db1894b61d82ed82d765b7ba7672da41c525e6c77927250004ae45a962bd168d3e2d1f9e7ce41ebf0b655168303048b615876

Download Submit
C:\Windows\{87CB3956-CB60-431a-89CE-DBE88A67113B}.exe

Filesize
372KB

MD5
24e5cad44983275dcfd2738cc803ddc9

SHA1
1774255f001557f13184b94ca69a2cc7e51e932d

SHA256
f52a9cec5250251b10a16ec2441baa8c23ca22c076dbd65e5ff7b5571b58e36d

SHA512
c9e2b9ae1be1dd915aa0f4ae169db1894b61d82ed82d765b7ba7672da41c525e6c77927250004ae45a962bd168d3e2d1f9e7ce41ebf0b655168303048b615876

Download Submit
C:\Windows\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe

Filesize
372KB

MD5
861f678f7ebde731981baac328606d56

SHA1
3df90b0c21ae9a7164ef7253258ade5a68868d68

SHA256
08129ee0c21c69a534e1b84c8cb12e30a651f5ec2363f17787f13028fca8d65f

SHA512
26a9dd78d8b800c6fed536c3d6f908a477ff88df58766e4663a4e6305c5021dfde934d092d9b8e952072de4b696f10c53db109dcd06451acacf9fa163139a735

Download Submit
C:\Windows\{8FA18D58-D0BB-413e-A696-26B5F6F5CE13}.exe

Filesize
372KB

MD5
861f678f7ebde731981baac328606d56

SHA1
3df90b0c21ae9a7164ef7253258ade5a68868d68

SHA256
08129ee0c21c69a534e1b84c8cb12e30a651f5ec2363f17787f13028fca8d65f

SHA512
26a9dd78d8b800c6fed536c3d6f908a477ff88df58766e4663a4e6305c5021dfde934d092d9b8e952072de4b696f10c53db109dcd06451acacf9fa163139a735

Download Submit
C:\Windows\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe

Filesize
372KB

MD5
0247ce71a00bfb1768fb90e9f4fe258b

SHA1
3425fa2dbc3f6e0c1dfb01c1def2c1b22bf558a0

SHA256
1de00ba1af195fc0a8b89e12b759a21b2dd9ae8aefa6b8ada32b7fcfaf826e1c

SHA512
e5de708698f81be807222a8db96dfe524f50ac00f69e8e0e9b3b3d1b2a6027f7cbafa9608491dae333eca2d8c73bbd785fb6355b8fdd654317bf9bf4b938383d

Download Submit
C:\Windows\{AF127F56-951C-45af-B5EB-9C91DED7CCA2}.exe

Filesize
372KB

MD5
0247ce71a00bfb1768fb90e9f4fe258b

SHA1
3425fa2dbc3f6e0c1dfb01c1def2c1b22bf558a0

SHA256
1de00ba1af195fc0a8b89e12b759a21b2dd9ae8aefa6b8ada32b7fcfaf826e1c

SHA512
e5de708698f81be807222a8db96dfe524f50ac00f69e8e0e9b3b3d1b2a6027f7cbafa9608491dae333eca2d8c73bbd785fb6355b8fdd654317bf9bf4b938383d

Download Submit
C:\Windows\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe

Filesize
372KB

MD5
9ac761007aa40cd868f0075eb7134086

SHA1
a8117e82c1011ea198ee387aba85d03106a54f45

SHA256
2f67f8f191203989824acd33c8ccb81b5bec104029ce4c4ce6c47ff2e4bbd37b

SHA512
f0fa0dcd65e796b109488f520c20d86630a10139f7c169c153da1f4e3dcec71d1c658379654cf28ffd7ad2a078f8f0cbdfd40f9fd8e4a9b23318fe7b447a243f

Download Submit
C:\Windows\{E30E826D-9BCA-4eeb-9D2B-1CF5DA7F93DC}.exe

Filesize
372KB

MD5
9ac761007aa40cd868f0075eb7134086

SHA1
a8117e82c1011ea198ee387aba85d03106a54f45

SHA256
2f67f8f191203989824acd33c8ccb81b5bec104029ce4c4ce6c47ff2e4bbd37b

SHA512
f0fa0dcd65e796b109488f520c20d86630a10139f7c169c153da1f4e3dcec71d1c658379654cf28ffd7ad2a078f8f0cbdfd40f9fd8e4a9b23318fe7b447a243f

Download Submit
C:\Windows\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe

Filesize
372KB

MD5
44e727b0dc8cf6fa0f0e5d951a332a7f

SHA1
4996a7e71c0d648a5277006326676c26f067c0a3

SHA256
606d7790a183ac953d73433001e7f776f58a6c26adc378a812c1c49daf46f6a3

SHA512
d447ba9c71c7ffbd66d4ffb42b935589011809e08eb2a5c76c17b46ba474aed763acb627d03c1db5979784a320b1e3e02eae0a068ad45e0422d7aba55243730d

Download Submit
C:\Windows\{E8BD4628-EEB8-4ddb-87F5-272B70FCB6F7}.exe

Filesize
372KB

MD5
44e727b0dc8cf6fa0f0e5d951a332a7f

SHA1
4996a7e71c0d648a5277006326676c26f067c0a3

SHA256
606d7790a183ac953d73433001e7f776f58a6c26adc378a812c1c49daf46f6a3

SHA512
d447ba9c71c7ffbd66d4ffb42b935589011809e08eb2a5c76c17b46ba474aed763acb627d03c1db5979784a320b1e3e02eae0a068ad45e0422d7aba55243730d

Download Submit