70244899ec73565901840e668aff5873373843d244edfdb2798f1e800f798125

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7e653dfc4aecexeexeexeex.exe
Size

168KB
MD5

0b7e653dfc4aec12c077dff8f68c5b1a
SHA1

111b58bfe998a32f67f7eaa22200d332aadc2937
SHA256

70244899ec73565901840e668aff5873373843d244edfdb2798f1e800f798125
SHA512

62f1c71c1a2aace0b2e52d4c86320ba2ea88f85e3ed96ff7e4d3f9fcca2a38fb5f801eee6948a9a9ccff75eb7a159750dace23a32b688bd99dbaead677c609b4
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A565F4AA-171B-4315-B445-A919244A2E57}	0b7e653dfc4aecexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}\stubpath = "C:\\Windows\\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe"	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}\stubpath = "C:\\Windows\\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe"	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{744E4496-22D0-4e34-A5F8-668C087FE10B}	{92976207-F2BE-4310-B073-253FA2F1425E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}\stubpath = "C:\\Windows\\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe"	{A565F4AA-171B-4315-B445-A919244A2E57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}\stubpath = "C:\\Windows\\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe"	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{744E4496-22D0-4e34-A5F8-668C087FE10B}\stubpath = "C:\\Windows\\{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe"	{92976207-F2BE-4310-B073-253FA2F1425E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A565F4AA-171B-4315-B445-A919244A2E57}\stubpath = "C:\\Windows\\{A565F4AA-171B-4315-B445-A919244A2E57}.exe"	0b7e653dfc4aecexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}	{A565F4AA-171B-4315-B445-A919244A2E57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{284943F9-3BFC-44c4-BE6F-78648B971794}\stubpath = "C:\\Windows\\{284943F9-3BFC-44c4-BE6F-78648B971794}.exe"	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}\stubpath = "C:\\Windows\\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe"	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}\stubpath = "C:\\Windows\\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe"	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{284943F9-3BFC-44c4-BE6F-78648B971794}	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}\stubpath = "C:\\Windows\\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe"	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}\stubpath = "C:\\Windows\\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe"	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92976207-F2BE-4310-B073-253FA2F1425E}	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92976207-F2BE-4310-B073-253FA2F1425E}\stubpath = "C:\\Windows\\{92976207-F2BE-4310-B073-253FA2F1425E}.exe"	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe

Executes dropped EXE 12 IoCs

pid	Process
4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe
2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
3664	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe
4412	{92976207-F2BE-4310-B073-253FA2F1425E}.exe
4680	{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
File created	C:\Windows\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
File created	C:\Windows\{A565F4AA-171B-4315-B445-A919244A2E57}.exe	0b7e653dfc4aecexeexeexeex.exe
File created	C:\Windows\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	{A565F4AA-171B-4315-B445-A919244A2E57}.exe
File created	C:\Windows\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
File created	C:\Windows\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
File created	C:\Windows\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
File created	C:\Windows\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
File created	C:\Windows\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
File created	C:\Windows\{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
File created	C:\Windows\{92976207-F2BE-4310-B073-253FA2F1425E}.exe	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe
File created	C:\Windows\{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe	{92976207-F2BE-4310-B073-253FA2F1425E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3836	0b7e653dfc4aecexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe
Token: SeIncBasePriorityPrivilege	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
Token: SeIncBasePriorityPrivilege	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
Token: SeIncBasePriorityPrivilege	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
Token: SeIncBasePriorityPrivilege	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
Token: SeIncBasePriorityPrivilege	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
Token: SeIncBasePriorityPrivilege	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
Token: SeIncBasePriorityPrivilege	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
Token: SeIncBasePriorityPrivilege	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
Token: SeIncBasePriorityPrivilege	3664	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe
Token: SeIncBasePriorityPrivilege	4412	{92976207-F2BE-4310-B073-253FA2F1425E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 4028	3836	0b7e653dfc4aecexeexeexeex.exe	87
PID 3836 wrote to memory of 4028	3836	0b7e653dfc4aecexeexeexeex.exe	87
PID 3836 wrote to memory of 4028	3836	0b7e653dfc4aecexeexeexeex.exe	87
PID 3836 wrote to memory of 2000	3836	0b7e653dfc4aecexeexeexeex.exe	88
PID 3836 wrote to memory of 2000	3836	0b7e653dfc4aecexeexeexeex.exe	88
PID 3836 wrote to memory of 2000	3836	0b7e653dfc4aecexeexeexeex.exe	88
PID 4028 wrote to memory of 2612	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe	89
PID 4028 wrote to memory of 2612	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe	89
PID 4028 wrote to memory of 2612	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe	89
PID 4028 wrote to memory of 1968	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe	90
PID 4028 wrote to memory of 1968	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe	90
PID 4028 wrote to memory of 1968	4028	{A565F4AA-171B-4315-B445-A919244A2E57}.exe	90
PID 2612 wrote to memory of 4360	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	95
PID 2612 wrote to memory of 4360	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	95
PID 2612 wrote to memory of 4360	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	95
PID 2612 wrote to memory of 2420	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	94
PID 2612 wrote to memory of 2420	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	94
PID 2612 wrote to memory of 2420	2612	{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe	94
PID 4360 wrote to memory of 1560	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	96
PID 4360 wrote to memory of 1560	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	96
PID 4360 wrote to memory of 1560	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	96
PID 4360 wrote to memory of 4752	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	97
PID 4360 wrote to memory of 4752	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	97
PID 4360 wrote to memory of 4752	4360	{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe	97
PID 1560 wrote to memory of 4744	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	98
PID 1560 wrote to memory of 4744	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	98
PID 1560 wrote to memory of 4744	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	98
PID 1560 wrote to memory of 2924	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	99
PID 1560 wrote to memory of 2924	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	99
PID 1560 wrote to memory of 2924	1560	{284943F9-3BFC-44c4-BE6F-78648B971794}.exe	99
PID 4744 wrote to memory of 4580	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	100
PID 4744 wrote to memory of 4580	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	100
PID 4744 wrote to memory of 4580	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	100
PID 4744 wrote to memory of 2520	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	101
PID 4744 wrote to memory of 2520	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	101
PID 4744 wrote to memory of 2520	4744	{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe	101
PID 4580 wrote to memory of 1032	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	102
PID 4580 wrote to memory of 1032	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	102
PID 4580 wrote to memory of 1032	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	102
PID 4580 wrote to memory of 1180	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	103
PID 4580 wrote to memory of 1180	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	103
PID 4580 wrote to memory of 1180	4580	{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe	103
PID 1032 wrote to memory of 1956	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	104
PID 1032 wrote to memory of 1956	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	104
PID 1032 wrote to memory of 1956	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	104
PID 1032 wrote to memory of 552	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	105
PID 1032 wrote to memory of 552	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	105
PID 1032 wrote to memory of 552	1032	{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe	105
PID 1956 wrote to memory of 2108	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	106
PID 1956 wrote to memory of 2108	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	106
PID 1956 wrote to memory of 2108	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	106
PID 1956 wrote to memory of 2544	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	107
PID 1956 wrote to memory of 2544	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	107
PID 1956 wrote to memory of 2544	1956	{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe	107
PID 2108 wrote to memory of 3664	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	108
PID 2108 wrote to memory of 3664	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	108
PID 2108 wrote to memory of 3664	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	108
PID 2108 wrote to memory of 3620	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	109
PID 2108 wrote to memory of 3620	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	109
PID 2108 wrote to memory of 3620	2108	{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe	109
PID 3664 wrote to memory of 4412	3664	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe	110
PID 3664 wrote to memory of 4412	3664	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe	110
PID 3664 wrote to memory of 4412	3664	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe	110
PID 3664 wrote to memory of 4484	3664	{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe	111

C:\Users\Admin\AppData\Local\Temp\0b7e653dfc4aecexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0b7e653dfc4aecexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\{A565F4AA-171B-4315-B445-A919244A2E57}.exe
  C:\Windows\{A565F4AA-171B-4315-B445-A919244A2E57}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
    C:\Windows\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C390~1.EXE > nul
      4⤵
      PID:2420
  - - C:\Windows\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
      C:\Windows\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
        
        C:\Windows\{284943F9-3BFC-44c4-BE6F-78648B971794}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
        
        C:\Windows\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
        
        C:\Windows\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
        
        C:\Windows\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
        
        C:\Windows\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
        
        C:\Windows\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe
        
        C:\Windows\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{92976207-F2BE-4310-B073-253FA2F1425E}.exe
        
        C:\Windows\{92976207-F2BE-4310-B073-253FA2F1425E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe
        
        C:\Windows\{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92976~1.EXE > nul
        13⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59FAF~1.EXE > nul
        12⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DEF5~1.EXE > nul
        11⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CABAD~1.EXE > nul
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10E34~1.EXE > nul
        9⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A78~1.EXE > nul
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC609~1.EXE > nul
        7⤵
        
        PID:2520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28494~1.EXE > nul
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1263E~1.EXE > nul
        5⤵
        
        PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A565F~1.EXE > nul
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B7E65~1.EXE > nul
  2⤵
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe

Filesize
168KB

MD5
4cbaf557a45fc4ee81eac0db5b19b131

SHA1
c0ff89ffb03a9d3ca7770838b4bd2c29a06d5c2c

SHA256
2aadac2f9d85a9e46b391db8e74c917e78e3a9b6f35737b48ddd70fb3e8cd664

SHA512
8eceb4128e5f3ccfc58b106504d1073a24ca891e43c5c8ea37d21cda34ea9a66a096d499c59745d568d419910e34cdaf241ad6d8a37f380834dbde80e5a1035f

Download Submit
C:\Windows\{10E3427C-CB88-4e9a-B38C-27D9D6A0C3BD}.exe

Filesize
168KB

MD5
4cbaf557a45fc4ee81eac0db5b19b131

SHA1
c0ff89ffb03a9d3ca7770838b4bd2c29a06d5c2c

SHA256
2aadac2f9d85a9e46b391db8e74c917e78e3a9b6f35737b48ddd70fb3e8cd664

SHA512
8eceb4128e5f3ccfc58b106504d1073a24ca891e43c5c8ea37d21cda34ea9a66a096d499c59745d568d419910e34cdaf241ad6d8a37f380834dbde80e5a1035f

Download Submit
C:\Windows\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe

Filesize
168KB

MD5
b02d60c7271345e12e167d2dddc80f6c

SHA1
a4d48d69438b0b2b10efbfa842520268ebf89513

SHA256
f23e0c39b673ca1180a7815bb895fa672d08d6f9260cefcea7bc4dd2377debee

SHA512
bb9befa1311aec2ae23a11f5f4fab942b747768a30ce48572ca10b233982647fe4226be2a8a505c1f58293ed9906f2d0965c6b54cdf2e108d6733e6ffe90c1e2

Download Submit
C:\Windows\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe

Filesize
168KB

MD5
b02d60c7271345e12e167d2dddc80f6c

SHA1
a4d48d69438b0b2b10efbfa842520268ebf89513

SHA256
f23e0c39b673ca1180a7815bb895fa672d08d6f9260cefcea7bc4dd2377debee

SHA512
bb9befa1311aec2ae23a11f5f4fab942b747768a30ce48572ca10b233982647fe4226be2a8a505c1f58293ed9906f2d0965c6b54cdf2e108d6733e6ffe90c1e2

Download Submit
C:\Windows\{1263E3BE-7B53-4812-9A7F-17B7387EEA7F}.exe

Filesize
168KB

MD5
b02d60c7271345e12e167d2dddc80f6c

SHA1
a4d48d69438b0b2b10efbfa842520268ebf89513

SHA256
f23e0c39b673ca1180a7815bb895fa672d08d6f9260cefcea7bc4dd2377debee

SHA512
bb9befa1311aec2ae23a11f5f4fab942b747768a30ce48572ca10b233982647fe4226be2a8a505c1f58293ed9906f2d0965c6b54cdf2e108d6733e6ffe90c1e2

Download Submit
C:\Windows\{284943F9-3BFC-44c4-BE6F-78648B971794}.exe

Filesize
168KB

MD5
088c8240b93dab2aee457846b527fc02

SHA1
71da060aaf6bb03cc59e5a598ef6d3c1af9833b9

SHA256
c5e1e41a58e3d950a04d18d07fbb8fae43f7364dac9bf99c105b264d1abe2c11

SHA512
ef7d03019ac93b5cd3f44ac456db2a175c20db674bd06b9292d56ac3bd24bd1604222703f099c59c3f7a150814e930ea7dc18d6dd1231b494c2b0d1aeacddaf7

Download Submit
C:\Windows\{284943F9-3BFC-44c4-BE6F-78648B971794}.exe

Filesize
168KB

MD5
088c8240b93dab2aee457846b527fc02

SHA1
71da060aaf6bb03cc59e5a598ef6d3c1af9833b9

SHA256
c5e1e41a58e3d950a04d18d07fbb8fae43f7364dac9bf99c105b264d1abe2c11

SHA512
ef7d03019ac93b5cd3f44ac456db2a175c20db674bd06b9292d56ac3bd24bd1604222703f099c59c3f7a150814e930ea7dc18d6dd1231b494c2b0d1aeacddaf7

Download Submit
C:\Windows\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe

Filesize
168KB

MD5
04716f172a6a847c7eca1c34ab4d32f1

SHA1
1e679dee32f45e68bce37bf8d507cc5f0c741c0b

SHA256
b2502192a523420d2e59d6995442daaedd6d9be59276a93b3ba37650ed9bb0eb

SHA512
89660ee4770eae5122e9d29c446ea515ffd57800a0ced71ec5503960a681653b648ce32909582b490974bb228761bdef35c338e5e0e08a674d27537f005d887a

Download Submit
C:\Windows\{47A78D5F-BA96-42c1-82DE-4DB9A8AFA5A5}.exe

Filesize
168KB

MD5
04716f172a6a847c7eca1c34ab4d32f1

SHA1
1e679dee32f45e68bce37bf8d507cc5f0c741c0b

SHA256
b2502192a523420d2e59d6995442daaedd6d9be59276a93b3ba37650ed9bb0eb

SHA512
89660ee4770eae5122e9d29c446ea515ffd57800a0ced71ec5503960a681653b648ce32909582b490974bb228761bdef35c338e5e0e08a674d27537f005d887a

Download Submit
C:\Windows\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe

Filesize
168KB

MD5
7bf5ed4993c58368fd27a396e7f16271

SHA1
d089ad3389dbbf66c1cdb61fdd5c5d3de269bdd8

SHA256
2d3e7621795971e29da236519f9b32adef32d7d459abc6aee796e32c03cb9ccf

SHA512
d0ae365cd7ffb6b264f686e179717fc031b0c0e677dd572e43120069914f0a8e1cdb91930eba32d1dc69c465501b1848667ea24f3145214a36076f9c22ac6df2

Download Submit
C:\Windows\{59FAFD65-BCB5-4243-8B74-6B2ABC62C026}.exe

Filesize
168KB

MD5
7bf5ed4993c58368fd27a396e7f16271

SHA1
d089ad3389dbbf66c1cdb61fdd5c5d3de269bdd8

SHA256
2d3e7621795971e29da236519f9b32adef32d7d459abc6aee796e32c03cb9ccf

SHA512
d0ae365cd7ffb6b264f686e179717fc031b0c0e677dd572e43120069914f0a8e1cdb91930eba32d1dc69c465501b1848667ea24f3145214a36076f9c22ac6df2

Download Submit
C:\Windows\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe

Filesize
168KB

MD5
5419e749ebbf7a2ff8603f1e2a1e9d42

SHA1
1d23190746ba39ba7409f3c234a2d99a68956c15

SHA256
c9f748d44f5cd4697b27ed2587fc20ac2bd365a7ce5914933ea4e9e5be615fff

SHA512
da2a4478ddd457746b08b3551170f4c29eac6d6ca8ccd36caba2232755f37f0eaf81352c660b9b4982c41cc81e093c9b1cad9c64d0f67582b1670ee6a40c3461

Download Submit
C:\Windows\{6C3903CD-CA3E-4715-B118-5DCFC2E625C3}.exe

Filesize
168KB

MD5
5419e749ebbf7a2ff8603f1e2a1e9d42

SHA1
1d23190746ba39ba7409f3c234a2d99a68956c15

SHA256
c9f748d44f5cd4697b27ed2587fc20ac2bd365a7ce5914933ea4e9e5be615fff

SHA512
da2a4478ddd457746b08b3551170f4c29eac6d6ca8ccd36caba2232755f37f0eaf81352c660b9b4982c41cc81e093c9b1cad9c64d0f67582b1670ee6a40c3461

Download Submit
C:\Windows\{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe

Filesize
168KB

MD5
bd1ab4ad2b58da7843ad33ca560700f4

SHA1
1b35d3b2c389b45103f8d0446f5014c2984916b8

SHA256
e3bda3d4c609726bf8f50de9c3ca3c44d8298031cee7276a214d4c0f9de0f19a

SHA512
17273066b266f2fe9e804deb1a3f99c2643f7253fba684f2828ca28afd3e9e2f62705e08be904a0ff300999a330af2527a1dfb720abe6a3731f276dc02c800b2

Download Submit
C:\Windows\{744E4496-22D0-4e34-A5F8-668C087FE10B}.exe

Filesize
168KB

MD5
bd1ab4ad2b58da7843ad33ca560700f4

SHA1
1b35d3b2c389b45103f8d0446f5014c2984916b8

SHA256
e3bda3d4c609726bf8f50de9c3ca3c44d8298031cee7276a214d4c0f9de0f19a

SHA512
17273066b266f2fe9e804deb1a3f99c2643f7253fba684f2828ca28afd3e9e2f62705e08be904a0ff300999a330af2527a1dfb720abe6a3731f276dc02c800b2

Download Submit
C:\Windows\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe

Filesize
168KB

MD5
816ff8708f3ff33b75657cf2c96ff7a2

SHA1
186993e55070eeda0fac0477dfc751273cc6b644

SHA256
833e4f876148aeda347ad5f9f1779978d318a8e2826ba8f24ab3ee3a50dacdc2

SHA512
b0bf4c2341e51753d120a8ebaf428225219279c84c790b8db4c44deb910340815663c9eb6ad29ad02111c0254266be4e5154fcd545155ddf41714e3e080bc5b6

Download Submit
C:\Windows\{8DEF5709-0E1C-4aa2-8703-CA4B100A1CDD}.exe

Filesize
168KB

MD5
816ff8708f3ff33b75657cf2c96ff7a2

SHA1
186993e55070eeda0fac0477dfc751273cc6b644

SHA256
833e4f876148aeda347ad5f9f1779978d318a8e2826ba8f24ab3ee3a50dacdc2

SHA512
b0bf4c2341e51753d120a8ebaf428225219279c84c790b8db4c44deb910340815663c9eb6ad29ad02111c0254266be4e5154fcd545155ddf41714e3e080bc5b6

Download Submit
C:\Windows\{92976207-F2BE-4310-B073-253FA2F1425E}.exe

Filesize
168KB

MD5
29eba100086719675d71e2c8455f1ca3

SHA1
931a0edd7900b4686a48d5d9a30754af6080c69d

SHA256
f2a28120bcc1b9631d770e95e9a9efad7ce536d6c7436f9c01a7cf7eeb58c20f

SHA512
496492f01de7a63b15acaaad7b19fbc5c03e6c153e949f31169dad34333566ea883732bc5e26810e1a8647d704f9c0615a4171913317ad24a729697921ba52f0

Download Submit
C:\Windows\{92976207-F2BE-4310-B073-253FA2F1425E}.exe

Filesize
168KB

MD5
29eba100086719675d71e2c8455f1ca3

SHA1
931a0edd7900b4686a48d5d9a30754af6080c69d

SHA256
f2a28120bcc1b9631d770e95e9a9efad7ce536d6c7436f9c01a7cf7eeb58c20f

SHA512
496492f01de7a63b15acaaad7b19fbc5c03e6c153e949f31169dad34333566ea883732bc5e26810e1a8647d704f9c0615a4171913317ad24a729697921ba52f0

Download Submit
C:\Windows\{A565F4AA-171B-4315-B445-A919244A2E57}.exe

Filesize
168KB

MD5
2b7309b83262fd91c30c49700b638347

SHA1
54ade3413ac9c42543dd4d1e799a9abcbdaac6da

SHA256
a01f4093a9fd5cb4dfbcedcb91a0412390ec41456b0f60c2040354324b027555

SHA512
3161e056654b20f8bf51261500d75a2fb5d8e54fe3d3809862a4230b958be3d3cadb92de71c07adbd65171b9508f11f2078fa293d1578c8b5ab1fd3532376619

Download Submit
C:\Windows\{A565F4AA-171B-4315-B445-A919244A2E57}.exe

Filesize
168KB

MD5
2b7309b83262fd91c30c49700b638347

SHA1
54ade3413ac9c42543dd4d1e799a9abcbdaac6da

SHA256
a01f4093a9fd5cb4dfbcedcb91a0412390ec41456b0f60c2040354324b027555

SHA512
3161e056654b20f8bf51261500d75a2fb5d8e54fe3d3809862a4230b958be3d3cadb92de71c07adbd65171b9508f11f2078fa293d1578c8b5ab1fd3532376619

Download Submit
C:\Windows\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe

Filesize
168KB

MD5
9d207b78d13828d75554c95b2fa14be4

SHA1
fe70154545bc18167d202a5ea553714178fa6999

SHA256
c87aae75bded130c8fc213bdb18209400f8590ee967a984462d0de04046a6900

SHA512
66344b5436215ede0d7cc260f075106c949cc24d1e29c6f255b53e72dfcc667b209247769d5ee35140da51d675988a408ab102cdba707dae1868e9267eda9c3c

Download Submit
C:\Windows\{CABAD0A9-DEE5-485c-8DF5-8320BF93645C}.exe

Filesize
168KB

MD5
9d207b78d13828d75554c95b2fa14be4

SHA1
fe70154545bc18167d202a5ea553714178fa6999

SHA256
c87aae75bded130c8fc213bdb18209400f8590ee967a984462d0de04046a6900

SHA512
66344b5436215ede0d7cc260f075106c949cc24d1e29c6f255b53e72dfcc667b209247769d5ee35140da51d675988a408ab102cdba707dae1868e9267eda9c3c

Download Submit
C:\Windows\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe

Filesize
168KB

MD5
ff33eab65315c43cfb32be697a46d26c

SHA1
de23ef95d6d972fff9222ce8ddd2f49fe014874b

SHA256
4bdfe3a56ef1182e423d0d24c73e13545b0e3fc139d6d711b2ebe007156511e8

SHA512
5aead6d0340c1ec876269b33417c6877e72a1be6d07b57260c2df771f59faf752891d6446d332ce0c0f99e2a4f912e6400432b6d50b6814b77e7254ae758436e

Download Submit
C:\Windows\{FC60932E-A435-442d-AE4B-0BAA62F4A5A8}.exe

Filesize
168KB

MD5
ff33eab65315c43cfb32be697a46d26c

SHA1
de23ef95d6d972fff9222ce8ddd2f49fe014874b

SHA256
4bdfe3a56ef1182e423d0d24c73e13545b0e3fc139d6d711b2ebe007156511e8

SHA512
5aead6d0340c1ec876269b33417c6877e72a1be6d07b57260c2df771f59faf752891d6446d332ce0c0f99e2a4f912e6400432b6d50b6814b77e7254ae758436e

Download Submit