7a72e8d6b921e4752fa436b5fc232413a8e4b660164e929831c8c3d87ed62b08

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1248c0a39b1615exeexeexeex.exe
Size

168KB
MD5

1248c0a39b16150e33bad441d6a65ecc
SHA1

8b0461933e5ed775984a5d781cc7e29fd46a8513
SHA256

7a72e8d6b921e4752fa436b5fc232413a8e4b660164e929831c8c3d87ed62b08
SHA512

f0e289c67393138ef30d615f79b4b4a80cc7ebe9273ebee31049ee7c8c7bcae9f39cbbc3babf827e4df12876f3f46c10c1063487ff3f85bffe2e4d6146b67055
SSDEEP

1536:1EGh0oalq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oalqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103B7C22-5486-4e78-9DC4-E170A46C4734}	1248c0a39b1615exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81533B35-8753-430d-8E32-82782145DE22}	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}\stubpath = "C:\\Windows\\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe"	{81533B35-8753-430d-8E32-82782145DE22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B9B61BB-923F-4789-A573-5E4C755B99C4}\stubpath = "C:\\Windows\\{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe"	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{893F1924-307E-4f2a-B17E-5C905C165DE8}\stubpath = "C:\\Windows\\{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe"	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4706F413-9BCD-41de-9BDA-32BB97B3051C}	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103B7C22-5486-4e78-9DC4-E170A46C4734}\stubpath = "C:\\Windows\\{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe"	1248c0a39b1615exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B52027-A45E-4e22-B692-5D19F8262C30}\stubpath = "C:\\Windows\\{15B52027-A45E-4e22-B692-5D19F8262C30}.exe"	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A541A11-3915-454a-A03C-F9156DCA0B5C}	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A541A11-3915-454a-A03C-F9156DCA0B5C}\stubpath = "C:\\Windows\\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe"	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81533B35-8753-430d-8E32-82782145DE22}\stubpath = "C:\\Windows\\{81533B35-8753-430d-8E32-82782145DE22}.exe"	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B503335-A68E-4690-9260-368DBE2ECADA}	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{893F1924-307E-4f2a-B17E-5C905C165DE8}	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}\stubpath = "C:\\Windows\\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe"	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4706F413-9BCD-41de-9BDA-32BB97B3051C}\stubpath = "C:\\Windows\\{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe"	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0E374BA-AE86-4b1e-8007-562C2536399B}	{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}	{81533B35-8753-430d-8E32-82782145DE22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}\stubpath = "C:\\Windows\\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe"	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0E374BA-AE86-4b1e-8007-562C2536399B}\stubpath = "C:\\Windows\\{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe"	{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B52027-A45E-4e22-B692-5D19F8262C30}	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B9B61BB-923F-4789-A573-5E4C755B99C4}	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B503335-A68E-4690-9260-368DBE2ECADA}\stubpath = "C:\\Windows\\{3B503335-A68E-4690-9260-368DBE2ECADA}.exe"	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe

Executes dropped EXE 12 IoCs

pid	Process
1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
4812	{81533B35-8753-430d-8E32-82782145DE22}.exe
4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe
2912	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
2144	{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe
4540	{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
File created	C:\Windows\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
File created	C:\Windows\{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
File created	C:\Windows\{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe	{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe
File created	C:\Windows\{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
File created	C:\Windows\{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
File created	C:\Windows\{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
File created	C:\Windows\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe
File created	C:\Windows\{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	1248c0a39b1615exeexeexeex.exe
File created	C:\Windows\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
File created	C:\Windows\{81533B35-8753-430d-8E32-82782145DE22}.exe	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
File created	C:\Windows\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	{81533B35-8753-430d-8E32-82782145DE22}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3584	1248c0a39b1615exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
Token: SeIncBasePriorityPrivilege	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
Token: SeIncBasePriorityPrivilege	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
Token: SeIncBasePriorityPrivilege	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe
Token: SeIncBasePriorityPrivilege	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
Token: SeIncBasePriorityPrivilege	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
Token: SeIncBasePriorityPrivilege	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
Token: SeIncBasePriorityPrivilege	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
Token: SeIncBasePriorityPrivilege	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe
Token: SeIncBasePriorityPrivilege	2912	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
Token: SeIncBasePriorityPrivilege	2144	{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 1744	3584	1248c0a39b1615exeexeexeex.exe	88
PID 3584 wrote to memory of 1744	3584	1248c0a39b1615exeexeexeex.exe	88
PID 3584 wrote to memory of 1744	3584	1248c0a39b1615exeexeexeex.exe	88
PID 3584 wrote to memory of 4248	3584	1248c0a39b1615exeexeexeex.exe	89
PID 3584 wrote to memory of 4248	3584	1248c0a39b1615exeexeexeex.exe	89
PID 3584 wrote to memory of 4248	3584	1248c0a39b1615exeexeexeex.exe	89
PID 1744 wrote to memory of 3716	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	90
PID 1744 wrote to memory of 3716	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	90
PID 1744 wrote to memory of 3716	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	90
PID 1744 wrote to memory of 3492	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	91
PID 1744 wrote to memory of 3492	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	91
PID 1744 wrote to memory of 3492	1744	{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe	91
PID 3716 wrote to memory of 3488	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	95
PID 3716 wrote to memory of 3488	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	95
PID 3716 wrote to memory of 3488	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	95
PID 3716 wrote to memory of 1828	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	96
PID 3716 wrote to memory of 1828	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	96
PID 3716 wrote to memory of 1828	3716	{15B52027-A45E-4e22-B692-5D19F8262C30}.exe	96
PID 3488 wrote to memory of 4812	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	97
PID 3488 wrote to memory of 4812	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	97
PID 3488 wrote to memory of 4812	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	97
PID 3488 wrote to memory of 3148	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	98
PID 3488 wrote to memory of 3148	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	98
PID 3488 wrote to memory of 3148	3488	{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe	98
PID 4812 wrote to memory of 4776	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe	99
PID 4812 wrote to memory of 4776	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe	99
PID 4812 wrote to memory of 4776	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe	99
PID 4812 wrote to memory of 4876	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe	100
PID 4812 wrote to memory of 4876	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe	100
PID 4812 wrote to memory of 4876	4812	{81533B35-8753-430d-8E32-82782145DE22}.exe	100
PID 4776 wrote to memory of 4788	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	101
PID 4776 wrote to memory of 4788	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	101
PID 4776 wrote to memory of 4788	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	101
PID 4776 wrote to memory of 1552	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	102
PID 4776 wrote to memory of 1552	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	102
PID 4776 wrote to memory of 1552	4776	{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe	102
PID 4788 wrote to memory of 5112	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	103
PID 4788 wrote to memory of 5112	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	103
PID 4788 wrote to memory of 5112	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	103
PID 4788 wrote to memory of 4144	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	104
PID 4788 wrote to memory of 4144	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	104
PID 4788 wrote to memory of 4144	4788	{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe	104
PID 5112 wrote to memory of 2988	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	106
PID 5112 wrote to memory of 2988	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	106
PID 5112 wrote to memory of 2988	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	106
PID 5112 wrote to memory of 3980	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	105
PID 5112 wrote to memory of 3980	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	105
PID 5112 wrote to memory of 3980	5112	{3B503335-A68E-4690-9260-368DBE2ECADA}.exe	105
PID 2988 wrote to memory of 4108	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	107
PID 2988 wrote to memory of 4108	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	107
PID 2988 wrote to memory of 4108	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	107
PID 2988 wrote to memory of 1440	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	108
PID 2988 wrote to memory of 1440	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	108
PID 2988 wrote to memory of 1440	2988	{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe	108
PID 4108 wrote to memory of 2912	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	111
PID 4108 wrote to memory of 2912	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	111
PID 4108 wrote to memory of 2912	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	111
PID 4108 wrote to memory of 688	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	112
PID 4108 wrote to memory of 688	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	112
PID 4108 wrote to memory of 688	4108	{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe	112
PID 2912 wrote to memory of 2144	2912	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe	113
PID 2912 wrote to memory of 2144	2912	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe	113
PID 2912 wrote to memory of 2144	2912	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe	113
PID 2912 wrote to memory of 2208	2912	{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe	114

C:\Users\Admin\AppData\Local\Temp\1248c0a39b1615exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\1248c0a39b1615exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
  C:\Windows\{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
    C:\Windows\{15B52027-A45E-4e22-B692-5D19F8262C30}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
      C:\Windows\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\{81533B35-8753-430d-8E32-82782145DE22}.exe
        
        C:\Windows\{81533B35-8753-430d-8E32-82782145DE22}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Windows\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
        
        C:\Windows\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
        
        C:\Windows\{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
        
        C:\Windows\{3B503335-A68E-4690-9260-368DBE2ECADA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B503~1.EXE > nul
        9⤵
        
        PID:3980
        
        C:\Windows\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
        
        C:\Windows\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe
        
        C:\Windows\{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
        
        C:\Windows\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe
        
        C:\Windows\{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe
        
        C:\Windows\{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4706F~1.EXE > nul
        13⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D61~1.EXE > nul
        12⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{893F1~1.EXE > nul
        11⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44AC7~1.EXE > nul
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B9B6~1.EXE > nul
        8⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15CF5~1.EXE > nul
        7⤵
        
        PID:1552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81533~1.EXE > nul
        6⤵
        
        PID:4876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A541~1.EXE > nul
        5⤵
        
        PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15B52~1.EXE > nul
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{103B7~1.EXE > nul
    3⤵
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1248C0~1.EXE > nul
  2⤵
  PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe

Filesize
168KB

MD5
82844bc4e4e11ca4501af2b32ff28a20

SHA1
a8035c7e7643ca5bbc6ce67e05f2f2b1f4e271d8

SHA256
bf0ef2041bde21ad399e43fc620f960982af71614b3699915174431e96ac184c

SHA512
486e8547bacd738c25698c7f60add1db5c955ad10bcb86014544e2fdb541c4303372da1cc6efa1bfd6f3aa87089ba6da34fd9782c14200f2e4eb5649e270f6a3

Download Submit
C:\Windows\{103B7C22-5486-4e78-9DC4-E170A46C4734}.exe

Filesize
168KB

MD5
82844bc4e4e11ca4501af2b32ff28a20

SHA1
a8035c7e7643ca5bbc6ce67e05f2f2b1f4e271d8

SHA256
bf0ef2041bde21ad399e43fc620f960982af71614b3699915174431e96ac184c

SHA512
486e8547bacd738c25698c7f60add1db5c955ad10bcb86014544e2fdb541c4303372da1cc6efa1bfd6f3aa87089ba6da34fd9782c14200f2e4eb5649e270f6a3

Download Submit
C:\Windows\{15B52027-A45E-4e22-B692-5D19F8262C30}.exe

Filesize
168KB

MD5
bfc4c57acc7603ea14e64dddc37b5258

SHA1
722396182c074b899bafdc88d2e6d821b0699501

SHA256
c7df6f0196ecb6032bc5b1a8a4ed86d1fdac32450eb18a98aebd661d9ad26edb

SHA512
a0fc68a5c62141beab0a21569503bea085a5472a4cd14168c89cb2b6ee673ae72418977dd3ca76ef7de7fec8f095f59d211630882391e3aa40ce349cb0b3ad18

Download Submit
C:\Windows\{15B52027-A45E-4e22-B692-5D19F8262C30}.exe

Filesize
168KB

MD5
bfc4c57acc7603ea14e64dddc37b5258

SHA1
722396182c074b899bafdc88d2e6d821b0699501

SHA256
c7df6f0196ecb6032bc5b1a8a4ed86d1fdac32450eb18a98aebd661d9ad26edb

SHA512
a0fc68a5c62141beab0a21569503bea085a5472a4cd14168c89cb2b6ee673ae72418977dd3ca76ef7de7fec8f095f59d211630882391e3aa40ce349cb0b3ad18

Download Submit
C:\Windows\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe

Filesize
168KB

MD5
3439636bdb27de04746d47d01e193e1f

SHA1
299ffae8e423c8cd7c79d89877b59d409b9c62fe

SHA256
143611718439532e773152d2a2805aeab0f09eb0b7d8fda2fb26d4e89b674f3f

SHA512
a7b74d67ecee0c94f47ce44f5c0d9d6c3f786c8e743b8cf81d72d6847c872ad3314fd88a702080f6ec85abfb480635175a148e0a1b2d01be1975913523f4205a

Download Submit
C:\Windows\{15CF5549-F24E-4f6e-83E6-F351CA1ECF2B}.exe

Filesize
168KB

MD5
3439636bdb27de04746d47d01e193e1f

SHA1
299ffae8e423c8cd7c79d89877b59d409b9c62fe

SHA256
143611718439532e773152d2a2805aeab0f09eb0b7d8fda2fb26d4e89b674f3f

SHA512
a7b74d67ecee0c94f47ce44f5c0d9d6c3f786c8e743b8cf81d72d6847c872ad3314fd88a702080f6ec85abfb480635175a148e0a1b2d01be1975913523f4205a

Download Submit
C:\Windows\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe

Filesize
168KB

MD5
5a679913efa6897ad09f791085b8afd8

SHA1
e1ff214a69aeb5593e922c8bdb6db0a4fb844d3c

SHA256
995d75ec5a356f570799f9b11b0657928ab0b1739796205534c2e1d6462317fb

SHA512
030096420d3cdf934e1a5ee52ecf0c2990a72814e1c608b85391c7299b3d1976dee92872c0aeb7c77d02c23631946394e6d72c7cf1f66fdb7fec20cec2280c0e

Download Submit
C:\Windows\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe

Filesize
168KB

MD5
5a679913efa6897ad09f791085b8afd8

SHA1
e1ff214a69aeb5593e922c8bdb6db0a4fb844d3c

SHA256
995d75ec5a356f570799f9b11b0657928ab0b1739796205534c2e1d6462317fb

SHA512
030096420d3cdf934e1a5ee52ecf0c2990a72814e1c608b85391c7299b3d1976dee92872c0aeb7c77d02c23631946394e6d72c7cf1f66fdb7fec20cec2280c0e

Download Submit
C:\Windows\{1A541A11-3915-454a-A03C-F9156DCA0B5C}.exe

Filesize
168KB

MD5
5a679913efa6897ad09f791085b8afd8

SHA1
e1ff214a69aeb5593e922c8bdb6db0a4fb844d3c

SHA256
995d75ec5a356f570799f9b11b0657928ab0b1739796205534c2e1d6462317fb

SHA512
030096420d3cdf934e1a5ee52ecf0c2990a72814e1c608b85391c7299b3d1976dee92872c0aeb7c77d02c23631946394e6d72c7cf1f66fdb7fec20cec2280c0e

Download Submit
C:\Windows\{3B503335-A68E-4690-9260-368DBE2ECADA}.exe

Filesize
168KB

MD5
54643f4cef94412ce876a756c28b58be

SHA1
59e94797fd5012129e903758b6a79d175dca1f81

SHA256
7d30e9dc006ffea45d35dcfa5fba07bf0f8bd8cb8e7ba84188dd4307ca0bcc7d

SHA512
bba04b8bd9e32b7ca1d4ba25a5e1362687297aecb775b939339bf3d3d15b98939057299977ca35526fbd31d6470096be51587f7c3fab8d2834125466b616898d

Download Submit
C:\Windows\{3B503335-A68E-4690-9260-368DBE2ECADA}.exe

Filesize
168KB

MD5
54643f4cef94412ce876a756c28b58be

SHA1
59e94797fd5012129e903758b6a79d175dca1f81

SHA256
7d30e9dc006ffea45d35dcfa5fba07bf0f8bd8cb8e7ba84188dd4307ca0bcc7d

SHA512
bba04b8bd9e32b7ca1d4ba25a5e1362687297aecb775b939339bf3d3d15b98939057299977ca35526fbd31d6470096be51587f7c3fab8d2834125466b616898d

Download Submit
C:\Windows\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe

Filesize
168KB

MD5
c9c9232407cf880173bb13057a8fa460

SHA1
2ba5921d63b22a003694379c04c9259c7a42f7db

SHA256
b913dc124a22e3d77cd3fd54dbd6a8b066961956d6785d5e673208772916e4e5

SHA512
03468ba168f5f6b3d57ef628b3a3a4091deca0b6f50a2d39aa6398469fdc8742e2a60f8de21cff9154e7530e73c0fa0ae63c05426d5352fc7f0c31f106e363f3

Download Submit
C:\Windows\{44AC76FB-673E-4f92-B1EC-4D9B9AFEF0E2}.exe

Filesize
168KB

MD5
c9c9232407cf880173bb13057a8fa460

SHA1
2ba5921d63b22a003694379c04c9259c7a42f7db

SHA256
b913dc124a22e3d77cd3fd54dbd6a8b066961956d6785d5e673208772916e4e5

SHA512
03468ba168f5f6b3d57ef628b3a3a4091deca0b6f50a2d39aa6398469fdc8742e2a60f8de21cff9154e7530e73c0fa0ae63c05426d5352fc7f0c31f106e363f3

Download Submit
C:\Windows\{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe

Filesize
168KB

MD5
7df4b3f57962801d6ec9861d9e366658

SHA1
bc1f286d6f0289d6c3011401d857d85d59e18fdb

SHA256
b2e48b94a0636c3b78574bfe406a78f93088b0432690f358c91d2e883374262d

SHA512
4cc059be97fe623b2cc99c92f8366293c6063f56655f238d96650f72453924ef01e55d1871b79e6fa37b10570996b854e8f090ea919103872f4439dcc2a43de7

Download Submit
C:\Windows\{4706F413-9BCD-41de-9BDA-32BB97B3051C}.exe

Filesize
168KB

MD5
7df4b3f57962801d6ec9861d9e366658

SHA1
bc1f286d6f0289d6c3011401d857d85d59e18fdb

SHA256
b2e48b94a0636c3b78574bfe406a78f93088b0432690f358c91d2e883374262d

SHA512
4cc059be97fe623b2cc99c92f8366293c6063f56655f238d96650f72453924ef01e55d1871b79e6fa37b10570996b854e8f090ea919103872f4439dcc2a43de7

Download Submit
C:\Windows\{81533B35-8753-430d-8E32-82782145DE22}.exe

Filesize
168KB

MD5
c90660ea5ba10496eadef5ad23765ccf

SHA1
3784f421c50813997e5bf40c079c2c780f56b019

SHA256
228c2ff41dad426af2fd2b21ccd50a48097048c5c95b1cda3460749f09ff4f86

SHA512
7a6297da34ccbbda28f86eedc31e9321a37cbd36258ed09a2c54d7c36dc2d627986adec01ca1f8dc4671424f4c482a39bc8c69c8434c41f04936edd50c52bb21

Download Submit
C:\Windows\{81533B35-8753-430d-8E32-82782145DE22}.exe

Filesize
168KB

MD5
c90660ea5ba10496eadef5ad23765ccf

SHA1
3784f421c50813997e5bf40c079c2c780f56b019

SHA256
228c2ff41dad426af2fd2b21ccd50a48097048c5c95b1cda3460749f09ff4f86

SHA512
7a6297da34ccbbda28f86eedc31e9321a37cbd36258ed09a2c54d7c36dc2d627986adec01ca1f8dc4671424f4c482a39bc8c69c8434c41f04936edd50c52bb21

Download Submit
C:\Windows\{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe

Filesize
168KB

MD5
27be100fcd3d9f90aa53bbb826803fbc

SHA1
9d36cb44bd56ce698b56032d787b0a999ec3b3ce

SHA256
7fff033c9064bd1e86891aea3fa0bf32a06006069e01b05c6f5ff1a5d13b0515

SHA512
3a6f5c29c10dc754bbbe49180dfdbee37a7de366db1f7e7501e247a9d07fd62b83baecb204674534e300db92b67175ae6931f30e614d2d4078cd11f749f76c80

Download Submit
C:\Windows\{893F1924-307E-4f2a-B17E-5C905C165DE8}.exe

Filesize
168KB

MD5
27be100fcd3d9f90aa53bbb826803fbc

SHA1
9d36cb44bd56ce698b56032d787b0a999ec3b3ce

SHA256
7fff033c9064bd1e86891aea3fa0bf32a06006069e01b05c6f5ff1a5d13b0515

SHA512
3a6f5c29c10dc754bbbe49180dfdbee37a7de366db1f7e7501e247a9d07fd62b83baecb204674534e300db92b67175ae6931f30e614d2d4078cd11f749f76c80

Download Submit
C:\Windows\{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe

Filesize
168KB

MD5
f85c567b351a518db909506927a63d22

SHA1
139f462114de9cc374b381f1012cedc2df635175

SHA256
7378547514e5bb988e1d45cadc28fd0ea2ee0d5183288f9992f73ccce37a3409

SHA512
7a89c79b091accdf463e5a2df814883779272af40a8923e949fff9b34c19cce6e60a68e3e612325b13226fb70017ec6a151846ce6dec33b6d9ee96e74349c0ac

Download Submit
C:\Windows\{8B9B61BB-923F-4789-A573-5E4C755B99C4}.exe

Filesize
168KB

MD5
f85c567b351a518db909506927a63d22

SHA1
139f462114de9cc374b381f1012cedc2df635175

SHA256
7378547514e5bb988e1d45cadc28fd0ea2ee0d5183288f9992f73ccce37a3409

SHA512
7a89c79b091accdf463e5a2df814883779272af40a8923e949fff9b34c19cce6e60a68e3e612325b13226fb70017ec6a151846ce6dec33b6d9ee96e74349c0ac

Download Submit
C:\Windows\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe

Filesize
168KB

MD5
1305473c41dcb340c32d5451c7ba2b60

SHA1
227869df7cdb48a41c3dc8b89f40e77d6020b260

SHA256
bfc93d2111228720e240900ffb1519b1b65522cc8125da1bb628659e64bc46fa

SHA512
6ce9c928b0ad1e7422199bcca988b9909f86aa627c6d7471bf1c8a7246be155499e62e61a5711b21e9df42ed483a04ec96a317d6737f925f43c46e8f44c8b856

Download Submit
C:\Windows\{B9D614FC-AD02-4e6c-8638-B3C583438FCC}.exe

Filesize
168KB

MD5
1305473c41dcb340c32d5451c7ba2b60

SHA1
227869df7cdb48a41c3dc8b89f40e77d6020b260

SHA256
bfc93d2111228720e240900ffb1519b1b65522cc8125da1bb628659e64bc46fa

SHA512
6ce9c928b0ad1e7422199bcca988b9909f86aa627c6d7471bf1c8a7246be155499e62e61a5711b21e9df42ed483a04ec96a317d6737f925f43c46e8f44c8b856

Download Submit
C:\Windows\{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe

Filesize
168KB

MD5
e956c67e09e5ea9fb140683b3841d002

SHA1
de1f45d0c8a9f913200e5cc03e84eb8b2b2190e6

SHA256
079b51cfb0786e9d84a2980da995354b95633022668abda6eefb404e2f0d7dac

SHA512
0f157059e53aa184b055f190ae307ce39c8376fb15f575b55a0cbade2639d55badd473c9f9579c080dbc8c3ec84d921e020b229d193336f124612ff118416ab2

Download Submit
C:\Windows\{F0E374BA-AE86-4b1e-8007-562C2536399B}.exe

Filesize
168KB

MD5
e956c67e09e5ea9fb140683b3841d002

SHA1
de1f45d0c8a9f913200e5cc03e84eb8b2b2190e6

SHA256
079b51cfb0786e9d84a2980da995354b95633022668abda6eefb404e2f0d7dac

SHA512
0f157059e53aa184b055f190ae307ce39c8376fb15f575b55a0cbade2639d55badd473c9f9579c080dbc8c3ec84d921e020b229d193336f124612ff118416ab2

Download Submit