22f2d3e46a945f27d45e0a13f5616ec2137662a5a9a5a202909a0ef9c8083270

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1495fa156f2a21exeexeexeex.exe
Size

168KB
MD5

1495fa156f2a21bbbf84415c8ce24c45
SHA1

7c9d5cd30fcaee50b4b090e6d491c2c8104d8675
SHA256

22f2d3e46a945f27d45e0a13f5616ec2137662a5a9a5a202909a0ef9c8083270
SHA512

f3c592855097b913dcc7a20ea7828942fa15b33f824c7188c0aa5e5089209ae6dc7d4050337476490c363ce2834e3629b5fd147b0c70bc3283d3e910162eb38c
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}\stubpath = "C:\\Windows\\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe"	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}\stubpath = "C:\\Windows\\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe"	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}	{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}	1495fa156f2a21exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}\stubpath = "C:\\Windows\\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe"	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}\stubpath = "C:\\Windows\\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe"	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}\stubpath = "C:\\Windows\\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe"	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}\stubpath = "C:\\Windows\\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe"	1495fa156f2a21exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D8B345-B740-443f-92CC-FF83C811BD41}	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D8B345-B740-443f-92CC-FF83C811BD41}\stubpath = "C:\\Windows\\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe"	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}\stubpath = "C:\\Windows\\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe"	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}\stubpath = "C:\\Windows\\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe"	{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}\stubpath = "C:\\Windows\\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe"	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}\stubpath = "C:\\Windows\\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe"	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}\stubpath = "C:\\Windows\\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe"	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe

Executes dropped EXE 12 IoCs

pid	Process
812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe
4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe
1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
1012	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
4152	{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe
1520	{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
File created	C:\Windows\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe
File created	C:\Windows\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
File created	C:\Windows\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
File created	C:\Windows\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	1495fa156f2a21exeexeexeex.exe
File created	C:\Windows\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
File created	C:\Windows\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
File created	C:\Windows\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
File created	C:\Windows\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
File created	C:\Windows\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe	{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe
File created	C:\Windows\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
File created	C:\Windows\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1536	1495fa156f2a21exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
Token: SeIncBasePriorityPrivilege	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
Token: SeIncBasePriorityPrivilege	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe
Token: SeIncBasePriorityPrivilege	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
Token: SeIncBasePriorityPrivilege	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
Token: SeIncBasePriorityPrivilege	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe
Token: SeIncBasePriorityPrivilege	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
Token: SeIncBasePriorityPrivilege	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
Token: SeIncBasePriorityPrivilege	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
Token: SeIncBasePriorityPrivilege	1012	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
Token: SeIncBasePriorityPrivilege	4152	{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 812	1536	1495fa156f2a21exeexeexeex.exe	85
PID 1536 wrote to memory of 812	1536	1495fa156f2a21exeexeexeex.exe	85
PID 1536 wrote to memory of 812	1536	1495fa156f2a21exeexeexeex.exe	85
PID 1536 wrote to memory of 3496	1536	1495fa156f2a21exeexeexeex.exe	86
PID 1536 wrote to memory of 3496	1536	1495fa156f2a21exeexeexeex.exe	86
PID 1536 wrote to memory of 3496	1536	1495fa156f2a21exeexeexeex.exe	86
PID 812 wrote to memory of 452	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	87
PID 812 wrote to memory of 452	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	87
PID 812 wrote to memory of 452	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	87
PID 812 wrote to memory of 4548	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	88
PID 812 wrote to memory of 4548	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	88
PID 812 wrote to memory of 4548	812	{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe	88
PID 452 wrote to memory of 4904	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	93
PID 452 wrote to memory of 4904	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	93
PID 452 wrote to memory of 4904	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	93
PID 452 wrote to memory of 5080	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	92
PID 452 wrote to memory of 5080	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	92
PID 452 wrote to memory of 5080	452	{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe	92
PID 4904 wrote to memory of 4644	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	94
PID 4904 wrote to memory of 4644	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	94
PID 4904 wrote to memory of 4644	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	94
PID 4904 wrote to memory of 1632	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	95
PID 4904 wrote to memory of 1632	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	95
PID 4904 wrote to memory of 1632	4904	{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe	95
PID 4644 wrote to memory of 2548	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	96
PID 4644 wrote to memory of 2548	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	96
PID 4644 wrote to memory of 2548	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	96
PID 4644 wrote to memory of 820	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	97
PID 4644 wrote to memory of 820	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	97
PID 4644 wrote to memory of 820	4644	{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe	97
PID 2548 wrote to memory of 2404	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	98
PID 2548 wrote to memory of 2404	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	98
PID 2548 wrote to memory of 2404	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	98
PID 2548 wrote to memory of 5068	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	99
PID 2548 wrote to memory of 5068	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	99
PID 2548 wrote to memory of 5068	2548	{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe	99
PID 2404 wrote to memory of 1996	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	100
PID 2404 wrote to memory of 1996	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	100
PID 2404 wrote to memory of 1996	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	100
PID 2404 wrote to memory of 5024	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	101
PID 2404 wrote to memory of 5024	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	101
PID 2404 wrote to memory of 5024	2404	{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe	101
PID 1996 wrote to memory of 1596	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	102
PID 1996 wrote to memory of 1596	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	102
PID 1996 wrote to memory of 1596	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	102
PID 1996 wrote to memory of 4020	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	103
PID 1996 wrote to memory of 4020	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	103
PID 1996 wrote to memory of 4020	1996	{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe	103
PID 1596 wrote to memory of 2984	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	104
PID 1596 wrote to memory of 2984	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	104
PID 1596 wrote to memory of 2984	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	104
PID 1596 wrote to memory of 3956	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	105
PID 1596 wrote to memory of 3956	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	105
PID 1596 wrote to memory of 3956	1596	{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe	105
PID 2984 wrote to memory of 1012	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	106
PID 2984 wrote to memory of 1012	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	106
PID 2984 wrote to memory of 1012	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	106
PID 2984 wrote to memory of 3668	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	107
PID 2984 wrote to memory of 3668	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	107
PID 2984 wrote to memory of 3668	2984	{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe	107
PID 1012 wrote to memory of 4152	1012	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe	108
PID 1012 wrote to memory of 4152	1012	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe	108
PID 1012 wrote to memory of 4152	1012	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe	108
PID 1012 wrote to memory of 2316	1012	{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe	109

C:\Users\Admin\AppData\Local\Temp\1495fa156f2a21exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\1495fa156f2a21exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
  C:\Windows\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
    C:\Windows\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF3E7~1.EXE > nul
      4⤵
      PID:5080
  - - C:\Windows\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe
      C:\Windows\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
        
        C:\Windows\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
        
        C:\Windows\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe
        
        C:\Windows\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
        
        C:\Windows\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
        
        C:\Windows\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
        
        C:\Windows\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
        
        C:\Windows\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe
        
        C:\Windows\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe
        
        C:\Windows\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe
        13⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF2CF~1.EXE > nul
        13⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8252~1.EXE > nul
        12⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E198~1.EXE > nul
        11⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB7CB~1.EXE > nul
        10⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D508F~1.EXE > nul
        9⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E80B~1.EXE > nul
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EDA0~1.EXE > nul
        7⤵
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB939~1.EXE > nul
        6⤵
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D8B~1.EXE > nul
        5⤵
        
        PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6E3~1.EXE > nul
    3⤵
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1495FA~1.EXE > nul
  2⤵
  PID:3496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe

Filesize
168KB

MD5
537fe1cb7adb924f721687fba2df102f

SHA1
b2c65bc2e741876a2b37cf0d61538021de7df8fe

SHA256
574c7aa3b07d19632a1cc5fd2f03f76f162c94d993965d383cf1650073238e24

SHA512
8beec52eef476f0cd4f58ee71ce15bea8e2264638e0408e8c7b6097b5648dbcaa1b68cf1b4ff27e42b092226c90b1fc1bb3b76271f860d637c5bc05958548eb0

Download Submit
C:\Windows\{0B6E3934-56DD-4945-9ED2-18D0E39CEEDE}.exe

Filesize
168KB

MD5
537fe1cb7adb924f721687fba2df102f

SHA1
b2c65bc2e741876a2b37cf0d61538021de7df8fe

SHA256
574c7aa3b07d19632a1cc5fd2f03f76f162c94d993965d383cf1650073238e24

SHA512
8beec52eef476f0cd4f58ee71ce15bea8e2264638e0408e8c7b6097b5648dbcaa1b68cf1b4ff27e42b092226c90b1fc1bb3b76271f860d637c5bc05958548eb0

Download Submit
C:\Windows\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe

Filesize
168KB

MD5
c9aae63dbbd503fed5fc0c6af01dbe68

SHA1
a8b24ea20d4ea0ac6d21fa869fc99f07b956d613

SHA256
c10e866f28825ae06586e13529afbe962f97316af9a22bb0e42e9fa0658f6145

SHA512
5f2bc2a8bc4303c10ee8ecf2e6e9c0796b570cefd82659cc44059e5ac144053dbdc5ddfa1454e8219cfe00a20ed72a0391aa4a1f8ceead4d1fa2ed3ae5e229e5

Download Submit
C:\Windows\{2E198D9C-77F6-4ecf-AE96-1E188A129C99}.exe

Filesize
168KB

MD5
c9aae63dbbd503fed5fc0c6af01dbe68

SHA1
a8b24ea20d4ea0ac6d21fa869fc99f07b956d613

SHA256
c10e866f28825ae06586e13529afbe962f97316af9a22bb0e42e9fa0658f6145

SHA512
5f2bc2a8bc4303c10ee8ecf2e6e9c0796b570cefd82659cc44059e5ac144053dbdc5ddfa1454e8219cfe00a20ed72a0391aa4a1f8ceead4d1fa2ed3ae5e229e5

Download Submit
C:\Windows\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe

Filesize
168KB

MD5
18e00cdbaf2e67fe0d607b475a534c3d

SHA1
3f6e45d5965538150353f48f56fb15cb61e3e701

SHA256
7eee6fba44a6a2df19e37cb8eeea5137c8b539b4c2a27d2783358811bea82113

SHA512
de736eec9eb35f37264f196e65dd84f0a3f55e7aebfb252669d263f3df46eadee8657d4bb87a8290e6562ad781bf2dcf854f33c10a9fda8e4bbcc8ec7c1d0863

Download Submit
C:\Windows\{5EDA0248-6038-4521-BC71-D91BA9BEE12E}.exe

Filesize
168KB

MD5
18e00cdbaf2e67fe0d607b475a534c3d

SHA1
3f6e45d5965538150353f48f56fb15cb61e3e701

SHA256
7eee6fba44a6a2df19e37cb8eeea5137c8b539b4c2a27d2783358811bea82113

SHA512
de736eec9eb35f37264f196e65dd84f0a3f55e7aebfb252669d263f3df46eadee8657d4bb87a8290e6562ad781bf2dcf854f33c10a9fda8e4bbcc8ec7c1d0863

Download Submit
C:\Windows\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe

Filesize
168KB

MD5
7c0beec40b2af410cc76760174d518a3

SHA1
d1a836fd9630f5f30e70c985320a77413bfb5cfc

SHA256
11e230f5b4cc2800e765004117e21487a713bfeddebb60d49fb15f42eae73ac7

SHA512
2af184ebb1210b2b5dfafa20f6acce52f5873b81e0bc34fc88bf5172d0ce509bd5530f98427c41a1fb92dbff3de42d5b86d3146e009f48bbb30e207841b910d5

Download Submit
C:\Windows\{7E80BBC2-A8C4-439f-80AA-5F8664C0E476}.exe

Filesize
168KB

MD5
7c0beec40b2af410cc76760174d518a3

SHA1
d1a836fd9630f5f30e70c985320a77413bfb5cfc

SHA256
11e230f5b4cc2800e765004117e21487a713bfeddebb60d49fb15f42eae73ac7

SHA512
2af184ebb1210b2b5dfafa20f6acce52f5873b81e0bc34fc88bf5172d0ce509bd5530f98427c41a1fb92dbff3de42d5b86d3146e009f48bbb30e207841b910d5

Download Submit
C:\Windows\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe

Filesize
168KB

MD5
99a977d6651a4f70d424c0c49d668b93

SHA1
8f07b4bff46de18442056483c9ebb9da4a65bd46

SHA256
bcdf18b983569d10d3aab700616a7f41772e70968e0b2e59311a04c3a5ae2188

SHA512
98d77bbd8e31320524f522c1fed44f84607ad4a1d48e403c621232c6427b30a593504c9b987165eff61b8dc7b5c517feaf6b1e21237122fb38897a10a672ce00

Download Submit
C:\Windows\{BF3E7F90-958A-4dee-B8E4-F8555E7BB70C}.exe

Filesize
168KB

MD5
99a977d6651a4f70d424c0c49d668b93

SHA1
8f07b4bff46de18442056483c9ebb9da4a65bd46

SHA256
bcdf18b983569d10d3aab700616a7f41772e70968e0b2e59311a04c3a5ae2188

SHA512
98d77bbd8e31320524f522c1fed44f84607ad4a1d48e403c621232c6427b30a593504c9b987165eff61b8dc7b5c517feaf6b1e21237122fb38897a10a672ce00

Download Submit
C:\Windows\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe

Filesize
168KB

MD5
51075bbc11ce9be7076644c9e192b3ea

SHA1
27cb40a5186001b2862081edc6db944ba0808d8c

SHA256
36e7818b3786063a1f82df2ed87d3d0b74a470ceec7c90bd8999bffc73974282

SHA512
fd987c951aea2a8a2e626abf6a80a388f06c90daa7c3898823f154a706fdb09a8713005f843983e2e6cf9709cc0c9b1d130d93dbcb653ae244840931aeeca3bc

Download Submit
C:\Windows\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe

Filesize
168KB

MD5
51075bbc11ce9be7076644c9e192b3ea

SHA1
27cb40a5186001b2862081edc6db944ba0808d8c

SHA256
36e7818b3786063a1f82df2ed87d3d0b74a470ceec7c90bd8999bffc73974282

SHA512
fd987c951aea2a8a2e626abf6a80a388f06c90daa7c3898823f154a706fdb09a8713005f843983e2e6cf9709cc0c9b1d130d93dbcb653ae244840931aeeca3bc

Download Submit
C:\Windows\{C1D8B345-B740-443f-92CC-FF83C811BD41}.exe

Filesize
168KB

MD5
51075bbc11ce9be7076644c9e192b3ea

SHA1
27cb40a5186001b2862081edc6db944ba0808d8c

SHA256
36e7818b3786063a1f82df2ed87d3d0b74a470ceec7c90bd8999bffc73974282

SHA512
fd987c951aea2a8a2e626abf6a80a388f06c90daa7c3898823f154a706fdb09a8713005f843983e2e6cf9709cc0c9b1d130d93dbcb653ae244840931aeeca3bc

Download Submit
C:\Windows\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe

Filesize
168KB

MD5
0909b6484d10b32254753d955429f005

SHA1
4850258802902be5a4c9ce9787a23b8deb0d8409

SHA256
3fe99f5aa5bad1c170a3a9015216083ba3fb614f9c02c3c40783e75fb7c480be

SHA512
742d2017054732b52683381ec557962f7e876dd88361807846c37daa604274899f6f0967d7ced2a72da48d4e5733cab79e748f2a3bd942e46f3ab1cd352d7e82

Download Submit
C:\Windows\{C8252E6F-D73A-4af4-B6CF-2F80CA4F1732}.exe

Filesize
168KB

MD5
0909b6484d10b32254753d955429f005

SHA1
4850258802902be5a4c9ce9787a23b8deb0d8409

SHA256
3fe99f5aa5bad1c170a3a9015216083ba3fb614f9c02c3c40783e75fb7c480be

SHA512
742d2017054732b52683381ec557962f7e876dd88361807846c37daa604274899f6f0967d7ced2a72da48d4e5733cab79e748f2a3bd942e46f3ab1cd352d7e82

Download Submit
C:\Windows\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe

Filesize
168KB

MD5
267ae13b98ce7a2fb63bac502ce7f730

SHA1
4f22d18505e3b03bda4e25b55d5c1e51cd093de6

SHA256
70e620842c41f1a499b779c517e54f410040ddedf6e94e257204acf1ab1886ae

SHA512
d37a8f02ad4f9306d3f99663b41b96f4bcafe482804dd8df61387ff7d98f85c3e7ba3c1b2cdcba656ed1a2e681dee4a3512b21569c407077c3ac348ad8c3504a

Download Submit
C:\Windows\{D508F0AD-7ED4-4b31-B746-80CD91F05FE4}.exe

Filesize
168KB

MD5
267ae13b98ce7a2fb63bac502ce7f730

SHA1
4f22d18505e3b03bda4e25b55d5c1e51cd093de6

SHA256
70e620842c41f1a499b779c517e54f410040ddedf6e94e257204acf1ab1886ae

SHA512
d37a8f02ad4f9306d3f99663b41b96f4bcafe482804dd8df61387ff7d98f85c3e7ba3c1b2cdcba656ed1a2e681dee4a3512b21569c407077c3ac348ad8c3504a

Download Submit
C:\Windows\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe

Filesize
168KB

MD5
9475bfe6d4e7b87994139072b7fd1645

SHA1
024431394aa790ce63b4d2ed1ac7b080fbfdc44f

SHA256
9108344ae88a651a0a48fad32bdd5687697a8a8fe665b0d724d4a2453c19f99b

SHA512
5c9783547352a08ab7c73ec13205a29444b4f0f8b8e344c08286e09103959ea55ae9a7645589257b1086f2502908c04681f244e23a3a914daffa79af706fbdb7

Download Submit
C:\Windows\{DB7CB0F9-D61E-47b0-8AB8-6B625D839B49}.exe

Filesize
168KB

MD5
9475bfe6d4e7b87994139072b7fd1645

SHA1
024431394aa790ce63b4d2ed1ac7b080fbfdc44f

SHA256
9108344ae88a651a0a48fad32bdd5687697a8a8fe665b0d724d4a2453c19f99b

SHA512
5c9783547352a08ab7c73ec13205a29444b4f0f8b8e344c08286e09103959ea55ae9a7645589257b1086f2502908c04681f244e23a3a914daffa79af706fbdb7

Download Submit
C:\Windows\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe

Filesize
168KB

MD5
2e14f0b5c866e079b6c899e943da1180

SHA1
4f3cb0a4d5446ad0f3bc73dd792e446639060b95

SHA256
522cfce567dc131ed72a939f3857dd94bdd55ec410ad74c8f4d0d35475311da1

SHA512
7866de775590c49f2d2626f994a1673fc98568486994e9b4f1e01f2663fe0bbe792d88c73dd24a4c87172e38dc77abe3cf581af3c8d5b9f1351dd47803e553a8

Download Submit
C:\Windows\{EB939F3E-2EA3-4ee3-ACF3-C71952ACF6EE}.exe

Filesize
168KB

MD5
2e14f0b5c866e079b6c899e943da1180

SHA1
4f3cb0a4d5446ad0f3bc73dd792e446639060b95

SHA256
522cfce567dc131ed72a939f3857dd94bdd55ec410ad74c8f4d0d35475311da1

SHA512
7866de775590c49f2d2626f994a1673fc98568486994e9b4f1e01f2663fe0bbe792d88c73dd24a4c87172e38dc77abe3cf581af3c8d5b9f1351dd47803e553a8

Download Submit
C:\Windows\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe

Filesize
168KB

MD5
b127b0108376cf24296ce9b1650ae797

SHA1
b41be880a2806f1b18327e564b3b706e2b02be70

SHA256
ce207f3fa94fcf47be060e8efaa3af750f352f5f9e0b9f33d43c6b85a5758bc5

SHA512
128746da72fc474d1404a5e3398befa502056c2ec5816e927eaf7577d0e8786e36ec25140c85e20a14294a84e5e82cd3cd5b1ac73c30572969154760e9699810

Download Submit
C:\Windows\{EF2CFC5C-0644-46ac-92E5-A709A4832B5E}.exe

Filesize
168KB

MD5
b127b0108376cf24296ce9b1650ae797

SHA1
b41be880a2806f1b18327e564b3b706e2b02be70

SHA256
ce207f3fa94fcf47be060e8efaa3af750f352f5f9e0b9f33d43c6b85a5758bc5

SHA512
128746da72fc474d1404a5e3398befa502056c2ec5816e927eaf7577d0e8786e36ec25140c85e20a14294a84e5e82cd3cd5b1ac73c30572969154760e9699810

Download Submit
C:\Windows\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe

Filesize
168KB

MD5
86bf8ada0fa6a4b2d6cff86bc21ef72b

SHA1
ad7184dafe8b5009aee6b2dae5ea4c6fd983af27

SHA256
d55928c09c812dd0f36f617e1b4e72bfb0c562b31c47ad1f5c66c92c0eda6119

SHA512
913c8eb4c6c931517960f21bed8620a81fa3c63018280b85b8b5fddf1c632dddf92e0f5e23d126ddda259df1045216434e2d4ad290cbd2f9a7b787ca77d54278

Download Submit
C:\Windows\{FBA1C8A0-6CCA-44f2-8378-454D18FADB86}.exe

Filesize
168KB

MD5
86bf8ada0fa6a4b2d6cff86bc21ef72b

SHA1
ad7184dafe8b5009aee6b2dae5ea4c6fd983af27

SHA256
d55928c09c812dd0f36f617e1b4e72bfb0c562b31c47ad1f5c66c92c0eda6119

SHA512
913c8eb4c6c931517960f21bed8620a81fa3c63018280b85b8b5fddf1c632dddf92e0f5e23d126ddda259df1045216434e2d4ad290cbd2f9a7b787ca77d54278

Download Submit