601a07ba2e448019f881dec66f71ffb22b872a8cc0b3a062f17d903ea3e7240a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6e3fde941118exeexeexeex.exe
Size

372KB
MD5

1a6e3fde9411185343c9cb682e06aaa4
SHA1

643843b8408c430b6d8343575a76c91062c772f0
SHA256

601a07ba2e448019f881dec66f71ffb22b872a8cc0b3a062f17d903ea3e7240a
SHA512

d95bc709195a4922b01d604bdc742bb87a1169d94c0d8f7abaf739dce2bdfdedd0b7f5562e40d5087f7e040d63a36b132822fe26b1fee080108c3592be5c4f38
SSDEEP

3072:CEGh0o4mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGjl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}\stubpath = "C:\\Windows\\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe"	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}\stubpath = "C:\\Windows\\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe"	1a6e3fde941118exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}\stubpath = "C:\\Windows\\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe"	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}\stubpath = "C:\\Windows\\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe"	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}\stubpath = "C:\\Windows\\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe"	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}	1a6e3fde941118exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F4B6051-EB16-41eb-B994-86C5427E9418}	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}\stubpath = "C:\\Windows\\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe"	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D15C57-DDB4-42cf-BF72-61639FB12989}	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D15C57-DDB4-42cf-BF72-61639FB12989}\stubpath = "C:\\Windows\\{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe"	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88228440-B195-4403-8B7A-41B4B359C853}	{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88228440-B195-4403-8B7A-41B4B359C853}\stubpath = "C:\\Windows\\{88228440-B195-4403-8B7A-41B4B359C853}.exe"	{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}\stubpath = "C:\\Windows\\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe"	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}\stubpath = "C:\\Windows\\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe"	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F4B6051-EB16-41eb-B994-86C5427E9418}\stubpath = "C:\\Windows\\{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe"	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}\stubpath = "C:\\Windows\\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe"	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe

Executes dropped EXE 12 IoCs

pid	Process
3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
4740	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe
1944	{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe
5092	{88228440-B195-4403-8B7A-41B4B359C853}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
File created	C:\Windows\{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
File created	C:\Windows\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
File created	C:\Windows\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
File created	C:\Windows\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe
File created	C:\Windows\{88228440-B195-4403-8B7A-41B4B359C853}.exe	{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe
File created	C:\Windows\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
File created	C:\Windows\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
File created	C:\Windows\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
File created	C:\Windows\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
File created	C:\Windows\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
File created	C:\Windows\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	1a6e3fde941118exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	748	1a6e3fde941118exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
Token: SeIncBasePriorityPrivilege	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
Token: SeIncBasePriorityPrivilege	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
Token: SeIncBasePriorityPrivilege	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
Token: SeIncBasePriorityPrivilege	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
Token: SeIncBasePriorityPrivilege	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
Token: SeIncBasePriorityPrivilege	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
Token: SeIncBasePriorityPrivilege	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
Token: SeIncBasePriorityPrivilege	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
Token: SeIncBasePriorityPrivilege	4740	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe
Token: SeIncBasePriorityPrivilege	1944	{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3684	748	1a6e3fde941118exeexeexeex.exe	87
PID 748 wrote to memory of 3684	748	1a6e3fde941118exeexeexeex.exe	87
PID 748 wrote to memory of 3684	748	1a6e3fde941118exeexeexeex.exe	87
PID 748 wrote to memory of 1700	748	1a6e3fde941118exeexeexeex.exe	88
PID 748 wrote to memory of 1700	748	1a6e3fde941118exeexeexeex.exe	88
PID 748 wrote to memory of 1700	748	1a6e3fde941118exeexeexeex.exe	88
PID 3684 wrote to memory of 4428	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	89
PID 3684 wrote to memory of 4428	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	89
PID 3684 wrote to memory of 4428	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	89
PID 3684 wrote to memory of 4888	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	90
PID 3684 wrote to memory of 4888	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	90
PID 3684 wrote to memory of 4888	3684	{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe	90
PID 4428 wrote to memory of 4236	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	95
PID 4428 wrote to memory of 4236	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	95
PID 4428 wrote to memory of 4236	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	95
PID 4428 wrote to memory of 3180	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	94
PID 4428 wrote to memory of 3180	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	94
PID 4428 wrote to memory of 3180	4428	{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe	94
PID 4236 wrote to memory of 4332	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	96
PID 4236 wrote to memory of 4332	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	96
PID 4236 wrote to memory of 4332	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	96
PID 4236 wrote to memory of 2076	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	97
PID 4236 wrote to memory of 2076	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	97
PID 4236 wrote to memory of 2076	4236	{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe	97
PID 4332 wrote to memory of 1232	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	98
PID 4332 wrote to memory of 1232	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	98
PID 4332 wrote to memory of 1232	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	98
PID 4332 wrote to memory of 1628	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	99
PID 4332 wrote to memory of 1628	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	99
PID 4332 wrote to memory of 1628	4332	{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe	99
PID 1232 wrote to memory of 1528	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	100
PID 1232 wrote to memory of 1528	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	100
PID 1232 wrote to memory of 1528	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	100
PID 1232 wrote to memory of 4608	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	101
PID 1232 wrote to memory of 4608	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	101
PID 1232 wrote to memory of 4608	1232	{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe	101
PID 1528 wrote to memory of 2896	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	102
PID 1528 wrote to memory of 2896	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	102
PID 1528 wrote to memory of 2896	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	102
PID 1528 wrote to memory of 1916	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	103
PID 1528 wrote to memory of 1916	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	103
PID 1528 wrote to memory of 1916	1528	{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe	103
PID 2896 wrote to memory of 4472	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	104
PID 2896 wrote to memory of 4472	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	104
PID 2896 wrote to memory of 4472	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	104
PID 2896 wrote to memory of 5116	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	105
PID 2896 wrote to memory of 5116	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	105
PID 2896 wrote to memory of 5116	2896	{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe	105
PID 4472 wrote to memory of 2128	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	106
PID 4472 wrote to memory of 2128	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	106
PID 4472 wrote to memory of 2128	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	106
PID 4472 wrote to memory of 2804	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	107
PID 4472 wrote to memory of 2804	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	107
PID 4472 wrote to memory of 2804	4472	{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe	107
PID 2128 wrote to memory of 4740	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	108
PID 2128 wrote to memory of 4740	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	108
PID 2128 wrote to memory of 4740	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	108
PID 2128 wrote to memory of 4584	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	109
PID 2128 wrote to memory of 4584	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	109
PID 2128 wrote to memory of 4584	2128	{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe	109
PID 4740 wrote to memory of 1944	4740	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe	110
PID 4740 wrote to memory of 1944	4740	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe	110
PID 4740 wrote to memory of 1944	4740	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe	110
PID 4740 wrote to memory of 940	4740	{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe	111

C:\Users\Admin\AppData\Local\Temp\1a6e3fde941118exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\1a6e3fde941118exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
  C:\Windows\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
    C:\Windows\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB9C3~1.EXE > nul
      4⤵
      PID:3180
  - - C:\Windows\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
      C:\Windows\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
        
        C:\Windows\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
        
        C:\Windows\{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
        
        C:\Windows\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
        
        C:\Windows\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
        
        C:\Windows\{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
        
        C:\Windows\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe
        
        C:\Windows\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe
        
        C:\Windows\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\{88228440-B195-4403-8B7A-41B4B359C853}.exe
        
        C:\Windows\{88228440-B195-4403-8B7A-41B4B359C853}.exe
        13⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB39~1.EXE > nul
        13⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA07A~1.EXE > nul
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFBF~1.EXE > nul
        11⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D15~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C648C~1.EXE > nul
        9⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AECAF~1.EXE > nul
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F4B6~1.EXE > nul
        7⤵
        
        PID:4608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52E91~1.EXE > nul
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17E0C~1.EXE > nul
        5⤵
        
        PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29B57~1.EXE > nul
    3⤵
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1A6E3F~1.EXE > nul
  2⤵
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe

Filesize
372KB

MD5
27eb87e51a7d7639d5262a4fc6f6b6fd

SHA1
6059024013500ed0cb814244e847fff1d011fea1

SHA256
9abbbf1d99244ce79d1595f6ba08854f455e9c2cc005c3081bd829bddfed791e

SHA512
ea850ea5c26d0481faa90c1ebc4647f10eb82d7df66dbaa62d210c95e8bf09df461e00dc2c836c4869382e662a7691d19ddeb49f4cfd9ebeac574ff7efde0dfc

Download Submit
C:\Windows\{0F4B6051-EB16-41eb-B994-86C5427E9418}.exe

Filesize
372KB

MD5
27eb87e51a7d7639d5262a4fc6f6b6fd

SHA1
6059024013500ed0cb814244e847fff1d011fea1

SHA256
9abbbf1d99244ce79d1595f6ba08854f455e9c2cc005c3081bd829bddfed791e

SHA512
ea850ea5c26d0481faa90c1ebc4647f10eb82d7df66dbaa62d210c95e8bf09df461e00dc2c836c4869382e662a7691d19ddeb49f4cfd9ebeac574ff7efde0dfc

Download Submit
C:\Windows\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe

Filesize
372KB

MD5
e2119146395cd8b2b03e174ed996454b

SHA1
2fae5fd83e9c7fc88cf824f8d474e5b71f525c8e

SHA256
fb308dce8a981558eaf2900eee2902aab688b5a6e995d6cb2ae35dd4dd60ebb1

SHA512
c1e7ee376407c32450f89130585c71d1de3ff61fa3a91a70d77a4fba57cc31c861bacb18c1ebb2697b06ce1cd10b53e8994f97ebc8e292e2a1f9bf7a1d107558

Download Submit
C:\Windows\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe

Filesize
372KB

MD5
e2119146395cd8b2b03e174ed996454b

SHA1
2fae5fd83e9c7fc88cf824f8d474e5b71f525c8e

SHA256
fb308dce8a981558eaf2900eee2902aab688b5a6e995d6cb2ae35dd4dd60ebb1

SHA512
c1e7ee376407c32450f89130585c71d1de3ff61fa3a91a70d77a4fba57cc31c861bacb18c1ebb2697b06ce1cd10b53e8994f97ebc8e292e2a1f9bf7a1d107558

Download Submit
C:\Windows\{17E0CF05-0209-4d60-8F08-E30CB9CE57F3}.exe

Filesize
372KB

MD5
e2119146395cd8b2b03e174ed996454b

SHA1
2fae5fd83e9c7fc88cf824f8d474e5b71f525c8e

SHA256
fb308dce8a981558eaf2900eee2902aab688b5a6e995d6cb2ae35dd4dd60ebb1

SHA512
c1e7ee376407c32450f89130585c71d1de3ff61fa3a91a70d77a4fba57cc31c861bacb18c1ebb2697b06ce1cd10b53e8994f97ebc8e292e2a1f9bf7a1d107558

Download Submit
C:\Windows\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe

Filesize
372KB

MD5
e3685f5076a60739b0571adc3e1c9b8b

SHA1
976cc1e5d6529b3bddc793a0897466058d3e61f0

SHA256
e891b81f0862489ec368b9cef7efab2bf0e8deb15c03228ea35e93e6d190c1b5

SHA512
e765e34c7a8e41ac53d9453be37653342da8fe8e62c703832c2f1f83909569310cf0e6c0a3748e5e1830ad4f8a583a47304cc0bac0f0f57af104adf51d46f1fd

Download Submit
C:\Windows\{1DB39F64-CF6C-4aab-AE3E-C0DCA0003378}.exe

Filesize
372KB

MD5
e3685f5076a60739b0571adc3e1c9b8b

SHA1
976cc1e5d6529b3bddc793a0897466058d3e61f0

SHA256
e891b81f0862489ec368b9cef7efab2bf0e8deb15c03228ea35e93e6d190c1b5

SHA512
e765e34c7a8e41ac53d9453be37653342da8fe8e62c703832c2f1f83909569310cf0e6c0a3748e5e1830ad4f8a583a47304cc0bac0f0f57af104adf51d46f1fd

Download Submit
C:\Windows\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe

Filesize
372KB

MD5
add81fde227b8611f6e0f8e8b6dc85e0

SHA1
f4d342d7bc4ecb7dbdfb4543018582a08452691a

SHA256
5649dde2eac12183b2490781db28ccc13cfbca4122f0a32aaf909d9d912a6dce

SHA512
35d08dbf64ae0a77e9a2fa657e67c48e798efff7fdbddb3942514602128b74fc4e30b070dd3bb3430304c981cc9ecb13e9e534956202805275d8bef15952e515

Download Submit
C:\Windows\{29B5786C-F4BB-4e93-826B-9C2AD33FA32F}.exe

Filesize
372KB

MD5
add81fde227b8611f6e0f8e8b6dc85e0

SHA1
f4d342d7bc4ecb7dbdfb4543018582a08452691a

SHA256
5649dde2eac12183b2490781db28ccc13cfbca4122f0a32aaf909d9d912a6dce

SHA512
35d08dbf64ae0a77e9a2fa657e67c48e798efff7fdbddb3942514602128b74fc4e30b070dd3bb3430304c981cc9ecb13e9e534956202805275d8bef15952e515

Download Submit
C:\Windows\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe

Filesize
372KB

MD5
0fe6a6631b1215c63f6a8bf164ba537b

SHA1
5f438e57b6a24cdd79eb8fd506828411a1fc0052

SHA256
7d05b69159c686aa070f798598f1cff14652578a06d340e8ce873fce2b864a9b

SHA512
af798fd56865f36a315265ca74af1da92ce34ad64903165d4dfc0c397235816ed0cdb868482526c2468b3bf1404beebcbb6cdb96679fd441decd154ea75a27bc

Download Submit
C:\Windows\{52E915DD-E3FA-42e2-9805-D98BB25B8BD2}.exe

Filesize
372KB

MD5
0fe6a6631b1215c63f6a8bf164ba537b

SHA1
5f438e57b6a24cdd79eb8fd506828411a1fc0052

SHA256
7d05b69159c686aa070f798598f1cff14652578a06d340e8ce873fce2b864a9b

SHA512
af798fd56865f36a315265ca74af1da92ce34ad64903165d4dfc0c397235816ed0cdb868482526c2468b3bf1404beebcbb6cdb96679fd441decd154ea75a27bc

Download Submit
C:\Windows\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe

Filesize
372KB

MD5
1b24bbe84f04f2ad23791a08319ed164

SHA1
a460ff0b66761b91d91eeffe4ed8f5a97abacc13

SHA256
ea4e82bf1d1365b12ab5113e597f1d178ae39a12b0e30c85cf225ae27fd9ee8f

SHA512
4252f8ca408d649c74e19fd9c97c5189ee7db134986b3848ec4bd1efa9657894c424f046e0d43dccebb96bd6c7b5337c825371c15f400c23318985dc4c74f850

Download Submit
C:\Windows\{7DFBFF8C-7EFB-4074-A974-ED9D09EB08E1}.exe

Filesize
372KB

MD5
1b24bbe84f04f2ad23791a08319ed164

SHA1
a460ff0b66761b91d91eeffe4ed8f5a97abacc13

SHA256
ea4e82bf1d1365b12ab5113e597f1d178ae39a12b0e30c85cf225ae27fd9ee8f

SHA512
4252f8ca408d649c74e19fd9c97c5189ee7db134986b3848ec4bd1efa9657894c424f046e0d43dccebb96bd6c7b5337c825371c15f400c23318985dc4c74f850

Download Submit
C:\Windows\{88228440-B195-4403-8B7A-41B4B359C853}.exe

Filesize
372KB

MD5
b173011169fd483a247c2821eaf41ecb

SHA1
7a657b74699b1bdcb8ac2967ba31507368141ae1

SHA256
c8be3dc7cf81b0683d86224804162e55909f5a2d8eab32794d0135c7c23d6fcf

SHA512
6ae5b0ea523f31c7e572885bae3779008d19b9a946706196bbba68b7b9c5eab4917ce85fef9b2e28c8c178e7f57767d0dc9e7e9d5426f9536be7d831450046c3

Download Submit
C:\Windows\{88228440-B195-4403-8B7A-41B4B359C853}.exe

Filesize
372KB

MD5
b173011169fd483a247c2821eaf41ecb

SHA1
7a657b74699b1bdcb8ac2967ba31507368141ae1

SHA256
c8be3dc7cf81b0683d86224804162e55909f5a2d8eab32794d0135c7c23d6fcf

SHA512
6ae5b0ea523f31c7e572885bae3779008d19b9a946706196bbba68b7b9c5eab4917ce85fef9b2e28c8c178e7f57767d0dc9e7e9d5426f9536be7d831450046c3

Download Submit
C:\Windows\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe

Filesize
372KB

MD5
a5077a2e74df90b9cc668cf710e5fa33

SHA1
1e6e4772edb255a2306943c8f7149d78b578124d

SHA256
894c5eca0f595e600f0ee2cd5d22c01c446bfb636fcff45373f4b412a323ee57

SHA512
4dc159e39e2b287a85845764825b211ba5a5c3eb5fb96323a9b70a3386e39b339b4a73a64bb003d959295e73059d12225ac9499674c6e021f454c23dad09ad3d

Download Submit
C:\Windows\{AECAF935-9A6B-4f83-BDC6-9E57C4D1F72A}.exe

Filesize
372KB

MD5
a5077a2e74df90b9cc668cf710e5fa33

SHA1
1e6e4772edb255a2306943c8f7149d78b578124d

SHA256
894c5eca0f595e600f0ee2cd5d22c01c446bfb636fcff45373f4b412a323ee57

SHA512
4dc159e39e2b287a85845764825b211ba5a5c3eb5fb96323a9b70a3386e39b339b4a73a64bb003d959295e73059d12225ac9499674c6e021f454c23dad09ad3d

Download Submit
C:\Windows\{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe

Filesize
372KB

MD5
32502d68c961f751414ba4dd8da9f7c7

SHA1
a5a9fa781596e4bb830ac3a8cf6f7378f63fc26e

SHA256
d11a45723e55a22f3ea09796e83e700a54907ef44d07f659eef7780b6ee4f74d

SHA512
5626aecfa35f6e196c0c645d90e3c28982ca4e66bec80eff8bc4e10cf6ec489c155c01457da1fa758b13625bb15cfb0e0a98af4f259925cc5aa0ccaec3d54ef0

Download Submit
C:\Windows\{B6D15C57-DDB4-42cf-BF72-61639FB12989}.exe

Filesize
372KB

MD5
32502d68c961f751414ba4dd8da9f7c7

SHA1
a5a9fa781596e4bb830ac3a8cf6f7378f63fc26e

SHA256
d11a45723e55a22f3ea09796e83e700a54907ef44d07f659eef7780b6ee4f74d

SHA512
5626aecfa35f6e196c0c645d90e3c28982ca4e66bec80eff8bc4e10cf6ec489c155c01457da1fa758b13625bb15cfb0e0a98af4f259925cc5aa0ccaec3d54ef0

Download Submit
C:\Windows\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe

Filesize
372KB

MD5
8343cc6f126a8c5292e2da98dfd78230

SHA1
e216592f30fba245650d5f774e39ada6e7986670

SHA256
2f3a642153e343108e7bb9257c0948356e71c363d10f0ba781dbfef24822f9d5

SHA512
7912e2015ff1e81b7ef5a455d39822005ceb96cbffdb0ab91562781701cb2655764d7b9eae46d07a22f007db82f03383d1cae026ce00412ea5f2d9aef2ff7179

Download Submit
C:\Windows\{C648C7DF-B3D9-447b-84FF-B17C8BD0A770}.exe

Filesize
372KB

MD5
8343cc6f126a8c5292e2da98dfd78230

SHA1
e216592f30fba245650d5f774e39ada6e7986670

SHA256
2f3a642153e343108e7bb9257c0948356e71c363d10f0ba781dbfef24822f9d5

SHA512
7912e2015ff1e81b7ef5a455d39822005ceb96cbffdb0ab91562781701cb2655764d7b9eae46d07a22f007db82f03383d1cae026ce00412ea5f2d9aef2ff7179

Download Submit
C:\Windows\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe

Filesize
372KB

MD5
7e431a21b711494bdddc508d8dd520d0

SHA1
aa9cb19cb3a8d9888a55570d31112fa2d71907af

SHA256
5d8901ca38ddd17acd02d9287135d495058434935fa07637661c4eb86462f2ec

SHA512
b39b265c5dd6fa196cd267ed509a87408be08964a56d75c6bd9fd7b5645401701978cba32ada9b7c7788d97f9b2d866b61b254accfdf8f4d2ca0251eebac83ca

Download Submit
C:\Windows\{CB9C3D50-2DFE-4dac-B489-A9EA384478B2}.exe

Filesize
372KB

MD5
7e431a21b711494bdddc508d8dd520d0

SHA1
aa9cb19cb3a8d9888a55570d31112fa2d71907af

SHA256
5d8901ca38ddd17acd02d9287135d495058434935fa07637661c4eb86462f2ec

SHA512
b39b265c5dd6fa196cd267ed509a87408be08964a56d75c6bd9fd7b5645401701978cba32ada9b7c7788d97f9b2d866b61b254accfdf8f4d2ca0251eebac83ca

Download Submit
C:\Windows\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe

Filesize
372KB

MD5
c9bad12e8e77904cc3bf9e3697adb803

SHA1
29cb57b7c8397d6b7f26b3c6d8a5ed835eeb46b9

SHA256
ba56ab780ee7dac176485369abc350cf215e2f9402c02bb6ea36df09a418029d

SHA512
f30cb038e317d645b10057e631ac9ddf4c853f27a647b367a54a692341fe09973a13dce4f3f294e21cf687e16be69b051f24d6c988e15b46a99b469ed122c14d

Download Submit
C:\Windows\{EA07A423-FB58-4398-88CA-27ECBC9BAB01}.exe

Filesize
372KB

MD5
c9bad12e8e77904cc3bf9e3697adb803

SHA1
29cb57b7c8397d6b7f26b3c6d8a5ed835eeb46b9

SHA256
ba56ab780ee7dac176485369abc350cf215e2f9402c02bb6ea36df09a418029d

SHA512
f30cb038e317d645b10057e631ac9ddf4c853f27a647b367a54a692341fe09973a13dce4f3f294e21cf687e16be69b051f24d6c988e15b46a99b469ed122c14d

Download Submit