2914b3bfd75b7b2445090ff1dd8c2a336df483c3d8fd73f7a2cc0e2f791dc481

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 12:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

298b96bd97ee48exeexeexeex.exe
Size

204KB
MD5

298b96bd97ee48d46710edd5dac353cc
SHA1

8fdf46ab14192f75ecaf8203d772488e2db67929
SHA256

2914b3bfd75b7b2445090ff1dd8c2a336df483c3d8fd73f7a2cc0e2f791dc481
SHA512

d79994efa05ba350afe5d0300d4ef622d9953f77258d7e095baed4d1f033f4fc6a22d199be6d2f090eba97701cd5df4f768b167044c5f596bd7433257a56ed44
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}\stubpath = "C:\\Windows\\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe"	298b96bd97ee48exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}\stubpath = "C:\\Windows\\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe"	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB310852-B317-44bc-8FB3-9F260C10BA11}	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB310852-B317-44bc-8FB3-9F260C10BA11}\stubpath = "C:\\Windows\\{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe"	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}	{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87D22F2-549D-4548-B962-AC75A2760E8D}\stubpath = "C:\\Windows\\{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe"	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}\stubpath = "C:\\Windows\\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe"	{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A275338D-E378-48e5-BB39-0C00938BF583}	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}	{A275338D-E378-48e5-BB39-0C00938BF583}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}\stubpath = "C:\\Windows\\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe"	{A275338D-E378-48e5-BB39-0C00938BF583}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B451B0A-1960-4ab6-A79B-716104C78F79}	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}	298b96bd97ee48exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}\stubpath = "C:\\Windows\\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe"	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}\stubpath = "C:\\Windows\\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe"	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}\stubpath = "C:\\Windows\\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe"	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A275338D-E378-48e5-BB39-0C00938BF583}\stubpath = "C:\\Windows\\{A275338D-E378-48e5-BB39-0C00938BF583}.exe"	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B451B0A-1960-4ab6-A79B-716104C78F79}\stubpath = "C:\\Windows\\{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe"	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}\stubpath = "C:\\Windows\\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe"	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87D22F2-549D-4548-B962-AC75A2760E8D}	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe

Executes dropped EXE 12 IoCs

pid	Process
4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe
1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
2844	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe
3040	{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe
4312	{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
File created	C:\Windows\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe	{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe
File created	C:\Windows\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
File created	C:\Windows\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
File created	C:\Windows\{A275338D-E378-48e5-BB39-0C00938BF583}.exe	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
File created	C:\Windows\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
File created	C:\Windows\{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
File created	C:\Windows\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	298b96bd97ee48exeexeexeex.exe
File created	C:\Windows\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	{A275338D-E378-48e5-BB39-0C00938BF583}.exe
File created	C:\Windows\{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
File created	C:\Windows\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
File created	C:\Windows\{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1176	298b96bd97ee48exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
Token: SeIncBasePriorityPrivilege	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
Token: SeIncBasePriorityPrivilege	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
Token: SeIncBasePriorityPrivilege	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe
Token: SeIncBasePriorityPrivilege	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
Token: SeIncBasePriorityPrivilege	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
Token: SeIncBasePriorityPrivilege	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
Token: SeIncBasePriorityPrivilege	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
Token: SeIncBasePriorityPrivilege	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
Token: SeIncBasePriorityPrivilege	2844	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe
Token: SeIncBasePriorityPrivilege	3040	{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4100	1176	298b96bd97ee48exeexeexeex.exe	83
PID 1176 wrote to memory of 4100	1176	298b96bd97ee48exeexeexeex.exe	83
PID 1176 wrote to memory of 4100	1176	298b96bd97ee48exeexeexeex.exe	83
PID 1176 wrote to memory of 4820	1176	298b96bd97ee48exeexeexeex.exe	84
PID 1176 wrote to memory of 4820	1176	298b96bd97ee48exeexeexeex.exe	84
PID 1176 wrote to memory of 4820	1176	298b96bd97ee48exeexeexeex.exe	84
PID 4100 wrote to memory of 1768	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	85
PID 4100 wrote to memory of 1768	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	85
PID 4100 wrote to memory of 1768	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	85
PID 4100 wrote to memory of 4696	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	86
PID 4100 wrote to memory of 4696	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	86
PID 4100 wrote to memory of 4696	4100	{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe	86
PID 1768 wrote to memory of 3592	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	89
PID 1768 wrote to memory of 3592	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	89
PID 1768 wrote to memory of 3592	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	89
PID 1768 wrote to memory of 1180	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	88
PID 1768 wrote to memory of 1180	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	88
PID 1768 wrote to memory of 1180	1768	{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe	88
PID 3592 wrote to memory of 564	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	90
PID 3592 wrote to memory of 564	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	90
PID 3592 wrote to memory of 564	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	90
PID 3592 wrote to memory of 4328	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	91
PID 3592 wrote to memory of 4328	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	91
PID 3592 wrote to memory of 4328	3592	{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe	91
PID 564 wrote to memory of 1304	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe	92
PID 564 wrote to memory of 1304	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe	92
PID 564 wrote to memory of 1304	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe	92
PID 564 wrote to memory of 3884	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe	93
PID 564 wrote to memory of 3884	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe	93
PID 564 wrote to memory of 3884	564	{A275338D-E378-48e5-BB39-0C00938BF583}.exe	93
PID 1304 wrote to memory of 4092	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	94
PID 1304 wrote to memory of 4092	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	94
PID 1304 wrote to memory of 4092	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	94
PID 1304 wrote to memory of 2496	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	95
PID 1304 wrote to memory of 2496	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	95
PID 1304 wrote to memory of 2496	1304	{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe	95
PID 4092 wrote to memory of 2980	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	96
PID 4092 wrote to memory of 2980	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	96
PID 4092 wrote to memory of 2980	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	96
PID 4092 wrote to memory of 2176	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	97
PID 4092 wrote to memory of 2176	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	97
PID 4092 wrote to memory of 2176	4092	{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe	97
PID 2980 wrote to memory of 5108	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	98
PID 2980 wrote to memory of 5108	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	98
PID 2980 wrote to memory of 5108	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	98
PID 2980 wrote to memory of 2508	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	99
PID 2980 wrote to memory of 2508	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	99
PID 2980 wrote to memory of 2508	2980	{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe	99
PID 5108 wrote to memory of 1664	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	100
PID 5108 wrote to memory of 1664	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	100
PID 5108 wrote to memory of 1664	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	100
PID 5108 wrote to memory of 504	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	101
PID 5108 wrote to memory of 504	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	101
PID 5108 wrote to memory of 504	5108	{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe	101
PID 1664 wrote to memory of 2844	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	102
PID 1664 wrote to memory of 2844	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	102
PID 1664 wrote to memory of 2844	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	102
PID 1664 wrote to memory of 1124	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	103
PID 1664 wrote to memory of 1124	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	103
PID 1664 wrote to memory of 1124	1664	{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe	103
PID 2844 wrote to memory of 3040	2844	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe	104
PID 2844 wrote to memory of 3040	2844	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe	104
PID 2844 wrote to memory of 3040	2844	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe	104
PID 2844 wrote to memory of 3416	2844	{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe	105

C:\Users\Admin\AppData\Local\Temp\298b96bd97ee48exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\298b96bd97ee48exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
  C:\Windows\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
    C:\Windows\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BE415~1.EXE > nul
      4⤵
      PID:1180
  - - C:\Windows\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
      C:\Windows\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\{A275338D-E378-48e5-BB39-0C00938BF583}.exe
        
        C:\Windows\{A275338D-E378-48e5-BB39-0C00938BF583}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
        
        C:\Windows\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
        
        C:\Windows\{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
        
        C:\Windows\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
        
        C:\Windows\{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
        
        C:\Windows\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe
        
        C:\Windows\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe
        
        C:\Windows\{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe
        
        C:\Windows\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F87D2~1.EXE > nul
        13⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C10A7~1.EXE > nul
        12⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFC8~1.EXE > nul
        11⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B451~1.EXE > nul
        10⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4419E~1.EXE > nul
        9⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB310~1.EXE > nul
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D75D~1.EXE > nul
        7⤵
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2753~1.EXE > nul
        6⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{543CE~1.EXE > nul
        5⤵
        
        PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FDCB5~1.EXE > nul
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\298B96~1.EXE > nul
  2⤵
  PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe

Filesize
204KB

MD5
c6ff13ea1948fa7b59c3f79e0f9fcdd1

SHA1
1136ad00de6c2b80dfebc88526d489bc4aaa9885

SHA256
972c11e28c9d8ea15084aab8546efa6c322cbf1ff87311f91e3a01b17fb4a5fe

SHA512
fe9460e8efbc9c95018c20db94746de1d22cef035095b08647488325d1fecb94b2dd5e4886b47519c07b9ed287a43ccfafe9c569583a6ca9eae121c83ced31a6

Download Submit
C:\Windows\{0B451B0A-1960-4ab6-A79B-716104C78F79}.exe

Filesize
204KB

MD5
c6ff13ea1948fa7b59c3f79e0f9fcdd1

SHA1
1136ad00de6c2b80dfebc88526d489bc4aaa9885

SHA256
972c11e28c9d8ea15084aab8546efa6c322cbf1ff87311f91e3a01b17fb4a5fe

SHA512
fe9460e8efbc9c95018c20db94746de1d22cef035095b08647488325d1fecb94b2dd5e4886b47519c07b9ed287a43ccfafe9c569583a6ca9eae121c83ced31a6

Download Submit
C:\Windows\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe

Filesize
204KB

MD5
d71623d63a6561981c0401e39c755edd

SHA1
768ee0f58e1a29bb4621d8281af8c73c3ab356e4

SHA256
375be1ac84e7621837626388fe6a277bd5e1ffdb6c01bf12a6fb414e5ed7a423

SHA512
a56155f06e0eb91374a4f40e0f0b93f5ed0c4ec59cc850043455d953db3d25f52d5224e648c83d97e7a61b0b90fe85805418aa7c4bbc3ccf71221ad857784d91

Download Submit
C:\Windows\{21B515DF-97C5-4c1c-AD15-00F69E145F2A}.exe

Filesize
204KB

MD5
d71623d63a6561981c0401e39c755edd

SHA1
768ee0f58e1a29bb4621d8281af8c73c3ab356e4

SHA256
375be1ac84e7621837626388fe6a277bd5e1ffdb6c01bf12a6fb414e5ed7a423

SHA512
a56155f06e0eb91374a4f40e0f0b93f5ed0c4ec59cc850043455d953db3d25f52d5224e648c83d97e7a61b0b90fe85805418aa7c4bbc3ccf71221ad857784d91

Download Submit
C:\Windows\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe

Filesize
204KB

MD5
602499dda29aef84e36fa9d548ce4c91

SHA1
922a3d6baa7e62c8472b5c7c8a4f70597bb87ce8

SHA256
3f67e7a70cde20d5523102241288b5206e8741e2328a92c478ab5862eeea6eb8

SHA512
0ef86b6bed3478237b8285497998ea91ad55ad780f1646c85dbc3d6f0254c0022287f1ad50227bb893f227e97f573637e022f4e81522335a0742f528dc677351

Download Submit
C:\Windows\{3D75D60A-84AB-440c-81B2-BD94E942B6AC}.exe

Filesize
204KB

MD5
602499dda29aef84e36fa9d548ce4c91

SHA1
922a3d6baa7e62c8472b5c7c8a4f70597bb87ce8

SHA256
3f67e7a70cde20d5523102241288b5206e8741e2328a92c478ab5862eeea6eb8

SHA512
0ef86b6bed3478237b8285497998ea91ad55ad780f1646c85dbc3d6f0254c0022287f1ad50227bb893f227e97f573637e022f4e81522335a0742f528dc677351

Download Submit
C:\Windows\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe

Filesize
204KB

MD5
069a176a246247dfd1ffc92c0f260809

SHA1
b342d54b7bd7e975df33fed0639ec32660217f07

SHA256
fefc4b26d5b65f69b57b49a25f5798ca63e582012fa8f7be2b5f3f84533b39b3

SHA512
4fa5914f79d356eeb17fd2cd22087dc734c0cec3e9fbb3e2a2fc4833832a595b7b5286f5c96fe5634b36c98fd484acbff31b6dae78677efdb0334db210ef7ce7

Download Submit
C:\Windows\{4419E8DC-220C-44c7-AA63-9A7DB8CEE830}.exe

Filesize
204KB

MD5
069a176a246247dfd1ffc92c0f260809

SHA1
b342d54b7bd7e975df33fed0639ec32660217f07

SHA256
fefc4b26d5b65f69b57b49a25f5798ca63e582012fa8f7be2b5f3f84533b39b3

SHA512
4fa5914f79d356eeb17fd2cd22087dc734c0cec3e9fbb3e2a2fc4833832a595b7b5286f5c96fe5634b36c98fd484acbff31b6dae78677efdb0334db210ef7ce7

Download Submit
C:\Windows\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe

Filesize
204KB

MD5
9f84325b0b3c38612d7bb69b1f94801e

SHA1
bcc395e9f78b5d233dd4902efcfa94a314a26a0b

SHA256
fde6eae7bb2ca47ac632edefde97db3aaaff1f5f360fe00b3f8b21b601d25b42

SHA512
f3a1675ef19b192b2423d2710a79b31763420c9d91253039711da6805785a576a1b7690a5389b4b91d7b9c6f8211e44b77ed5361f970bee7208f2f85632d053f

Download Submit
C:\Windows\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe

Filesize
204KB

MD5
9f84325b0b3c38612d7bb69b1f94801e

SHA1
bcc395e9f78b5d233dd4902efcfa94a314a26a0b

SHA256
fde6eae7bb2ca47ac632edefde97db3aaaff1f5f360fe00b3f8b21b601d25b42

SHA512
f3a1675ef19b192b2423d2710a79b31763420c9d91253039711da6805785a576a1b7690a5389b4b91d7b9c6f8211e44b77ed5361f970bee7208f2f85632d053f

Download Submit
C:\Windows\{543CE5E2-8CC0-4b54-BF41-FE54D468CA2A}.exe

Filesize
204KB

MD5
9f84325b0b3c38612d7bb69b1f94801e

SHA1
bcc395e9f78b5d233dd4902efcfa94a314a26a0b

SHA256
fde6eae7bb2ca47ac632edefde97db3aaaff1f5f360fe00b3f8b21b601d25b42

SHA512
f3a1675ef19b192b2423d2710a79b31763420c9d91253039711da6805785a576a1b7690a5389b4b91d7b9c6f8211e44b77ed5361f970bee7208f2f85632d053f

Download Submit
C:\Windows\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe

Filesize
204KB

MD5
397ded67c0d184c66f674c491fe3d1e1

SHA1
5462c132ede2eddcf8462d195212c555460fd373

SHA256
915bdf50619f3a2fb1251eb7e51901bcddeb228fe97e223619b028690f955700

SHA512
c73fe2a3681b2ac937a8f534c397ef345ddada86ed9702482773bd83e05bed413a31a8412e9ab282b44a7c25f50469c2e77e02107c0cca53b104d61d57ffb63a

Download Submit
C:\Windows\{5CFC8705-0060-4e6b-AF3F-3B7F06748299}.exe

Filesize
204KB

MD5
397ded67c0d184c66f674c491fe3d1e1

SHA1
5462c132ede2eddcf8462d195212c555460fd373

SHA256
915bdf50619f3a2fb1251eb7e51901bcddeb228fe97e223619b028690f955700

SHA512
c73fe2a3681b2ac937a8f534c397ef345ddada86ed9702482773bd83e05bed413a31a8412e9ab282b44a7c25f50469c2e77e02107c0cca53b104d61d57ffb63a

Download Submit
C:\Windows\{A275338D-E378-48e5-BB39-0C00938BF583}.exe

Filesize
204KB

MD5
7ab4f494604b0f2e64f0598885b65e41

SHA1
8ad74f4d43fa5f83e76cabf63aa4e2eaa5fe426c

SHA256
d11e1a9fd22628fc71ee25cf09b172aa255281fed445a043ef57b2a7e93def39

SHA512
885619a198f4a36e38b53cf86138f457b722285d52a0beb8dd9c10e731d1f18848beff5330baa2aa185a6033cd0b54effd7cb3d993a22a484cb8e7c415f0794c

Download Submit
C:\Windows\{A275338D-E378-48e5-BB39-0C00938BF583}.exe

Filesize
204KB

MD5
7ab4f494604b0f2e64f0598885b65e41

SHA1
8ad74f4d43fa5f83e76cabf63aa4e2eaa5fe426c

SHA256
d11e1a9fd22628fc71ee25cf09b172aa255281fed445a043ef57b2a7e93def39

SHA512
885619a198f4a36e38b53cf86138f457b722285d52a0beb8dd9c10e731d1f18848beff5330baa2aa185a6033cd0b54effd7cb3d993a22a484cb8e7c415f0794c

Download Submit
C:\Windows\{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe

Filesize
204KB

MD5
4879e488bbf4815d8a44f2e507b5fc54

SHA1
f93b4f073d77e484f066d49ada903258d2bab928

SHA256
1e293862237954bf4bc78715779529ab61d9267d719bfbb94538eaee51b0e7ab

SHA512
5976f106bd24d26d7ff50aedfd36ab7482b9a5c0dc12847457f0a7308ffec94c2d7bf41a869a86ed613e3b9d06a0aa590e58625cad7e658d2cc96ba8f9a008dd

Download Submit
C:\Windows\{AB310852-B317-44bc-8FB3-9F260C10BA11}.exe

Filesize
204KB

MD5
4879e488bbf4815d8a44f2e507b5fc54

SHA1
f93b4f073d77e484f066d49ada903258d2bab928

SHA256
1e293862237954bf4bc78715779529ab61d9267d719bfbb94538eaee51b0e7ab

SHA512
5976f106bd24d26d7ff50aedfd36ab7482b9a5c0dc12847457f0a7308ffec94c2d7bf41a869a86ed613e3b9d06a0aa590e58625cad7e658d2cc96ba8f9a008dd

Download Submit
C:\Windows\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe

Filesize
204KB

MD5
03bdfae65d6d5996bed9bc7b4f628d43

SHA1
ae2279de0caca2f7afad11ab867f40adfb32db4e

SHA256
bc93882c1ae95523cc5f76a835946854bd6766f7315ab26dfd91befa911be669

SHA512
1b77aa9530910f46aea6f2a352ef071c99138c4f78bb1932a6ee0b3b75bed653a344418df197bd8952fce4f1874ddbd2bb64492cba0317e353d52015615fac67

Download Submit
C:\Windows\{BE4156C1-7DBC-43b8-BCCC-633D2B56742F}.exe

Filesize
204KB

MD5
03bdfae65d6d5996bed9bc7b4f628d43

SHA1
ae2279de0caca2f7afad11ab867f40adfb32db4e

SHA256
bc93882c1ae95523cc5f76a835946854bd6766f7315ab26dfd91befa911be669

SHA512
1b77aa9530910f46aea6f2a352ef071c99138c4f78bb1932a6ee0b3b75bed653a344418df197bd8952fce4f1874ddbd2bb64492cba0317e353d52015615fac67

Download Submit
C:\Windows\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe

Filesize
204KB

MD5
f4f6b78ebf1ed61a04e44f4a68374104

SHA1
7da7bfcdcc8475712bc963df99e24d172bcd5127

SHA256
629cd590ea53eabc3d38fe1ea9cab052510f5556c9524c2c0c29fc1c9747c22e

SHA512
ce6674bb338da867bdd27a92ee64c91fdaa640be7f8591df742794d0e207ab783b1f309aea476ef08dfe48c4b300cdadfb0b427d04dfec29ab2dac59123b34ac

Download Submit
C:\Windows\{C10A7864-BDB3-4bc1-9FA8-ED8EC9DFF4A6}.exe

Filesize
204KB

MD5
f4f6b78ebf1ed61a04e44f4a68374104

SHA1
7da7bfcdcc8475712bc963df99e24d172bcd5127

SHA256
629cd590ea53eabc3d38fe1ea9cab052510f5556c9524c2c0c29fc1c9747c22e

SHA512
ce6674bb338da867bdd27a92ee64c91fdaa640be7f8591df742794d0e207ab783b1f309aea476ef08dfe48c4b300cdadfb0b427d04dfec29ab2dac59123b34ac

Download Submit
C:\Windows\{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe

Filesize
204KB

MD5
c997581972b8a76cc2347e073e81843d

SHA1
0ee2c5be655a16a4bdc45b9e0465287268d91cdf

SHA256
cf7ddb445cfc0511b2f418d1eec01b8b187cc031991f1f2cb6e4b68f059e8c02

SHA512
e1c52ea965e139d38abe7cad3a434285381110211f96f5e119be1ccf996aef4f76d4ac4f129ee2a5963dc74417ee0130eef03f23a15d2ee828fa3522c47d352a

Download Submit
C:\Windows\{F87D22F2-549D-4548-B962-AC75A2760E8D}.exe

Filesize
204KB

MD5
c997581972b8a76cc2347e073e81843d

SHA1
0ee2c5be655a16a4bdc45b9e0465287268d91cdf

SHA256
cf7ddb445cfc0511b2f418d1eec01b8b187cc031991f1f2cb6e4b68f059e8c02

SHA512
e1c52ea965e139d38abe7cad3a434285381110211f96f5e119be1ccf996aef4f76d4ac4f129ee2a5963dc74417ee0130eef03f23a15d2ee828fa3522c47d352a

Download Submit
C:\Windows\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe

Filesize
204KB

MD5
4e4c7076a0115e9e93159fa6ba381c8f

SHA1
a5b37224bf285139755c74bff1f360f44b5fe275

SHA256
0a5ceeb1b0ddeb1a655f2082ce11c61ed351d4b4ffb2171c4f3fe30a361694cb

SHA512
f5302e554c472ccfcc5b1ff0991eef4c223eabd6baad59e19a41b7875fba1e2daf52e746a2dae893ac723681eb7877fa8649f4c2f5d92e612d5439dbce9eba82

Download Submit
C:\Windows\{FDCB5631-076F-4a7e-9B7D-9DF6DA529C95}.exe

Filesize
204KB

MD5
4e4c7076a0115e9e93159fa6ba381c8f

SHA1
a5b37224bf285139755c74bff1f360f44b5fe275

SHA256
0a5ceeb1b0ddeb1a655f2082ce11c61ed351d4b4ffb2171c4f3fe30a361694cb

SHA512
f5302e554c472ccfcc5b1ff0991eef4c223eabd6baad59e19a41b7875fba1e2daf52e746a2dae893ac723681eb7877fa8649f4c2f5d92e612d5439dbce9eba82

Download Submit