e31ee5407226bf1bc9d834092b67f7db87f4a7aeb15e7e9a85c89eafa2dbbd24

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

657c028803a1c6exeexeexeex.exe
Size

168KB
MD5

657c028803a1c6fec233318442008401
SHA1

8b6212d6f701a45be472921832cb6d1a7c4a5f8e
SHA256

e31ee5407226bf1bc9d834092b67f7db87f4a7aeb15e7e9a85c89eafa2dbbd24
SHA512

12c2ecd9824b5dbcebad8014a14625a3eaf29c72ddd02f716dbbb4296c093f97e8f85126f4f96de6b329e4269b82da5114c126e4f361bb12d872aac690bb942a
SSDEEP

1536:1EGh0o13lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oFlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}\stubpath = "C:\\Windows\\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe"	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}\stubpath = "C:\\Windows\\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe"	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}\stubpath = "C:\\Windows\\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe"	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32984BB3-8271-4434-8827-E94FADD9C849}	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32984BB3-8271-4434-8827-E94FADD9C849}\stubpath = "C:\\Windows\\{32984BB3-8271-4434-8827-E94FADD9C849}.exe"	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E19A88-2762-429e-92FE-26F3E9B88460}\stubpath = "C:\\Windows\\{68E19A88-2762-429e-92FE-26F3E9B88460}.exe"	{32984BB3-8271-4434-8827-E94FADD9C849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F45244-B1D7-43c3-AFA9-01A552E676DC}	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}\stubpath = "C:\\Windows\\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe"	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F45244-B1D7-43c3-AFA9-01A552E676DC}\stubpath = "C:\\Windows\\{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe"	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30549B05-712E-41fe-BC85-A5D10DD5AC56}	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30549B05-712E-41fe-BC85-A5D10DD5AC56}\stubpath = "C:\\Windows\\{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe"	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E19A88-2762-429e-92FE-26F3E9B88460}	{32984BB3-8271-4434-8827-E94FADD9C849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}\stubpath = "C:\\Windows\\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe"	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}	657c028803a1c6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}\stubpath = "C:\\Windows\\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe"	657c028803a1c6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}\stubpath = "C:\\Windows\\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe"	{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}\stubpath = "C:\\Windows\\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe"	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}	{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe

Executes dropped EXE 12 IoCs

pid	Process
4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe
1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe
2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe
3288	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
3256	{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe
4444	{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
File created	C:\Windows\{32984BB3-8271-4434-8827-E94FADD9C849}.exe	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
File created	C:\Windows\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
File created	C:\Windows\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe	{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe
File created	C:\Windows\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	657c028803a1c6exeexeexeex.exe
File created	C:\Windows\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
File created	C:\Windows\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe
File created	C:\Windows\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
File created	C:\Windows\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
File created	C:\Windows\{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
File created	C:\Windows\{68E19A88-2762-429e-92FE-26F3E9B88460}.exe	{32984BB3-8271-4434-8827-E94FADD9C849}.exe
File created	C:\Windows\{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	657c028803a1c6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe
Token: SeIncBasePriorityPrivilege	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
Token: SeIncBasePriorityPrivilege	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
Token: SeIncBasePriorityPrivilege	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe
Token: SeIncBasePriorityPrivilege	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
Token: SeIncBasePriorityPrivilege	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
Token: SeIncBasePriorityPrivilege	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
Token: SeIncBasePriorityPrivilege	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
Token: SeIncBasePriorityPrivilege	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe
Token: SeIncBasePriorityPrivilege	3288	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
Token: SeIncBasePriorityPrivilege	3256	{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4820	4240	657c028803a1c6exeexeexeex.exe	83
PID 4240 wrote to memory of 4820	4240	657c028803a1c6exeexeexeex.exe	83
PID 4240 wrote to memory of 4820	4240	657c028803a1c6exeexeexeex.exe	83
PID 4240 wrote to memory of 1156	4240	657c028803a1c6exeexeexeex.exe	84
PID 4240 wrote to memory of 1156	4240	657c028803a1c6exeexeexeex.exe	84
PID 4240 wrote to memory of 1156	4240	657c028803a1c6exeexeexeex.exe	84
PID 4820 wrote to memory of 1712	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	85
PID 4820 wrote to memory of 1712	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	85
PID 4820 wrote to memory of 1712	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	85
PID 4820 wrote to memory of 4480	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	86
PID 4820 wrote to memory of 4480	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	86
PID 4820 wrote to memory of 4480	4820	{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe	86
PID 1712 wrote to memory of 3592	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	89
PID 1712 wrote to memory of 3592	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	89
PID 1712 wrote to memory of 3592	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	89
PID 1712 wrote to memory of 1180	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	88
PID 1712 wrote to memory of 1180	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	88
PID 1712 wrote to memory of 1180	1712	{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe	88
PID 3592 wrote to memory of 4648	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	90
PID 3592 wrote to memory of 4648	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	90
PID 3592 wrote to memory of 4648	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	90
PID 3592 wrote to memory of 1612	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	91
PID 3592 wrote to memory of 1612	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	91
PID 3592 wrote to memory of 1612	3592	{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe	91
PID 4648 wrote to memory of 2600	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	92
PID 4648 wrote to memory of 2600	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	92
PID 4648 wrote to memory of 2600	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	92
PID 4648 wrote to memory of 4900	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	93
PID 4648 wrote to memory of 4900	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	93
PID 4648 wrote to memory of 4900	4648	{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe	93
PID 2600 wrote to memory of 4848	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	94
PID 2600 wrote to memory of 4848	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	94
PID 2600 wrote to memory of 4848	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	94
PID 2600 wrote to memory of 2988	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	95
PID 2600 wrote to memory of 2988	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	95
PID 2600 wrote to memory of 2988	2600	{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe	95
PID 4848 wrote to memory of 2980	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	96
PID 4848 wrote to memory of 2980	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	96
PID 4848 wrote to memory of 2980	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	96
PID 4848 wrote to memory of 2360	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	97
PID 4848 wrote to memory of 2360	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	97
PID 4848 wrote to memory of 2360	4848	{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe	97
PID 2980 wrote to memory of 3648	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	98
PID 2980 wrote to memory of 3648	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	98
PID 2980 wrote to memory of 3648	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	98
PID 2980 wrote to memory of 3392	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	99
PID 2980 wrote to memory of 3392	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	99
PID 2980 wrote to memory of 3392	2980	{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe	99
PID 3648 wrote to memory of 4320	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	100
PID 3648 wrote to memory of 4320	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	100
PID 3648 wrote to memory of 4320	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	100
PID 3648 wrote to memory of 1812	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	101
PID 3648 wrote to memory of 1812	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	101
PID 3648 wrote to memory of 1812	3648	{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe	101
PID 4320 wrote to memory of 3288	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe	103
PID 4320 wrote to memory of 3288	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe	103
PID 4320 wrote to memory of 3288	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe	103
PID 4320 wrote to memory of 4392	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe	102
PID 4320 wrote to memory of 4392	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe	102
PID 4320 wrote to memory of 4392	4320	{32984BB3-8271-4434-8827-E94FADD9C849}.exe	102
PID 3288 wrote to memory of 3256	3288	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe	104
PID 3288 wrote to memory of 3256	3288	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe	104
PID 3288 wrote to memory of 3256	3288	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe	104
PID 3288 wrote to memory of 2380	3288	{68E19A88-2762-429e-92FE-26F3E9B88460}.exe	105

C:\Users\Admin\AppData\Local\Temp\657c028803a1c6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\657c028803a1c6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe
  C:\Windows\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
    C:\Windows\{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22F45~1.EXE > nul
      4⤵
      PID:1180
  - - C:\Windows\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
      C:\Windows\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe
        
        C:\Windows\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
        
        C:\Windows\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
        
        C:\Windows\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
        
        C:\Windows\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
        
        C:\Windows\{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{32984BB3-8271-4434-8827-E94FADD9C849}.exe
        
        C:\Windows\{32984BB3-8271-4434-8827-E94FADD9C849}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32984~1.EXE > nul
        11⤵
        
        PID:4392
        
        C:\Windows\{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
        
        C:\Windows\{68E19A88-2762-429e-92FE-26F3E9B88460}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe
        
        C:\Windows\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe
        
        C:\Windows\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe
        13⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F793~1.EXE > nul
        13⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68E19~1.EXE > nul
        12⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30549~1.EXE > nul
        10⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5AC4~1.EXE > nul
        9⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B5A~1.EXE > nul
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFEEC~1.EXE > nul
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACAA1~1.EXE > nul
        6⤵
        
        PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDB5~1.EXE > nul
        5⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{76CE2~1.EXE > nul
    3⤵
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\657C02~1.EXE > nul
  2⤵
  PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe

Filesize
168KB

MD5
831196c7176c9397799dc91cbfff36cc

SHA1
304ec1e4277c00ff4c5de8796ced8cb2df6a0451

SHA256
8973bda16ed51b0572a74942dd82a5419f46192bdd4088cf40f32e3123a4a94c

SHA512
d5fc69e3e52d54c1b4829ba76a6aa2f4ff98b8e9257225d03d2ba1ef0fcffa2405859284919be47b16d0f7dc5f7e9b3fdad4094d8672cafff46238705c547527

Download Submit
C:\Windows\{1F79310B-0A20-4d3f-9B81-F09BC00A0A6C}.exe

Filesize
168KB

MD5
831196c7176c9397799dc91cbfff36cc

SHA1
304ec1e4277c00ff4c5de8796ced8cb2df6a0451

SHA256
8973bda16ed51b0572a74942dd82a5419f46192bdd4088cf40f32e3123a4a94c

SHA512
d5fc69e3e52d54c1b4829ba76a6aa2f4ff98b8e9257225d03d2ba1ef0fcffa2405859284919be47b16d0f7dc5f7e9b3fdad4094d8672cafff46238705c547527

Download Submit
C:\Windows\{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe

Filesize
168KB

MD5
af2ee8261ac1517d0e04f7006e06fb17

SHA1
e128f6d8f457729f7f7c1f54c7a3f61958aa2bdd

SHA256
76d3b952dc2a141a2582fd0858a8363cad61510edc349e4b6d00c8bba7654824

SHA512
77ef372c6e0090b265208c7a90bc3433bf56791ec3adffb06371bd857a2cb3bb449f02ef749d7a90e57ec40cd3342c134f65adc2048cea21f801e220a7a696f1

Download Submit
C:\Windows\{22F45244-B1D7-43c3-AFA9-01A552E676DC}.exe

Filesize
168KB

MD5
af2ee8261ac1517d0e04f7006e06fb17

SHA1
e128f6d8f457729f7f7c1f54c7a3f61958aa2bdd

SHA256
76d3b952dc2a141a2582fd0858a8363cad61510edc349e4b6d00c8bba7654824

SHA512
77ef372c6e0090b265208c7a90bc3433bf56791ec3adffb06371bd857a2cb3bb449f02ef749d7a90e57ec40cd3342c134f65adc2048cea21f801e220a7a696f1

Download Submit
C:\Windows\{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe

Filesize
168KB

MD5
e80fc88066ef4a2c496a8da3d7ac858d

SHA1
75a2245bb78837affd92e0c282a4fcb85c3092d1

SHA256
494033c466601d99878ae75cd18479af96afe2affe0917272d284cc65e874671

SHA512
92a73ff0bba3df97e074e85607240c7ebe2bea19dab5f3859fce05d62dbc5c77e57949a6069a0fec0d765aa493821e0489f8ea4fed8a7d74278fa5365f1ba729

Download Submit
C:\Windows\{30549B05-712E-41fe-BC85-A5D10DD5AC56}.exe

Filesize
168KB

MD5
e80fc88066ef4a2c496a8da3d7ac858d

SHA1
75a2245bb78837affd92e0c282a4fcb85c3092d1

SHA256
494033c466601d99878ae75cd18479af96afe2affe0917272d284cc65e874671

SHA512
92a73ff0bba3df97e074e85607240c7ebe2bea19dab5f3859fce05d62dbc5c77e57949a6069a0fec0d765aa493821e0489f8ea4fed8a7d74278fa5365f1ba729

Download Submit
C:\Windows\{32984BB3-8271-4434-8827-E94FADD9C849}.exe

Filesize
168KB

MD5
fc24dc5facf36db194d058e94d45b073

SHA1
e4a71ba98a7ff17d7bde0e5da2205015fa3a6d14

SHA256
93756a94594f9dbfddee06d758663660320d84e79c5aed292ccfc79a8200edc9

SHA512
0b9b8effb2e5fff811b3894f7c20597128e2aa87bbdcedce913ac9d66e69e788dbefe4a2b79cf3d03f1c363605976b07325c4ee5b3e8be954b69a796ed540399

Download Submit
C:\Windows\{32984BB3-8271-4434-8827-E94FADD9C849}.exe

Filesize
168KB

MD5
fc24dc5facf36db194d058e94d45b073

SHA1
e4a71ba98a7ff17d7bde0e5da2205015fa3a6d14

SHA256
93756a94594f9dbfddee06d758663660320d84e79c5aed292ccfc79a8200edc9

SHA512
0b9b8effb2e5fff811b3894f7c20597128e2aa87bbdcedce913ac9d66e69e788dbefe4a2b79cf3d03f1c363605976b07325c4ee5b3e8be954b69a796ed540399

Download Submit
C:\Windows\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe

Filesize
168KB

MD5
fb3de516b3182118c7d37ddcab9cac01

SHA1
0d39d161bfca6e41b6a9d2cd0eb052936e850bbd

SHA256
f78cea7b8755eb99456d4de3b7212030fa3f7dd469e28725661cf9a6582fcd0f

SHA512
92e17ee0675c470007df280fd9a99746592ffe2f76c282617af4a5c304d3cc4f7774d1493845cb428cc4ce8a5a7335ca4ccfc8120f97de034c1d4a05fa6bf6b4

Download Submit
C:\Windows\{4EBF4220-D8C3-4746-87DB-D95B9F07D040}.exe

Filesize
168KB

MD5
fb3de516b3182118c7d37ddcab9cac01

SHA1
0d39d161bfca6e41b6a9d2cd0eb052936e850bbd

SHA256
f78cea7b8755eb99456d4de3b7212030fa3f7dd469e28725661cf9a6582fcd0f

SHA512
92e17ee0675c470007df280fd9a99746592ffe2f76c282617af4a5c304d3cc4f7774d1493845cb428cc4ce8a5a7335ca4ccfc8120f97de034c1d4a05fa6bf6b4

Download Submit
C:\Windows\{68E19A88-2762-429e-92FE-26F3E9B88460}.exe

Filesize
168KB

MD5
2140beb49b453fd632b48bd5da660a9e

SHA1
cceb9590500b121bf9a98b66953bc4b153048819

SHA256
00d734a41cd4ef591eb0a5cbd41bcfb2b95f8499fa9bb26c080f02dc756df8ae

SHA512
b0343f14a4601d4923a178c93b46c5fb363313f39780b4976d542aaf476f625dbcc5bb1c68a1539f6b730f86f4d3211c43c1a59711667632c4d4fc431a12a6e4

Download Submit
C:\Windows\{68E19A88-2762-429e-92FE-26F3E9B88460}.exe

Filesize
168KB

MD5
2140beb49b453fd632b48bd5da660a9e

SHA1
cceb9590500b121bf9a98b66953bc4b153048819

SHA256
00d734a41cd4ef591eb0a5cbd41bcfb2b95f8499fa9bb26c080f02dc756df8ae

SHA512
b0343f14a4601d4923a178c93b46c5fb363313f39780b4976d542aaf476f625dbcc5bb1c68a1539f6b730f86f4d3211c43c1a59711667632c4d4fc431a12a6e4

Download Submit
C:\Windows\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe

Filesize
168KB

MD5
226a37f1b976baa487ebfefd0dbd755a

SHA1
578f2ff55164c299738e75f60915cdf9fee2b45b

SHA256
51283cf532eb2a5a530c3cd747ba9362b4eaa45eadeadb0bbd3ae5aa7bc90962

SHA512
ea39133e733980cec7c41cb48d96702f9d58cd4eb9d5e36cdc153ee595c842d08526f3d273908d3af104377c11110bf4b8184289d7679de6bef15d8546dae596

Download Submit
C:\Windows\{76CE2EA8-EE06-4b87-A5B9-8E1D4025DA72}.exe

Filesize
168KB

MD5
226a37f1b976baa487ebfefd0dbd755a

SHA1
578f2ff55164c299738e75f60915cdf9fee2b45b

SHA256
51283cf532eb2a5a530c3cd747ba9362b4eaa45eadeadb0bbd3ae5aa7bc90962

SHA512
ea39133e733980cec7c41cb48d96702f9d58cd4eb9d5e36cdc153ee595c842d08526f3d273908d3af104377c11110bf4b8184289d7679de6bef15d8546dae596

Download Submit
C:\Windows\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe

Filesize
168KB

MD5
8b600e413f9b2c063f91d644f5b0b1ea

SHA1
c0498672d755530bd0f8109e180018bd4ad29366

SHA256
5e29ee9ed3df0d2b0be22b4742a5cd63970adf963f244342d66b271142eab330

SHA512
46b4265d93c5de92ef07927b4006c386a93e350607bae565034e57035c54475cea320ba392bb042f571e1b8b6429b018f9a766b6f5fc5b2ac8d6b5a45f181cc3

Download Submit
C:\Windows\{ACAA1EA9-F1BA-44ef-96D8-A22E9F5297F3}.exe

Filesize
168KB

MD5
8b600e413f9b2c063f91d644f5b0b1ea

SHA1
c0498672d755530bd0f8109e180018bd4ad29366

SHA256
5e29ee9ed3df0d2b0be22b4742a5cd63970adf963f244342d66b271142eab330

SHA512
46b4265d93c5de92ef07927b4006c386a93e350607bae565034e57035c54475cea320ba392bb042f571e1b8b6429b018f9a766b6f5fc5b2ac8d6b5a45f181cc3

Download Submit
C:\Windows\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe

Filesize
168KB

MD5
862e5d565d3af5f30962f30d22fa36db

SHA1
88d8cb03b7f54eed3e8a55ece748c10477d9b25b

SHA256
f78e447d56a31eb900ed35ce158728ce6e0118969886fcf59f9108b3cc04664d

SHA512
9f9fe1d490e70c59f4d72cc55b186b93f41c484efbc3a5526937856b8716b3f41e491878929ae2f6fdec8f45904f71aea97d923a9e40e5e1b65957418d347ae2

Download Submit
C:\Windows\{AFEEC15D-13C5-4754-939F-BAADB6C506B8}.exe

Filesize
168KB

MD5
862e5d565d3af5f30962f30d22fa36db

SHA1
88d8cb03b7f54eed3e8a55ece748c10477d9b25b

SHA256
f78e447d56a31eb900ed35ce158728ce6e0118969886fcf59f9108b3cc04664d

SHA512
9f9fe1d490e70c59f4d72cc55b186b93f41c484efbc3a5526937856b8716b3f41e491878929ae2f6fdec8f45904f71aea97d923a9e40e5e1b65957418d347ae2

Download Submit
C:\Windows\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe

Filesize
168KB

MD5
f54ff2ddf6259553a446bfa34066f419

SHA1
021b0e96c532668e8acdda95caaf70443422c3c7

SHA256
7a940865ba1640a85d64674919c0b5259aed96f931c989c4681b59fdeea74ec3

SHA512
c779ea4e9c6ce93dfa4b2244de83b34decc1b580a9113f10cfd162e309d0dda25cf8c9ffa5352cfa77b7b2b1ee7cef766513cde5c40590103aa11e32d4479485

Download Submit
C:\Windows\{B5AC4467-592E-4477-8C27-9996F0A4CFF8}.exe

Filesize
168KB

MD5
f54ff2ddf6259553a446bfa34066f419

SHA1
021b0e96c532668e8acdda95caaf70443422c3c7

SHA256
7a940865ba1640a85d64674919c0b5259aed96f931c989c4681b59fdeea74ec3

SHA512
c779ea4e9c6ce93dfa4b2244de83b34decc1b580a9113f10cfd162e309d0dda25cf8c9ffa5352cfa77b7b2b1ee7cef766513cde5c40590103aa11e32d4479485

Download Submit
C:\Windows\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe

Filesize
168KB

MD5
87575e615d571a600353787162258d98

SHA1
a93fe0510e5163aecd5b7e176276a7a545497886

SHA256
09454b5f74cecd29f62edd73c24789dc946737aa3bd1f1c4f659bd674f60a5a6

SHA512
4a7e7f7b33a34fc193af164430b4b59a509b04539e70597e9c675b3fe600823ea89e286a2b26b4368cfdd38ad95bcb5b58972ba28c2136057b41bdebb5bf2fe2

Download Submit
C:\Windows\{C0B5A8B5-7598-4857-BB66-DE7458BCB7EA}.exe

Filesize
168KB

MD5
87575e615d571a600353787162258d98

SHA1
a93fe0510e5163aecd5b7e176276a7a545497886

SHA256
09454b5f74cecd29f62edd73c24789dc946737aa3bd1f1c4f659bd674f60a5a6

SHA512
4a7e7f7b33a34fc193af164430b4b59a509b04539e70597e9c675b3fe600823ea89e286a2b26b4368cfdd38ad95bcb5b58972ba28c2136057b41bdebb5bf2fe2

Download Submit
C:\Windows\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe

Filesize
168KB

MD5
66aa690b2bb566e39211b3089c5d835b

SHA1
5e4503f7ec9a96758cca6d3bc1c06bd373eda31a

SHA256
cc9b4ca984011a831c83011a1ff197e18ca6d150035f328579f95f9077236e93

SHA512
ec92443eaef4f2a8edc039c46139fa96da060d69987c59a77d040903b1277210b474c966f67f9566ca64342ebe0461933cbdf421d2bc4cf4e4eb4dea3cd30273

Download Submit
C:\Windows\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe

Filesize
168KB

MD5
66aa690b2bb566e39211b3089c5d835b

SHA1
5e4503f7ec9a96758cca6d3bc1c06bd373eda31a

SHA256
cc9b4ca984011a831c83011a1ff197e18ca6d150035f328579f95f9077236e93

SHA512
ec92443eaef4f2a8edc039c46139fa96da060d69987c59a77d040903b1277210b474c966f67f9566ca64342ebe0461933cbdf421d2bc4cf4e4eb4dea3cd30273

Download Submit
C:\Windows\{EDDB5073-30B1-4bb9-B5D3-42F002B58EE9}.exe

Filesize
168KB

MD5
66aa690b2bb566e39211b3089c5d835b

SHA1
5e4503f7ec9a96758cca6d3bc1c06bd373eda31a

SHA256
cc9b4ca984011a831c83011a1ff197e18ca6d150035f328579f95f9077236e93

SHA512
ec92443eaef4f2a8edc039c46139fa96da060d69987c59a77d040903b1277210b474c966f67f9566ca64342ebe0461933cbdf421d2bc4cf4e4eb4dea3cd30273

Download Submit