c83c5e20463279ca92c312cf26c1a2d0b69a885be0c47858c95911db601f793b

Analysis

max time kernel
144s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30190654f0f55dexeexeexeex.exe
Size

204KB
MD5

30190654f0f55dffbf370b848763b1dd
SHA1

e0b8e8b27f8323f0f21e4f214aa692fd0456e399
SHA256

c83c5e20463279ca92c312cf26c1a2d0b69a885be0c47858c95911db601f793b
SHA512

b284fbbd808b2b2c31acdc41a4963b8cd87c1019ec48f7c65806f5c07856a83bc1e92006eed0d2df53390e423af1cd963f7a9fc39c0bf6796549acce249ab4e0
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}\stubpath = "C:\\Windows\\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe"	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}\stubpath = "C:\\Windows\\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe"	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4552DA5D-F527-458c-BD8C-1BB6871F710B}\stubpath = "C:\\Windows\\{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe"	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646E5243-006F-489e-972C-738D198C89F9}\stubpath = "C:\\Windows\\{646E5243-006F-489e-972C-738D198C89F9}.exe"	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}\stubpath = "C:\\Windows\\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe"	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}	30190654f0f55dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}\stubpath = "C:\\Windows\\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe"	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C2FB06-986A-45a9-B60D-D1F6188A4430}	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C2FB06-986A-45a9-B60D-D1F6188A4430}\stubpath = "C:\\Windows\\{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe"	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}\stubpath = "C:\\Windows\\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe"	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}\stubpath = "C:\\Windows\\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe"	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646E5243-006F-489e-972C-738D198C89F9}	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA752A2-0630-4a11-ADCD-022B5430591C}\stubpath = "C:\\Windows\\{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe"	{646E5243-006F-489e-972C-738D198C89F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}\stubpath = "C:\\Windows\\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe"	30190654f0f55dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4552DA5D-F527-458c-BD8C-1BB6871F710B}	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA752A2-0630-4a11-ADCD-022B5430591C}	{646E5243-006F-489e-972C-738D198C89F9}.exe

Executes dropped EXE 11 IoCs

pid	Process
1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe
4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
1688	{646E5243-006F-489e-972C-738D198C89F9}.exe
1260	{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe	{646E5243-006F-489e-972C-738D198C89F9}.exe
File created	C:\Windows\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
File created	C:\Windows\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
File created	C:\Windows\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
File created	C:\Windows\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
File created	C:\Windows\{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
File created	C:\Windows\{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
File created	C:\Windows\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
File created	C:\Windows\{646E5243-006F-489e-972C-738D198C89F9}.exe	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
File created	C:\Windows\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	30190654f0f55dexeexeexeex.exe
File created	C:\Windows\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	30190654f0f55dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
Token: SeIncBasePriorityPrivilege	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe
Token: SeIncBasePriorityPrivilege	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
Token: SeIncBasePriorityPrivilege	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
Token: SeIncBasePriorityPrivilege	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
Token: SeIncBasePriorityPrivilege	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
Token: SeIncBasePriorityPrivilege	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
Token: SeIncBasePriorityPrivilege	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
Token: SeIncBasePriorityPrivilege	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
Token: SeIncBasePriorityPrivilege	1688	{646E5243-006F-489e-972C-738D198C89F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1312	2244	30190654f0f55dexeexeexeex.exe	78
PID 2244 wrote to memory of 1312	2244	30190654f0f55dexeexeexeex.exe	78
PID 2244 wrote to memory of 1312	2244	30190654f0f55dexeexeexeex.exe	78
PID 2244 wrote to memory of 1468	2244	30190654f0f55dexeexeexeex.exe	79
PID 2244 wrote to memory of 1468	2244	30190654f0f55dexeexeexeex.exe	79
PID 2244 wrote to memory of 1468	2244	30190654f0f55dexeexeexeex.exe	79
PID 1312 wrote to memory of 2092	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	80
PID 1312 wrote to memory of 2092	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	80
PID 1312 wrote to memory of 2092	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	80
PID 1312 wrote to memory of 536	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	81
PID 1312 wrote to memory of 536	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	81
PID 1312 wrote to memory of 536	1312	{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe	81
PID 2092 wrote to memory of 4112	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	83
PID 2092 wrote to memory of 4112	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	83
PID 2092 wrote to memory of 4112	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	83
PID 2092 wrote to memory of 2108	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	82
PID 2092 wrote to memory of 2108	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	82
PID 2092 wrote to memory of 2108	2092	{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe	82
PID 4112 wrote to memory of 4068	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	84
PID 4112 wrote to memory of 4068	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	84
PID 4112 wrote to memory of 4068	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	84
PID 4112 wrote to memory of 1592	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	85
PID 4112 wrote to memory of 1592	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	85
PID 4112 wrote to memory of 1592	4112	{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe	85
PID 4068 wrote to memory of 4760	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	86
PID 4068 wrote to memory of 4760	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	86
PID 4068 wrote to memory of 4760	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	86
PID 4068 wrote to memory of 1652	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	87
PID 4068 wrote to memory of 1652	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	87
PID 4068 wrote to memory of 1652	4068	{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe	87
PID 4760 wrote to memory of 3532	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	88
PID 4760 wrote to memory of 3532	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	88
PID 4760 wrote to memory of 3532	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	88
PID 4760 wrote to memory of 2464	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	89
PID 4760 wrote to memory of 2464	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	89
PID 4760 wrote to memory of 2464	4760	{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe	89
PID 3532 wrote to memory of 3640	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	90
PID 3532 wrote to memory of 3640	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	90
PID 3532 wrote to memory of 3640	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	90
PID 3532 wrote to memory of 2932	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	91
PID 3532 wrote to memory of 2932	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	91
PID 3532 wrote to memory of 2932	3532	{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe	91
PID 3640 wrote to memory of 688	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	92
PID 3640 wrote to memory of 688	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	92
PID 3640 wrote to memory of 688	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	92
PID 3640 wrote to memory of 3292	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	93
PID 3640 wrote to memory of 3292	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	93
PID 3640 wrote to memory of 3292	3640	{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe	93
PID 688 wrote to memory of 384	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	94
PID 688 wrote to memory of 384	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	94
PID 688 wrote to memory of 384	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	94
PID 688 wrote to memory of 940	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	95
PID 688 wrote to memory of 940	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	95
PID 688 wrote to memory of 940	688	{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe	95
PID 384 wrote to memory of 1688	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	96
PID 384 wrote to memory of 1688	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	96
PID 384 wrote to memory of 1688	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	96
PID 384 wrote to memory of 464	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	97
PID 384 wrote to memory of 464	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	97
PID 384 wrote to memory of 464	384	{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe	97
PID 1688 wrote to memory of 1260	1688	{646E5243-006F-489e-972C-738D198C89F9}.exe	98
PID 1688 wrote to memory of 1260	1688	{646E5243-006F-489e-972C-738D198C89F9}.exe	98
PID 1688 wrote to memory of 1260	1688	{646E5243-006F-489e-972C-738D198C89F9}.exe	98
PID 1688 wrote to memory of 3132	1688	{646E5243-006F-489e-972C-738D198C89F9}.exe	99

C:\Users\Admin\AppData\Local\Temp\30190654f0f55dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\30190654f0f55dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
  C:\Windows\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe
    C:\Windows\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DE5~1.EXE > nul
      4⤵
      PID:2108
  - - C:\Windows\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
      C:\Windows\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
        
        C:\Windows\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Windows\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
        
        C:\Windows\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
        
        C:\Windows\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
        
        C:\Windows\{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
        
        C:\Windows\{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
        
        C:\Windows\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\{646E5243-006F-489e-972C-738D198C89F9}.exe
        
        C:\Windows\{646E5243-006F-489e-972C-738D198C89F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe
        
        C:\Windows\{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{646E5~1.EXE > nul
        12⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DCEC~1.EXE > nul
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C2F~1.EXE > nul
        10⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4552D~1.EXE > nul
        9⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48EE6~1.EXE > nul
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB674~1.EXE > nul
        7⤵
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78DD4~1.EXE > nul
        6⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E81B~1.EXE > nul
        5⤵
        
        PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB12E~1.EXE > nul
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\301906~1.EXE > nul
  2⤵
  PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe

Filesize
204KB

MD5
fb848c41212d5a62da904777928a3f4b

SHA1
fc699ebf12d44c5e4a77ecbaaa0ab9bfd52996ee

SHA256
9b1ca8f6f9ac067555bb620c1cb1f857e266b81ec704262a1c2eb849ae1da83b

SHA512
25a224bf98306f06b9e4227f7e6ce6dbfb655f610e80031e356810ff260307cbb0db98e4cf12bcf4b0238dd8bbdde66916041f3aa51749107fea262c78b2170b

Download Submit
C:\Windows\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe

Filesize
204KB

MD5
fb848c41212d5a62da904777928a3f4b

SHA1
fc699ebf12d44c5e4a77ecbaaa0ab9bfd52996ee

SHA256
9b1ca8f6f9ac067555bb620c1cb1f857e266b81ec704262a1c2eb849ae1da83b

SHA512
25a224bf98306f06b9e4227f7e6ce6dbfb655f610e80031e356810ff260307cbb0db98e4cf12bcf4b0238dd8bbdde66916041f3aa51749107fea262c78b2170b

Download Submit
C:\Windows\{1E81B403-F1D2-4988-84EA-F8BBF6C01737}.exe

Filesize
204KB

MD5
fb848c41212d5a62da904777928a3f4b

SHA1
fc699ebf12d44c5e4a77ecbaaa0ab9bfd52996ee

SHA256
9b1ca8f6f9ac067555bb620c1cb1f857e266b81ec704262a1c2eb849ae1da83b

SHA512
25a224bf98306f06b9e4227f7e6ce6dbfb655f610e80031e356810ff260307cbb0db98e4cf12bcf4b0238dd8bbdde66916041f3aa51749107fea262c78b2170b

Download Submit
C:\Windows\{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe

Filesize
204KB

MD5
88a6bc45c7a0d663aff9fac07b394464

SHA1
3a8252fe44cf60c72fc3cb56063ed3c747416f2c

SHA256
a8053582d66bec01fbb5b63823e2011274536a45897a592ee1d09c1de5702b7c

SHA512
80f39348d65197803e16de7c4723eeefdaab96a1a3bea7ce7de1f2d1403a8be6e10ace5dc6bde64ed0990d565e7cba1ba2c51a29c70423ff9a74e385e9e29b94

Download Submit
C:\Windows\{29C2FB06-986A-45a9-B60D-D1F6188A4430}.exe

Filesize
204KB

MD5
88a6bc45c7a0d663aff9fac07b394464

SHA1
3a8252fe44cf60c72fc3cb56063ed3c747416f2c

SHA256
a8053582d66bec01fbb5b63823e2011274536a45897a592ee1d09c1de5702b7c

SHA512
80f39348d65197803e16de7c4723eeefdaab96a1a3bea7ce7de1f2d1403a8be6e10ace5dc6bde64ed0990d565e7cba1ba2c51a29c70423ff9a74e385e9e29b94

Download Submit
C:\Windows\{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe

Filesize
204KB

MD5
6dbdf8b5beda7d718272884df400d854

SHA1
4802b9371f0fa4adee09bf9bdb1cf635ca45ddb8

SHA256
0a5419ae3d0900e3428489d89ee80468e7c39ae9b0f31852d5c8dd6ef2afbe3a

SHA512
a20ddcfd8f354d0edece2e50efac7442f55b2b6f43a47a5d584ad35509b7f392250eb077a8c62e333aa986671e3b9a8217cd549fde1ce018cce92581777c68af

Download Submit
C:\Windows\{3DA752A2-0630-4a11-ADCD-022B5430591C}.exe

Filesize
204KB

MD5
6dbdf8b5beda7d718272884df400d854

SHA1
4802b9371f0fa4adee09bf9bdb1cf635ca45ddb8

SHA256
0a5419ae3d0900e3428489d89ee80468e7c39ae9b0f31852d5c8dd6ef2afbe3a

SHA512
a20ddcfd8f354d0edece2e50efac7442f55b2b6f43a47a5d584ad35509b7f392250eb077a8c62e333aa986671e3b9a8217cd549fde1ce018cce92581777c68af

Download Submit
C:\Windows\{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe

Filesize
204KB

MD5
64fc99082d17ad0057df8fcbe9b5c467

SHA1
5e65e5619c96a1dde8c3e3c295e712d3603f60fe

SHA256
8bac1615c993e8b8784b96c129412aecdb17c1e075c0d07a8b39f34dbd5df678

SHA512
11b3c731466c67079c89e9bdd84b40f3245ffb45f1391e5da4c80f50cc0f39023fbcc9ac4f83bf5f7912f944f9221394484e643f281596ccf7d77717a8dc960d

Download Submit
C:\Windows\{4552DA5D-F527-458c-BD8C-1BB6871F710B}.exe

Filesize
204KB

MD5
64fc99082d17ad0057df8fcbe9b5c467

SHA1
5e65e5619c96a1dde8c3e3c295e712d3603f60fe

SHA256
8bac1615c993e8b8784b96c129412aecdb17c1e075c0d07a8b39f34dbd5df678

SHA512
11b3c731466c67079c89e9bdd84b40f3245ffb45f1391e5da4c80f50cc0f39023fbcc9ac4f83bf5f7912f944f9221394484e643f281596ccf7d77717a8dc960d

Download Submit
C:\Windows\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe

Filesize
204KB

MD5
8d8f64c03ace71b8d86076dc4ba39e70

SHA1
dc5d2329df5c1350051a31931e450583ff6b512d

SHA256
5093ea6108303ee6ab4099b62359cc831921860de752e345c2790edee64500a4

SHA512
8fcec7140daf542f0b6a24ef5eeab4d2b499a24fbe5fdf3c14ba4de4afa913eeac21fea630cb8a17702647feea2edff4379bf237b41b0793c7223fd0a5b64954

Download Submit
C:\Windows\{48EE66C9-18A9-4b20-9864-5BCEB78AC789}.exe

Filesize
204KB

MD5
8d8f64c03ace71b8d86076dc4ba39e70

SHA1
dc5d2329df5c1350051a31931e450583ff6b512d

SHA256
5093ea6108303ee6ab4099b62359cc831921860de752e345c2790edee64500a4

SHA512
8fcec7140daf542f0b6a24ef5eeab4d2b499a24fbe5fdf3c14ba4de4afa913eeac21fea630cb8a17702647feea2edff4379bf237b41b0793c7223fd0a5b64954

Download Submit
C:\Windows\{646E5243-006F-489e-972C-738D198C89F9}.exe

Filesize
204KB

MD5
0c19d757074cca9fb0c5ac107048f2a7

SHA1
28ec0656e6275e5fa4995102d774b20885eb0e17

SHA256
30deb954ddd95de52d1e8aaa95df4c77175289fc116973c331ec1aa6f26d88d0

SHA512
85b4623650194b515b9ccaea29ee0b6879605bca7990bcdd491be4879248e40225ef630046defccad4dfe366a83e6b08cbee5b81a1ad97b36cf904102366394e

Download Submit
C:\Windows\{646E5243-006F-489e-972C-738D198C89F9}.exe

Filesize
204KB

MD5
0c19d757074cca9fb0c5ac107048f2a7

SHA1
28ec0656e6275e5fa4995102d774b20885eb0e17

SHA256
30deb954ddd95de52d1e8aaa95df4c77175289fc116973c331ec1aa6f26d88d0

SHA512
85b4623650194b515b9ccaea29ee0b6879605bca7990bcdd491be4879248e40225ef630046defccad4dfe366a83e6b08cbee5b81a1ad97b36cf904102366394e

Download Submit
C:\Windows\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe

Filesize
204KB

MD5
08c38c680dce8c2aec81c0c5083f0c74

SHA1
38785c1468acf578fe0c587c391e1ce7ebcd5827

SHA256
429f016c72c6ff91849207ee5dae3d9e7e9a50625a55164940a056a2edab3455

SHA512
8fbb45bcd817e2df335ed383837160598c1792e53bbe3929993df6de42373b05a5c6d2c947db33293c208ff89792c6f930733e673b8c202a8e4366369f5e6801

Download Submit
C:\Windows\{78DD4EA2-B9EB-4d73-B3AA-2D911A2142F2}.exe

Filesize
204KB

MD5
08c38c680dce8c2aec81c0c5083f0c74

SHA1
38785c1468acf578fe0c587c391e1ce7ebcd5827

SHA256
429f016c72c6ff91849207ee5dae3d9e7e9a50625a55164940a056a2edab3455

SHA512
8fbb45bcd817e2df335ed383837160598c1792e53bbe3929993df6de42373b05a5c6d2c947db33293c208ff89792c6f930733e673b8c202a8e4366369f5e6801

Download Submit
C:\Windows\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe

Filesize
204KB

MD5
db2921f45f9acdba5f8a21a0022d24fa

SHA1
b8b7e82c548c81bac4c0b0e56db58a22187a1703

SHA256
823810c4a7bb97825ad236d870bd73d735863acc6fdd349694249ed5c321e076

SHA512
3066d7d6b0b9eb87c0d065ebf7c1a8049258232150ae29756744884e600d3f04c571170de75f3b3203a0826e03f4e84af6aa31708e2779ed0d37b5cdd90f6449

Download Submit
C:\Windows\{7DCEC17C-1565-48ae-8744-19E1B86F2BB2}.exe

Filesize
204KB

MD5
db2921f45f9acdba5f8a21a0022d24fa

SHA1
b8b7e82c548c81bac4c0b0e56db58a22187a1703

SHA256
823810c4a7bb97825ad236d870bd73d735863acc6fdd349694249ed5c321e076

SHA512
3066d7d6b0b9eb87c0d065ebf7c1a8049258232150ae29756744884e600d3f04c571170de75f3b3203a0826e03f4e84af6aa31708e2779ed0d37b5cdd90f6449

Download Submit
C:\Windows\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe

Filesize
204KB

MD5
1f030e91b6fa238538d1472b4a1b74db

SHA1
58e2488315e59c4cf194eb3863a2b956a999e74a

SHA256
7e05c933ae6ff13c31f856f8c68f4a4c79d4309f1fd4a3d45a9784251d1a2a2a

SHA512
71491d7b4620ff9c1e33b7e4fb561f6aa321b88e94f0e2e01c1a5b477420cc6038f514f3df1e46802d255eb8fbd853db64b0b2e4912a57179366feb002c1ade9

Download Submit
C:\Windows\{A7DE5C64-C115-4a52-BDE7-CE9CC60979F3}.exe

Filesize
204KB

MD5
1f030e91b6fa238538d1472b4a1b74db

SHA1
58e2488315e59c4cf194eb3863a2b956a999e74a

SHA256
7e05c933ae6ff13c31f856f8c68f4a4c79d4309f1fd4a3d45a9784251d1a2a2a

SHA512
71491d7b4620ff9c1e33b7e4fb561f6aa321b88e94f0e2e01c1a5b477420cc6038f514f3df1e46802d255eb8fbd853db64b0b2e4912a57179366feb002c1ade9

Download Submit
C:\Windows\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe

Filesize
204KB

MD5
e9b4c34f9b3569f351e4cb8be89ea46a

SHA1
d7f15190fe2968e39a155cbf2d39dbf36d5449d0

SHA256
0c44da7f033510aab03220ca99bdc0b208acd10d867678b6f776ef1a06803baf

SHA512
a538b4b27d1d9268f4bf82a0bce4cc91e85d210e5c5425d92fa149393cbf6ee00df3fba05c87f945413f8d78aab120f4b8cc83556fd77f6f5bb0f55cf4924c82

Download Submit
C:\Windows\{BB674DF6-8AB2-4ae7-8D7E-7CE3950EDBAE}.exe

Filesize
204KB

MD5
e9b4c34f9b3569f351e4cb8be89ea46a

SHA1
d7f15190fe2968e39a155cbf2d39dbf36d5449d0

SHA256
0c44da7f033510aab03220ca99bdc0b208acd10d867678b6f776ef1a06803baf

SHA512
a538b4b27d1d9268f4bf82a0bce4cc91e85d210e5c5425d92fa149393cbf6ee00df3fba05c87f945413f8d78aab120f4b8cc83556fd77f6f5bb0f55cf4924c82

Download Submit
C:\Windows\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe

Filesize
204KB

MD5
7949d56cd366d51aff946168b3de8fe6

SHA1
591dd3e6bcb77b51a4d5334d713dca72ed049096

SHA256
d8c2b12d692603e688e239de2501096f8165719e05e6c50ccd6d1cb57974e544

SHA512
ab3062db7ceb37ebcb698279365f4f8bc398b29e260eefc7b94dc88d57797bbe29bc31e3d2b03da3a80824955d8328170a274e15a1b5915dfe45ba992b397aaf

Download Submit
C:\Windows\{CB12E798-5D06-4764-BAE6-0F07B0AF394F}.exe

Filesize
204KB

MD5
7949d56cd366d51aff946168b3de8fe6

SHA1
591dd3e6bcb77b51a4d5334d713dca72ed049096

SHA256
d8c2b12d692603e688e239de2501096f8165719e05e6c50ccd6d1cb57974e544

SHA512
ab3062db7ceb37ebcb698279365f4f8bc398b29e260eefc7b94dc88d57797bbe29bc31e3d2b03da3a80824955d8328170a274e15a1b5915dfe45ba992b397aaf

Download Submit