c8a2b6d15bc2d592240d4b2b0abd38df3bdb89c80677fbd58f495cda5fe2707c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36866179aa3537exeexeexeex.exe
Size

408KB
MD5

36866179aa3537529ca33af3c88cdd6a
SHA1

0023bcf6c6b65a092a76afba7fbb6d7523620ffa
SHA256

c8a2b6d15bc2d592240d4b2b0abd38df3bdb89c80677fbd58f495cda5fe2707c
SHA512

275a1715f89993a0271ebe2d8541f13ec15a87f6408bcdc6e10b7761b3c10d17aa23fe8b044bead755bc458d94a14a4127d7339a05e086584cf7c80f64d59648
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGbldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8D67379-FB0A-4c5f-8618-13F744CF2187}	{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139C5689-E3E5-4eed-B365-C51C836B2C5C}	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139C5689-E3E5-4eed-B365-C51C836B2C5C}\stubpath = "C:\\Windows\\{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe"	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58494838-6703-4ca1-BC9B-18D774C57A7A}\stubpath = "C:\\Windows\\{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe"	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B877C6C-DC45-4004-9ABA-D735543C40E1}	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9349022-1D77-4d64-BD90-C00B50CF9877}	36866179aa3537exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}\stubpath = "C:\\Windows\\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe"	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5FFE928-661D-4027-87A2-422E7B4060D1}	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF24858-92D8-4265-AD02-E8525BD20B81}\stubpath = "C:\\Windows\\{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe"	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8D67379-FB0A-4c5f-8618-13F744CF2187}\stubpath = "C:\\Windows\\{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe"	{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138CEF87-7B25-42a1-9033-1995C8FB955F}	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}\stubpath = "C:\\Windows\\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe"	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF24858-92D8-4265-AD02-E8525BD20B81}	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}\stubpath = "C:\\Windows\\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe"	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B877C6C-DC45-4004-9ABA-D735543C40E1}\stubpath = "C:\\Windows\\{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe"	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9349022-1D77-4d64-BD90-C00B50CF9877}\stubpath = "C:\\Windows\\{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe"	36866179aa3537exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138CEF87-7B25-42a1-9033-1995C8FB955F}\stubpath = "C:\\Windows\\{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe"	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}\stubpath = "C:\\Windows\\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe"	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5FFE928-661D-4027-87A2-422E7B4060D1}\stubpath = "C:\\Windows\\{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe"	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58494838-6703-4ca1-BC9B-18D774C57A7A}	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe
3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
1256	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe
4256	{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe
4420	{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
File created	C:\Windows\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
File created	C:\Windows\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
File created	C:\Windows\{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
File created	C:\Windows\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
File created	C:\Windows\{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
File created	C:\Windows\{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
File created	C:\Windows\{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe	{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe
File created	C:\Windows\{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	36866179aa3537exeexeexeex.exe
File created	C:\Windows\{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe
File created	C:\Windows\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
File created	C:\Windows\{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2648	36866179aa3537exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
Token: SeIncBasePriorityPrivilege	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
Token: SeIncBasePriorityPrivilege	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
Token: SeIncBasePriorityPrivilege	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
Token: SeIncBasePriorityPrivilege	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
Token: SeIncBasePriorityPrivilege	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
Token: SeIncBasePriorityPrivilege	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe
Token: SeIncBasePriorityPrivilege	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
Token: SeIncBasePriorityPrivilege	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
Token: SeIncBasePriorityPrivilege	1256	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe
Token: SeIncBasePriorityPrivilege	4256	{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2300	2648	36866179aa3537exeexeexeex.exe	83
PID 2648 wrote to memory of 2300	2648	36866179aa3537exeexeexeex.exe	83
PID 2648 wrote to memory of 2300	2648	36866179aa3537exeexeexeex.exe	83
PID 2648 wrote to memory of 2076	2648	36866179aa3537exeexeexeex.exe	84
PID 2648 wrote to memory of 2076	2648	36866179aa3537exeexeexeex.exe	84
PID 2648 wrote to memory of 2076	2648	36866179aa3537exeexeexeex.exe	84
PID 2300 wrote to memory of 1716	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	85
PID 2300 wrote to memory of 1716	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	85
PID 2300 wrote to memory of 1716	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	85
PID 2300 wrote to memory of 1036	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	86
PID 2300 wrote to memory of 1036	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	86
PID 2300 wrote to memory of 1036	2300	{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe	86
PID 1716 wrote to memory of 3376	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	88
PID 1716 wrote to memory of 3376	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	88
PID 1716 wrote to memory of 3376	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	88
PID 1716 wrote to memory of 3700	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	89
PID 1716 wrote to memory of 3700	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	89
PID 1716 wrote to memory of 3700	1716	{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe	89
PID 3376 wrote to memory of 3756	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	90
PID 3376 wrote to memory of 3756	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	90
PID 3376 wrote to memory of 3756	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	90
PID 3376 wrote to memory of 1832	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	91
PID 3376 wrote to memory of 1832	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	91
PID 3376 wrote to memory of 1832	3376	{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe	91
PID 3756 wrote to memory of 3620	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	92
PID 3756 wrote to memory of 3620	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	92
PID 3756 wrote to memory of 3620	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	92
PID 3756 wrote to memory of 328	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	93
PID 3756 wrote to memory of 328	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	93
PID 3756 wrote to memory of 328	3756	{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe	93
PID 3620 wrote to memory of 4196	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	94
PID 3620 wrote to memory of 4196	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	94
PID 3620 wrote to memory of 4196	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	94
PID 3620 wrote to memory of 1552	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	95
PID 3620 wrote to memory of 1552	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	95
PID 3620 wrote to memory of 1552	3620	{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe	95
PID 4196 wrote to memory of 1348	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	96
PID 4196 wrote to memory of 1348	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	96
PID 4196 wrote to memory of 1348	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	96
PID 4196 wrote to memory of 4720	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	97
PID 4196 wrote to memory of 4720	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	97
PID 4196 wrote to memory of 4720	4196	{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe	97
PID 1348 wrote to memory of 3924	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	98
PID 1348 wrote to memory of 3924	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	98
PID 1348 wrote to memory of 3924	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	98
PID 1348 wrote to memory of 2296	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	99
PID 1348 wrote to memory of 2296	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	99
PID 1348 wrote to memory of 2296	1348	{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe	99
PID 3924 wrote to memory of 864	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	100
PID 3924 wrote to memory of 864	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	100
PID 3924 wrote to memory of 864	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	100
PID 3924 wrote to memory of 4956	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	101
PID 3924 wrote to memory of 4956	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	101
PID 3924 wrote to memory of 4956	3924	{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe	101
PID 864 wrote to memory of 1256	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	102
PID 864 wrote to memory of 1256	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	102
PID 864 wrote to memory of 1256	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	102
PID 864 wrote to memory of 3656	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	103
PID 864 wrote to memory of 3656	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	103
PID 864 wrote to memory of 3656	864	{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe	103
PID 1256 wrote to memory of 4256	1256	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe	104
PID 1256 wrote to memory of 4256	1256	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe	104
PID 1256 wrote to memory of 4256	1256	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe	104
PID 1256 wrote to memory of 1268	1256	{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe	105

C:\Users\Admin\AppData\Local\Temp\36866179aa3537exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\36866179aa3537exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
  C:\Windows\{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
    C:\Windows\{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
      C:\Windows\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
        
        C:\Windows\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
        
        C:\Windows\{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
        
        C:\Windows\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe
        
        C:\Windows\{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
        
        C:\Windows\{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
        
        C:\Windows\{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe
        
        C:\Windows\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe
        
        C:\Windows\{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe
        
        C:\Windows\{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe
        13⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B877~1.EXE > nul
        13⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DADCE~1.EXE > nul
        12⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DF24~1.EXE > nul
        11⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58494~1.EXE > nul
        10⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5FFE~1.EXE > nul
        9⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C01F1~1.EXE > nul
        8⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{139C5~1.EXE > nul
        7⤵
        
        PID:1552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6740~1.EXE > nul
        6⤵
        
        PID:328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C7B~1.EXE > nul
        5⤵
        
        PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{138CE~1.EXE > nul
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9349~1.EXE > nul
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\368661~1.EXE > nul
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe

Filesize
408KB

MD5
aa4fb7c96fb84400709c0f9522c65b5a

SHA1
2799d9307672faf6465b276e110387bc0b8ad627

SHA256
ed50879e21dd3be5e63fc719e69a5748d0fc6cce86ae543f307f8df76b5f525e

SHA512
7ab9da3738ee916a6605768886fd30822ccc6d6dff188abf32191e475bf5550596f10f22742f4656d5a963204c05bbaa30523ceab756c22a465cf6dffa9025da

Download Submit
C:\Windows\{138CEF87-7B25-42a1-9033-1995C8FB955F}.exe

Filesize
408KB

MD5
aa4fb7c96fb84400709c0f9522c65b5a

SHA1
2799d9307672faf6465b276e110387bc0b8ad627

SHA256
ed50879e21dd3be5e63fc719e69a5748d0fc6cce86ae543f307f8df76b5f525e

SHA512
7ab9da3738ee916a6605768886fd30822ccc6d6dff188abf32191e475bf5550596f10f22742f4656d5a963204c05bbaa30523ceab756c22a465cf6dffa9025da

Download Submit
C:\Windows\{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe

Filesize
408KB

MD5
abb32ba9ad5b9c75d3a09b18313a8d1e

SHA1
7c09c20fb0b43befdc4f74979fb8a5f1075cb82d

SHA256
f34a5265d0821ed90bb0cd1bf872283125ca8a12dd327a7dbf820197fced0874

SHA512
b283fd7fbe1c18fba2b975be0017aa59a98250b187d1f7f7d3e6259d3cf5807569fcdb7eb073bfe2f88b67475401d27c9ec82406fc4bccf1d38fd3e7cfaf3b7c

Download Submit
C:\Windows\{139C5689-E3E5-4eed-B365-C51C836B2C5C}.exe

Filesize
408KB

MD5
abb32ba9ad5b9c75d3a09b18313a8d1e

SHA1
7c09c20fb0b43befdc4f74979fb8a5f1075cb82d

SHA256
f34a5265d0821ed90bb0cd1bf872283125ca8a12dd327a7dbf820197fced0874

SHA512
b283fd7fbe1c18fba2b975be0017aa59a98250b187d1f7f7d3e6259d3cf5807569fcdb7eb073bfe2f88b67475401d27c9ec82406fc4bccf1d38fd3e7cfaf3b7c

Download Submit
C:\Windows\{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe

Filesize
408KB

MD5
b87d52378c1fa78de207adbb40e6ef07

SHA1
c5e03aa40f31e139a96371ed708dfeb122373ea7

SHA256
19baf06ddf27523efeca1c218dd3e775666918d748f7822a5f44e8aaf39a2bc7

SHA512
d8f61983c094b9d802d7fe13f867ff30e4b81afdcd4044e30ce4f6092cbdacc66a41aba86ff3a619766b53044dddf0357a33102922dfc220acfd9dbcb88363d7

Download Submit
C:\Windows\{1DF24858-92D8-4265-AD02-E8525BD20B81}.exe

Filesize
408KB

MD5
b87d52378c1fa78de207adbb40e6ef07

SHA1
c5e03aa40f31e139a96371ed708dfeb122373ea7

SHA256
19baf06ddf27523efeca1c218dd3e775666918d748f7822a5f44e8aaf39a2bc7

SHA512
d8f61983c094b9d802d7fe13f867ff30e4b81afdcd4044e30ce4f6092cbdacc66a41aba86ff3a619766b53044dddf0357a33102922dfc220acfd9dbcb88363d7

Download Submit
C:\Windows\{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe

Filesize
408KB

MD5
c57b75f36ed520a8b08c660fe29f8fff

SHA1
74f0bb1f202559e0ee7e14c0aa02d64dc6c79262

SHA256
48067b1949c7f03aa4eb7bb81a18cd9f839759dc931e7227998ae803d38c10c0

SHA512
d0f1caa3e9712bbe4956a7414518346e65d2f3d4eea6ddaac0a54b6da3ffca6495739e5505bb8f1769947784bd53d50ef51a287b6fbe3a20b43eb1310ebb2175

Download Submit
C:\Windows\{4B877C6C-DC45-4004-9ABA-D735543C40E1}.exe

Filesize
408KB

MD5
c57b75f36ed520a8b08c660fe29f8fff

SHA1
74f0bb1f202559e0ee7e14c0aa02d64dc6c79262

SHA256
48067b1949c7f03aa4eb7bb81a18cd9f839759dc931e7227998ae803d38c10c0

SHA512
d0f1caa3e9712bbe4956a7414518346e65d2f3d4eea6ddaac0a54b6da3ffca6495739e5505bb8f1769947784bd53d50ef51a287b6fbe3a20b43eb1310ebb2175

Download Submit
C:\Windows\{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe

Filesize
408KB

MD5
becafbce5e069c6eee33a6ada11965b7

SHA1
5f5f73f85d849792b625a90ef656719236bf56a7

SHA256
766cf0e7029b9d867117908f4128cd01de4a1e998d0a73227699feb614e4179b

SHA512
de56d613e5d73caacebbb4a4281e19ba3f40cceac70a7e847a7c4b1b15a4fb976898bb31ef872f6f2dff4c7811fbb4a1184d2bf8514e0aa6bbe07af35cbefbd2

Download Submit
C:\Windows\{58494838-6703-4ca1-BC9B-18D774C57A7A}.exe

Filesize
408KB

MD5
becafbce5e069c6eee33a6ada11965b7

SHA1
5f5f73f85d849792b625a90ef656719236bf56a7

SHA256
766cf0e7029b9d867117908f4128cd01de4a1e998d0a73227699feb614e4179b

SHA512
de56d613e5d73caacebbb4a4281e19ba3f40cceac70a7e847a7c4b1b15a4fb976898bb31ef872f6f2dff4c7811fbb4a1184d2bf8514e0aa6bbe07af35cbefbd2

Download Submit
C:\Windows\{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe

Filesize
408KB

MD5
12ee0c400876419363f5821a78e14e96

SHA1
e12b5acdae5203abfa16785da87ddfcec1768ad9

SHA256
574baed763beba7e3773fb1c49b15667be2083151afde8f9643fe62bfb49d030

SHA512
23883b1aa74b6b0995cd4a078b0f95cd688b88a749a92bd67b496eb04c7f6f9e6a24eb4470c3f72601a5208efa3f48361e0dd4a892da954ac2b170dddbe49def

Download Submit
C:\Windows\{A5FFE928-661D-4027-87A2-422E7B4060D1}.exe

Filesize
408KB

MD5
12ee0c400876419363f5821a78e14e96

SHA1
e12b5acdae5203abfa16785da87ddfcec1768ad9

SHA256
574baed763beba7e3773fb1c49b15667be2083151afde8f9643fe62bfb49d030

SHA512
23883b1aa74b6b0995cd4a078b0f95cd688b88a749a92bd67b496eb04c7f6f9e6a24eb4470c3f72601a5208efa3f48361e0dd4a892da954ac2b170dddbe49def

Download Submit
C:\Windows\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe

Filesize
408KB

MD5
0079db3be3139732e64396fa62f2ddaa

SHA1
4537d0fd3f97dff57bf59a7355f3f6b74b1c6dba

SHA256
ae5b6437925dea2262cad45375616648c962e3cd5fe555a85fe9a3f53d898381

SHA512
435ceca695274bbf12de6e6f6ea96c4668dd158ed9655654daf1e6a0bf30602e7ad390a9a0b0a3b14b91f4c62b1bbee145c85a813de5ac4b965c8d0d149bab88

Download Submit
C:\Windows\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe

Filesize
408KB

MD5
0079db3be3139732e64396fa62f2ddaa

SHA1
4537d0fd3f97dff57bf59a7355f3f6b74b1c6dba

SHA256
ae5b6437925dea2262cad45375616648c962e3cd5fe555a85fe9a3f53d898381

SHA512
435ceca695274bbf12de6e6f6ea96c4668dd158ed9655654daf1e6a0bf30602e7ad390a9a0b0a3b14b91f4c62b1bbee145c85a813de5ac4b965c8d0d149bab88

Download Submit
C:\Windows\{B3C7BAC5-104F-47d9-91E2-DB0E8992844C}.exe

Filesize
408KB

MD5
0079db3be3139732e64396fa62f2ddaa

SHA1
4537d0fd3f97dff57bf59a7355f3f6b74b1c6dba

SHA256
ae5b6437925dea2262cad45375616648c962e3cd5fe555a85fe9a3f53d898381

SHA512
435ceca695274bbf12de6e6f6ea96c4668dd158ed9655654daf1e6a0bf30602e7ad390a9a0b0a3b14b91f4c62b1bbee145c85a813de5ac4b965c8d0d149bab88

Download Submit
C:\Windows\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe

Filesize
408KB

MD5
5e7277c6a38dd0a58575b7758f55e126

SHA1
75f0fe6224edbdf2c28f37764c4aa8a5b5a8df17

SHA256
a4be510d2937e763cbf738e18b449238c0e3af0cbcf52d02e9cfccaeba154865

SHA512
5e2246020d8a49e49d55f4da2ef9628db692a1d1e6c5c01490d81651d2765ba5dac40901e623d99ab0de3e5306aa2f6afba9b99f0a9871bb731c898c295f6ae3

Download Submit
C:\Windows\{B67408D7-29E8-4591-BBCD-0C7DA09C0105}.exe

Filesize
408KB

MD5
5e7277c6a38dd0a58575b7758f55e126

SHA1
75f0fe6224edbdf2c28f37764c4aa8a5b5a8df17

SHA256
a4be510d2937e763cbf738e18b449238c0e3af0cbcf52d02e9cfccaeba154865

SHA512
5e2246020d8a49e49d55f4da2ef9628db692a1d1e6c5c01490d81651d2765ba5dac40901e623d99ab0de3e5306aa2f6afba9b99f0a9871bb731c898c295f6ae3

Download Submit
C:\Windows\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe

Filesize
408KB

MD5
4a4a482e961b204cbf18b7bceb5e92e1

SHA1
a8e2830d768fbad19cb6d693c7e4f370618f5097

SHA256
8fe86f422835fe37172eb7f26287ff1df548c6d0524e33ec036ba7c8a8c37cd6

SHA512
89e3acbaf41f7a79b5313817897e6acdf4f612174aa928213bf3f20043cb39058a6f0b5753c9e58eed1a9b1317dabc4d69d0bb23af4395d54b3767733de1cbe9

Download Submit
C:\Windows\{C01F1AEA-1150-4e44-95A0-6257B2DA7024}.exe

Filesize
408KB

MD5
4a4a482e961b204cbf18b7bceb5e92e1

SHA1
a8e2830d768fbad19cb6d693c7e4f370618f5097

SHA256
8fe86f422835fe37172eb7f26287ff1df548c6d0524e33ec036ba7c8a8c37cd6

SHA512
89e3acbaf41f7a79b5313817897e6acdf4f612174aa928213bf3f20043cb39058a6f0b5753c9e58eed1a9b1317dabc4d69d0bb23af4395d54b3767733de1cbe9

Download Submit
C:\Windows\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe

Filesize
408KB

MD5
b19ffc310da850855f7c7f9b57c0118a

SHA1
cc45462345d5d06e26825bd31f0a8d1e6fa006fc

SHA256
e4ad0fe6313e6b57dd5970cc1f4ecc96f1311785e0f0d764f21a47ab46130440

SHA512
74dbeaf7a40993c71a1e2a80f61aab352f868f3e261b8d355635a1029286d4fe1c54235b2ad6de15da4e36729f7e68bfbafe71a5142df3ca22800e890e7e3098

Download Submit
C:\Windows\{DADCE9B0-DB1E-4ea7-B25A-82ADF1979AB4}.exe

Filesize
408KB

MD5
b19ffc310da850855f7c7f9b57c0118a

SHA1
cc45462345d5d06e26825bd31f0a8d1e6fa006fc

SHA256
e4ad0fe6313e6b57dd5970cc1f4ecc96f1311785e0f0d764f21a47ab46130440

SHA512
74dbeaf7a40993c71a1e2a80f61aab352f868f3e261b8d355635a1029286d4fe1c54235b2ad6de15da4e36729f7e68bfbafe71a5142df3ca22800e890e7e3098

Download Submit
C:\Windows\{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe

Filesize
408KB

MD5
7430167adf0a2b65ca2b5f509be0886c

SHA1
2bc53500666288926a08c2f43a656b508a4860a0

SHA256
935bcffce76d6f2ba826da89ccd32c586f08dfedcf3d63aea654a34da8c5e741

SHA512
3195ede6bddc991e468901188d2ec2efda8b9efc6ffe218002793afc0d6443ee9a759fb9e6b2f0d22fea8e1785162f11b810366818fa0ef38409b9547508b7cb

Download Submit
C:\Windows\{E8D67379-FB0A-4c5f-8618-13F744CF2187}.exe

Filesize
408KB

MD5
7430167adf0a2b65ca2b5f509be0886c

SHA1
2bc53500666288926a08c2f43a656b508a4860a0

SHA256
935bcffce76d6f2ba826da89ccd32c586f08dfedcf3d63aea654a34da8c5e741

SHA512
3195ede6bddc991e468901188d2ec2efda8b9efc6ffe218002793afc0d6443ee9a759fb9e6b2f0d22fea8e1785162f11b810366818fa0ef38409b9547508b7cb

Download Submit
C:\Windows\{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe

Filesize
408KB

MD5
a35f4fe0641637aec53b87f758806e11

SHA1
ccb27fa3990aaf43ececda3662462e1b5f00fdbd

SHA256
d0d211f259c06b2849de56fd01818711b3ed17928ccc63171fe4e42b758c4fcd

SHA512
a4dab9ab8d0d0139199ab819c6130f719566e1ab199fc4d5e60aa0b63771b9b8ffd52b28987f1ca5e3a45aa2e29700aec1f5d37cac1dfe1b9c1add0f593c7022

Download Submit
C:\Windows\{F9349022-1D77-4d64-BD90-C00B50CF9877}.exe

Filesize
408KB

MD5
a35f4fe0641637aec53b87f758806e11

SHA1
ccb27fa3990aaf43ececda3662462e1b5f00fdbd

SHA256
d0d211f259c06b2849de56fd01818711b3ed17928ccc63171fe4e42b758c4fcd

SHA512
a4dab9ab8d0d0139199ab819c6130f719566e1ab199fc4d5e60aa0b63771b9b8ffd52b28987f1ca5e3a45aa2e29700aec1f5d37cac1dfe1b9c1add0f593c7022

Download Submit