02ec767eaff502aac94cd697cd725651f5154b64bda980956fafa282a78ec4e6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c91b8a791359exeexeexeex.exe
Size

372KB
MD5

47c91b8a791359b8e3799200e40e5b32
SHA1

83d785808f10bf4968fdf274de40ff98245ecc68
SHA256

02ec767eaff502aac94cd697cd725651f5154b64bda980956fafa282a78ec4e6
SHA512

33dda107ecef325a3c9c0113d48c6b193c613f184c8e5ad1e9c4cbd819c8106e820959e46113da73ec97786308dbe1cc6d1aef202fdbec4ead14d6fba924e009
SSDEEP

3072:CEGh0oRmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGOl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}	47c91b8a791359exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}\stubpath = "C:\\Windows\\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe"	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}\stubpath = "C:\\Windows\\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe"	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB41B054-16CC-4303-ACF2-4A8C16A41788}\stubpath = "C:\\Windows\\{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe"	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}\stubpath = "C:\\Windows\\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe"	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}\stubpath = "C:\\Windows\\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe"	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F044949-C706-48b2-A8D6-81D674571C9A}	{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}\stubpath = "C:\\Windows\\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe"	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC68C666-5326-442c-BDCF-CB5318FFB042}\stubpath = "C:\\Windows\\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe"	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}\stubpath = "C:\\Windows\\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe"	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}\stubpath = "C:\\Windows\\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe"	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}\stubpath = "C:\\Windows\\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe"	47c91b8a791359exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC68C666-5326-442c-BDCF-CB5318FFB042}	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB41B054-16CC-4303-ACF2-4A8C16A41788}	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}\stubpath = "C:\\Windows\\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe"	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F044949-C706-48b2-A8D6-81D674571C9A}\stubpath = "C:\\Windows\\{1F044949-C706-48b2-A8D6-81D674571C9A}.exe"	{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe

Executes dropped EXE 12 IoCs

pid	Process
5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe
4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
2764	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
5024	{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe
1512	{1F044949-C706-48b2-A8D6-81D674571C9A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
File created	C:\Windows\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
File created	C:\Windows\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
File created	C:\Windows\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
File created	C:\Windows\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	47c91b8a791359exeexeexeex.exe
File created	C:\Windows\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
File created	C:\Windows\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
File created	C:\Windows\{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
File created	C:\Windows\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
File created	C:\Windows\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
File created	C:\Windows\{1F044949-C706-48b2-A8D6-81D674571C9A}.exe	{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe
File created	C:\Windows\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1160	47c91b8a791359exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
Token: SeIncBasePriorityPrivilege	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe
Token: SeIncBasePriorityPrivilege	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
Token: SeIncBasePriorityPrivilege	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
Token: SeIncBasePriorityPrivilege	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
Token: SeIncBasePriorityPrivilege	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
Token: SeIncBasePriorityPrivilege	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
Token: SeIncBasePriorityPrivilege	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
Token: SeIncBasePriorityPrivilege	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
Token: SeIncBasePriorityPrivilege	2764	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
Token: SeIncBasePriorityPrivilege	5024	{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 5004	1160	47c91b8a791359exeexeexeex.exe	87
PID 1160 wrote to memory of 5004	1160	47c91b8a791359exeexeexeex.exe	87
PID 1160 wrote to memory of 5004	1160	47c91b8a791359exeexeexeex.exe	87
PID 1160 wrote to memory of 4344	1160	47c91b8a791359exeexeexeex.exe	88
PID 1160 wrote to memory of 4344	1160	47c91b8a791359exeexeexeex.exe	88
PID 1160 wrote to memory of 4344	1160	47c91b8a791359exeexeexeex.exe	88
PID 5004 wrote to memory of 4736	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	89
PID 5004 wrote to memory of 4736	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	89
PID 5004 wrote to memory of 4736	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	89
PID 5004 wrote to memory of 1464	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	90
PID 5004 wrote to memory of 1464	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	90
PID 5004 wrote to memory of 1464	5004	{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe	90
PID 4736 wrote to memory of 4008	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	94
PID 4736 wrote to memory of 4008	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	94
PID 4736 wrote to memory of 4008	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	94
PID 4736 wrote to memory of 2312	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	95
PID 4736 wrote to memory of 2312	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	95
PID 4736 wrote to memory of 2312	4736	{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe	95
PID 4008 wrote to memory of 1452	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	96
PID 4008 wrote to memory of 1452	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	96
PID 4008 wrote to memory of 1452	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	96
PID 4008 wrote to memory of 2020	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	97
PID 4008 wrote to memory of 2020	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	97
PID 4008 wrote to memory of 2020	4008	{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe	97
PID 1452 wrote to memory of 3188	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	98
PID 1452 wrote to memory of 3188	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	98
PID 1452 wrote to memory of 3188	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	98
PID 1452 wrote to memory of 4248	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	99
PID 1452 wrote to memory of 4248	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	99
PID 1452 wrote to memory of 4248	1452	{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe	99
PID 3188 wrote to memory of 2532	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	100
PID 3188 wrote to memory of 2532	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	100
PID 3188 wrote to memory of 2532	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	100
PID 3188 wrote to memory of 1296	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	101
PID 3188 wrote to memory of 1296	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	101
PID 3188 wrote to memory of 1296	3188	{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe	101
PID 2532 wrote to memory of 4924	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	102
PID 2532 wrote to memory of 4924	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	102
PID 2532 wrote to memory of 4924	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	102
PID 2532 wrote to memory of 1644	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	103
PID 2532 wrote to memory of 1644	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	103
PID 2532 wrote to memory of 1644	2532	{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe	103
PID 4924 wrote to memory of 2908	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	104
PID 4924 wrote to memory of 2908	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	104
PID 4924 wrote to memory of 2908	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	104
PID 4924 wrote to memory of 3236	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	105
PID 4924 wrote to memory of 3236	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	105
PID 4924 wrote to memory of 3236	4924	{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe	105
PID 2908 wrote to memory of 4252	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	106
PID 2908 wrote to memory of 4252	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	106
PID 2908 wrote to memory of 4252	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	106
PID 2908 wrote to memory of 2804	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	107
PID 2908 wrote to memory of 2804	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	107
PID 2908 wrote to memory of 2804	2908	{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe	107
PID 4252 wrote to memory of 2764	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	108
PID 4252 wrote to memory of 2764	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	108
PID 4252 wrote to memory of 2764	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	108
PID 4252 wrote to memory of 1660	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	109
PID 4252 wrote to memory of 1660	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	109
PID 4252 wrote to memory of 1660	4252	{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe	109
PID 2764 wrote to memory of 5024	2764	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe	110
PID 2764 wrote to memory of 5024	2764	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe	110
PID 2764 wrote to memory of 5024	2764	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe	110
PID 2764 wrote to memory of 3156	2764	{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe	111

C:\Users\Admin\AppData\Local\Temp\47c91b8a791359exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\47c91b8a791359exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
  C:\Windows\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe
    C:\Windows\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
      C:\Windows\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
        
        C:\Windows\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
        
        C:\Windows\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
        
        C:\Windows\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
        
        C:\Windows\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
        
        C:\Windows\{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
        
        C:\Windows\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
        
        C:\Windows\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe
        
        C:\Windows\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Windows\{1F044949-C706-48b2-A8D6-81D674571C9A}.exe
        
        C:\Windows\{1F044949-C706-48b2-A8D6-81D674571C9A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83A9A~1.EXE > nul
        13⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F09C9~1.EXE > nul
        12⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE734~1.EXE > nul
        11⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB41B~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEF79~1.EXE > nul
        9⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28255~1.EXE > nul
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC26A~1.EXE > nul
        7⤵
        
        PID:1296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C2DD~1.EXE > nul
        6⤵
        
        PID:4248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC68C~1.EXE > nul
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAFA5~1.EXE > nul
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{971DC~1.EXE > nul
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\47C91B~1.EXE > nul
  2⤵
  PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F044949-C706-48b2-A8D6-81D674571C9A}.exe

Filesize
372KB

MD5
68308cc5dc5f9eb2709143612adb1e45

SHA1
17cbb78f03abebadb69fe94f8b72ed56022e35ef

SHA256
682a3bbc10dd02e2377391b3a066575594aebb4c1fdfa57e3625eb7f79d471ac

SHA512
ee291b41a3fbda2511eb06e93d1699e5554b8050ccb40eae7b81e6e46f295cb9e8b716f69ab598cbfdccdf4c5a9627c58526fe8f6c8ec8bc05b8abec4fa8fe29

Download Submit
C:\Windows\{1F044949-C706-48b2-A8D6-81D674571C9A}.exe

Filesize
372KB

MD5
68308cc5dc5f9eb2709143612adb1e45

SHA1
17cbb78f03abebadb69fe94f8b72ed56022e35ef

SHA256
682a3bbc10dd02e2377391b3a066575594aebb4c1fdfa57e3625eb7f79d471ac

SHA512
ee291b41a3fbda2511eb06e93d1699e5554b8050ccb40eae7b81e6e46f295cb9e8b716f69ab598cbfdccdf4c5a9627c58526fe8f6c8ec8bc05b8abec4fa8fe29

Download Submit
C:\Windows\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe

Filesize
372KB

MD5
3fc0143df212c799ce1282488340f677

SHA1
123bfe4c42f33b455d3eb20221ee761533dae71d

SHA256
57b40d727182af85a92d3d92a6eb437cc58d65e8b62e6ef597e88684dadb1a54

SHA512
037c12baa2032918105e684dcb8eda6827c025f4cea82bf46b6375d81f168d85b355ac517c3259d3dadb9cb11d8a8e8d46033fbbc33882cab695d0e721dcd740

Download Submit
C:\Windows\{28255F89-AEB6-4389-AFA5-5A63ECA4F1C9}.exe

Filesize
372KB

MD5
3fc0143df212c799ce1282488340f677

SHA1
123bfe4c42f33b455d3eb20221ee761533dae71d

SHA256
57b40d727182af85a92d3d92a6eb437cc58d65e8b62e6ef597e88684dadb1a54

SHA512
037c12baa2032918105e684dcb8eda6827c025f4cea82bf46b6375d81f168d85b355ac517c3259d3dadb9cb11d8a8e8d46033fbbc33882cab695d0e721dcd740

Download Submit
C:\Windows\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe

Filesize
372KB

MD5
ee64eaba69cbdbab5e8a5e49bfd64647

SHA1
40c2b1c794d54046eb637a572241af18814cc20e

SHA256
0469656a3123a45b7eadc9a62f1b0e8d1dd9d69b66cba029a4cd7700935f33f5

SHA512
2e118efab31da6deb950f18463de41f903c92cbaf5f70e9ef712657eb22df93df65547ce07087bdd588b9788b506e7473582a1c71f52d96486dfbc605d245e5f

Download Submit
C:\Windows\{5C2DD120-CE6C-47f7-8A53-82D301BC480C}.exe

Filesize
372KB

MD5
ee64eaba69cbdbab5e8a5e49bfd64647

SHA1
40c2b1c794d54046eb637a572241af18814cc20e

SHA256
0469656a3123a45b7eadc9a62f1b0e8d1dd9d69b66cba029a4cd7700935f33f5

SHA512
2e118efab31da6deb950f18463de41f903c92cbaf5f70e9ef712657eb22df93df65547ce07087bdd588b9788b506e7473582a1c71f52d96486dfbc605d245e5f

Download Submit
C:\Windows\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe

Filesize
372KB

MD5
5fefd4aa2b551ca7d36446a5c52b56ef

SHA1
2c8cd1e2dc0cc358cfe5f623abfcfb7d7b295bd3

SHA256
eeaf2fa7f55bf34452df366f4436abd612d260bbbdd2c96d16c3c4670286e717

SHA512
8163d367ba4526a82a1cfedf1f922271521cbd01059d7693aa8b7b1ef6f53b3f0f68099a57fee1d5103bb2079bf6e75aca6af900881723bb4dcf8f0f58175ae5

Download Submit
C:\Windows\{83A9A4E1-4FD6-4e59-8B17-51B5106DA603}.exe

Filesize
372KB

MD5
5fefd4aa2b551ca7d36446a5c52b56ef

SHA1
2c8cd1e2dc0cc358cfe5f623abfcfb7d7b295bd3

SHA256
eeaf2fa7f55bf34452df366f4436abd612d260bbbdd2c96d16c3c4670286e717

SHA512
8163d367ba4526a82a1cfedf1f922271521cbd01059d7693aa8b7b1ef6f53b3f0f68099a57fee1d5103bb2079bf6e75aca6af900881723bb4dcf8f0f58175ae5

Download Submit
C:\Windows\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe

Filesize
372KB

MD5
d60c8d037e3d12515e1408f4007acba3

SHA1
69dce65c4974a99eb952c8e9d182f99b38d866b9

SHA256
849462dd8adeade85bd3202c0f576b0936eec2537af52bb10ffa61f7f9cb659c

SHA512
23e288560b97e06c27da6ff45d6bbfcea25e6e8e3b28ecd8c82e3f6073045f769ae2a53848da7019a36c9b6a59ad27cb1ca50fa519325debb14c2bea9d69bf01

Download Submit
C:\Windows\{971DCD6F-6268-4bbd-8BEA-D45BF0FD4FA7}.exe

Filesize
372KB

MD5
d60c8d037e3d12515e1408f4007acba3

SHA1
69dce65c4974a99eb952c8e9d182f99b38d866b9

SHA256
849462dd8adeade85bd3202c0f576b0936eec2537af52bb10ffa61f7f9cb659c

SHA512
23e288560b97e06c27da6ff45d6bbfcea25e6e8e3b28ecd8c82e3f6073045f769ae2a53848da7019a36c9b6a59ad27cb1ca50fa519325debb14c2bea9d69bf01

Download Submit
C:\Windows\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe

Filesize
372KB

MD5
057a9af5ba41ebe3aa715280d81d8bcd

SHA1
da1f9eef6151ae3680581b5436504828191f7de8

SHA256
4e6070de8b60c39007611154d7d4ce6ce2939bb4590060838327980682c54b30

SHA512
275fa3704f81f491c2957072681dd20f34ca53d2387fcd7667050b64c3ed6a1f32deba97c40e4b04de0955929023abae708df937a48609ca860b8b18117e42b8

Download Submit
C:\Windows\{BE734B1B-E8A5-4c08-85C0-2E21B6921D08}.exe

Filesize
372KB

MD5
057a9af5ba41ebe3aa715280d81d8bcd

SHA1
da1f9eef6151ae3680581b5436504828191f7de8

SHA256
4e6070de8b60c39007611154d7d4ce6ce2939bb4590060838327980682c54b30

SHA512
275fa3704f81f491c2957072681dd20f34ca53d2387fcd7667050b64c3ed6a1f32deba97c40e4b04de0955929023abae708df937a48609ca860b8b18117e42b8

Download Submit
C:\Windows\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe

Filesize
372KB

MD5
95f732024abf19ffcb7f99016b17b0f9

SHA1
bfc834d73256a1288cf55042052890ed26fedd88

SHA256
acca61fe679f00cc4cbc17a39f047059d7219e8e2727491fa5b85c787b987a45

SHA512
d16a75d76cfa4ae4f046b91c96320a8a7e1579a8eb9628995dcd5408feef19f411f8afb785ac91acb40ad606d60f11cdf06efcb4e6c95ebb86561cc7b0885407

Download Submit
C:\Windows\{CC26A222-E825-4ba4-8CC2-AD0A44B125CA}.exe

Filesize
372KB

MD5
95f732024abf19ffcb7f99016b17b0f9

SHA1
bfc834d73256a1288cf55042052890ed26fedd88

SHA256
acca61fe679f00cc4cbc17a39f047059d7219e8e2727491fa5b85c787b987a45

SHA512
d16a75d76cfa4ae4f046b91c96320a8a7e1579a8eb9628995dcd5408feef19f411f8afb785ac91acb40ad606d60f11cdf06efcb4e6c95ebb86561cc7b0885407

Download Submit
C:\Windows\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe

Filesize
372KB

MD5
66edb98aab126ecd39592542e5f83bf7

SHA1
b2474fda76b537f4c72c67dfae61de9b72b1f750

SHA256
d4744670363bf12c200b754ddfccde185a485926f00cf7fd522259b0afc732a2

SHA512
529573ee9775a84a82e98ddc2f8cf263f58aa5947d7b2d1c0f9e6ff5bfbad3834b09101c32bd48ed07f8cbd8e10ae63811363ed88562ece314b40bf30ec4f264

Download Submit
C:\Windows\{DEF790C6-8A19-4c5a-AB58-A35E8A09ADD8}.exe

Filesize
372KB

MD5
66edb98aab126ecd39592542e5f83bf7

SHA1
b2474fda76b537f4c72c67dfae61de9b72b1f750

SHA256
d4744670363bf12c200b754ddfccde185a485926f00cf7fd522259b0afc732a2

SHA512
529573ee9775a84a82e98ddc2f8cf263f58aa5947d7b2d1c0f9e6ff5bfbad3834b09101c32bd48ed07f8cbd8e10ae63811363ed88562ece314b40bf30ec4f264

Download Submit
C:\Windows\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe

Filesize
372KB

MD5
a2f69b422744039a5add84c76467a131

SHA1
fbe111b185c5f630536854def5c98d4551e1fa78

SHA256
c32717ab4ea27d49689d5c3a46f82796af08476ee672ced0cd89b02e8548e301

SHA512
39866016c12f84becf06b34fb9a1cb45f3111e36184633b366b4ec6a526b511ff50d03668f33f4bb3084101718757d4dfb3c98cce74a3f8cac8101ee4f775776

Download Submit
C:\Windows\{EAFA5985-DF27-4d96-ACAB-8A7E8CF1BB7A}.exe

Filesize
372KB

MD5
a2f69b422744039a5add84c76467a131

SHA1
fbe111b185c5f630536854def5c98d4551e1fa78

SHA256
c32717ab4ea27d49689d5c3a46f82796af08476ee672ced0cd89b02e8548e301

SHA512
39866016c12f84becf06b34fb9a1cb45f3111e36184633b366b4ec6a526b511ff50d03668f33f4bb3084101718757d4dfb3c98cce74a3f8cac8101ee4f775776

Download Submit
C:\Windows\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe

Filesize
372KB

MD5
c6b4407b81cc0b947757f8ffa31a93e5

SHA1
dfadf1048ad61a0dde4c38ffcdc09f74d5eee5d9

SHA256
f9c96398ae9b195dba53789bfc9bad67743ff6f0b9552ffe1e7adf0aee915033

SHA512
eda47b80d70c631065f3e08ddfc2c01bfc34237a8b312c98329d78356bd039d96a865ad79e84fb5db4fc9041987fc99f36f8ffe73c973ff36ead7bbe01c616a7

Download Submit
C:\Windows\{F09C9AD6-7CE6-4b2b-B584-64B342CB6EE7}.exe

Filesize
372KB

MD5
c6b4407b81cc0b947757f8ffa31a93e5

SHA1
dfadf1048ad61a0dde4c38ffcdc09f74d5eee5d9

SHA256
f9c96398ae9b195dba53789bfc9bad67743ff6f0b9552ffe1e7adf0aee915033

SHA512
eda47b80d70c631065f3e08ddfc2c01bfc34237a8b312c98329d78356bd039d96a865ad79e84fb5db4fc9041987fc99f36f8ffe73c973ff36ead7bbe01c616a7

Download Submit
C:\Windows\{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe

Filesize
372KB

MD5
4799751bb8e619f7cd9ce8b53778deb0

SHA1
371d8d72e775b7e426b81df49d5420aefd4a4413

SHA256
20eb702182cb776133d5944e14901cf4ab512663e551cf8850a0f2424b2856c6

SHA512
f47cfbc97df8909f2efa0b39f578eedbb74ab68d9618239bf9b545599a02faef093a040a093c0ba79e490d2f577f52aa2a06df9525fbbc74b8761dc4b5429b88

Download Submit
C:\Windows\{FB41B054-16CC-4303-ACF2-4A8C16A41788}.exe

Filesize
372KB

MD5
4799751bb8e619f7cd9ce8b53778deb0

SHA1
371d8d72e775b7e426b81df49d5420aefd4a4413

SHA256
20eb702182cb776133d5944e14901cf4ab512663e551cf8850a0f2424b2856c6

SHA512
f47cfbc97df8909f2efa0b39f578eedbb74ab68d9618239bf9b545599a02faef093a040a093c0ba79e490d2f577f52aa2a06df9525fbbc74b8761dc4b5429b88

Download Submit
C:\Windows\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe

Filesize
372KB

MD5
985dd7460187b0bb08b94ebbd98221e1

SHA1
38bafde530ee6e705efb66283af3721bc1c3d1f6

SHA256
38cb96d2406182ca36bce98b584082604dc234e643d72c6bd3375c6fc5c208fb

SHA512
66b615266441e106f582542b9086d07d300c7f7697d63b30d1d054d3870857751f6e50ae05cda79441b08ff5630ad7fb7229a9182e5658aaa14b3265559fffdc

Download Submit
C:\Windows\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe

Filesize
372KB

MD5
985dd7460187b0bb08b94ebbd98221e1

SHA1
38bafde530ee6e705efb66283af3721bc1c3d1f6

SHA256
38cb96d2406182ca36bce98b584082604dc234e643d72c6bd3375c6fc5c208fb

SHA512
66b615266441e106f582542b9086d07d300c7f7697d63b30d1d054d3870857751f6e50ae05cda79441b08ff5630ad7fb7229a9182e5658aaa14b3265559fffdc

Download Submit
C:\Windows\{FC68C666-5326-442c-BDCF-CB5318FFB042}.exe

Filesize
372KB

MD5
985dd7460187b0bb08b94ebbd98221e1

SHA1
38bafde530ee6e705efb66283af3721bc1c3d1f6

SHA256
38cb96d2406182ca36bce98b584082604dc234e643d72c6bd3375c6fc5c208fb

SHA512
66b615266441e106f582542b9086d07d300c7f7697d63b30d1d054d3870857751f6e50ae05cda79441b08ff5630ad7fb7229a9182e5658aaa14b3265559fffdc

Download Submit