98a119ef6ace43d4e1a6af23b1c4b2fbd4e39b52ee306c3bf147c235f4835a46

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 13:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ea1a19daa1413exeexeexeex.exe
Size

168KB
MD5

4ea1a19daa1413c29dc3c1366b650297
SHA1

441ebc7196fab9844a2c50f1995f0af52431524c
SHA256

98a119ef6ace43d4e1a6af23b1c4b2fbd4e39b52ee306c3bf147c235f4835a46
SHA512

92c39f52d32f8b4b560cf82ab75a2afc8b6861e403db8bfec056501cd0c61d18953c8845dbb5660bbcb67511e22f51a81a682518bf91bf71ad267d2f79f81bc0
SSDEEP

1536:1EGh0o/lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o/lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C109960-5ADB-4d95-B599-C764C638F579}	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53AA755F-A016-48fe-BAB5-E194AFBCF466}\stubpath = "C:\\Windows\\{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe"	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}\stubpath = "C:\\Windows\\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe"	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53AA755F-A016-48fe-BAB5-E194AFBCF466}	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E878190-9DDA-428a-AF94-42C8A8F90D92}\stubpath = "C:\\Windows\\{6E878190-9DDA-428a-AF94-42C8A8F90D92}.exe"	{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}\stubpath = "C:\\Windows\\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe"	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}\stubpath = "C:\\Windows\\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe"	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3851282-140D-4bf3-9F21-B55C1363C995}\stubpath = "C:\\Windows\\{D3851282-140D-4bf3-9F21-B55C1363C995}.exe"	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4894A0F-95D4-438b-BC9D-3E249551594C}\stubpath = "C:\\Windows\\{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe"	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3851282-140D-4bf3-9F21-B55C1363C995}	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D584DB50-4347-4116-8D7F-45CF233B64AD}	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D584DB50-4347-4116-8D7F-45CF233B64AD}\stubpath = "C:\\Windows\\{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe"	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}	{8C109960-5ADB-4d95-B599-C764C638F579}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}\stubpath = "C:\\Windows\\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe"	{8C109960-5ADB-4d95-B599-C764C638F579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4894A0F-95D4-438b-BC9D-3E249551594C}	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7207681-193C-4c8b-B3C1-6C1D12938317}	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96535A1-6F56-4aed-9897-75B6360BE2B0}	4ea1a19daa1413exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96535A1-6F56-4aed-9897-75B6360BE2B0}\stubpath = "C:\\Windows\\{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe"	4ea1a19daa1413exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C109960-5ADB-4d95-B599-C764C638F579}\stubpath = "C:\\Windows\\{8C109960-5ADB-4d95-B599-C764C638F579}.exe"	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7207681-193C-4c8b-B3C1-6C1D12938317}\stubpath = "C:\\Windows\\{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe"	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E878190-9DDA-428a-AF94-42C8A8F90D92}	{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe

Executes dropped EXE 11 IoCs

pid	Process
1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe
3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
4916	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe
4772	{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8C109960-5ADB-4d95-B599-C764C638F579}.exe	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
File created	C:\Windows\{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
File created	C:\Windows\{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe
File created	C:\Windows\{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
File created	C:\Windows\{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	4ea1a19daa1413exeexeexeex.exe
File created	C:\Windows\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	{8C109960-5ADB-4d95-B599-C764C638F579}.exe
File created	C:\Windows\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
File created	C:\Windows\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
File created	C:\Windows\{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
File created	C:\Windows\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
File created	C:\Windows\{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
File created	C:\Windows\{6E878190-9DDA-428a-AF94-42C8A8F90D92}.exe	{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4484	4ea1a19daa1413exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
Token: SeIncBasePriorityPrivilege	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe
Token: SeIncBasePriorityPrivilege	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
Token: SeIncBasePriorityPrivilege	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
Token: SeIncBasePriorityPrivilege	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
Token: SeIncBasePriorityPrivilege	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
Token: SeIncBasePriorityPrivilege	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
Token: SeIncBasePriorityPrivilege	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
Token: SeIncBasePriorityPrivilege	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
Token: SeIncBasePriorityPrivilege	4916	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 1716	4484	4ea1a19daa1413exeexeexeex.exe	84
PID 4484 wrote to memory of 1716	4484	4ea1a19daa1413exeexeexeex.exe	84
PID 4484 wrote to memory of 1716	4484	4ea1a19daa1413exeexeexeex.exe	84
PID 4484 wrote to memory of 5104	4484	4ea1a19daa1413exeexeexeex.exe	85
PID 4484 wrote to memory of 5104	4484	4ea1a19daa1413exeexeexeex.exe	85
PID 4484 wrote to memory of 5104	4484	4ea1a19daa1413exeexeexeex.exe	85
PID 1716 wrote to memory of 1612	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	86
PID 1716 wrote to memory of 1612	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	86
PID 1716 wrote to memory of 1612	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	86
PID 1716 wrote to memory of 1384	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	87
PID 1716 wrote to memory of 1384	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	87
PID 1716 wrote to memory of 1384	1716	{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe	87
PID 1612 wrote to memory of 3664	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe	92
PID 1612 wrote to memory of 3664	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe	92
PID 1612 wrote to memory of 3664	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe	92
PID 1612 wrote to memory of 3884	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe	91
PID 1612 wrote to memory of 3884	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe	91
PID 1612 wrote to memory of 3884	1612	{8C109960-5ADB-4d95-B599-C764C638F579}.exe	91
PID 3664 wrote to memory of 4992	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	93
PID 3664 wrote to memory of 4992	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	93
PID 3664 wrote to memory of 4992	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	93
PID 3664 wrote to memory of 3452	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	94
PID 3664 wrote to memory of 3452	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	94
PID 3664 wrote to memory of 3452	3664	{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe	94
PID 4992 wrote to memory of 3628	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	95
PID 4992 wrote to memory of 3628	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	95
PID 4992 wrote to memory of 3628	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	95
PID 4992 wrote to memory of 4008	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	96
PID 4992 wrote to memory of 4008	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	96
PID 4992 wrote to memory of 4008	4992	{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe	96
PID 3628 wrote to memory of 4352	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	97
PID 3628 wrote to memory of 4352	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	97
PID 3628 wrote to memory of 4352	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	97
PID 3628 wrote to memory of 3960	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	98
PID 3628 wrote to memory of 3960	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	98
PID 3628 wrote to memory of 3960	3628	{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe	98
PID 4352 wrote to memory of 3888	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	99
PID 4352 wrote to memory of 3888	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	99
PID 4352 wrote to memory of 3888	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	99
PID 4352 wrote to memory of 2156	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	100
PID 4352 wrote to memory of 2156	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	100
PID 4352 wrote to memory of 2156	4352	{D3851282-140D-4bf3-9F21-B55C1363C995}.exe	100
PID 3888 wrote to memory of 940	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	101
PID 3888 wrote to memory of 940	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	101
PID 3888 wrote to memory of 940	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	101
PID 3888 wrote to memory of 1104	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	102
PID 3888 wrote to memory of 1104	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	102
PID 3888 wrote to memory of 1104	3888	{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe	102
PID 940 wrote to memory of 1464	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	103
PID 940 wrote to memory of 1464	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	103
PID 940 wrote to memory of 1464	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	103
PID 940 wrote to memory of 4900	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	104
PID 940 wrote to memory of 4900	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	104
PID 940 wrote to memory of 4900	940	{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe	104
PID 1464 wrote to memory of 4916	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	105
PID 1464 wrote to memory of 4916	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	105
PID 1464 wrote to memory of 4916	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	105
PID 1464 wrote to memory of 4312	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	106
PID 1464 wrote to memory of 4312	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	106
PID 1464 wrote to memory of 4312	1464	{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe	106
PID 4916 wrote to memory of 4772	4916	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe	107
PID 4916 wrote to memory of 4772	4916	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe	107
PID 4916 wrote to memory of 4772	4916	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe	107
PID 4916 wrote to memory of 2364	4916	{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe	108

C:\Users\Admin\AppData\Local\Temp\4ea1a19daa1413exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\4ea1a19daa1413exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
  C:\Windows\{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\{8C109960-5ADB-4d95-B599-C764C638F579}.exe
    C:\Windows\{8C109960-5ADB-4d95-B599-C764C638F579}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8C109~1.EXE > nul
      4⤵
      PID:3884
  - - C:\Windows\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
      C:\Windows\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Windows\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
        
        C:\Windows\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Windows\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
        
        C:\Windows\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
        
        C:\Windows\{D3851282-140D-4bf3-9F21-B55C1363C995}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
        
        C:\Windows\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
        
        C:\Windows\{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
        
        C:\Windows\{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe
        
        C:\Windows\{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe
        
        C:\Windows\{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53AA7~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4894~1.EXE > nul
        11⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D584D~1.EXE > nul
        10⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4253D~1.EXE > nul
        9⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3851~1.EXE > nul
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62BD3~1.EXE > nul
        7⤵
        
        PID:3960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA3E9~1.EXE > nul
        6⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D834~1.EXE > nul
        5⤵
        
        PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9653~1.EXE > nul
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4EA1A1~1.EXE > nul
  2⤵
  PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe

Filesize
168KB

MD5
ac85ef482a7773c05cbe241023e16fbb

SHA1
4d2c41fb30fd87db69a18ef56ce666438562769c

SHA256
12271980c8bdc64b8ffefabbf8e47fe667ada35fdf38acbf44f479af27fd3eb0

SHA512
4e04ba224a08f8b0ab88951d8fc29c48141acb368ebd362ea9f882ac511dc6481c008fc3cb451836a8d795229b7b565f7cc8ddf6cdb4bf36358d979f65847f8a

Download Submit
C:\Windows\{4253DAA5-9D41-4b2a-9990-AB49C3BB334B}.exe

Filesize
168KB

MD5
ac85ef482a7773c05cbe241023e16fbb

SHA1
4d2c41fb30fd87db69a18ef56ce666438562769c

SHA256
12271980c8bdc64b8ffefabbf8e47fe667ada35fdf38acbf44f479af27fd3eb0

SHA512
4e04ba224a08f8b0ab88951d8fc29c48141acb368ebd362ea9f882ac511dc6481c008fc3cb451836a8d795229b7b565f7cc8ddf6cdb4bf36358d979f65847f8a

Download Submit
C:\Windows\{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe

Filesize
168KB

MD5
c6d2178748e997aa159418405a2aaf1c

SHA1
c9bfafe8588b870ae29f5db9090d99438e003806

SHA256
510a91ec6aeefdca041a884a0a1181858c2d66377c6f191165cc8e89cccd0d66

SHA512
ed7fb2084abcebaaaf121d271414d74c8d934b77bdc7fdcaff554be076b98928e7ae4fff8f2fc6851ab42f197f573a30ac6b087bd8427cd52f10d991e2928742

Download Submit
C:\Windows\{53AA755F-A016-48fe-BAB5-E194AFBCF466}.exe

Filesize
168KB

MD5
c6d2178748e997aa159418405a2aaf1c

SHA1
c9bfafe8588b870ae29f5db9090d99438e003806

SHA256
510a91ec6aeefdca041a884a0a1181858c2d66377c6f191165cc8e89cccd0d66

SHA512
ed7fb2084abcebaaaf121d271414d74c8d934b77bdc7fdcaff554be076b98928e7ae4fff8f2fc6851ab42f197f573a30ac6b087bd8427cd52f10d991e2928742

Download Submit
C:\Windows\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe

Filesize
168KB

MD5
2fcc7712dda61688eb251997b4ab8799

SHA1
9fab4097ab11ca89f9a8f0cb1e33fbbed9fbc9b6

SHA256
89dfc694a7133870754cca7844e79936ead1ac1fecba2425c33116a31edee3a9

SHA512
bfbaaffd398ed1ce98caf591192f9ce0dd0fe1982f5aa74855e9ff8e8ccb9cc4c39c3d6da6829274e7d9c762346079c000893c2f9753b2efc02a019c370a3e1e

Download Submit
C:\Windows\{62BD3B0C-C90E-4c8d-B82F-10B431BD5C79}.exe

Filesize
168KB

MD5
2fcc7712dda61688eb251997b4ab8799

SHA1
9fab4097ab11ca89f9a8f0cb1e33fbbed9fbc9b6

SHA256
89dfc694a7133870754cca7844e79936ead1ac1fecba2425c33116a31edee3a9

SHA512
bfbaaffd398ed1ce98caf591192f9ce0dd0fe1982f5aa74855e9ff8e8ccb9cc4c39c3d6da6829274e7d9c762346079c000893c2f9753b2efc02a019c370a3e1e

Download Submit
C:\Windows\{8C109960-5ADB-4d95-B599-C764C638F579}.exe

Filesize
168KB

MD5
1a3472a04a6c574263daacf28a995bf3

SHA1
3ee6b6741d14f2395ad570696dc75258533bc0e4

SHA256
6ba996d2c6f61b4e4b0a7c3bb8a3ae8f839ae0caf470d737e12eb982da1a21a0

SHA512
1a57f463e0d3e2c38ea6790642024961abd1f88e19ad61a7f6971290f48e46fbdf79bb4c20b9f39665dc15626326f36aa695d372a628f74775d3d3d4871a8df1

Download Submit
C:\Windows\{8C109960-5ADB-4d95-B599-C764C638F579}.exe

Filesize
168KB

MD5
1a3472a04a6c574263daacf28a995bf3

SHA1
3ee6b6741d14f2395ad570696dc75258533bc0e4

SHA256
6ba996d2c6f61b4e4b0a7c3bb8a3ae8f839ae0caf470d737e12eb982da1a21a0

SHA512
1a57f463e0d3e2c38ea6790642024961abd1f88e19ad61a7f6971290f48e46fbdf79bb4c20b9f39665dc15626326f36aa695d372a628f74775d3d3d4871a8df1

Download Submit
C:\Windows\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe

Filesize
168KB

MD5
d5f845768801d7999122c5a60f7cdda3

SHA1
77a3a42f19abbc34d13604018229755a2d5cab3b

SHA256
3524335c6678f75466ef30337b6c9c18b97e68a5141742aa7ac8f07a97a7388d

SHA512
b527942a24b95d21349c20299ca4ec9a3fc565d82a48699e4268fbfa16a953098db23f3c9887e2665c53272b563adeb4a1b524978fe2fb15e1601803c5f4c5bf

Download Submit
C:\Windows\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe

Filesize
168KB

MD5
d5f845768801d7999122c5a60f7cdda3

SHA1
77a3a42f19abbc34d13604018229755a2d5cab3b

SHA256
3524335c6678f75466ef30337b6c9c18b97e68a5141742aa7ac8f07a97a7388d

SHA512
b527942a24b95d21349c20299ca4ec9a3fc565d82a48699e4268fbfa16a953098db23f3c9887e2665c53272b563adeb4a1b524978fe2fb15e1601803c5f4c5bf

Download Submit
C:\Windows\{8D834A97-1A3C-4f75-BEFE-14FBA8F368D9}.exe

Filesize
168KB

MD5
d5f845768801d7999122c5a60f7cdda3

SHA1
77a3a42f19abbc34d13604018229755a2d5cab3b

SHA256
3524335c6678f75466ef30337b6c9c18b97e68a5141742aa7ac8f07a97a7388d

SHA512
b527942a24b95d21349c20299ca4ec9a3fc565d82a48699e4268fbfa16a953098db23f3c9887e2665c53272b563adeb4a1b524978fe2fb15e1601803c5f4c5bf

Download Submit
C:\Windows\{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe

Filesize
168KB

MD5
65deec1831c4d9e21ccb68a1704a7588

SHA1
1de0255d78097ac16151b1b520f0ce86186fa064

SHA256
362eb92c9bc27feef391c89c7bc0c2d734f5187d666da814d0d7cf775a8e370c

SHA512
08c4822d5bf2fbd595ea3026d003c512bfb81b4517b161554fc6ed898011c8084a83ee78bfc242eb4896905210b3256d7731a8c52b343678453d520b3c92d4e2

Download Submit
C:\Windows\{A4894A0F-95D4-438b-BC9D-3E249551594C}.exe

Filesize
168KB

MD5
65deec1831c4d9e21ccb68a1704a7588

SHA1
1de0255d78097ac16151b1b520f0ce86186fa064

SHA256
362eb92c9bc27feef391c89c7bc0c2d734f5187d666da814d0d7cf775a8e370c

SHA512
08c4822d5bf2fbd595ea3026d003c512bfb81b4517b161554fc6ed898011c8084a83ee78bfc242eb4896905210b3256d7731a8c52b343678453d520b3c92d4e2

Download Submit
C:\Windows\{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe

Filesize
168KB

MD5
1bcf9ee3a72cec75de79ea0a42220d36

SHA1
5727daac4f776a2137f60948941a59bf929f4aff

SHA256
8d98b204cdc164a99474d06d87d7e44bf344e9e1023b54edc5bc3890d7e0f608

SHA512
31a7e6f52aa2c050b69f67f8bf23e56e0f4ab90454596f0499585485db08350b9aef3f7ebc50dbd4a40ebbc130bc876fea9f8e470bfb0783739e3d8ca4222840

Download Submit
C:\Windows\{A96535A1-6F56-4aed-9897-75B6360BE2B0}.exe

Filesize
168KB

MD5
1bcf9ee3a72cec75de79ea0a42220d36

SHA1
5727daac4f776a2137f60948941a59bf929f4aff

SHA256
8d98b204cdc164a99474d06d87d7e44bf344e9e1023b54edc5bc3890d7e0f608

SHA512
31a7e6f52aa2c050b69f67f8bf23e56e0f4ab90454596f0499585485db08350b9aef3f7ebc50dbd4a40ebbc130bc876fea9f8e470bfb0783739e3d8ca4222840

Download Submit
C:\Windows\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe

Filesize
168KB

MD5
d7aed5ebfc9e4050cbbd0843800d6e10

SHA1
8cb3619a7e62b8c93a8ac20742c245a0cb5442d9

SHA256
90d17693c81f6d3f5afaa9d163c228f7bcd4a6e36f0f427e6d13621a4fc3ac2d

SHA512
a29bdaa5910f043da8554f47201cb1f743478269259e7f650d06bafb28da4dacbb2e37416b27efb2eb49c973adbe2462658b38ef7b7a97f839d6b4f3799b9945

Download Submit
C:\Windows\{AA3E97AB-F6FB-4a20-A4EA-BF8900E6E6E3}.exe

Filesize
168KB

MD5
d7aed5ebfc9e4050cbbd0843800d6e10

SHA1
8cb3619a7e62b8c93a8ac20742c245a0cb5442d9

SHA256
90d17693c81f6d3f5afaa9d163c228f7bcd4a6e36f0f427e6d13621a4fc3ac2d

SHA512
a29bdaa5910f043da8554f47201cb1f743478269259e7f650d06bafb28da4dacbb2e37416b27efb2eb49c973adbe2462658b38ef7b7a97f839d6b4f3799b9945

Download Submit
C:\Windows\{D3851282-140D-4bf3-9F21-B55C1363C995}.exe

Filesize
168KB

MD5
1ddfe7584bae3d5369a2069ded327f6a

SHA1
714388c90171344660c5957758679d8b42134528

SHA256
e3e1e354004740a2c32a654d863769bdef1e6caf03175a6ebf288a17050e626c

SHA512
89abd44710471f64c6908bb8330f937172d65b93b0b32cba949a20d5abd6d6ab9e5245771dfe8af845369f2b29b39090393317e36a7153528334fd2725da6c13

Download Submit
C:\Windows\{D3851282-140D-4bf3-9F21-B55C1363C995}.exe

Filesize
168KB

MD5
1ddfe7584bae3d5369a2069ded327f6a

SHA1
714388c90171344660c5957758679d8b42134528

SHA256
e3e1e354004740a2c32a654d863769bdef1e6caf03175a6ebf288a17050e626c

SHA512
89abd44710471f64c6908bb8330f937172d65b93b0b32cba949a20d5abd6d6ab9e5245771dfe8af845369f2b29b39090393317e36a7153528334fd2725da6c13

Download Submit
C:\Windows\{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe

Filesize
168KB

MD5
7cf8588e6d202c80834d0efd9c13c054

SHA1
10132edb056b3757d331d5d1b02fb533e21496ee

SHA256
6b9a6bde9b9fd56645a4f8ff84b13c369e0e573c57abfdead5d766993934a4b0

SHA512
a92026247d604a909e02ddbad4dde9f3f4217c9ed0a948104bbbaae72c79b14aea511c4d763b03beb8770645605225411090c10a37fec8d36a1668f7288a0375

Download Submit
C:\Windows\{D584DB50-4347-4116-8D7F-45CF233B64AD}.exe

Filesize
168KB

MD5
7cf8588e6d202c80834d0efd9c13c054

SHA1
10132edb056b3757d331d5d1b02fb533e21496ee

SHA256
6b9a6bde9b9fd56645a4f8ff84b13c369e0e573c57abfdead5d766993934a4b0

SHA512
a92026247d604a909e02ddbad4dde9f3f4217c9ed0a948104bbbaae72c79b14aea511c4d763b03beb8770645605225411090c10a37fec8d36a1668f7288a0375

Download Submit
C:\Windows\{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe

Filesize
168KB

MD5
493d0bcf28b621cbd039d3330443a144

SHA1
90a1b6614ef4727ef466bd73c738532ec7814397

SHA256
9b9cf12462965a2f73dda59e598567b0db8b8a3d9e451d55d57e09c5fb4ffcf5

SHA512
32c15cfbbae46556e47f85562925a6c5ea1544081474e8a1ad62b4ae7b1a324eadccac1ec4cb385c5af6f955bd5ec68446a1f36894323ee5386a896fbd7974c7

Download Submit
C:\Windows\{E7207681-193C-4c8b-B3C1-6C1D12938317}.exe

Filesize
168KB

MD5
493d0bcf28b621cbd039d3330443a144

SHA1
90a1b6614ef4727ef466bd73c738532ec7814397

SHA256
9b9cf12462965a2f73dda59e598567b0db8b8a3d9e451d55d57e09c5fb4ffcf5

SHA512
32c15cfbbae46556e47f85562925a6c5ea1544081474e8a1ad62b4ae7b1a324eadccac1ec4cb385c5af6f955bd5ec68446a1f36894323ee5386a896fbd7974c7

Download Submit