e27821a4605d1837c104e3d055f9952dad8c9db0af55b01fd570ffe6473a4a86

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d98faa800af1exeexeexeex.exe
Size

168KB
MD5

53d98faa800af137ec93ce8a004ae16e
SHA1

240ab04a5c120f19861921686aea59e12178ac10
SHA256

e27821a4605d1837c104e3d055f9952dad8c9db0af55b01fd570ffe6473a4a86
SHA512

011ac5c27ad39c2d851b2459f1ef45f1147bd15853220a4bc5443efe0011d7e032deed3317c1dd2e015768a3623a5c61bd21731195b8c9699f610cac9c228edc
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0C65DA9-926B-42d3-962C-33B1199666DF}	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3356FCD-E45E-4aa9-803F-F3907806F94E}\stubpath = "C:\\Windows\\{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe"	{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1695315B-70C4-433b-9238-E5324580D09E}	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1695315B-70C4-433b-9238-E5324580D09E}\stubpath = "C:\\Windows\\{1695315B-70C4-433b-9238-E5324580D09E}.exe"	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}\stubpath = "C:\\Windows\\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe"	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30621C95-9F60-4c1c-912C-2AB81D190FEE}\stubpath = "C:\\Windows\\{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe"	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3356FCD-E45E-4aa9-803F-F3907806F94E}	{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93EA3CFA-845E-4559-A3C1-382D538F21BC}\stubpath = "C:\\Windows\\{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe"	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35114750-B6CF-49d0-857E-AA94AA522D2C}	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0853CF00-2EB5-4e05-96E3-2C920962153D}	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{164A29A5-FCB9-458b-9414-A1536B50171D}\stubpath = "C:\\Windows\\{164A29A5-FCB9-458b-9414-A1536B50171D}.exe"	53d98faa800af1exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9734FE8F-A4F8-4200-8B66-255910AEE811}	{1695315B-70C4-433b-9238-E5324580D09E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9734FE8F-A4F8-4200-8B66-255910AEE811}\stubpath = "C:\\Windows\\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe"	{1695315B-70C4-433b-9238-E5324580D09E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93EA3CFA-845E-4559-A3C1-382D538F21BC}	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0853CF00-2EB5-4e05-96E3-2C920962153D}\stubpath = "C:\\Windows\\{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe"	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0C65DA9-926B-42d3-962C-33B1199666DF}\stubpath = "C:\\Windows\\{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe"	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30621C95-9F60-4c1c-912C-2AB81D190FEE}	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{164A29A5-FCB9-458b-9414-A1536B50171D}	53d98faa800af1exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}\stubpath = "C:\\Windows\\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe"	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35114750-B6CF-49d0-857E-AA94AA522D2C}\stubpath = "C:\\Windows\\{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe"	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}\stubpath = "C:\\Windows\\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe"	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe
812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe
3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
2324	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe
3832	{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe
4580	{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	{1695315B-70C4-433b-9238-E5324580D09E}.exe
File created	C:\Windows\{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
File created	C:\Windows\{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
File created	C:\Windows\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe
File created	C:\Windows\{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
File created	C:\Windows\{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe	{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe
File created	C:\Windows\{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	53d98faa800af1exeexeexeex.exe
File created	C:\Windows\{1695315B-70C4-433b-9238-E5324580D09E}.exe	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
File created	C:\Windows\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
File created	C:\Windows\{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
File created	C:\Windows\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
File created	C:\Windows\{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1932	53d98faa800af1exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
Token: SeIncBasePriorityPrivilege	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe
Token: SeIncBasePriorityPrivilege	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
Token: SeIncBasePriorityPrivilege	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
Token: SeIncBasePriorityPrivilege	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
Token: SeIncBasePriorityPrivilege	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe
Token: SeIncBasePriorityPrivilege	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
Token: SeIncBasePriorityPrivilege	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
Token: SeIncBasePriorityPrivilege	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
Token: SeIncBasePriorityPrivilege	2324	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe
Token: SeIncBasePriorityPrivilege	3832	{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2352	1932	53d98faa800af1exeexeexeex.exe	83
PID 1932 wrote to memory of 2352	1932	53d98faa800af1exeexeexeex.exe	83
PID 1932 wrote to memory of 2352	1932	53d98faa800af1exeexeexeex.exe	83
PID 1932 wrote to memory of 680	1932	53d98faa800af1exeexeexeex.exe	84
PID 1932 wrote to memory of 680	1932	53d98faa800af1exeexeexeex.exe	84
PID 1932 wrote to memory of 680	1932	53d98faa800af1exeexeexeex.exe	84
PID 2352 wrote to memory of 2044	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	85
PID 2352 wrote to memory of 2044	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	85
PID 2352 wrote to memory of 2044	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	85
PID 2352 wrote to memory of 1036	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	86
PID 2352 wrote to memory of 1036	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	86
PID 2352 wrote to memory of 1036	2352	{164A29A5-FCB9-458b-9414-A1536B50171D}.exe	86
PID 2044 wrote to memory of 812	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe	91
PID 2044 wrote to memory of 812	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe	91
PID 2044 wrote to memory of 812	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe	91
PID 2044 wrote to memory of 3372	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe	90
PID 2044 wrote to memory of 3372	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe	90
PID 2044 wrote to memory of 3372	2044	{1695315B-70C4-433b-9238-E5324580D09E}.exe	90
PID 812 wrote to memory of 5064	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	92
PID 812 wrote to memory of 5064	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	92
PID 812 wrote to memory of 5064	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	92
PID 812 wrote to memory of 4068	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	93
PID 812 wrote to memory of 4068	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	93
PID 812 wrote to memory of 4068	812	{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe	93
PID 5064 wrote to memory of 1700	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	94
PID 5064 wrote to memory of 1700	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	94
PID 5064 wrote to memory of 1700	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	94
PID 5064 wrote to memory of 4576	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	95
PID 5064 wrote to memory of 4576	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	95
PID 5064 wrote to memory of 4576	5064	{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe	95
PID 1700 wrote to memory of 3744	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	96
PID 1700 wrote to memory of 3744	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	96
PID 1700 wrote to memory of 3744	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	96
PID 1700 wrote to memory of 4248	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	97
PID 1700 wrote to memory of 4248	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	97
PID 1700 wrote to memory of 4248	1700	{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe	97
PID 3744 wrote to memory of 3772	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	98
PID 3744 wrote to memory of 3772	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	98
PID 3744 wrote to memory of 3772	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	98
PID 3744 wrote to memory of 1692	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	99
PID 3744 wrote to memory of 1692	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	99
PID 3744 wrote to memory of 1692	3744	{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe	99
PID 3772 wrote to memory of 3244	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	100
PID 3772 wrote to memory of 3244	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	100
PID 3772 wrote to memory of 3244	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	100
PID 3772 wrote to memory of 5032	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	101
PID 3772 wrote to memory of 5032	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	101
PID 3772 wrote to memory of 5032	3772	{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe	101
PID 3244 wrote to memory of 1540	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	102
PID 3244 wrote to memory of 1540	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	102
PID 3244 wrote to memory of 1540	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	102
PID 3244 wrote to memory of 2660	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	103
PID 3244 wrote to memory of 2660	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	103
PID 3244 wrote to memory of 2660	3244	{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe	103
PID 1540 wrote to memory of 2324	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	104
PID 1540 wrote to memory of 2324	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	104
PID 1540 wrote to memory of 2324	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	104
PID 1540 wrote to memory of 1404	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	105
PID 1540 wrote to memory of 1404	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	105
PID 1540 wrote to memory of 1404	1540	{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe	105
PID 2324 wrote to memory of 3832	2324	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe	106
PID 2324 wrote to memory of 3832	2324	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe	106
PID 2324 wrote to memory of 3832	2324	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe	106
PID 2324 wrote to memory of 4964	2324	{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe	107

C:\Users\Admin\AppData\Local\Temp\53d98faa800af1exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\53d98faa800af1exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
  C:\Windows\{164A29A5-FCB9-458b-9414-A1536B50171D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\{1695315B-70C4-433b-9238-E5324580D09E}.exe
    C:\Windows\{1695315B-70C4-433b-9238-E5324580D09E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16953~1.EXE > nul
      4⤵
      PID:3372
  - - C:\Windows\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
      C:\Windows\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
        
        C:\Windows\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
        
        C:\Windows\{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe
        
        C:\Windows\{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
        
        C:\Windows\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
        
        C:\Windows\{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
        
        C:\Windows\{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe
        
        C:\Windows\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe
        
        C:\Windows\{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe
        
        C:\Windows\{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30621~1.EXE > nul
        13⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB92E~1.EXE > nul
        12⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0853C~1.EXE > nul
        11⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0C65~1.EXE > nul
        10⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91BCC~1.EXE > nul
        9⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35114~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93EA3~1.EXE > nul
        7⤵
        
        PID:4248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5B1E~1.EXE > nul
        6⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9734F~1.EXE > nul
        5⤵
        
        PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{164A2~1.EXE > nul
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\53D98F~1.EXE > nul
  2⤵
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe

Filesize
168KB

MD5
6efdd2609f13c9daef78203190d5f890

SHA1
4e964af42987291671905a7c1fc42025e53ba3b4

SHA256
0cdae3141ecdf126f2c6baf5d6cc2a7b32897b9d3277011a4e4f32305d8c530e

SHA512
48b03f168a6cd395cd858f129ed9d93a475d8a34e10514055fba07adf0464390bd74e8433d2b7e001cb0ce8f407ac83cc0ecb9677b2c45774c97e33d799113e7

Download Submit
C:\Windows\{0853CF00-2EB5-4e05-96E3-2C920962153D}.exe

Filesize
168KB

MD5
6efdd2609f13c9daef78203190d5f890

SHA1
4e964af42987291671905a7c1fc42025e53ba3b4

SHA256
0cdae3141ecdf126f2c6baf5d6cc2a7b32897b9d3277011a4e4f32305d8c530e

SHA512
48b03f168a6cd395cd858f129ed9d93a475d8a34e10514055fba07adf0464390bd74e8433d2b7e001cb0ce8f407ac83cc0ecb9677b2c45774c97e33d799113e7

Download Submit
C:\Windows\{164A29A5-FCB9-458b-9414-A1536B50171D}.exe

Filesize
168KB

MD5
a00f0bfa6364b2dc999a988fa8cff865

SHA1
9a85ed120c1e8651d03914d5cef33e15afe65d99

SHA256
0f5ffb21d56de8e122a61e024ed16e5e5cca53b82d9904cb8caddd62e028e536

SHA512
088053efaa78f0ab58fcc2b77bc968118a54ede93648863d279139a5ae31c49497d321af29213037d6ec9e953ff73c2daac0dd139da29322b2769bd6f81cf06c

Download Submit
C:\Windows\{164A29A5-FCB9-458b-9414-A1536B50171D}.exe

Filesize
168KB

MD5
a00f0bfa6364b2dc999a988fa8cff865

SHA1
9a85ed120c1e8651d03914d5cef33e15afe65d99

SHA256
0f5ffb21d56de8e122a61e024ed16e5e5cca53b82d9904cb8caddd62e028e536

SHA512
088053efaa78f0ab58fcc2b77bc968118a54ede93648863d279139a5ae31c49497d321af29213037d6ec9e953ff73c2daac0dd139da29322b2769bd6f81cf06c

Download Submit
C:\Windows\{1695315B-70C4-433b-9238-E5324580D09E}.exe

Filesize
168KB

MD5
5e540e01e54899e6996f62466a2370b1

SHA1
5fbd1a63821c534d1a26e7d06c52c3e5cbb904ee

SHA256
ae2b077a9b58606a2fc19f9042c8f0409bc389fb9170b36e7974503bd71246e6

SHA512
bbdff7373750c8ddc60fdbe1dbfd28f5873ef262ee952c4ee11472e223aff5b529de4f0f357d668b699d7e295da42b176259b5116eb1abd2e8e5c218ac9fa15a

Download Submit
C:\Windows\{1695315B-70C4-433b-9238-E5324580D09E}.exe

Filesize
168KB

MD5
5e540e01e54899e6996f62466a2370b1

SHA1
5fbd1a63821c534d1a26e7d06c52c3e5cbb904ee

SHA256
ae2b077a9b58606a2fc19f9042c8f0409bc389fb9170b36e7974503bd71246e6

SHA512
bbdff7373750c8ddc60fdbe1dbfd28f5873ef262ee952c4ee11472e223aff5b529de4f0f357d668b699d7e295da42b176259b5116eb1abd2e8e5c218ac9fa15a

Download Submit
C:\Windows\{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe

Filesize
168KB

MD5
355f08b76dedb6a5f1012a5021995903

SHA1
860e27edac057cd3c1204465e25d419b14479f58

SHA256
610561aaa3252ec3143fb306004029800c4d94c73f34fc5aa7bdca10f78ee298

SHA512
bcacd180c272c430257869d97d6dc9f9cdc9aa06aa877133b315a89f69333a402ab0c34854a5cfb61e4f038a2e3763495481d5ebb622497a4b36737ae57b5579

Download Submit
C:\Windows\{30621C95-9F60-4c1c-912C-2AB81D190FEE}.exe

Filesize
168KB

MD5
355f08b76dedb6a5f1012a5021995903

SHA1
860e27edac057cd3c1204465e25d419b14479f58

SHA256
610561aaa3252ec3143fb306004029800c4d94c73f34fc5aa7bdca10f78ee298

SHA512
bcacd180c272c430257869d97d6dc9f9cdc9aa06aa877133b315a89f69333a402ab0c34854a5cfb61e4f038a2e3763495481d5ebb622497a4b36737ae57b5579

Download Submit
C:\Windows\{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe

Filesize
168KB

MD5
5a3b97383191e2c3ac245b094b972a70

SHA1
fc6b521af2a83d2198b4e7e177facfb59c70099d

SHA256
3bceb07ee147ea41f54bf88ab1b18f1bb5ed83ab99cb5d3694510a41c63e8433

SHA512
821aac7bf88680f25ff3bb6dfae7387f2bd35423cefc4031ac5f9679668791aeb44c1c4446fee6ab0ddc8a4c436d19d2b79556738446c144d279ef51d54ba6ec

Download Submit
C:\Windows\{35114750-B6CF-49d0-857E-AA94AA522D2C}.exe

Filesize
168KB

MD5
5a3b97383191e2c3ac245b094b972a70

SHA1
fc6b521af2a83d2198b4e7e177facfb59c70099d

SHA256
3bceb07ee147ea41f54bf88ab1b18f1bb5ed83ab99cb5d3694510a41c63e8433

SHA512
821aac7bf88680f25ff3bb6dfae7387f2bd35423cefc4031ac5f9679668791aeb44c1c4446fee6ab0ddc8a4c436d19d2b79556738446c144d279ef51d54ba6ec

Download Submit
C:\Windows\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe

Filesize
168KB

MD5
eacbbd0d409c15c18dd7a6a4b3707e1b

SHA1
504b65e09dbbe8703c55c357aa19898c1abe8071

SHA256
b613faa6f3c0d6448be2d34a1995c4112b50c3c08f1d27815c596edb6e4bac46

SHA512
f14dc8fddc1dc3e4bd4cc1651c345334208406abc6393a0041c560fa35ae604f1379bd1fe78b136b44aee95bf787826e511a7f3377732c7d2fc8b94cff3ba5b9

Download Submit
C:\Windows\{91BCC5BD-3DC9-471e-B870-C7ECA962F9A0}.exe

Filesize
168KB

MD5
eacbbd0d409c15c18dd7a6a4b3707e1b

SHA1
504b65e09dbbe8703c55c357aa19898c1abe8071

SHA256
b613faa6f3c0d6448be2d34a1995c4112b50c3c08f1d27815c596edb6e4bac46

SHA512
f14dc8fddc1dc3e4bd4cc1651c345334208406abc6393a0041c560fa35ae604f1379bd1fe78b136b44aee95bf787826e511a7f3377732c7d2fc8b94cff3ba5b9

Download Submit
C:\Windows\{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe

Filesize
168KB

MD5
be6203f71d8c7a8ef00af3ba6e489f4f

SHA1
0e11a465ef5d4538aa05734cd8d3f6fd7e5184b5

SHA256
887fa839fe5d6cbbce80f07f059c08ade285eb583e2b898cc3526f1f62b5e9ef

SHA512
4ee79ad40558b6c72b60d803b27ab05c38f85f0b13d761bdb92407669f109b7034997f030872d756b9d42f43518f0563f3470bc2bd4ad2ce80fb87a500f35de0

Download Submit
C:\Windows\{93EA3CFA-845E-4559-A3C1-382D538F21BC}.exe

Filesize
168KB

MD5
be6203f71d8c7a8ef00af3ba6e489f4f

SHA1
0e11a465ef5d4538aa05734cd8d3f6fd7e5184b5

SHA256
887fa839fe5d6cbbce80f07f059c08ade285eb583e2b898cc3526f1f62b5e9ef

SHA512
4ee79ad40558b6c72b60d803b27ab05c38f85f0b13d761bdb92407669f109b7034997f030872d756b9d42f43518f0563f3470bc2bd4ad2ce80fb87a500f35de0

Download Submit
C:\Windows\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe

Filesize
168KB

MD5
e3bfedf1685a47d75d1642e9bc1a4229

SHA1
7f817fc45014601a951d5218222b176f78253e5a

SHA256
806e6519b5ddf88d871060061e9b09c8ce83f9903a88bf07b382318d33f936a8

SHA512
b5b591c3b87911f36097de6be0657cf9610eb4c971642dd0912294746902e10fb5af8e810e6f72ca7dc732186454494ceee6c368c99437d2cf7311855ce04b8d

Download Submit
C:\Windows\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe

Filesize
168KB

MD5
e3bfedf1685a47d75d1642e9bc1a4229

SHA1
7f817fc45014601a951d5218222b176f78253e5a

SHA256
806e6519b5ddf88d871060061e9b09c8ce83f9903a88bf07b382318d33f936a8

SHA512
b5b591c3b87911f36097de6be0657cf9610eb4c971642dd0912294746902e10fb5af8e810e6f72ca7dc732186454494ceee6c368c99437d2cf7311855ce04b8d

Download Submit
C:\Windows\{9734FE8F-A4F8-4200-8B66-255910AEE811}.exe

Filesize
168KB

MD5
e3bfedf1685a47d75d1642e9bc1a4229

SHA1
7f817fc45014601a951d5218222b176f78253e5a

SHA256
806e6519b5ddf88d871060061e9b09c8ce83f9903a88bf07b382318d33f936a8

SHA512
b5b591c3b87911f36097de6be0657cf9610eb4c971642dd0912294746902e10fb5af8e810e6f72ca7dc732186454494ceee6c368c99437d2cf7311855ce04b8d

Download Submit
C:\Windows\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe

Filesize
168KB

MD5
e2b1333c45150be6b820999e913d5a31

SHA1
52882a2c21739f5fc1d38291f797167da470a5b0

SHA256
d3d9f6a9a524b3842002846c652fdd60b43867a2096ea8020a198a9401cf9de3

SHA512
5e41ced81a38c7a6aae192d5d06879638df2397f0c16f7cc7c298f0eb98ae2142aebadce33f7a1d4f1df81be9096c66cf478e43862d84844585729f835eb1a7a

Download Submit
C:\Windows\{AB92EDD7-C40C-407e-8D2D-A0A14C5AF298}.exe

Filesize
168KB

MD5
e2b1333c45150be6b820999e913d5a31

SHA1
52882a2c21739f5fc1d38291f797167da470a5b0

SHA256
d3d9f6a9a524b3842002846c652fdd60b43867a2096ea8020a198a9401cf9de3

SHA512
5e41ced81a38c7a6aae192d5d06879638df2397f0c16f7cc7c298f0eb98ae2142aebadce33f7a1d4f1df81be9096c66cf478e43862d84844585729f835eb1a7a

Download Submit
C:\Windows\{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe

Filesize
168KB

MD5
fbc9459a2b573f890d43d4c8547f1764

SHA1
45b481cc9299efea551ef5881d6f3cdd88975fe2

SHA256
e977de4ad93220a48fdd7004e77ed2dc9a83c63570ef03552ea54d3c1a699d28

SHA512
16d6ccc2e75f5e0b5d4b5d0a2b775ce52eb77b1764ce2c17d7b1fb847526a76f1a55303e7efa6c00dc63981150a4b76d9b6786e6f5a33b43fae51e1d7c226a28

Download Submit
C:\Windows\{C3356FCD-E45E-4aa9-803F-F3907806F94E}.exe

Filesize
168KB

MD5
fbc9459a2b573f890d43d4c8547f1764

SHA1
45b481cc9299efea551ef5881d6f3cdd88975fe2

SHA256
e977de4ad93220a48fdd7004e77ed2dc9a83c63570ef03552ea54d3c1a699d28

SHA512
16d6ccc2e75f5e0b5d4b5d0a2b775ce52eb77b1764ce2c17d7b1fb847526a76f1a55303e7efa6c00dc63981150a4b76d9b6786e6f5a33b43fae51e1d7c226a28

Download Submit
C:\Windows\{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe

Filesize
168KB

MD5
c70efce3f63393a70d699790d06921f4

SHA1
2dac779edb110973ee4cf61b60bc931775ec3a71

SHA256
e2121fc4138dc314078ef2455b04d4d73e29d7552959adfafb657f38cc34583a

SHA512
fa046c47258386318bcd91e3e76f1ef3541563dea826229c04e3af06e970ee4fdd95647a57a24cc903f3514e6b369fce08842a51eb34831d6a2cd65a1c94873f

Download Submit
C:\Windows\{D0C65DA9-926B-42d3-962C-33B1199666DF}.exe

Filesize
168KB

MD5
c70efce3f63393a70d699790d06921f4

SHA1
2dac779edb110973ee4cf61b60bc931775ec3a71

SHA256
e2121fc4138dc314078ef2455b04d4d73e29d7552959adfafb657f38cc34583a

SHA512
fa046c47258386318bcd91e3e76f1ef3541563dea826229c04e3af06e970ee4fdd95647a57a24cc903f3514e6b369fce08842a51eb34831d6a2cd65a1c94873f

Download Submit
C:\Windows\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe

Filesize
168KB

MD5
90d042a46028a9e770c7caed4eb19dac

SHA1
b5354680bb32c80b0f626dd4b43acdc46b9e5e34

SHA256
79bb0ffdc8291c6b21fd229210cfdfed1e11e7b7978c505f715c0060308fe040

SHA512
fa4476d9cfc759828f3443fb75d03ffe9f4dc7af37459f4dc322ef1a829f4cffeaf947bd652046a72eb91145c9835d284ab3cd4bed6572b8faa91ee29e674c44

Download Submit
C:\Windows\{D5B1E897-7525-4adc-A271-BDC51BB3D3B5}.exe

Filesize
168KB

MD5
90d042a46028a9e770c7caed4eb19dac

SHA1
b5354680bb32c80b0f626dd4b43acdc46b9e5e34

SHA256
79bb0ffdc8291c6b21fd229210cfdfed1e11e7b7978c505f715c0060308fe040

SHA512
fa4476d9cfc759828f3443fb75d03ffe9f4dc7af37459f4dc322ef1a829f4cffeaf947bd652046a72eb91145c9835d284ab3cd4bed6572b8faa91ee29e674c44

Download Submit