0f8e0d27f6a67b4c17fd0b43e512ddbebbbd138b1aa0115c7d8017dc26285304

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6641279509087dexeexeexeex.exe
Size

372KB
MD5

6641279509087da42e6e1ac4a1b6c096
SHA1

337df33c2805d2d61a08820e800d113260cf7d7f
SHA256

0f8e0d27f6a67b4c17fd0b43e512ddbebbbd138b1aa0115c7d8017dc26285304
SHA512

4841c5345a892e20d2aa304c52a574e7bf353d272636a4caef23be49d66359b518971a85b15e297704037442412211b91c3d7aef2188eee24e512af47dfe8bf4
SSDEEP

3072:CEGh0o3mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGEl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{612CE454-D906-4612-B385-1F81390C2982}\stubpath = "C:\\Windows\\{612CE454-D906-4612-B385-1F81390C2982}.exe"	6641279509087dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92326DB-3148-4418-87CA-5838906DF8A1}	{612CE454-D906-4612-B385-1F81390C2982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2769E76E-4574-46eb-ADA7-51B13532F887}	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}\stubpath = "C:\\Windows\\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe"	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74457E44-9AD1-49fb-8A34-DA042FF81243}	{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}\stubpath = "C:\\Windows\\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe"	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D95BCB25-21C4-433a-A128-397E4E1B681A}\stubpath = "C:\\Windows\\{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe"	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}\stubpath = "C:\\Windows\\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe"	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}\stubpath = "C:\\Windows\\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe"	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D95BCB25-21C4-433a-A128-397E4E1B681A}	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2769E76E-4574-46eb-ADA7-51B13532F887}\stubpath = "C:\\Windows\\{2769E76E-4574-46eb-ADA7-51B13532F887}.exe"	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{612CE454-D906-4612-B385-1F81390C2982}	6641279509087dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92326DB-3148-4418-87CA-5838906DF8A1}\stubpath = "C:\\Windows\\{B92326DB-3148-4418-87CA-5838906DF8A1}.exe"	{612CE454-D906-4612-B385-1F81390C2982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}\stubpath = "C:\\Windows\\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe"	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}\stubpath = "C:\\Windows\\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe"	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74457E44-9AD1-49fb-8A34-DA042FF81243}\stubpath = "C:\\Windows\\{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe"	{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}\stubpath = "C:\\Windows\\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe"	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4884	{612CE454-D906-4612-B385-1F81390C2982}.exe
3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe
2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
4612	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe
4584	{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe
4572	{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
File created	C:\Windows\{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
File created	C:\Windows\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe
File created	C:\Windows\{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe	{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe
File created	C:\Windows\{612CE454-D906-4612-B385-1F81390C2982}.exe	6641279509087dexeexeexeex.exe
File created	C:\Windows\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
File created	C:\Windows\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
File created	C:\Windows\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
File created	C:\Windows\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
File created	C:\Windows\{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	{612CE454-D906-4612-B385-1F81390C2982}.exe
File created	C:\Windows\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
File created	C:\Windows\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1116	6641279509087dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe
Token: SeIncBasePriorityPrivilege	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
Token: SeIncBasePriorityPrivilege	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
Token: SeIncBasePriorityPrivilege	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe
Token: SeIncBasePriorityPrivilege	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
Token: SeIncBasePriorityPrivilege	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
Token: SeIncBasePriorityPrivilege	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
Token: SeIncBasePriorityPrivilege	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
Token: SeIncBasePriorityPrivilege	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
Token: SeIncBasePriorityPrivilege	4612	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe
Token: SeIncBasePriorityPrivilege	4584	{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4884	1116	6641279509087dexeexeexeex.exe	84
PID 1116 wrote to memory of 4884	1116	6641279509087dexeexeexeex.exe	84
PID 1116 wrote to memory of 4884	1116	6641279509087dexeexeexeex.exe	84
PID 1116 wrote to memory of 2172	1116	6641279509087dexeexeexeex.exe	85
PID 1116 wrote to memory of 2172	1116	6641279509087dexeexeexeex.exe	85
PID 1116 wrote to memory of 2172	1116	6641279509087dexeexeexeex.exe	85
PID 4884 wrote to memory of 3376	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe	86
PID 4884 wrote to memory of 3376	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe	86
PID 4884 wrote to memory of 3376	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe	86
PID 4884 wrote to memory of 3424	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe	87
PID 4884 wrote to memory of 3424	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe	87
PID 4884 wrote to memory of 3424	4884	{612CE454-D906-4612-B385-1F81390C2982}.exe	87
PID 3376 wrote to memory of 2264	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	92
PID 3376 wrote to memory of 2264	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	92
PID 3376 wrote to memory of 2264	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	92
PID 3376 wrote to memory of 2248	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	91
PID 3376 wrote to memory of 2248	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	91
PID 3376 wrote to memory of 2248	3376	{B92326DB-3148-4418-87CA-5838906DF8A1}.exe	91
PID 2264 wrote to memory of 1312	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	93
PID 2264 wrote to memory of 1312	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	93
PID 2264 wrote to memory of 1312	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	93
PID 2264 wrote to memory of 4628	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	94
PID 2264 wrote to memory of 4628	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	94
PID 2264 wrote to memory of 4628	2264	{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe	94
PID 1312 wrote to memory of 2572	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	95
PID 1312 wrote to memory of 2572	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	95
PID 1312 wrote to memory of 2572	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	95
PID 1312 wrote to memory of 1256	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	96
PID 1312 wrote to memory of 1256	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	96
PID 1312 wrote to memory of 1256	1312	{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe	96
PID 2572 wrote to memory of 3000	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	97
PID 2572 wrote to memory of 3000	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	97
PID 2572 wrote to memory of 3000	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	97
PID 2572 wrote to memory of 2636	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	98
PID 2572 wrote to memory of 2636	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	98
PID 2572 wrote to memory of 2636	2572	{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe	98
PID 3000 wrote to memory of 4852	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	99
PID 3000 wrote to memory of 4852	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	99
PID 3000 wrote to memory of 4852	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	99
PID 3000 wrote to memory of 3960	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	100
PID 3000 wrote to memory of 3960	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	100
PID 3000 wrote to memory of 3960	3000	{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe	100
PID 4852 wrote to memory of 1040	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	101
PID 4852 wrote to memory of 1040	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	101
PID 4852 wrote to memory of 1040	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	101
PID 4852 wrote to memory of 3504	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	102
PID 4852 wrote to memory of 3504	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	102
PID 4852 wrote to memory of 3504	4852	{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe	102
PID 1040 wrote to memory of 3336	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	103
PID 1040 wrote to memory of 3336	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	103
PID 1040 wrote to memory of 3336	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	103
PID 1040 wrote to memory of 2144	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	104
PID 1040 wrote to memory of 2144	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	104
PID 1040 wrote to memory of 2144	1040	{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe	104
PID 3336 wrote to memory of 4612	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	105
PID 3336 wrote to memory of 4612	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	105
PID 3336 wrote to memory of 4612	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	105
PID 3336 wrote to memory of 4592	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	106
PID 3336 wrote to memory of 4592	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	106
PID 3336 wrote to memory of 4592	3336	{2769E76E-4574-46eb-ADA7-51B13532F887}.exe	106
PID 4612 wrote to memory of 4584	4612	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe	107
PID 4612 wrote to memory of 4584	4612	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe	107
PID 4612 wrote to memory of 4584	4612	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe	107
PID 4612 wrote to memory of 4252	4612	{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe	108

C:\Users\Admin\AppData\Local\Temp\6641279509087dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6641279509087dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\{612CE454-D906-4612-B385-1F81390C2982}.exe
  C:\Windows\{612CE454-D906-4612-B385-1F81390C2982}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
    C:\Windows\{B92326DB-3148-4418-87CA-5838906DF8A1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9232~1.EXE > nul
      4⤵
      PID:2248
  - - C:\Windows\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
      C:\Windows\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe
        
        C:\Windows\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
        
        C:\Windows\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
        
        C:\Windows\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
        
        C:\Windows\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
        
        C:\Windows\{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
        
        C:\Windows\{2769E76E-4574-46eb-ADA7-51B13532F887}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe
        
        C:\Windows\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe
        
        C:\Windows\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
        
        C:\Windows\{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe
        
        C:\Windows\{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe
        13⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8ED5~1.EXE > nul
        13⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AA3B~1.EXE > nul
        12⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2769E~1.EXE > nul
        11⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D95BC~1.EXE > nul
        10⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A79E1~1.EXE > nul
        9⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F905~1.EXE > nul
        8⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ACA0~1.EXE > nul
        7⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F99F~1.EXE > nul
        6⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4472D~1.EXE > nul
        5⤵
        
        PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{612CE~1.EXE > nul
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\664127~1.EXE > nul
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe

Filesize
372KB

MD5
471aa80a8848f7ffa0cae7c5dc3a19fd

SHA1
15302e4d04521b4e02eaefa086724eb652b5841d

SHA256
8ef132217157e2169ff54420e730978a49f90dfa4c1d6753e6e0f79272a94c8e

SHA512
dfb1ac6599c523074717b0bd4806b58685e7613d6b0e3ef22e617d751a95eff5fb71914c34c0d9704a86f3313dfe956e69c2e9fcccb069e5ede1e325f117f254

Download Submit
C:\Windows\{1ACA094E-8DE8-4937-80E4-DFEB2E43EC80}.exe

Filesize
372KB

MD5
471aa80a8848f7ffa0cae7c5dc3a19fd

SHA1
15302e4d04521b4e02eaefa086724eb652b5841d

SHA256
8ef132217157e2169ff54420e730978a49f90dfa4c1d6753e6e0f79272a94c8e

SHA512
dfb1ac6599c523074717b0bd4806b58685e7613d6b0e3ef22e617d751a95eff5fb71914c34c0d9704a86f3313dfe956e69c2e9fcccb069e5ede1e325f117f254

Download Submit
C:\Windows\{2769E76E-4574-46eb-ADA7-51B13532F887}.exe

Filesize
372KB

MD5
f08b765b48a2ea5013335d8386f80c3e

SHA1
bfaad7df756be7f6ec8b7d60b9c78dc34ac47d7d

SHA256
caa7f5f9ae812936913a302ea4f11495b9ef1fc16b3bf7a16abb96295b1a28a9

SHA512
1af7e7f39631241d523596b3f24ba022d29d3e7756a84e9b85f3d83ed57831c00c056a7e7e991f60367f25f8b5f9ab495c67289c2de89316c0e01af5ad184b49

Download Submit
C:\Windows\{2769E76E-4574-46eb-ADA7-51B13532F887}.exe

Filesize
372KB

MD5
f08b765b48a2ea5013335d8386f80c3e

SHA1
bfaad7df756be7f6ec8b7d60b9c78dc34ac47d7d

SHA256
caa7f5f9ae812936913a302ea4f11495b9ef1fc16b3bf7a16abb96295b1a28a9

SHA512
1af7e7f39631241d523596b3f24ba022d29d3e7756a84e9b85f3d83ed57831c00c056a7e7e991f60367f25f8b5f9ab495c67289c2de89316c0e01af5ad184b49

Download Submit
C:\Windows\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe

Filesize
372KB

MD5
a9de0030c6db25b114e4700f1fff1e93

SHA1
b11b0002594960fc2dbefb9822193556f7207308

SHA256
b7d99c6cf19fdd9782cde17f3f0020721409e5cf829ce9dd3cabd013b93a29d6

SHA512
27b2f08c5f1771228f03d69f227047595834fa849ccf109fcf300f47f1312bcad1cabdc46e07b823c39292a84a4dbee778093034659b3bd46e1ac2692549e4c0

Download Submit
C:\Windows\{2AA3B8EA-D52A-433b-A5E7-94218048E69F}.exe

Filesize
372KB

MD5
a9de0030c6db25b114e4700f1fff1e93

SHA1
b11b0002594960fc2dbefb9822193556f7207308

SHA256
b7d99c6cf19fdd9782cde17f3f0020721409e5cf829ce9dd3cabd013b93a29d6

SHA512
27b2f08c5f1771228f03d69f227047595834fa849ccf109fcf300f47f1312bcad1cabdc46e07b823c39292a84a4dbee778093034659b3bd46e1ac2692549e4c0

Download Submit
C:\Windows\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe

Filesize
372KB

MD5
f037c65f155b8d3ba02a87ba7b69bdab

SHA1
951f7ca37f7d37cae0569574f47e15c2a8385128

SHA256
27ead17d046a0c0a90786bfb088af2450aa33270ff68ccd5bedb3da3f7405c28

SHA512
a60112597304421f708b81248ca8f2728122a96ca31bbecf615808b321c65dc10fb5d26f213bede290d5999756e204678193b001f05258eb97f69eff2e64f21d

Download Submit
C:\Windows\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe

Filesize
372KB

MD5
f037c65f155b8d3ba02a87ba7b69bdab

SHA1
951f7ca37f7d37cae0569574f47e15c2a8385128

SHA256
27ead17d046a0c0a90786bfb088af2450aa33270ff68ccd5bedb3da3f7405c28

SHA512
a60112597304421f708b81248ca8f2728122a96ca31bbecf615808b321c65dc10fb5d26f213bede290d5999756e204678193b001f05258eb97f69eff2e64f21d

Download Submit
C:\Windows\{4472DFFE-046A-430d-B37F-7F5E4ED4C012}.exe

Filesize
372KB

MD5
f037c65f155b8d3ba02a87ba7b69bdab

SHA1
951f7ca37f7d37cae0569574f47e15c2a8385128

SHA256
27ead17d046a0c0a90786bfb088af2450aa33270ff68ccd5bedb3da3f7405c28

SHA512
a60112597304421f708b81248ca8f2728122a96ca31bbecf615808b321c65dc10fb5d26f213bede290d5999756e204678193b001f05258eb97f69eff2e64f21d

Download Submit
C:\Windows\{612CE454-D906-4612-B385-1F81390C2982}.exe

Filesize
372KB

MD5
8fc4764eca16bd1d3d884bdf1bf6e0bd

SHA1
d3447fe8d12ee20bf958561ab95f70b394987441

SHA256
e766424313f2f1e0b2b1e46dfc95cb53fbe76f723a53ec71dcd2685469169f28

SHA512
d2476e0d26af86874d389222ae1abd12118502dd054fb6be57a4da8a3f08625e8e691a2255a6f713b9946c31786d73fcf4b4a35e1ddfa989c344cf8f1bc96bd0

Download Submit
C:\Windows\{612CE454-D906-4612-B385-1F81390C2982}.exe

Filesize
372KB

MD5
8fc4764eca16bd1d3d884bdf1bf6e0bd

SHA1
d3447fe8d12ee20bf958561ab95f70b394987441

SHA256
e766424313f2f1e0b2b1e46dfc95cb53fbe76f723a53ec71dcd2685469169f28

SHA512
d2476e0d26af86874d389222ae1abd12118502dd054fb6be57a4da8a3f08625e8e691a2255a6f713b9946c31786d73fcf4b4a35e1ddfa989c344cf8f1bc96bd0

Download Submit
C:\Windows\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe

Filesize
372KB

MD5
0f7ac9e88edd97cd4c41e1b0f4820cdf

SHA1
67390b1e86d27da4a3135830816b11d7f83855c0

SHA256
5fc1edb30a4553c45ec21e59904eca6a99820ed0687b1807f0c7a5250de43ab7

SHA512
0f1bbb9334783c0a738abe5d40afa6a924f19d7eef9d02ae86040e07ca5cc7cc4db1bf50da319a1202459e91b76aeb1d95564c27c9ce8c5fb30dbdd2226cb3e6

Download Submit
C:\Windows\{6F90544E-66DE-4b28-A168-CDA8BB1D419F}.exe

Filesize
372KB

MD5
0f7ac9e88edd97cd4c41e1b0f4820cdf

SHA1
67390b1e86d27da4a3135830816b11d7f83855c0

SHA256
5fc1edb30a4553c45ec21e59904eca6a99820ed0687b1807f0c7a5250de43ab7

SHA512
0f1bbb9334783c0a738abe5d40afa6a924f19d7eef9d02ae86040e07ca5cc7cc4db1bf50da319a1202459e91b76aeb1d95564c27c9ce8c5fb30dbdd2226cb3e6

Download Submit
C:\Windows\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe

Filesize
372KB

MD5
80fb368e84956c86c7ed13e0a7263330

SHA1
d7f0ff8774059f418a928ae398a0e05291a60ad6

SHA256
1725f7a5021ae6e99afa50fd7d54bb9daeed8a139bd0a65471b788135de93780

SHA512
79efa8daa01095da0bc506183a57c330d9b4bf35d18a8701ff25c6180eb55a34395e4a6ff4068525de2e265b2c0d2610edff823638d6d6b9a6f56ea7290d42ff

Download Submit
C:\Windows\{6F99FA6E-E7DA-40e5-807E-CF3C0FA64288}.exe

Filesize
372KB

MD5
80fb368e84956c86c7ed13e0a7263330

SHA1
d7f0ff8774059f418a928ae398a0e05291a60ad6

SHA256
1725f7a5021ae6e99afa50fd7d54bb9daeed8a139bd0a65471b788135de93780

SHA512
79efa8daa01095da0bc506183a57c330d9b4bf35d18a8701ff25c6180eb55a34395e4a6ff4068525de2e265b2c0d2610edff823638d6d6b9a6f56ea7290d42ff

Download Submit
C:\Windows\{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe

Filesize
372KB

MD5
30daf578d440d9a542f60099f33f525b

SHA1
967bb26424b58308ef39eb4904b1ffdf8ffa9a04

SHA256
2435a2d9ebd35e958ff4793e31ce11eaadbdb256e34892a6c01d73899b23b3f0

SHA512
bdd5aeb875f703d780db0ab35d35d8c6a96d0dc4d51e4fcd455a635ff46f2f6a29d37e73ac1ecba421607d6844204d99b38793232542cbce1947ba45bb780bad

Download Submit
C:\Windows\{74457E44-9AD1-49fb-8A34-DA042FF81243}.exe

Filesize
372KB

MD5
30daf578d440d9a542f60099f33f525b

SHA1
967bb26424b58308ef39eb4904b1ffdf8ffa9a04

SHA256
2435a2d9ebd35e958ff4793e31ce11eaadbdb256e34892a6c01d73899b23b3f0

SHA512
bdd5aeb875f703d780db0ab35d35d8c6a96d0dc4d51e4fcd455a635ff46f2f6a29d37e73ac1ecba421607d6844204d99b38793232542cbce1947ba45bb780bad

Download Submit
C:\Windows\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe

Filesize
372KB

MD5
a6958c764ef870a5eb95778b924b658d

SHA1
9664751bed9e310d37dbf0d4f3849cf6bcc401c7

SHA256
1388eeeb2db0ec2b885f2a0d41927514c6ef339366b417ef77445cec3c8d7b23

SHA512
0907a1acc8fbafdc406699f19846e1c4fbcd17ee9301df7ef4e3034d4c8c4c81709d970b5704d81bdff52eea0930389db2b32d19d5f2ccb5ee9aeb515acb9969

Download Submit
C:\Windows\{A79E14C1-A1E2-43a9-8BEC-F4CE2A29D1C6}.exe

Filesize
372KB

MD5
a6958c764ef870a5eb95778b924b658d

SHA1
9664751bed9e310d37dbf0d4f3849cf6bcc401c7

SHA256
1388eeeb2db0ec2b885f2a0d41927514c6ef339366b417ef77445cec3c8d7b23

SHA512
0907a1acc8fbafdc406699f19846e1c4fbcd17ee9301df7ef4e3034d4c8c4c81709d970b5704d81bdff52eea0930389db2b32d19d5f2ccb5ee9aeb515acb9969

Download Submit
C:\Windows\{B92326DB-3148-4418-87CA-5838906DF8A1}.exe

Filesize
372KB

MD5
87213601f5dd329de85868e8698728b8

SHA1
532787947f86ab9a74f5ae3bc487d650b7ce7d65

SHA256
27cdc39b957fae4ae7bc010c47b3428be59965228c40d1da0886b7ac08b3b6f8

SHA512
a9fe3ddadd30369b86f0c5d1f7452a82dee11f035fcc215caab2c44924e162e13f367dfc1c2ccd63e1977a292ef83162ee8a83aaaeeb21083bc756b38bcefb80

Download Submit
C:\Windows\{B92326DB-3148-4418-87CA-5838906DF8A1}.exe

Filesize
372KB

MD5
87213601f5dd329de85868e8698728b8

SHA1
532787947f86ab9a74f5ae3bc487d650b7ce7d65

SHA256
27cdc39b957fae4ae7bc010c47b3428be59965228c40d1da0886b7ac08b3b6f8

SHA512
a9fe3ddadd30369b86f0c5d1f7452a82dee11f035fcc215caab2c44924e162e13f367dfc1c2ccd63e1977a292ef83162ee8a83aaaeeb21083bc756b38bcefb80

Download Submit
C:\Windows\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe

Filesize
372KB

MD5
9e7e9e31fd5320ce1b8d4593854d0062

SHA1
82b18b4bdb9c47ea7bc32a5cf3410577284988af

SHA256
ccf617084bcb3388f5bb4fbd5ac05b8e3fa65af02cf74624842d84435339811b

SHA512
53cfaadeb130e9d30526968f47021569c0b34a038b38857d959eb81f0bf8be4bdaf617aa82ddfc1c22c1413ae6fff17dd36b365adcc9c36e5b8f99cef9eefc45

Download Submit
C:\Windows\{C8ED502F-3F4A-466e-B4CE-984D8F0E4D21}.exe

Filesize
372KB

MD5
9e7e9e31fd5320ce1b8d4593854d0062

SHA1
82b18b4bdb9c47ea7bc32a5cf3410577284988af

SHA256
ccf617084bcb3388f5bb4fbd5ac05b8e3fa65af02cf74624842d84435339811b

SHA512
53cfaadeb130e9d30526968f47021569c0b34a038b38857d959eb81f0bf8be4bdaf617aa82ddfc1c22c1413ae6fff17dd36b365adcc9c36e5b8f99cef9eefc45

Download Submit
C:\Windows\{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe

Filesize
372KB

MD5
9d974b5bf610be9ab6e25994df2137ab

SHA1
fcc018be5e5fc153b2254a33b04577a4d472d86c

SHA256
4d7ec94afb6309d1005ab6e4556ad31698be0b97ec9102cf95e6d5a781194cd7

SHA512
c6be987ec07d3f42f14fbb5fcbcdc67cffce3a8a2fba2d2f229a86363207664f7a21f888358fa08a5e18f3a615bda5cfed79a1496d9daa343cb94bd695286c6d

Download Submit
C:\Windows\{D95BCB25-21C4-433a-A128-397E4E1B681A}.exe

Filesize
372KB

MD5
9d974b5bf610be9ab6e25994df2137ab

SHA1
fcc018be5e5fc153b2254a33b04577a4d472d86c

SHA256
4d7ec94afb6309d1005ab6e4556ad31698be0b97ec9102cf95e6d5a781194cd7

SHA512
c6be987ec07d3f42f14fbb5fcbcdc67cffce3a8a2fba2d2f229a86363207664f7a21f888358fa08a5e18f3a615bda5cfed79a1496d9daa343cb94bd695286c6d

Download Submit