25d15aa4fe3537ebb129b600e47ea82256fb73ae992e5255de9245b148ff04bb

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a957c7ed0a4d5exeexeexeex.exe
Size

168KB
MD5

6a957c7ed0a4d537b2b71281635959c0
SHA1

d3259d3758aff4ed2ad921a365eb4b5de58543a8
SHA256

25d15aa4fe3537ebb129b600e47ea82256fb73ae992e5255de9245b148ff04bb
SHA512

f598b71a7a28740f3700f9e75b92f1655d139ab50230b2784cfd90767b4cd888158df2c2c677d65b3d81e1746f8847bac409a2024beb4ba6af9efbe4bc1b2145
SSDEEP

1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B66B810F-9CF4-4e51-9830-F70D376DFA91}	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6301E9F8-017A-4190-9025-28B5184A505A}\stubpath = "C:\\Windows\\{6301E9F8-017A-4190-9025-28B5184A505A}.exe"	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}\stubpath = "C:\\Windows\\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe"	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F4FBF19-8AB4-421f-A724-E77E33032F64}	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D634C89E-870B-4a05-BC38-1E3F94A2A683}	{FC300AB8-40FE-45e8-923D-D501DC085960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646DD617-605B-4171-A6C0-6FC0954BB664}	{6301E9F8-017A-4190-9025-28B5184A505A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}\stubpath = "C:\\Windows\\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe"	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D634C89E-870B-4a05-BC38-1E3F94A2A683}\stubpath = "C:\\Windows\\{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe"	{FC300AB8-40FE-45e8-923D-D501DC085960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC300AB8-40FE-45e8-923D-D501DC085960}\stubpath = "C:\\Windows\\{FC300AB8-40FE-45e8-923D-D501DC085960}.exe"	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}	6a957c7ed0a4d5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B66B810F-9CF4-4e51-9830-F70D376DFA91}\stubpath = "C:\\Windows\\{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe"	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646DD617-605B-4171-A6C0-6FC0954BB664}\stubpath = "C:\\Windows\\{646DD617-605B-4171-A6C0-6FC0954BB664}.exe"	{6301E9F8-017A-4190-9025-28B5184A505A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F4FBF19-8AB4-421f-A724-E77E33032F64}\stubpath = "C:\\Windows\\{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe"	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}\stubpath = "C:\\Windows\\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe"	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDF303D-EE10-424c-B8C5-86BEE257694D}\stubpath = "C:\\Windows\\{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe"	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}\stubpath = "C:\\Windows\\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe"	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}\stubpath = "C:\\Windows\\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe"	6a957c7ed0a4d5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6301E9F8-017A-4190-9025-28B5184A505A}	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDF303D-EE10-424c-B8C5-86BEE257694D}	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC300AB8-40FE-45e8-923D-D501DC085960}	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe

Executes dropped EXE 12 IoCs

pid	Process
2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe
2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe
1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
1012	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe
2628	{FC300AB8-40FE-45e8-923D-D501DC085960}.exe
632	{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe	{FC300AB8-40FE-45e8-923D-D501DC085960}.exe
File created	C:\Windows\{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
File created	C:\Windows\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
File created	C:\Windows\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
File created	C:\Windows\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
File created	C:\Windows\{FC300AB8-40FE-45e8-923D-D501DC085960}.exe	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe
File created	C:\Windows\{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
File created	C:\Windows\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	6a957c7ed0a4d5exeexeexeex.exe
File created	C:\Windows\{6301E9F8-017A-4190-9025-28B5184A505A}.exe	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
File created	C:\Windows\{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	{6301E9F8-017A-4190-9025-28B5184A505A}.exe
File created	C:\Windows\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
File created	C:\Windows\{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4152	6a957c7ed0a4d5exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
Token: SeIncBasePriorityPrivilege	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
Token: SeIncBasePriorityPrivilege	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe
Token: SeIncBasePriorityPrivilege	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
Token: SeIncBasePriorityPrivilege	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
Token: SeIncBasePriorityPrivilege	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe
Token: SeIncBasePriorityPrivilege	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
Token: SeIncBasePriorityPrivilege	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
Token: SeIncBasePriorityPrivilege	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
Token: SeIncBasePriorityPrivilege	1012	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe
Token: SeIncBasePriorityPrivilege	2628	{FC300AB8-40FE-45e8-923D-D501DC085960}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2608	4152	6a957c7ed0a4d5exeexeexeex.exe	84
PID 4152 wrote to memory of 2608	4152	6a957c7ed0a4d5exeexeexeex.exe	84
PID 4152 wrote to memory of 2608	4152	6a957c7ed0a4d5exeexeexeex.exe	84
PID 4152 wrote to memory of 3932	4152	6a957c7ed0a4d5exeexeexeex.exe	85
PID 4152 wrote to memory of 3932	4152	6a957c7ed0a4d5exeexeexeex.exe	85
PID 4152 wrote to memory of 3932	4152	6a957c7ed0a4d5exeexeexeex.exe	85
PID 2608 wrote to memory of 1008	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	86
PID 2608 wrote to memory of 1008	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	86
PID 2608 wrote to memory of 1008	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	86
PID 2608 wrote to memory of 2904	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	87
PID 2608 wrote to memory of 2904	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	87
PID 2608 wrote to memory of 2904	2608	{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe	87
PID 1008 wrote to memory of 5100	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	92
PID 1008 wrote to memory of 5100	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	92
PID 1008 wrote to memory of 5100	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	92
PID 1008 wrote to memory of 2216	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	91
PID 1008 wrote to memory of 2216	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	91
PID 1008 wrote to memory of 2216	1008	{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe	91
PID 5100 wrote to memory of 2300	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe	93
PID 5100 wrote to memory of 2300	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe	93
PID 5100 wrote to memory of 2300	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe	93
PID 5100 wrote to memory of 828	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe	94
PID 5100 wrote to memory of 828	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe	94
PID 5100 wrote to memory of 828	5100	{6301E9F8-017A-4190-9025-28B5184A505A}.exe	94
PID 2300 wrote to memory of 2684	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	95
PID 2300 wrote to memory of 2684	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	95
PID 2300 wrote to memory of 2684	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	95
PID 2300 wrote to memory of 1256	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	96
PID 2300 wrote to memory of 1256	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	96
PID 2300 wrote to memory of 1256	2300	{646DD617-605B-4171-A6C0-6FC0954BB664}.exe	96
PID 2684 wrote to memory of 4432	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	97
PID 2684 wrote to memory of 4432	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	97
PID 2684 wrote to memory of 4432	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	97
PID 2684 wrote to memory of 728	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	98
PID 2684 wrote to memory of 728	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	98
PID 2684 wrote to memory of 728	2684	{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe	98
PID 4432 wrote to memory of 1056	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	99
PID 4432 wrote to memory of 1056	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	99
PID 4432 wrote to memory of 1056	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	99
PID 4432 wrote to memory of 2620	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	100
PID 4432 wrote to memory of 2620	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	100
PID 4432 wrote to memory of 2620	4432	{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe	100
PID 1056 wrote to memory of 1188	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	101
PID 1056 wrote to memory of 1188	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	101
PID 1056 wrote to memory of 1188	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	101
PID 1056 wrote to memory of 1948	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	102
PID 1056 wrote to memory of 1948	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	102
PID 1056 wrote to memory of 1948	1056	{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe	102
PID 1188 wrote to memory of 1136	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	103
PID 1188 wrote to memory of 1136	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	103
PID 1188 wrote to memory of 1136	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	103
PID 1188 wrote to memory of 1800	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	104
PID 1188 wrote to memory of 1800	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	104
PID 1188 wrote to memory of 1800	1188	{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe	104
PID 1136 wrote to memory of 1012	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	105
PID 1136 wrote to memory of 1012	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	105
PID 1136 wrote to memory of 1012	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	105
PID 1136 wrote to memory of 1196	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	106
PID 1136 wrote to memory of 1196	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	106
PID 1136 wrote to memory of 1196	1136	{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe	106
PID 1012 wrote to memory of 2628	1012	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe	107
PID 1012 wrote to memory of 2628	1012	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe	107
PID 1012 wrote to memory of 2628	1012	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe	107
PID 1012 wrote to memory of 4868	1012	{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe	108

C:\Users\Admin\AppData\Local\Temp\6a957c7ed0a4d5exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6a957c7ed0a4d5exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
  C:\Windows\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
    C:\Windows\{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B66B8~1.EXE > nul
      4⤵
      PID:2216
  - - C:\Windows\{6301E9F8-017A-4190-9025-28B5184A505A}.exe
      C:\Windows\{6301E9F8-017A-4190-9025-28B5184A505A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
        
        C:\Windows\{646DD617-605B-4171-A6C0-6FC0954BB664}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
        
        C:\Windows\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe
        
        C:\Windows\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
        
        C:\Windows\{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
        
        C:\Windows\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
        
        C:\Windows\{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe
        
        C:\Windows\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{FC300AB8-40FE-45e8-923D-D501DC085960}.exe
        
        C:\Windows\{FC300AB8-40FE-45e8-923D-D501DC085960}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe
        
        C:\Windows\{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe
        13⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC300~1.EXE > nul
        13⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FABB8~1.EXE > nul
        12⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDF3~1.EXE > nul
        11⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4CA0~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F4FB~1.EXE > nul
        9⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26AAB~1.EXE > nul
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17C22~1.EXE > nul
        7⤵
        
        PID:728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{646DD~1.EXE > nul
        6⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6301E~1.EXE > nul
        5⤵
        
        PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E918~1.EXE > nul
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A957C~1.EXE > nul
  2⤵
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe

Filesize
168KB

MD5
fc9632b6224e0d725d2e366e840a8d0c

SHA1
665513c8029a0c9c60cce963ea158e76bb0c2293

SHA256
02752e40ba582ea5182cab51c03a8d0b076a0d888d4d2e65f80126f334b355e8

SHA512
8da68bcbc32e04cc839e7015a65997a6bd96a1689228b32fc1d4ceec3686d1dd843a14432afc39af8e20777d038714326b908c1840e9cc106897efb6a71f726e

Download Submit
C:\Windows\{17C22B6B-1250-48c8-BCD8-9DD92367B1A7}.exe

Filesize
168KB

MD5
fc9632b6224e0d725d2e366e840a8d0c

SHA1
665513c8029a0c9c60cce963ea158e76bb0c2293

SHA256
02752e40ba582ea5182cab51c03a8d0b076a0d888d4d2e65f80126f334b355e8

SHA512
8da68bcbc32e04cc839e7015a65997a6bd96a1689228b32fc1d4ceec3686d1dd843a14432afc39af8e20777d038714326b908c1840e9cc106897efb6a71f726e

Download Submit
C:\Windows\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe

Filesize
168KB

MD5
a51242b2e8ce633b59909aea1d086ad0

SHA1
afa6620cfc6e6d237078e011d8d74b7898394811

SHA256
26499dfb43948e4bf69eee625afab2780b862191b1a20c9e4fe762f4ff57fc1f

SHA512
d7ad1956fc8b3d3b1b42320cbc19c24e3f9a4d2346346fe371fe41d4217c9a70d8597d3da3978d8472a5ef5b4f5eb7e09a4ab967c1408a5cdd9d1f0e69280d80

Download Submit
C:\Windows\{26AAB28B-3CE7-44ba-AA7C-087B3ECC90C2}.exe

Filesize
168KB

MD5
a51242b2e8ce633b59909aea1d086ad0

SHA1
afa6620cfc6e6d237078e011d8d74b7898394811

SHA256
26499dfb43948e4bf69eee625afab2780b862191b1a20c9e4fe762f4ff57fc1f

SHA512
d7ad1956fc8b3d3b1b42320cbc19c24e3f9a4d2346346fe371fe41d4217c9a70d8597d3da3978d8472a5ef5b4f5eb7e09a4ab967c1408a5cdd9d1f0e69280d80

Download Submit
C:\Windows\{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe

Filesize
168KB

MD5
f8fcc2cae20daad93ce58908aff5af67

SHA1
c80ac7c5d7bcd8092da3efc0958889718b7be2cd

SHA256
98ae8186a4bb0ab1f02fb95958f215171cb299ed3d128b801d4ae9ca30dd7119

SHA512
9bc3333fd4df7c4c80d0964158d0f14ae34d57ec61af7395a4fee08ad199d3faf40c4228512d0ba033cbb2274f5dddb324e98f7d83d8a725882856281653dfa8

Download Submit
C:\Windows\{3F4FBF19-8AB4-421f-A724-E77E33032F64}.exe

Filesize
168KB

MD5
f8fcc2cae20daad93ce58908aff5af67

SHA1
c80ac7c5d7bcd8092da3efc0958889718b7be2cd

SHA256
98ae8186a4bb0ab1f02fb95958f215171cb299ed3d128b801d4ae9ca30dd7119

SHA512
9bc3333fd4df7c4c80d0964158d0f14ae34d57ec61af7395a4fee08ad199d3faf40c4228512d0ba033cbb2274f5dddb324e98f7d83d8a725882856281653dfa8

Download Submit
C:\Windows\{6301E9F8-017A-4190-9025-28B5184A505A}.exe

Filesize
168KB

MD5
722f3f84a0888385ca648e26ef81b00e

SHA1
a459075e1b9a0db0018418408ef3868a8db3a854

SHA256
5e7a125d94866c3b3b04efebaa611481976af7a1a986ff20bc4fe27c529d6806

SHA512
626758ebbfbacaf6606e4f8ddffdef20e3997ab8b3e56b62b0572762e8d6984fd143098e9bfa1ede8cf9aa63c697666dd40d9a10069fc9e2475f542b6613d5d0

Download Submit
C:\Windows\{6301E9F8-017A-4190-9025-28B5184A505A}.exe

Filesize
168KB

MD5
722f3f84a0888385ca648e26ef81b00e

SHA1
a459075e1b9a0db0018418408ef3868a8db3a854

SHA256
5e7a125d94866c3b3b04efebaa611481976af7a1a986ff20bc4fe27c529d6806

SHA512
626758ebbfbacaf6606e4f8ddffdef20e3997ab8b3e56b62b0572762e8d6984fd143098e9bfa1ede8cf9aa63c697666dd40d9a10069fc9e2475f542b6613d5d0

Download Submit
C:\Windows\{6301E9F8-017A-4190-9025-28B5184A505A}.exe

Filesize
168KB

MD5
722f3f84a0888385ca648e26ef81b00e

SHA1
a459075e1b9a0db0018418408ef3868a8db3a854

SHA256
5e7a125d94866c3b3b04efebaa611481976af7a1a986ff20bc4fe27c529d6806

SHA512
626758ebbfbacaf6606e4f8ddffdef20e3997ab8b3e56b62b0572762e8d6984fd143098e9bfa1ede8cf9aa63c697666dd40d9a10069fc9e2475f542b6613d5d0

Download Submit
C:\Windows\{646DD617-605B-4171-A6C0-6FC0954BB664}.exe

Filesize
168KB

MD5
bc77ab8be4b5df4c971c59a0ec31e8b5

SHA1
a7de7c81b238ea0e79a149eba695b0c844e67747

SHA256
8ec2210f4d1469ad81d2c6f702ea9647c62866ba5644c4696a4c460aed2cd2ab

SHA512
b0c8c18c2b4a8a7a2bfb8236db9a3e3d452bfc7fcaec74b952817ae18882795da12e580dd65386640d1b6fb88a80486d2f79027b1d5f0544b19791a055b808db

Download Submit
C:\Windows\{646DD617-605B-4171-A6C0-6FC0954BB664}.exe

Filesize
168KB

MD5
bc77ab8be4b5df4c971c59a0ec31e8b5

SHA1
a7de7c81b238ea0e79a149eba695b0c844e67747

SHA256
8ec2210f4d1469ad81d2c6f702ea9647c62866ba5644c4696a4c460aed2cd2ab

SHA512
b0c8c18c2b4a8a7a2bfb8236db9a3e3d452bfc7fcaec74b952817ae18882795da12e580dd65386640d1b6fb88a80486d2f79027b1d5f0544b19791a055b808db

Download Submit
C:\Windows\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe

Filesize
168KB

MD5
5144897316cc9d415af45b5372a2ef02

SHA1
4982d2d1f625bc535264d8e909b7a79cc56dc0c9

SHA256
75abfcde960c4210d5f49978afeefc3744de173af02743ea564a9e1c94bfbaaa

SHA512
edafb7f003a88d768afed6e70a2615b5e77ff5e617cf591a6b221f95e1da24048b91274b6abb116447b6716b181b33ac1087c4812d84e12d81ca88dfa130d933

Download Submit
C:\Windows\{7E918CA2-FEC0-4755-A9AB-8575FD44AE3E}.exe

Filesize
168KB

MD5
5144897316cc9d415af45b5372a2ef02

SHA1
4982d2d1f625bc535264d8e909b7a79cc56dc0c9

SHA256
75abfcde960c4210d5f49978afeefc3744de173af02743ea564a9e1c94bfbaaa

SHA512
edafb7f003a88d768afed6e70a2615b5e77ff5e617cf591a6b221f95e1da24048b91274b6abb116447b6716b181b33ac1087c4812d84e12d81ca88dfa130d933

Download Submit
C:\Windows\{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe

Filesize
168KB

MD5
55e84924ca97e38b60ff909ffcc9418c

SHA1
7939d72b47dc07f3358844ffc96fe8e35a3b4b6d

SHA256
b33b0b8eaebbd905c6785882fe8055163d1ef05f7dc778a6fd3c64792e169c16

SHA512
92685eb2a6e3bb09f33aef9e9cc805efaea1b8ab1856771eed680ababc793b9577abdb03e8f51facc0b02db2e8e85507b0d2bd59b3412727e186bf2b28e5061f

Download Submit
C:\Windows\{B66B810F-9CF4-4e51-9830-F70D376DFA91}.exe

Filesize
168KB

MD5
55e84924ca97e38b60ff909ffcc9418c

SHA1
7939d72b47dc07f3358844ffc96fe8e35a3b4b6d

SHA256
b33b0b8eaebbd905c6785882fe8055163d1ef05f7dc778a6fd3c64792e169c16

SHA512
92685eb2a6e3bb09f33aef9e9cc805efaea1b8ab1856771eed680ababc793b9577abdb03e8f51facc0b02db2e8e85507b0d2bd59b3412727e186bf2b28e5061f

Download Submit
C:\Windows\{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe

Filesize
168KB

MD5
310e91566e40119cc0de6d9be4880bd5

SHA1
7944e05ba42d60e7d0ec80bc63bdcd4cec9cc631

SHA256
c15b8820c2251b9e69723c1b92f3eb1fb8d1d6559f337e26e2668509d5914d36

SHA512
d25bc53927b516a882acd90c8401ecbbcbf444b104619ed35b577a3bd70bab2bea991c7cb2839746b6c670c2f3256a2b62139999d6b8177ab02c551f33a7c454

Download Submit
C:\Windows\{BEDF303D-EE10-424c-B8C5-86BEE257694D}.exe

Filesize
168KB

MD5
310e91566e40119cc0de6d9be4880bd5

SHA1
7944e05ba42d60e7d0ec80bc63bdcd4cec9cc631

SHA256
c15b8820c2251b9e69723c1b92f3eb1fb8d1d6559f337e26e2668509d5914d36

SHA512
d25bc53927b516a882acd90c8401ecbbcbf444b104619ed35b577a3bd70bab2bea991c7cb2839746b6c670c2f3256a2b62139999d6b8177ab02c551f33a7c454

Download Submit
C:\Windows\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe

Filesize
168KB

MD5
e87ca2faf4694cf30c204e5290da7289

SHA1
7b268653aaa682ddd3f7dd189d925de2b25bb645

SHA256
bfc02644f441ac8a95b8e61945e6ec02f13f13f1741db0d9c933be71ced3f612

SHA512
b078fb08019c7cfaa5e2b3dfe9fb20056e511ff5a489e5130ce7cbe22ede166ab6186e7dfccd833ea98febf44a886b2df8def1782f34d2b4014f150ed2d7dc29

Download Submit
C:\Windows\{D4CA08BD-24B7-4964-9996-0C16F7F2F1F4}.exe

Filesize
168KB

MD5
e87ca2faf4694cf30c204e5290da7289

SHA1
7b268653aaa682ddd3f7dd189d925de2b25bb645

SHA256
bfc02644f441ac8a95b8e61945e6ec02f13f13f1741db0d9c933be71ced3f612

SHA512
b078fb08019c7cfaa5e2b3dfe9fb20056e511ff5a489e5130ce7cbe22ede166ab6186e7dfccd833ea98febf44a886b2df8def1782f34d2b4014f150ed2d7dc29

Download Submit
C:\Windows\{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe

Filesize
168KB

MD5
cd3eb332339d403b99e60e7484788d52

SHA1
7ed3e6a036d792587c5669b24642732e17fd808b

SHA256
3bd93fa18938893a9ec022818a6092bb34eb41522288967005e9a117f125268d

SHA512
b490478924a25c28f15162faac0a3ebe9dbf53c9c7b0f251a7b1d1fe42d7f6ff7d0e1d2e3d99fd49565c62580b9c887e55aa3c28c2c6a09f3e60ac7e0fe2a00e

Download Submit
C:\Windows\{D634C89E-870B-4a05-BC38-1E3F94A2A683}.exe

Filesize
168KB

MD5
cd3eb332339d403b99e60e7484788d52

SHA1
7ed3e6a036d792587c5669b24642732e17fd808b

SHA256
3bd93fa18938893a9ec022818a6092bb34eb41522288967005e9a117f125268d

SHA512
b490478924a25c28f15162faac0a3ebe9dbf53c9c7b0f251a7b1d1fe42d7f6ff7d0e1d2e3d99fd49565c62580b9c887e55aa3c28c2c6a09f3e60ac7e0fe2a00e

Download Submit
C:\Windows\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe

Filesize
168KB

MD5
52b9a83ef56578d4a65be03712b7aab9

SHA1
ff60f962739f20117ee842ec3747545750d5fc6c

SHA256
859123a3fdb693672d1b74fd6c3be8a2d3e9bd942b6932e1fef191894915d1e2

SHA512
4e608b2846c329d18fbabbd0496d6993f35390f8d28b4ff6231e1922f27a7c709d0feadc23e8c5d60fdc9e4cfc8a908b215b4c30d9d110372bfccd63ad3453aa

Download Submit
C:\Windows\{FABB86ED-7C86-4d7f-8A29-C44DC71D7058}.exe

Filesize
168KB

MD5
52b9a83ef56578d4a65be03712b7aab9

SHA1
ff60f962739f20117ee842ec3747545750d5fc6c

SHA256
859123a3fdb693672d1b74fd6c3be8a2d3e9bd942b6932e1fef191894915d1e2

SHA512
4e608b2846c329d18fbabbd0496d6993f35390f8d28b4ff6231e1922f27a7c709d0feadc23e8c5d60fdc9e4cfc8a908b215b4c30d9d110372bfccd63ad3453aa

Download Submit
C:\Windows\{FC300AB8-40FE-45e8-923D-D501DC085960}.exe

Filesize
168KB

MD5
31b7481e60242ca57ebcc0a43f5828dc

SHA1
5f7302ce523bd3abdcebd990ebc8a1028be1ee2c

SHA256
59ceed7e7fa5deeb10c2ac2e0d3f03698ce3f24aa203e1ab64142b1a23b8a821

SHA512
436f879d5cd7bd152beb4513e1d530867e4829f4f99ebceab1fe57c27dfdafc03f930d4af774e54cce596855f3550328524f542d8f9e2104cadca8b0b4bf95f9

Download Submit
C:\Windows\{FC300AB8-40FE-45e8-923D-D501DC085960}.exe

Filesize
168KB

MD5
31b7481e60242ca57ebcc0a43f5828dc

SHA1
5f7302ce523bd3abdcebd990ebc8a1028be1ee2c

SHA256
59ceed7e7fa5deeb10c2ac2e0d3f03698ce3f24aa203e1ab64142b1a23b8a821

SHA512
436f879d5cd7bd152beb4513e1d530867e4829f4f99ebceab1fe57c27dfdafc03f930d4af774e54cce596855f3550328524f542d8f9e2104cadca8b0b4bf95f9

Download Submit