da2964f7d47a89f81452649979ab8804d42aabc160abdc41b05be0f924301218

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70cab08d784021exeexeexeex.exe
Size

372KB
MD5

70cab08d7840213da2ef57006b93a588
SHA1

9ff5c3d942dec842c39fd4987df4fe3c597ec33c
SHA256

da2964f7d47a89f81452649979ab8804d42aabc160abdc41b05be0f924301218
SHA512

4813a75d6a776c966aaa24aa886986279e114051b8584e4767de277550fcfd31aeacb120704ac5d3fd51c9875c17436ba3b873b77ac4c9da61d839965f17e645
SSDEEP

3072:CEGh0o4mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGbl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}	70cab08d784021exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B477F968-A205-40e8-B8C8-01619E1C2086}	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802EF6B9-BE54-4601-B9E7-7380288736FC}	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}\stubpath = "C:\\Windows\\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe"	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}\stubpath = "C:\\Windows\\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe"	70cab08d784021exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}\stubpath = "C:\\Windows\\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe"	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}\stubpath = "C:\\Windows\\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe"	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53E50989-7517-4580-AB48-609FBE621B73}	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B477F968-A205-40e8-B8C8-01619E1C2086}\stubpath = "C:\\Windows\\{B477F968-A205-40e8-B8C8-01619E1C2086}.exe"	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}\stubpath = "C:\\Windows\\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe"	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}\stubpath = "C:\\Windows\\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe"	{53E50989-7517-4580-AB48-609FBE621B73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62DFE92A-988C-413f-A143-FE9FFEC67134}	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62DFE92A-988C-413f-A143-FE9FFEC67134}\stubpath = "C:\\Windows\\{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe"	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802EF6B9-BE54-4601-B9E7-7380288736FC}\stubpath = "C:\\Windows\\{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe"	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53E50989-7517-4580-AB48-609FBE621B73}\stubpath = "C:\\Windows\\{53E50989-7517-4580-AB48-609FBE621B73}.exe"	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}	{53E50989-7517-4580-AB48-609FBE621B73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}\stubpath = "C:\\Windows\\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe"	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}	{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}\stubpath = "C:\\Windows\\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe"	{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe
5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe
2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
4568	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
4848	{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe
2644	{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
File created	C:\Windows\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
File created	C:\Windows\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
File created	C:\Windows\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
File created	C:\Windows\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe	{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe
File created	C:\Windows\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	70cab08d784021exeexeexeex.exe
File created	C:\Windows\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
File created	C:\Windows\{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
File created	C:\Windows\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
File created	C:\Windows\{53E50989-7517-4580-AB48-609FBE621B73}.exe	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
File created	C:\Windows\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	{53E50989-7517-4580-AB48-609FBE621B73}.exe
File created	C:\Windows\{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4336	70cab08d784021exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
Token: SeIncBasePriorityPrivilege	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
Token: SeIncBasePriorityPrivilege	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
Token: SeIncBasePriorityPrivilege	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
Token: SeIncBasePriorityPrivilege	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
Token: SeIncBasePriorityPrivilege	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
Token: SeIncBasePriorityPrivilege	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe
Token: SeIncBasePriorityPrivilege	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe
Token: SeIncBasePriorityPrivilege	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
Token: SeIncBasePriorityPrivilege	4568	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
Token: SeIncBasePriorityPrivilege	4848	{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4868	4336	70cab08d784021exeexeexeex.exe	84
PID 4336 wrote to memory of 4868	4336	70cab08d784021exeexeexeex.exe	84
PID 4336 wrote to memory of 4868	4336	70cab08d784021exeexeexeex.exe	84
PID 4336 wrote to memory of 3108	4336	70cab08d784021exeexeexeex.exe	85
PID 4336 wrote to memory of 3108	4336	70cab08d784021exeexeexeex.exe	85
PID 4336 wrote to memory of 3108	4336	70cab08d784021exeexeexeex.exe	85
PID 4868 wrote to memory of 3368	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	86
PID 4868 wrote to memory of 3368	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	86
PID 4868 wrote to memory of 3368	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	86
PID 4868 wrote to memory of 4372	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	87
PID 4868 wrote to memory of 4372	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	87
PID 4868 wrote to memory of 4372	4868	{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe	87
PID 3368 wrote to memory of 948	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	90
PID 3368 wrote to memory of 948	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	90
PID 3368 wrote to memory of 948	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	90
PID 3368 wrote to memory of 4800	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	91
PID 3368 wrote to memory of 4800	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	91
PID 3368 wrote to memory of 4800	3368	{B477F968-A205-40e8-B8C8-01619E1C2086}.exe	91
PID 948 wrote to memory of 872	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	93
PID 948 wrote to memory of 872	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	93
PID 948 wrote to memory of 872	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	93
PID 948 wrote to memory of 4776	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	94
PID 948 wrote to memory of 4776	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	94
PID 948 wrote to memory of 4776	948	{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe	94
PID 872 wrote to memory of 1524	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	95
PID 872 wrote to memory of 1524	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	95
PID 872 wrote to memory of 1524	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	95
PID 872 wrote to memory of 3664	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	96
PID 872 wrote to memory of 3664	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	96
PID 872 wrote to memory of 3664	872	{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe	96
PID 1524 wrote to memory of 4636	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	97
PID 1524 wrote to memory of 4636	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	97
PID 1524 wrote to memory of 4636	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	97
PID 1524 wrote to memory of 4544	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	98
PID 1524 wrote to memory of 4544	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	98
PID 1524 wrote to memory of 4544	1524	{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe	98
PID 4636 wrote to memory of 3360	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	99
PID 4636 wrote to memory of 3360	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	99
PID 4636 wrote to memory of 3360	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	99
PID 4636 wrote to memory of 2940	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	100
PID 4636 wrote to memory of 2940	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	100
PID 4636 wrote to memory of 2940	4636	{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe	100
PID 3360 wrote to memory of 5084	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe	102
PID 3360 wrote to memory of 5084	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe	102
PID 3360 wrote to memory of 5084	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe	102
PID 3360 wrote to memory of 3920	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe	101
PID 3360 wrote to memory of 3920	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe	101
PID 3360 wrote to memory of 3920	3360	{53E50989-7517-4580-AB48-609FBE621B73}.exe	101
PID 5084 wrote to memory of 2176	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	103
PID 5084 wrote to memory of 2176	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	103
PID 5084 wrote to memory of 2176	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	103
PID 5084 wrote to memory of 1156	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	104
PID 5084 wrote to memory of 1156	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	104
PID 5084 wrote to memory of 1156	5084	{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe	104
PID 2176 wrote to memory of 4568	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	105
PID 2176 wrote to memory of 4568	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	105
PID 2176 wrote to memory of 4568	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	105
PID 2176 wrote to memory of 1248	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	106
PID 2176 wrote to memory of 1248	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	106
PID 2176 wrote to memory of 1248	2176	{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe	106
PID 4568 wrote to memory of 4848	4568	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe	107
PID 4568 wrote to memory of 4848	4568	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe	107
PID 4568 wrote to memory of 4848	4568	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe	107
PID 4568 wrote to memory of 3048	4568	{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe	108

C:\Users\Admin\AppData\Local\Temp\70cab08d784021exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\70cab08d784021exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
  C:\Windows\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
    C:\Windows\{B477F968-A205-40e8-B8C8-01619E1C2086}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
      C:\Windows\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
        
        C:\Windows\{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
        
        C:\Windows\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
        
        C:\Windows\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{53E50989-7517-4580-AB48-609FBE621B73}.exe
        
        C:\Windows\{53E50989-7517-4580-AB48-609FBE621B73}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53E50~1.EXE > nul
        9⤵
        
        PID:3920
        
        C:\Windows\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe
        
        C:\Windows\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
        
        C:\Windows\{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
        
        C:\Windows\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe
        
        C:\Windows\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe
        
        C:\Windows\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe
        13⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BF78~1.EXE > nul
        13⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41B5E~1.EXE > nul
        12⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62DFE~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F762C~1.EXE > nul
        10⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0FCF~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07AC8~1.EXE > nul
        7⤵
        
        PID:4544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{802EF~1.EXE > nul
        6⤵
        
        PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF52B~1.EXE > nul
        5⤵
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B477F~1.EXE > nul
      4⤵
      PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC901~1.EXE > nul
    3⤵
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\70CAB0~1.EXE > nul
  2⤵
  PID:3108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe

Filesize
372KB

MD5
db1b8570feab499d2fc52a376425d5fb

SHA1
2813c16cbe3667590ccfd590aa852076afebbf61

SHA256
a906c3e7f42c64c3c71bfb38eb01f8a4e88a1bb610cec6a12c23821bc01a4705

SHA512
90c8a23c111735096fc60b4077d0fe7e2a71a055470aaaff68f6b11939f49f0f7e3a9fe92093c6c72bcda943c228aad85b310bf79d756c6293a0281e345c55d9

Download Submit
C:\Windows\{07AC8399-35B3-40b1-9338-C7D6D7036F3A}.exe

Filesize
372KB

MD5
db1b8570feab499d2fc52a376425d5fb

SHA1
2813c16cbe3667590ccfd590aa852076afebbf61

SHA256
a906c3e7f42c64c3c71bfb38eb01f8a4e88a1bb610cec6a12c23821bc01a4705

SHA512
90c8a23c111735096fc60b4077d0fe7e2a71a055470aaaff68f6b11939f49f0f7e3a9fe92093c6c72bcda943c228aad85b310bf79d756c6293a0281e345c55d9

Download Submit
C:\Windows\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe

Filesize
372KB

MD5
975268db805b493f61e7acaa26c4f74a

SHA1
5e43d380c24123c95a8730a63cc87db93cef0be3

SHA256
d2a5016b52b4998e031ebe3ca2339c0ef9dad8a8b0a96b252785cde4992a882f

SHA512
31cb7c27ec50fc65430281a2e82712cc976c651ad560acc956854987506fe11f98aeadb8c3b6741f1587f21c32333a2fe0fed34ce98decc4c973409d2fded78d

Download Submit
C:\Windows\{295A3FAF-EB6D-4de4-86E7-F5BAA1C3A296}.exe

Filesize
372KB

MD5
975268db805b493f61e7acaa26c4f74a

SHA1
5e43d380c24123c95a8730a63cc87db93cef0be3

SHA256
d2a5016b52b4998e031ebe3ca2339c0ef9dad8a8b0a96b252785cde4992a882f

SHA512
31cb7c27ec50fc65430281a2e82712cc976c651ad560acc956854987506fe11f98aeadb8c3b6741f1587f21c32333a2fe0fed34ce98decc4c973409d2fded78d

Download Submit
C:\Windows\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe

Filesize
372KB

MD5
c9e81ef84c6a4a257341de8a8b28110b

SHA1
73adbf455b83703d4ec619ea831c8873f0410f69

SHA256
05469c21887673b1e3151d3f1f39144549cb27f1f8b58f28d1fcc4e4000e5a8b

SHA512
b878f4e0647720e1e6b507297f8a36696cf96477417a2a97017415e519451ae6cc4e1f6aab19b99a2494f07e6146f533336bb710193927d12d84748ae6d93c66

Download Submit
C:\Windows\{41B5E0C2-6022-411f-A3A6-E923A5F6526A}.exe

Filesize
372KB

MD5
c9e81ef84c6a4a257341de8a8b28110b

SHA1
73adbf455b83703d4ec619ea831c8873f0410f69

SHA256
05469c21887673b1e3151d3f1f39144549cb27f1f8b58f28d1fcc4e4000e5a8b

SHA512
b878f4e0647720e1e6b507297f8a36696cf96477417a2a97017415e519451ae6cc4e1f6aab19b99a2494f07e6146f533336bb710193927d12d84748ae6d93c66

Download Submit
C:\Windows\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe

Filesize
372KB

MD5
585cf2dbbff19fa4f7dafef82bddf9bf

SHA1
cf57ec0cc334efcc037bb8d822f811f95d1264cb

SHA256
6c227abfb87fc7c8ca4074ac02666d315d2af6e55f6019a6f563ad1c353bfc3b

SHA512
efd308c15565f06de5ee55f7397f37bf7b7954da989fc861b2ff78488d1cfbdeb3dc10868c92738ffcd6267f2c3958b21cdfaa357fa79bd010e06577503cf815

Download Submit
C:\Windows\{4BF78C96-A213-4af7-B3E1-A18128A7C79B}.exe

Filesize
372KB

MD5
585cf2dbbff19fa4f7dafef82bddf9bf

SHA1
cf57ec0cc334efcc037bb8d822f811f95d1264cb

SHA256
6c227abfb87fc7c8ca4074ac02666d315d2af6e55f6019a6f563ad1c353bfc3b

SHA512
efd308c15565f06de5ee55f7397f37bf7b7954da989fc861b2ff78488d1cfbdeb3dc10868c92738ffcd6267f2c3958b21cdfaa357fa79bd010e06577503cf815

Download Submit
C:\Windows\{53E50989-7517-4580-AB48-609FBE621B73}.exe

Filesize
372KB

MD5
3e21afb15a6bea98ba4198a924dac10c

SHA1
098fa684b9333ff44d59cd3d4338d43ef3bd4c26

SHA256
5ba4a6b1c4c61121a61a0caef71c016621bd12615e815b8ab0068f04e89ba4d0

SHA512
78fd29364bd086497866e8aa3a9c9d7bab4a5200e3f1e23eb40fb7e5329ce7453a3c33f9f75f2880995b96f55da91170fcc116b74000cdcbe1a289944c5c14fe

Download Submit
C:\Windows\{53E50989-7517-4580-AB48-609FBE621B73}.exe

Filesize
372KB

MD5
3e21afb15a6bea98ba4198a924dac10c

SHA1
098fa684b9333ff44d59cd3d4338d43ef3bd4c26

SHA256
5ba4a6b1c4c61121a61a0caef71c016621bd12615e815b8ab0068f04e89ba4d0

SHA512
78fd29364bd086497866e8aa3a9c9d7bab4a5200e3f1e23eb40fb7e5329ce7453a3c33f9f75f2880995b96f55da91170fcc116b74000cdcbe1a289944c5c14fe

Download Submit
C:\Windows\{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe

Filesize
372KB

MD5
63de30b408057f076a1bf581522cf427

SHA1
a93538493a58bc36f7886c9c279faa5b514a4a7d

SHA256
80d58e41db5883f4ad1bfa09bc4cc53990911e8931ecf1a7806dc1eb32b694eb

SHA512
8cb799ce6e551c6b08ff8e74287f3ba78acc1aec6fedf3be2576dceed2bd8cccb70fef13d1bf9d6bfbe0d8bae90cb96c59deb1f75f2924d27442df1b667ca812

Download Submit
C:\Windows\{62DFE92A-988C-413f-A143-FE9FFEC67134}.exe

Filesize
372KB

MD5
63de30b408057f076a1bf581522cf427

SHA1
a93538493a58bc36f7886c9c279faa5b514a4a7d

SHA256
80d58e41db5883f4ad1bfa09bc4cc53990911e8931ecf1a7806dc1eb32b694eb

SHA512
8cb799ce6e551c6b08ff8e74287f3ba78acc1aec6fedf3be2576dceed2bd8cccb70fef13d1bf9d6bfbe0d8bae90cb96c59deb1f75f2924d27442df1b667ca812

Download Submit
C:\Windows\{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe

Filesize
372KB

MD5
d052de8b19bd4be4adb0d9578833e73d

SHA1
13ab702d3d5cc53bb00201ebc10194df85885163

SHA256
d53f79bd4149d614796c7f6b5123e322278c3fd874ea11ce394014d20a1cb820

SHA512
0f4eb29696c15791cceeb9078d9e37e426f7cde9cb5fb595f06cbff065837d6d00f40425e9e5ba127a99e700c1d4d33ee24770976c8225592b669f625a634273

Download Submit
C:\Windows\{802EF6B9-BE54-4601-B9E7-7380288736FC}.exe

Filesize
372KB

MD5
d052de8b19bd4be4adb0d9578833e73d

SHA1
13ab702d3d5cc53bb00201ebc10194df85885163

SHA256
d53f79bd4149d614796c7f6b5123e322278c3fd874ea11ce394014d20a1cb820

SHA512
0f4eb29696c15791cceeb9078d9e37e426f7cde9cb5fb595f06cbff065837d6d00f40425e9e5ba127a99e700c1d4d33ee24770976c8225592b669f625a634273

Download Submit
C:\Windows\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe

Filesize
372KB

MD5
a991ad5447b538d189fd291c561f41e0

SHA1
79e98a980bb1503823ed009e6c681b7e537e096e

SHA256
05fcffbc4d3a360fb4a98ca3d66c145124b6c7960aa3002e873d2a11b0bcf1bf

SHA512
816e54eaba8e37ac6133319e8cabb8b608ce94420e054cc52ae530345dd6d79b3ba9aa3348da0aef42ede7377a7621e65c812851821b31b9c85f7b6b488cbe89

Download Submit
C:\Windows\{A0FCFC11-FD17-4414-917E-3580BE9FDBFC}.exe

Filesize
372KB

MD5
a991ad5447b538d189fd291c561f41e0

SHA1
79e98a980bb1503823ed009e6c681b7e537e096e

SHA256
05fcffbc4d3a360fb4a98ca3d66c145124b6c7960aa3002e873d2a11b0bcf1bf

SHA512
816e54eaba8e37ac6133319e8cabb8b608ce94420e054cc52ae530345dd6d79b3ba9aa3348da0aef42ede7377a7621e65c812851821b31b9c85f7b6b488cbe89

Download Submit
C:\Windows\{B477F968-A205-40e8-B8C8-01619E1C2086}.exe

Filesize
372KB

MD5
1db7ceb6fcd5d61a1069e00df6e98392

SHA1
f64229a7af9797731b1638dafa16237a23e15d5c

SHA256
7bd4ae11468142c3ecb3e9c72ae7753e25e772dea5d8f8a83eff46e0399dee19

SHA512
5f4a3781c281285233014576885d5be3af92f01adc2b74b8766391d456f90eb2a055eaed0d42650181d49c3597170cd8dddc5242e29b30a798a63d15c3a98b70

Download Submit
C:\Windows\{B477F968-A205-40e8-B8C8-01619E1C2086}.exe

Filesize
372KB

MD5
1db7ceb6fcd5d61a1069e00df6e98392

SHA1
f64229a7af9797731b1638dafa16237a23e15d5c

SHA256
7bd4ae11468142c3ecb3e9c72ae7753e25e772dea5d8f8a83eff46e0399dee19

SHA512
5f4a3781c281285233014576885d5be3af92f01adc2b74b8766391d456f90eb2a055eaed0d42650181d49c3597170cd8dddc5242e29b30a798a63d15c3a98b70

Download Submit
C:\Windows\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe

Filesize
372KB

MD5
e59329ed5ab50c20b2887bebb238660b

SHA1
f8ff84da190e1b746b7ceb937c8f3c2f9cae5b0e

SHA256
1008c208f4ce506aafa98cfa4ce14ac5ccd051b0f087744d988eec18b3ff33ae

SHA512
42720a804a40185032bd1b9a0955fc8ca45f612d69697dd0143b3f19c09548dfaa4bb4a42e0a163935cce5a33365eb1c1ec7c7079c3329aeb60c11a8ab812b9c

Download Submit
C:\Windows\{F762CB9D-3284-465d-A7B3-1708C88D1CF7}.exe

Filesize
372KB

MD5
e59329ed5ab50c20b2887bebb238660b

SHA1
f8ff84da190e1b746b7ceb937c8f3c2f9cae5b0e

SHA256
1008c208f4ce506aafa98cfa4ce14ac5ccd051b0f087744d988eec18b3ff33ae

SHA512
42720a804a40185032bd1b9a0955fc8ca45f612d69697dd0143b3f19c09548dfaa4bb4a42e0a163935cce5a33365eb1c1ec7c7079c3329aeb60c11a8ab812b9c

Download Submit
C:\Windows\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe

Filesize
372KB

MD5
e2084f3c67996e3c431193e399442877

SHA1
c1fcb507a22426a9397a59ddf74ec6cecffe1ec5

SHA256
90debb972a37522d658bc0da90e684790eb8bb31d861028ccdb9f8a42bed801a

SHA512
06611edd927b74f36917bc4203000c844a2231e997a02e83f25fd356cad3cacd8fc40a5a3b415b2eaf0ffa316c4269554623f4fbc7f785446fd6650ecb0a9e84

Download Submit
C:\Windows\{FC9016E7-C123-4bb3-9B82-FADABD1CD0BC}.exe

Filesize
372KB

MD5
e2084f3c67996e3c431193e399442877

SHA1
c1fcb507a22426a9397a59ddf74ec6cecffe1ec5

SHA256
90debb972a37522d658bc0da90e684790eb8bb31d861028ccdb9f8a42bed801a

SHA512
06611edd927b74f36917bc4203000c844a2231e997a02e83f25fd356cad3cacd8fc40a5a3b415b2eaf0ffa316c4269554623f4fbc7f785446fd6650ecb0a9e84

Download Submit
C:\Windows\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe

Filesize
372KB

MD5
9363cb24ad77a4270eb43563824590e5

SHA1
c0b3848cb387ef409e795f0f7c9253ad740c6b0c

SHA256
ea60f300c0874cf32837d6fd3b00050d236d1d06c47e6f5753cf3f9ad549a6f7

SHA512
5c949437f0030a8e9ca560ad036607c6cd46df3bd0b028efc1beb239a91fdb16ccff80be139e9ec3851a2f0c32174f33df4bc0907b6bd8a66fd12fc39a9e8c70

Download Submit
C:\Windows\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe

Filesize
372KB

MD5
9363cb24ad77a4270eb43563824590e5

SHA1
c0b3848cb387ef409e795f0f7c9253ad740c6b0c

SHA256
ea60f300c0874cf32837d6fd3b00050d236d1d06c47e6f5753cf3f9ad549a6f7

SHA512
5c949437f0030a8e9ca560ad036607c6cd46df3bd0b028efc1beb239a91fdb16ccff80be139e9ec3851a2f0c32174f33df4bc0907b6bd8a66fd12fc39a9e8c70

Download Submit
C:\Windows\{FF52B0BA-504A-4563-96F3-923CCA02AEF9}.exe

Filesize
372KB

MD5
9363cb24ad77a4270eb43563824590e5

SHA1
c0b3848cb387ef409e795f0f7c9253ad740c6b0c

SHA256
ea60f300c0874cf32837d6fd3b00050d236d1d06c47e6f5753cf3f9ad549a6f7

SHA512
5c949437f0030a8e9ca560ad036607c6cd46df3bd0b028efc1beb239a91fdb16ccff80be139e9ec3851a2f0c32174f33df4bc0907b6bd8a66fd12fc39a9e8c70

Download Submit