11d2d2ef470b9d8e0f29b5744b3e1969583ea40abf68eb7a337a156e4cd9fe77

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

917def1b61598bexeexeexeex.exe
Size

168KB
MD5

917def1b61598b2edca9cac59674196a
SHA1

088c2f15ec734b40daf74a1ace8d8be298e63406
SHA256

11d2d2ef470b9d8e0f29b5744b3e1969583ea40abf68eb7a337a156e4cd9fe77
SHA512

f72153cb216c8762beab5ecd1d344e983c9edbda573996333968f92988d2939b76e4d20cb243adcd1836a8290f394002ddf472938f37de53416ad9f46a200001
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}\stubpath = "C:\\Windows\\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe"	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F780B6C8-66C8-44d5-93D2-3F1C69941732}\stubpath = "C:\\Windows\\{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe"	917def1b61598bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A90E8F5C-873A-4d2e-8AFF-552979853472}	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}\stubpath = "C:\\Windows\\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe"	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}\stubpath = "C:\\Windows\\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe"	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F780B6C8-66C8-44d5-93D2-3F1C69941732}	917def1b61598bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A90E8F5C-873A-4d2e-8AFF-552979853472}\stubpath = "C:\\Windows\\{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe"	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}\stubpath = "C:\\Windows\\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe"	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}	{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}\stubpath = "C:\\Windows\\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe"	{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABFCF307-069F-43ef-834F-D7045253F2AE}	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}\stubpath = "C:\\Windows\\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe"	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}\stubpath = "C:\\Windows\\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe"	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}\stubpath = "C:\\Windows\\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe"	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABFCF307-069F-43ef-834F-D7045253F2AE}\stubpath = "C:\\Windows\\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe"	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}\stubpath = "C:\\Windows\\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe"	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe
1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe
3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
3232	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
4200	{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe
5056	{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
File created	C:\Windows\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe	{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe
File created	C:\Windows\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
File created	C:\Windows\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
File created	C:\Windows\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
File created	C:\Windows\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
File created	C:\Windows\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
File created	C:\Windows\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe
File created	C:\Windows\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
File created	C:\Windows\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
File created	C:\Windows\{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	917def1b61598bexeexeexeex.exe
File created	C:\Windows\{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3468	917def1b61598bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe
Token: SeIncBasePriorityPrivilege	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
Token: SeIncBasePriorityPrivilege	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
Token: SeIncBasePriorityPrivilege	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
Token: SeIncBasePriorityPrivilege	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
Token: SeIncBasePriorityPrivilege	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
Token: SeIncBasePriorityPrivilege	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe
Token: SeIncBasePriorityPrivilege	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
Token: SeIncBasePriorityPrivilege	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
Token: SeIncBasePriorityPrivilege	3232	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
Token: SeIncBasePriorityPrivilege	4200	{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4424	3468	917def1b61598bexeexeexeex.exe	84
PID 3468 wrote to memory of 4424	3468	917def1b61598bexeexeexeex.exe	84
PID 3468 wrote to memory of 4424	3468	917def1b61598bexeexeexeex.exe	84
PID 3468 wrote to memory of 704	3468	917def1b61598bexeexeexeex.exe	85
PID 3468 wrote to memory of 704	3468	917def1b61598bexeexeexeex.exe	85
PID 3468 wrote to memory of 704	3468	917def1b61598bexeexeexeex.exe	85
PID 4424 wrote to memory of 1436	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	86
PID 4424 wrote to memory of 1436	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	86
PID 4424 wrote to memory of 1436	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	86
PID 4424 wrote to memory of 4656	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	87
PID 4424 wrote to memory of 4656	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	87
PID 4424 wrote to memory of 4656	4424	{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe	87
PID 1436 wrote to memory of 4920	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	91
PID 1436 wrote to memory of 4920	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	91
PID 1436 wrote to memory of 4920	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	91
PID 1436 wrote to memory of 1568	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	90
PID 1436 wrote to memory of 1568	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	90
PID 1436 wrote to memory of 1568	1436	{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe	90
PID 4920 wrote to memory of 2544	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	93
PID 4920 wrote to memory of 2544	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	93
PID 4920 wrote to memory of 2544	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	93
PID 4920 wrote to memory of 4216	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	94
PID 4920 wrote to memory of 4216	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	94
PID 4920 wrote to memory of 4216	4920	{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe	94
PID 2544 wrote to memory of 3768	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	95
PID 2544 wrote to memory of 3768	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	95
PID 2544 wrote to memory of 3768	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	95
PID 2544 wrote to memory of 2136	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	96
PID 2544 wrote to memory of 2136	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	96
PID 2544 wrote to memory of 2136	2544	{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe	96
PID 3768 wrote to memory of 3988	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	97
PID 3768 wrote to memory of 3988	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	97
PID 3768 wrote to memory of 3988	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	97
PID 3768 wrote to memory of 4544	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	98
PID 3768 wrote to memory of 4544	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	98
PID 3768 wrote to memory of 4544	3768	{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe	98
PID 3988 wrote to memory of 2096	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	99
PID 3988 wrote to memory of 2096	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	99
PID 3988 wrote to memory of 2096	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	99
PID 3988 wrote to memory of 3112	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	100
PID 3988 wrote to memory of 3112	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	100
PID 3988 wrote to memory of 3112	3988	{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe	100
PID 2096 wrote to memory of 3260	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	101
PID 2096 wrote to memory of 3260	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	101
PID 2096 wrote to memory of 3260	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	101
PID 2096 wrote to memory of 5108	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	102
PID 2096 wrote to memory of 5108	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	102
PID 2096 wrote to memory of 5108	2096	{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe	102
PID 3260 wrote to memory of 3416	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	103
PID 3260 wrote to memory of 3416	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	103
PID 3260 wrote to memory of 3416	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	103
PID 3260 wrote to memory of 1596	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	104
PID 3260 wrote to memory of 1596	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	104
PID 3260 wrote to memory of 1596	3260	{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe	104
PID 3416 wrote to memory of 3232	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	105
PID 3416 wrote to memory of 3232	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	105
PID 3416 wrote to memory of 3232	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	105
PID 3416 wrote to memory of 1328	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	106
PID 3416 wrote to memory of 1328	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	106
PID 3416 wrote to memory of 1328	3416	{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe	106
PID 3232 wrote to memory of 4200	3232	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe	107
PID 3232 wrote to memory of 4200	3232	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe	107
PID 3232 wrote to memory of 4200	3232	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe	107
PID 3232 wrote to memory of 2144	3232	{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe	108

C:\Users\Admin\AppData\Local\Temp\917def1b61598bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\917def1b61598bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe
  C:\Windows\{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
    C:\Windows\{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A90E8~1.EXE > nul
      4⤵
      PID:1568
  - - C:\Windows\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
      C:\Windows\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
        
        C:\Windows\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
        
        C:\Windows\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
        
        C:\Windows\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe
        
        C:\Windows\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
        
        C:\Windows\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
        
        C:\Windows\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
        
        C:\Windows\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe
        
        C:\Windows\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe
        
        C:\Windows\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe
        13⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C8E6~1.EXE > nul
        13⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F85B~1.EXE > nul
        12⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C475~1.EXE > nul
        11⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A94C7~1.EXE > nul
        10⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE5F~1.EXE > nul
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C3D0~1.EXE > nul
        8⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AA69~1.EXE > nul
        7⤵
        
        PID:4544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB292~1.EXE > nul
        6⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABFCF~1.EXE > nul
        5⤵
        
        PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F780B~1.EXE > nul
    3⤵
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\917DEF~1.EXE > nul
  2⤵
  PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe

Filesize
168KB

MD5
8237edcee615d45cadaddd017b3e8fc0

SHA1
8529574f58022709789c51a53898a2cdfe11825d

SHA256
5489b641b73a3b9a22389f0518b647b065024d91bc93b48e4a561979b9bf3d5a

SHA512
fa221adf973fa08b0a01d2fc389285a7d32e4c1b9f8fe4238e462b7c105b416f1353b01ca90be6bcd7f7e8dfd4209a98e7e4c2605f268f2139192c6a2ded855f

Download Submit
C:\Windows\{3C475F73-615B-4bd6-AE3D-DF8B8DA2B71A}.exe

Filesize
168KB

MD5
8237edcee615d45cadaddd017b3e8fc0

SHA1
8529574f58022709789c51a53898a2cdfe11825d

SHA256
5489b641b73a3b9a22389f0518b647b065024d91bc93b48e4a561979b9bf3d5a

SHA512
fa221adf973fa08b0a01d2fc389285a7d32e4c1b9f8fe4238e462b7c105b416f1353b01ca90be6bcd7f7e8dfd4209a98e7e4c2605f268f2139192c6a2ded855f

Download Submit
C:\Windows\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe

Filesize
168KB

MD5
fe2f57387e43884931ee89a40fdd2de7

SHA1
f639aab47718cce35427a11904e991bb76b9f1f3

SHA256
30f07f2ec3c051f7caec464e4fb2a1eacdfa44fc6036cc24dd4f89d39a99ea72

SHA512
8b45b7c267c32c4468b74691b599042c08969e869d117b5e929c42d13703269d73c59f3c1b026ccbdb4c563b40723d155ab468c0046964ea95cedd1a41b6ecae

Download Submit
C:\Windows\{3F85B06F-7812-46b6-B1D8-9DE2525099DE}.exe

Filesize
168KB

MD5
fe2f57387e43884931ee89a40fdd2de7

SHA1
f639aab47718cce35427a11904e991bb76b9f1f3

SHA256
30f07f2ec3c051f7caec464e4fb2a1eacdfa44fc6036cc24dd4f89d39a99ea72

SHA512
8b45b7c267c32c4468b74691b599042c08969e869d117b5e929c42d13703269d73c59f3c1b026ccbdb4c563b40723d155ab468c0046964ea95cedd1a41b6ecae

Download Submit
C:\Windows\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe

Filesize
168KB

MD5
e6508a28a9e9c112bdcbaf75e28c82c9

SHA1
bc271a3c49025cb86ff94f05f51ccdadbc1e1689

SHA256
3886e7dff7dedd72ab97f57265f7df04a9c32ba4eeca6fdd5650db2c227bebc3

SHA512
7809610d38fa6ed2c33e578f20277fb5e3b4025a4cfff150082b9027cca904993fc77b72d6c7452fa89a6f0e8e36c879ae403a05d43e696c1505299eca042092

Download Submit
C:\Windows\{4AA690BA-EFDB-45d2-9A6B-9859FB89F6DC}.exe

Filesize
168KB

MD5
e6508a28a9e9c112bdcbaf75e28c82c9

SHA1
bc271a3c49025cb86ff94f05f51ccdadbc1e1689

SHA256
3886e7dff7dedd72ab97f57265f7df04a9c32ba4eeca6fdd5650db2c227bebc3

SHA512
7809610d38fa6ed2c33e578f20277fb5e3b4025a4cfff150082b9027cca904993fc77b72d6c7452fa89a6f0e8e36c879ae403a05d43e696c1505299eca042092

Download Submit
C:\Windows\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe

Filesize
168KB

MD5
b2c9641aaf7181ed2980bc3d139759bd

SHA1
c23a1fe1640824fc80f03f83f80a96f8ee636fa4

SHA256
3d1e3b229148df2ce6cb9f8969e3b3a5d358c1b29fa67da3f637977e4cb39ec8

SHA512
9506bd3f13fc12395b9921a3e17ff302568f28d5453bb57062e4d3d398987aabc5450cbaa5a4ab76f8e693294c054d906b706186d396f6c7d8b56441aec60134

Download Submit
C:\Windows\{4EE5F5EA-0B3D-4c6c-AE80-6AD9C4259B1E}.exe

Filesize
168KB

MD5
b2c9641aaf7181ed2980bc3d139759bd

SHA1
c23a1fe1640824fc80f03f83f80a96f8ee636fa4

SHA256
3d1e3b229148df2ce6cb9f8969e3b3a5d358c1b29fa67da3f637977e4cb39ec8

SHA512
9506bd3f13fc12395b9921a3e17ff302568f28d5453bb57062e4d3d398987aabc5450cbaa5a4ab76f8e693294c054d906b706186d396f6c7d8b56441aec60134

Download Submit
C:\Windows\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe

Filesize
168KB

MD5
a716ee37295337db6d72399fe39f9626

SHA1
f63c7419789eae756ce9172df236a26f957bd780

SHA256
cb1a342ce01f9fa4502d258b1478e2ff5795e905e957a3616f17f39eee02770e

SHA512
f57593fae186f6de72aca147402b309b7ed571dcba04db474bf6f5da4bf4470bf5eac74988540c7de9218d8b43ecd93b747e9ae103041b5ad383b14d792944f8

Download Submit
C:\Windows\{8C3D0DA8-762C-4d92-99EB-3CEB9EAEDD31}.exe

Filesize
168KB

MD5
a716ee37295337db6d72399fe39f9626

SHA1
f63c7419789eae756ce9172df236a26f957bd780

SHA256
cb1a342ce01f9fa4502d258b1478e2ff5795e905e957a3616f17f39eee02770e

SHA512
f57593fae186f6de72aca147402b309b7ed571dcba04db474bf6f5da4bf4470bf5eac74988540c7de9218d8b43ecd93b747e9ae103041b5ad383b14d792944f8

Download Submit
C:\Windows\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe

Filesize
168KB

MD5
3fb2d9a90492fee3e2a3715d5ac3086d

SHA1
77a9a4447221b83d2256f7ba8406ffc0afb9720e

SHA256
90a38a062c9a407357b1870cf24b0e3e619f80e67dca12cd41a541adb179e620

SHA512
e0485c384378e6fa9e29142567926e7c1e52fe8b37a04fca26cdb5fedc7363e2ceed2ec57888472655fc482bd9a65916bcddce8dd5f1ef613c3b069d051bc997

Download Submit
C:\Windows\{8C8E651E-1D52-4ad3-ABF5-A4DBB29ABE8F}.exe

Filesize
168KB

MD5
3fb2d9a90492fee3e2a3715d5ac3086d

SHA1
77a9a4447221b83d2256f7ba8406ffc0afb9720e

SHA256
90a38a062c9a407357b1870cf24b0e3e619f80e67dca12cd41a541adb179e620

SHA512
e0485c384378e6fa9e29142567926e7c1e52fe8b37a04fca26cdb5fedc7363e2ceed2ec57888472655fc482bd9a65916bcddce8dd5f1ef613c3b069d051bc997

Download Submit
C:\Windows\{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe

Filesize
168KB

MD5
ee720d92a92f30f8e696637c215bebc1

SHA1
c51218d5458042b42ddd7c566f8b0b882b40a514

SHA256
df8c4dbdbde135fd7a189e607ce4970357ffeee5754ff0399330d5a36d7baef4

SHA512
5823e012c4125bffee20fcc87746eb90072035c6cec6022bdeac268010fa2969477a1cae6aa7cd164f7ccc5cdd69cdf617991a8dfba2da35dd7379d888a05004

Download Submit
C:\Windows\{A90E8F5C-873A-4d2e-8AFF-552979853472}.exe

Filesize
168KB

MD5
ee720d92a92f30f8e696637c215bebc1

SHA1
c51218d5458042b42ddd7c566f8b0b882b40a514

SHA256
df8c4dbdbde135fd7a189e607ce4970357ffeee5754ff0399330d5a36d7baef4

SHA512
5823e012c4125bffee20fcc87746eb90072035c6cec6022bdeac268010fa2969477a1cae6aa7cd164f7ccc5cdd69cdf617991a8dfba2da35dd7379d888a05004

Download Submit
C:\Windows\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe

Filesize
168KB

MD5
eb2ff9a3a91566e687bc721f735d323d

SHA1
5a2b33c3abad37f39f4ade43ae79ad6ae7857b6a

SHA256
9c74008e27da4d534b5fbacd3744dfc8b2a93549f39d0854bf6bc8da3d141dd0

SHA512
7bcbbd3b01e50c8dc71f650a8d07099baa92404fa693acd5e77ba8cb71a8cc648956c6de7df642a1d6f63f4336eab2fe1306a49dfc91dace3a0698be41d35221

Download Submit
C:\Windows\{A94C75A6-DC52-4cba-9E39-160B4345F7D9}.exe

Filesize
168KB

MD5
eb2ff9a3a91566e687bc721f735d323d

SHA1
5a2b33c3abad37f39f4ade43ae79ad6ae7857b6a

SHA256
9c74008e27da4d534b5fbacd3744dfc8b2a93549f39d0854bf6bc8da3d141dd0

SHA512
7bcbbd3b01e50c8dc71f650a8d07099baa92404fa693acd5e77ba8cb71a8cc648956c6de7df642a1d6f63f4336eab2fe1306a49dfc91dace3a0698be41d35221

Download Submit
C:\Windows\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe

Filesize
168KB

MD5
1fb611d7a034fe12bf10b7fa6600e0d8

SHA1
dbd49d0c2c5bf39b65066a2a2aeaf81699037b63

SHA256
c950cf0a47f79fa4ee6ed233e471e82d846f4d89439f5fa149690998747f7873

SHA512
0b812e7246d675468abd5d6211e141928a3afa86694e04b091c8c64005c56c766af3a503fa03789c76028cc7031c09828af4e038f8914a291b420d6db7a8639a

Download Submit
C:\Windows\{AB292C07-9593-4b3f-96B0-46FBA52B37A5}.exe

Filesize
168KB

MD5
1fb611d7a034fe12bf10b7fa6600e0d8

SHA1
dbd49d0c2c5bf39b65066a2a2aeaf81699037b63

SHA256
c950cf0a47f79fa4ee6ed233e471e82d846f4d89439f5fa149690998747f7873

SHA512
0b812e7246d675468abd5d6211e141928a3afa86694e04b091c8c64005c56c766af3a503fa03789c76028cc7031c09828af4e038f8914a291b420d6db7a8639a

Download Submit
C:\Windows\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe

Filesize
168KB

MD5
f776d75ff4960c522be2acb13c977e3b

SHA1
cca0da4cdd6bcdd6294c90dd45542a7e8e83c784

SHA256
a83bf7352d8257794cf42e31bc55c0dd8aec972167d2d4970abf964754501e82

SHA512
b9d765be6c6a1ed720ce3983bfdc60646ce302010f1185cdee9e6dd3aad66b3a39b6bbf6c0102916e8a31fa755252553c29375e09b190fd11362912859e65496

Download Submit
C:\Windows\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe

Filesize
168KB

MD5
f776d75ff4960c522be2acb13c977e3b

SHA1
cca0da4cdd6bcdd6294c90dd45542a7e8e83c784

SHA256
a83bf7352d8257794cf42e31bc55c0dd8aec972167d2d4970abf964754501e82

SHA512
b9d765be6c6a1ed720ce3983bfdc60646ce302010f1185cdee9e6dd3aad66b3a39b6bbf6c0102916e8a31fa755252553c29375e09b190fd11362912859e65496

Download Submit
C:\Windows\{ABFCF307-069F-43ef-834F-D7045253F2AE}.exe

Filesize
168KB

MD5
f776d75ff4960c522be2acb13c977e3b

SHA1
cca0da4cdd6bcdd6294c90dd45542a7e8e83c784

SHA256
a83bf7352d8257794cf42e31bc55c0dd8aec972167d2d4970abf964754501e82

SHA512
b9d765be6c6a1ed720ce3983bfdc60646ce302010f1185cdee9e6dd3aad66b3a39b6bbf6c0102916e8a31fa755252553c29375e09b190fd11362912859e65496

Download Submit
C:\Windows\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe

Filesize
168KB

MD5
439c04cd976a633db9f80fd1e71dfbdd

SHA1
70c6b1c9d5cf56852bb847af4e3785be1130e45d

SHA256
f28e4b5b821eb0c5d6e9229d702bb330136c0519fcbfaf1133081321d8bf25c2

SHA512
2927d66ae98fd99fe75a5a99c7d0522631553237c98690ed8d0adecde8220cc7a6934c85d9752867eafa30791f0d645fe562921e6e1811f003a9e87d3f135d4f

Download Submit
C:\Windows\{C1B841BC-A935-4cf8-A16C-EA577A5FABA7}.exe

Filesize
168KB

MD5
439c04cd976a633db9f80fd1e71dfbdd

SHA1
70c6b1c9d5cf56852bb847af4e3785be1130e45d

SHA256
f28e4b5b821eb0c5d6e9229d702bb330136c0519fcbfaf1133081321d8bf25c2

SHA512
2927d66ae98fd99fe75a5a99c7d0522631553237c98690ed8d0adecde8220cc7a6934c85d9752867eafa30791f0d645fe562921e6e1811f003a9e87d3f135d4f

Download Submit
C:\Windows\{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe

Filesize
168KB

MD5
a6fbcb36f543435c7c220de874258631

SHA1
29fd20ad4a29e15342b8299628f3e1ee96cc9e47

SHA256
116e378b02747f0625901768a648616973dffca62e0a87d28e577bdab8a0519f

SHA512
48bf9c68d2fe82f39d0c6bdc926df6cfc4bae555ddc13999c6b514eb80cf45e694021364d965f963801c62239f2e06c5f6fe09c8d0c49ae42f01e37e1fd3285b

Download Submit
C:\Windows\{F780B6C8-66C8-44d5-93D2-3F1C69941732}.exe

Filesize
168KB

MD5
a6fbcb36f543435c7c220de874258631

SHA1
29fd20ad4a29e15342b8299628f3e1ee96cc9e47

SHA256
116e378b02747f0625901768a648616973dffca62e0a87d28e577bdab8a0519f

SHA512
48bf9c68d2fe82f39d0c6bdc926df6cfc4bae555ddc13999c6b514eb80cf45e694021364d965f963801c62239f2e06c5f6fe09c8d0c49ae42f01e37e1fd3285b

Download Submit