4c01e72e7bccc5bf938a6c8a0f7ba1c947ecbf51abd2d02b2f5137f52d3a28ab

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92ba12b970aab6exeexeexeex.exe
Size

168KB
MD5

92ba12b970aab6fde366f8aa96a52f6b
SHA1

bb06f293130c6480915fd7589cf0ac856b5d35d7
SHA256

4c01e72e7bccc5bf938a6c8a0f7ba1c947ecbf51abd2d02b2f5137f52d3a28ab
SHA512

0935bb64c593d9ef989ef9d9851a21c8ade24e65d69b70bb13e0e104facb009716e8603e5271ad2bb259840c1622448577be3f00b076c3ec66e3e5a0ef9eff22
SSDEEP

1536:1EGh0oTrlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTrlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80614CA2-E1AC-4241-BC19-2B46A9016686}	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}	92ba12b970aab6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9D650B8-2E54-419f-AD85-1B5C72076A06}\stubpath = "C:\\Windows\\{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe"	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59017504-3DBB-4f86-ADAC-27C57CDE4013}\stubpath = "C:\\Windows\\{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe"	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}\stubpath = "C:\\Windows\\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe"	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}\stubpath = "C:\\Windows\\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe"	{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9D650B8-2E54-419f-AD85-1B5C72076A06}	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2480B800-0CDE-4b85-8E53-571A7D14D841}\stubpath = "C:\\Windows\\{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe"	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}\stubpath = "C:\\Windows\\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe"	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}\stubpath = "C:\\Windows\\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe"	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2480B800-0CDE-4b85-8E53-571A7D14D841}	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}\stubpath = "C:\\Windows\\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe"	92ba12b970aab6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}\stubpath = "C:\\Windows\\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe"	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}\stubpath = "C:\\Windows\\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe"	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59017504-3DBB-4f86-ADAC-27C57CDE4013}	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}\stubpath = "C:\\Windows\\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe"	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80614CA2-E1AC-4241-BC19-2B46A9016686}\stubpath = "C:\\Windows\\{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe"	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}	{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe

Executes dropped EXE 12 IoCs

pid	Process
2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe
3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
4564	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
860	{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe
4668	{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
File created	C:\Windows\{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
File created	C:\Windows\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe	{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe
File created	C:\Windows\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	92ba12b970aab6exeexeexeex.exe
File created	C:\Windows\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
File created	C:\Windows\{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
File created	C:\Windows\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
File created	C:\Windows\{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
File created	C:\Windows\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
File created	C:\Windows\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
File created	C:\Windows\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
File created	C:\Windows\{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4752	92ba12b970aab6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
Token: SeIncBasePriorityPrivilege	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
Token: SeIncBasePriorityPrivilege	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe
Token: SeIncBasePriorityPrivilege	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
Token: SeIncBasePriorityPrivilege	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
Token: SeIncBasePriorityPrivilege	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
Token: SeIncBasePriorityPrivilege	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
Token: SeIncBasePriorityPrivilege	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
Token: SeIncBasePriorityPrivilege	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
Token: SeIncBasePriorityPrivilege	4564	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
Token: SeIncBasePriorityPrivilege	860	{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2492	4752	92ba12b970aab6exeexeexeex.exe	83
PID 4752 wrote to memory of 2492	4752	92ba12b970aab6exeexeexeex.exe	83
PID 4752 wrote to memory of 2492	4752	92ba12b970aab6exeexeexeex.exe	83
PID 4752 wrote to memory of 720	4752	92ba12b970aab6exeexeexeex.exe	84
PID 4752 wrote to memory of 720	4752	92ba12b970aab6exeexeexeex.exe	84
PID 4752 wrote to memory of 720	4752	92ba12b970aab6exeexeexeex.exe	84
PID 2492 wrote to memory of 4728	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	85
PID 2492 wrote to memory of 4728	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	85
PID 2492 wrote to memory of 4728	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	85
PID 2492 wrote to memory of 3488	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	86
PID 2492 wrote to memory of 3488	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	86
PID 2492 wrote to memory of 3488	2492	{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe	86
PID 4728 wrote to memory of 2276	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	90
PID 4728 wrote to memory of 2276	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	90
PID 4728 wrote to memory of 2276	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	90
PID 4728 wrote to memory of 2820	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	91
PID 4728 wrote to memory of 2820	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	91
PID 4728 wrote to memory of 2820	4728	{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe	91
PID 2276 wrote to memory of 3692	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	92
PID 2276 wrote to memory of 3692	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	92
PID 2276 wrote to memory of 3692	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	92
PID 2276 wrote to memory of 3628	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	93
PID 2276 wrote to memory of 3628	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	93
PID 2276 wrote to memory of 3628	2276	{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe	93
PID 3692 wrote to memory of 2344	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	94
PID 3692 wrote to memory of 2344	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	94
PID 3692 wrote to memory of 2344	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	94
PID 3692 wrote to memory of 2212	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	95
PID 3692 wrote to memory of 2212	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	95
PID 3692 wrote to memory of 2212	3692	{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe	95
PID 2344 wrote to memory of 1076	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	96
PID 2344 wrote to memory of 1076	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	96
PID 2344 wrote to memory of 1076	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	96
PID 2344 wrote to memory of 3652	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	97
PID 2344 wrote to memory of 3652	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	97
PID 2344 wrote to memory of 3652	2344	{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe	97
PID 1076 wrote to memory of 4200	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	98
PID 1076 wrote to memory of 4200	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	98
PID 1076 wrote to memory of 4200	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	98
PID 1076 wrote to memory of 3564	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	99
PID 1076 wrote to memory of 3564	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	99
PID 1076 wrote to memory of 3564	1076	{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe	99
PID 4200 wrote to memory of 1944	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	100
PID 4200 wrote to memory of 1944	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	100
PID 4200 wrote to memory of 1944	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	100
PID 4200 wrote to memory of 4100	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	101
PID 4200 wrote to memory of 4100	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	101
PID 4200 wrote to memory of 4100	4200	{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe	101
PID 1944 wrote to memory of 2712	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	102
PID 1944 wrote to memory of 2712	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	102
PID 1944 wrote to memory of 2712	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	102
PID 1944 wrote to memory of 2108	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	103
PID 1944 wrote to memory of 2108	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	103
PID 1944 wrote to memory of 2108	1944	{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe	103
PID 2712 wrote to memory of 4564	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	104
PID 2712 wrote to memory of 4564	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	104
PID 2712 wrote to memory of 4564	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	104
PID 2712 wrote to memory of 1204	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	105
PID 2712 wrote to memory of 1204	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	105
PID 2712 wrote to memory of 1204	2712	{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe	105
PID 4564 wrote to memory of 860	4564	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe	106
PID 4564 wrote to memory of 860	4564	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe	106
PID 4564 wrote to memory of 860	4564	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe	106
PID 4564 wrote to memory of 3080	4564	{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe	107

C:\Users\Admin\AppData\Local\Temp\92ba12b970aab6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\92ba12b970aab6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
  C:\Windows\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
    C:\Windows\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe
      C:\Windows\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
        
        C:\Windows\{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
        
        C:\Windows\{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
        
        C:\Windows\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
        
        C:\Windows\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
        
        C:\Windows\{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
        
        C:\Windows\{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
        
        C:\Windows\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe
        
        C:\Windows\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe
        
        C:\Windows\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF02B~1.EXE > nul
        13⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33C6F~1.EXE > nul
        12⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2480B~1.EXE > nul
        11⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80614~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33889~1.EXE > nul
        9⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F42A~1.EXE > nul
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59017~1.EXE > nul
        7⤵
        
        PID:3652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9D65~1.EXE > nul
        6⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB0FF~1.EXE > nul
        5⤵
        
        PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59691~1.EXE > nul
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F5F~1.EXE > nul
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\92BA12~1.EXE > nul
  2⤵
  PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe

Filesize
168KB

MD5
7f3c555b5e42b970453b5b299a8b26d7

SHA1
8efbb1b4e57927ee75199511f833ea04e80aa491

SHA256
8abb3d2e348786c3da1a24d334e5be33360369635be406e3d133578a2a7513e3

SHA512
f65dff5e7fdcfa3ec5f4803afba64eac417b2f6436ac7f9807c4e35f0ed1ef64eedf9148ed914d98989752a8967539c2a5c06483097e2f466bee9aa029cbcc39

Download Submit
C:\Windows\{0F42AEE4-A21A-4a01-A425-9EB3AE1E2ECB}.exe

Filesize
168KB

MD5
7f3c555b5e42b970453b5b299a8b26d7

SHA1
8efbb1b4e57927ee75199511f833ea04e80aa491

SHA256
8abb3d2e348786c3da1a24d334e5be33360369635be406e3d133578a2a7513e3

SHA512
f65dff5e7fdcfa3ec5f4803afba64eac417b2f6436ac7f9807c4e35f0ed1ef64eedf9148ed914d98989752a8967539c2a5c06483097e2f466bee9aa029cbcc39

Download Submit
C:\Windows\{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe

Filesize
168KB

MD5
28f2bdd3ad8ca0499c74d5ce0f484557

SHA1
71fc84f9e6bacbc2043be554c9f2abea949b2e4a

SHA256
2048f25b0784b97d52494e14b68306522b6e2df1098e55679e62db31185546cd

SHA512
53416214dd6a775929c7a97ef9b9e2b018813e5349e2abc2cc20b5d0404eb95256966191e852201a9dc293b19ff95492c7efa3dc7294d8bb0e87a25b45227ab1

Download Submit
C:\Windows\{2480B800-0CDE-4b85-8E53-571A7D14D841}.exe

Filesize
168KB

MD5
28f2bdd3ad8ca0499c74d5ce0f484557

SHA1
71fc84f9e6bacbc2043be554c9f2abea949b2e4a

SHA256
2048f25b0784b97d52494e14b68306522b6e2df1098e55679e62db31185546cd

SHA512
53416214dd6a775929c7a97ef9b9e2b018813e5349e2abc2cc20b5d0404eb95256966191e852201a9dc293b19ff95492c7efa3dc7294d8bb0e87a25b45227ab1

Download Submit
C:\Windows\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe

Filesize
168KB

MD5
99e692b53d5636ab58149d503a6dc3bc

SHA1
8849fef3da1aa640cc044c6a6e7c601e3387d531

SHA256
a881f4504e6e28bd6ac933f5164c5f2857580c1083bc3aa8533a29fdb9f8f9c0

SHA512
6140b2499e18f24754c1772d5732ef907f8ab3f24638d83c34a0d1ff4726098072f0651e21c5620f8271153196c2920bcce67a9dacac7688539242a421afa6c2

Download Submit
C:\Windows\{3388996F-B6B9-4531-AA5D-DA9BE3431E8A}.exe

Filesize
168KB

MD5
99e692b53d5636ab58149d503a6dc3bc

SHA1
8849fef3da1aa640cc044c6a6e7c601e3387d531

SHA256
a881f4504e6e28bd6ac933f5164c5f2857580c1083bc3aa8533a29fdb9f8f9c0

SHA512
6140b2499e18f24754c1772d5732ef907f8ab3f24638d83c34a0d1ff4726098072f0651e21c5620f8271153196c2920bcce67a9dacac7688539242a421afa6c2

Download Submit
C:\Windows\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe

Filesize
168KB

MD5
6aaf5d908fe91188969ea97b82c02137

SHA1
464117080384ffff4fb56ec01d3dba223c787057

SHA256
4b92d42d0fa146ecd3a1053f5111fe95c88bacb1de0c83e4ed8bb0898c1741c2

SHA512
f9fec5ea1a323056063a7fff758652b3fa16abc066db2b0c3ed6400ffe84982d699c992d869ecd57c1b62236004b9858a299d3ea00866a88af0047bd5756f928

Download Submit
C:\Windows\{33C6FA36-FB7F-4445-9A5E-F7ADDFF1D945}.exe

Filesize
168KB

MD5
6aaf5d908fe91188969ea97b82c02137

SHA1
464117080384ffff4fb56ec01d3dba223c787057

SHA256
4b92d42d0fa146ecd3a1053f5111fe95c88bacb1de0c83e4ed8bb0898c1741c2

SHA512
f9fec5ea1a323056063a7fff758652b3fa16abc066db2b0c3ed6400ffe84982d699c992d869ecd57c1b62236004b9858a299d3ea00866a88af0047bd5756f928

Download Submit
C:\Windows\{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe

Filesize
168KB

MD5
022988bef3c4cf390c5f9eee708e290d

SHA1
7d7b09b7dae035f9d820c1a1034a18e2742d2341

SHA256
d32787f2f0b6e6951ef259fc955b0b8b623c074ca1cf6dd0cbfb31cddf309df6

SHA512
bee7c28055d98daac844463ebb432d7886b78ad7d2865f300f94ffcc484e696d24bfb7ab08a24f0598c47b15b62591efb9425dc98ad3708b433778eec93c3fb7

Download Submit
C:\Windows\{59017504-3DBB-4f86-ADAC-27C57CDE4013}.exe

Filesize
168KB

MD5
022988bef3c4cf390c5f9eee708e290d

SHA1
7d7b09b7dae035f9d820c1a1034a18e2742d2341

SHA256
d32787f2f0b6e6951ef259fc955b0b8b623c074ca1cf6dd0cbfb31cddf309df6

SHA512
bee7c28055d98daac844463ebb432d7886b78ad7d2865f300f94ffcc484e696d24bfb7ab08a24f0598c47b15b62591efb9425dc98ad3708b433778eec93c3fb7

Download Submit
C:\Windows\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe

Filesize
168KB

MD5
9eb26675ea66345cad4d4d525793f2f8

SHA1
820e5f8a6a405e98d7ca75e316f8f2e196f2baeb

SHA256
a9bd4fd6f5f2e697f1275e91bdde1344b196a4eb91630060037b70479dc60f2e

SHA512
fa1d6f99480e81ef4175100dd4369db4b03105b7d5ef5accecb75dcb57252d5f023f14fd5f5f245bd9c0ab6e540190f6278041bf4a1ea4e5896f236812867fa1

Download Submit
C:\Windows\{596919FD-75E0-4d0d-BFB9-FF80DE6E1ED8}.exe

Filesize
168KB

MD5
9eb26675ea66345cad4d4d525793f2f8

SHA1
820e5f8a6a405e98d7ca75e316f8f2e196f2baeb

SHA256
a9bd4fd6f5f2e697f1275e91bdde1344b196a4eb91630060037b70479dc60f2e

SHA512
fa1d6f99480e81ef4175100dd4369db4b03105b7d5ef5accecb75dcb57252d5f023f14fd5f5f245bd9c0ab6e540190f6278041bf4a1ea4e5896f236812867fa1

Download Submit
C:\Windows\{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe

Filesize
168KB

MD5
8334b290e2c1032997a92f4483f8dee7

SHA1
bc67866ab173532a3c70a79d56a7dcd54ae6aade

SHA256
b9ce6e1da3a631d1a56564e87f4164cd0ee27a038c19c83ddb7405960e939220

SHA512
28582358c4b5e01df6cb1ab418c3bdadf9b63583fb08d761d7693bc4eb9f1df78f2fbe6499061175b5f1cc6aca23cc16eadce25ad03ed7aa9739b5b910325de2

Download Submit
C:\Windows\{80614CA2-E1AC-4241-BC19-2B46A9016686}.exe

Filesize
168KB

MD5
8334b290e2c1032997a92f4483f8dee7

SHA1
bc67866ab173532a3c70a79d56a7dcd54ae6aade

SHA256
b9ce6e1da3a631d1a56564e87f4164cd0ee27a038c19c83ddb7405960e939220

SHA512
28582358c4b5e01df6cb1ab418c3bdadf9b63583fb08d761d7693bc4eb9f1df78f2fbe6499061175b5f1cc6aca23cc16eadce25ad03ed7aa9739b5b910325de2

Download Submit
C:\Windows\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe

Filesize
168KB

MD5
1200feb02907d5cd4c2d5da2a72a0085

SHA1
44bcdaaade3a4d7409acc9bcfe0454d8f3841008

SHA256
7baf3bf32f543c5ca439f048d5c4246516f63cec76620bbd5ac4822c08710e8e

SHA512
cf7535d045ca42688fb630915df861488bcc0ffffbf0451515acf7e229c9eca3892147ecc191980eda11145fcbe3b4d33a2d02d5b9900a2f49d444e9b730fddd

Download Submit
C:\Windows\{A5F5FE1F-8CD6-4623-9945-0624D0E7148F}.exe

Filesize
168KB

MD5
1200feb02907d5cd4c2d5da2a72a0085

SHA1
44bcdaaade3a4d7409acc9bcfe0454d8f3841008

SHA256
7baf3bf32f543c5ca439f048d5c4246516f63cec76620bbd5ac4822c08710e8e

SHA512
cf7535d045ca42688fb630915df861488bcc0ffffbf0451515acf7e229c9eca3892147ecc191980eda11145fcbe3b4d33a2d02d5b9900a2f49d444e9b730fddd

Download Submit
C:\Windows\{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe

Filesize
168KB

MD5
22153c48dbb580862355de740554a63b

SHA1
c1d0deb67720bbd1ef79fcc661c19b64c409ff38

SHA256
76e556c681ab107d42a9d35e2d37b83dce38143900a0dc1720720abe23bb0b22

SHA512
56dc9c9e0c77116e8b0e1e7509e712f6899af2174265e4b2066ae1d43bb1ebbffa8c4681faf767cba1ce626352507125cce44a58128427d71379a027aa0d1e9c

Download Submit
C:\Windows\{A9D650B8-2E54-419f-AD85-1B5C72076A06}.exe

Filesize
168KB

MD5
22153c48dbb580862355de740554a63b

SHA1
c1d0deb67720bbd1ef79fcc661c19b64c409ff38

SHA256
76e556c681ab107d42a9d35e2d37b83dce38143900a0dc1720720abe23bb0b22

SHA512
56dc9c9e0c77116e8b0e1e7509e712f6899af2174265e4b2066ae1d43bb1ebbffa8c4681faf767cba1ce626352507125cce44a58128427d71379a027aa0d1e9c

Download Submit
C:\Windows\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe

Filesize
168KB

MD5
1c17a298a1ce20b8f381871d1bb95d44

SHA1
871abeaa81ee60faa8714a5db2dd0ccda809ff19

SHA256
8cb7cd9311c7720c9078776c9b2a85ed575e96d525bc20b28c04213136da34b1

SHA512
8e18ef0cfa7757004fb7ae390ab42415d624271338f5409bc1c4d509b0b1adc8cb7c654f7d31b11c7300ca53122b59d83c59b273760d05e3a3b2d65218830e75

Download Submit
C:\Windows\{BD53AA84-BBCC-4df0-B160-5CE82EF326FC}.exe

Filesize
168KB

MD5
1c17a298a1ce20b8f381871d1bb95d44

SHA1
871abeaa81ee60faa8714a5db2dd0ccda809ff19

SHA256
8cb7cd9311c7720c9078776c9b2a85ed575e96d525bc20b28c04213136da34b1

SHA512
8e18ef0cfa7757004fb7ae390ab42415d624271338f5409bc1c4d509b0b1adc8cb7c654f7d31b11c7300ca53122b59d83c59b273760d05e3a3b2d65218830e75

Download Submit
C:\Windows\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe

Filesize
168KB

MD5
976e99806a27645de0d838a970c7b9db

SHA1
ae8d8cdb80b4d94e65d9359c950224f685807e13

SHA256
580a14de640cf124f9f52c696363992e5f65ba92e7d0d0c5525985debd60a7f6

SHA512
83dceed9da5a0f43e0cdeab86040bdc694efeeb8b49b8933e36004678d9c72e7df615dfb5297a16dfaa2655bfa2e93413adfee199e3503781580821c3e7c0dab

Download Submit
C:\Windows\{DF02B8E5-9D13-4447-BF27-9C72D9C23379}.exe

Filesize
168KB

MD5
976e99806a27645de0d838a970c7b9db

SHA1
ae8d8cdb80b4d94e65d9359c950224f685807e13

SHA256
580a14de640cf124f9f52c696363992e5f65ba92e7d0d0c5525985debd60a7f6

SHA512
83dceed9da5a0f43e0cdeab86040bdc694efeeb8b49b8933e36004678d9c72e7df615dfb5297a16dfaa2655bfa2e93413adfee199e3503781580821c3e7c0dab

Download Submit
C:\Windows\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe

Filesize
168KB

MD5
31a2a97f680a32020356b2e488ab1620

SHA1
ec2891860e65369fd20357ba426fb50215167d75

SHA256
4ec538789a3d8d5e7204bbdc1fcfd5711245f4c734d0acddc0c798cdca526531

SHA512
4b2fd08df5635ff974ef4817514bc4f570dc9a0f770bdf5f784d95abe607a235ddb23016cafa024c11f4ebe613800893ce2182d4262bbb13fc11f7610aec3bfa

Download Submit
C:\Windows\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe

Filesize
168KB

MD5
31a2a97f680a32020356b2e488ab1620

SHA1
ec2891860e65369fd20357ba426fb50215167d75

SHA256
4ec538789a3d8d5e7204bbdc1fcfd5711245f4c734d0acddc0c798cdca526531

SHA512
4b2fd08df5635ff974ef4817514bc4f570dc9a0f770bdf5f784d95abe607a235ddb23016cafa024c11f4ebe613800893ce2182d4262bbb13fc11f7610aec3bfa

Download Submit
C:\Windows\{FB0FF134-2401-47b9-8CEC-EEC8431875C7}.exe

Filesize
168KB

MD5
31a2a97f680a32020356b2e488ab1620

SHA1
ec2891860e65369fd20357ba426fb50215167d75

SHA256
4ec538789a3d8d5e7204bbdc1fcfd5711245f4c734d0acddc0c798cdca526531

SHA512
4b2fd08df5635ff974ef4817514bc4f570dc9a0f770bdf5f784d95abe607a235ddb23016cafa024c11f4ebe613800893ce2182d4262bbb13fc11f7610aec3bfa

Download Submit