606f97e261d994503874abb889c19510c612f2b4378a9c5315ddcb418ff936ad

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

946f3dd384ba33exeexeexeex.exe
Size

168KB
MD5

946f3dd384ba33578e209d55042286e5
SHA1

9077d0023c439af365ae4ab280bf03e59834d4a9
SHA256

606f97e261d994503874abb889c19510c612f2b4378a9c5315ddcb418ff936ad
SHA512

4b6b94e14cb9dddb64a5fcf6500c461c74b7cd3eb666a9744517f54434a6e8ffdbeccff45b35dca8ca23c24e6ab65d84b1b0836f6bec2eaf3222ea8c70863158
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}\stubpath = "C:\\Windows\\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe"	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}\stubpath = "C:\\Windows\\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe"	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}\stubpath = "C:\\Windows\\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe"	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934832E6-103D-440e-93CE-7D855F1A14E0}	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57C58D62-3B26-4866-BBC3-54339F9F565F}	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}\stubpath = "C:\\Windows\\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe"	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}\stubpath = "C:\\Windows\\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe"	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7662E34A-B662-489e-B62E-BEB1961A4DBF}\stubpath = "C:\\Windows\\{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe"	946f3dd384ba33exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}\stubpath = "C:\\Windows\\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe"	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57C58D62-3B26-4866-BBC3-54339F9F565F}\stubpath = "C:\\Windows\\{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe"	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}	{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A178257-EE7F-4358-AEF0-B89971BC665C}\stubpath = "C:\\Windows\\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe"	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934832E6-103D-440e-93CE-7D855F1A14E0}\stubpath = "C:\\Windows\\{934832E6-103D-440e-93CE-7D855F1A14E0}.exe"	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}\stubpath = "C:\\Windows\\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe"	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}\stubpath = "C:\\Windows\\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe"	{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7662E34A-B662-489e-B62E-BEB1961A4DBF}	946f3dd384ba33exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A178257-EE7F-4358-AEF0-B89971BC665C}	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe

Executes dropped EXE 12 IoCs

pid	Process
3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe
5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
452	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
1284	{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe
4244	{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
File created	C:\Windows\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
File created	C:\Windows\{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
File created	C:\Windows\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
File created	C:\Windows\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
File created	C:\Windows\{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
File created	C:\Windows\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
File created	C:\Windows\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
File created	C:\Windows\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe	{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe
File created	C:\Windows\{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	946f3dd384ba33exeexeexeex.exe
File created	C:\Windows\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
File created	C:\Windows\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3700	946f3dd384ba33exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
Token: SeIncBasePriorityPrivilege	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe
Token: SeIncBasePriorityPrivilege	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
Token: SeIncBasePriorityPrivilege	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
Token: SeIncBasePriorityPrivilege	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
Token: SeIncBasePriorityPrivilege	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
Token: SeIncBasePriorityPrivilege	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
Token: SeIncBasePriorityPrivilege	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
Token: SeIncBasePriorityPrivilege	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
Token: SeIncBasePriorityPrivilege	452	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
Token: SeIncBasePriorityPrivilege	1284	{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3108	3700	946f3dd384ba33exeexeexeex.exe	87
PID 3700 wrote to memory of 3108	3700	946f3dd384ba33exeexeexeex.exe	87
PID 3700 wrote to memory of 3108	3700	946f3dd384ba33exeexeexeex.exe	87
PID 3700 wrote to memory of 4352	3700	946f3dd384ba33exeexeexeex.exe	88
PID 3700 wrote to memory of 4352	3700	946f3dd384ba33exeexeexeex.exe	88
PID 3700 wrote to memory of 4352	3700	946f3dd384ba33exeexeexeex.exe	88
PID 3108 wrote to memory of 2644	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	89
PID 3108 wrote to memory of 2644	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	89
PID 3108 wrote to memory of 2644	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	89
PID 3108 wrote to memory of 4468	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	90
PID 3108 wrote to memory of 4468	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	90
PID 3108 wrote to memory of 4468	3108	{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe	90
PID 2644 wrote to memory of 5060	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	94
PID 2644 wrote to memory of 5060	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	94
PID 2644 wrote to memory of 5060	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	94
PID 2644 wrote to memory of 1364	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	95
PID 2644 wrote to memory of 1364	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	95
PID 2644 wrote to memory of 1364	2644	{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe	95
PID 5060 wrote to memory of 3640	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	96
PID 5060 wrote to memory of 3640	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	96
PID 5060 wrote to memory of 3640	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	96
PID 5060 wrote to memory of 1552	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	97
PID 5060 wrote to memory of 1552	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	97
PID 5060 wrote to memory of 1552	5060	{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe	97
PID 3640 wrote to memory of 4272	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	98
PID 3640 wrote to memory of 4272	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	98
PID 3640 wrote to memory of 4272	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	98
PID 3640 wrote to memory of 3516	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	99
PID 3640 wrote to memory of 3516	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	99
PID 3640 wrote to memory of 3516	3640	{934832E6-103D-440e-93CE-7D855F1A14E0}.exe	99
PID 4272 wrote to memory of 2540	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	100
PID 4272 wrote to memory of 2540	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	100
PID 4272 wrote to memory of 2540	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	100
PID 4272 wrote to memory of 5072	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	101
PID 4272 wrote to memory of 5072	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	101
PID 4272 wrote to memory of 5072	4272	{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe	101
PID 2540 wrote to memory of 1644	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	102
PID 2540 wrote to memory of 1644	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	102
PID 2540 wrote to memory of 1644	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	102
PID 2540 wrote to memory of 5100	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	103
PID 2540 wrote to memory of 5100	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	103
PID 2540 wrote to memory of 5100	2540	{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe	103
PID 1644 wrote to memory of 2120	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	104
PID 1644 wrote to memory of 2120	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	104
PID 1644 wrote to memory of 2120	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	104
PID 1644 wrote to memory of 916	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	105
PID 1644 wrote to memory of 916	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	105
PID 1644 wrote to memory of 916	1644	{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe	105
PID 2120 wrote to memory of 2312	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	106
PID 2120 wrote to memory of 2312	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	106
PID 2120 wrote to memory of 2312	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	106
PID 2120 wrote to memory of 3784	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	107
PID 2120 wrote to memory of 3784	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	107
PID 2120 wrote to memory of 3784	2120	{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe	107
PID 2312 wrote to memory of 452	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	108
PID 2312 wrote to memory of 452	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	108
PID 2312 wrote to memory of 452	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	108
PID 2312 wrote to memory of 1856	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	109
PID 2312 wrote to memory of 1856	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	109
PID 2312 wrote to memory of 1856	2312	{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe	109
PID 452 wrote to memory of 1284	452	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe	110
PID 452 wrote to memory of 1284	452	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe	110
PID 452 wrote to memory of 1284	452	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe	110
PID 452 wrote to memory of 1536	452	{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe	111

C:\Users\Admin\AppData\Local\Temp\946f3dd384ba33exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\946f3dd384ba33exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
  C:\Windows\{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe
    C:\Windows\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
      C:\Windows\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
        
        C:\Windows\{934832E6-103D-440e-93CE-7D855F1A14E0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
        
        C:\Windows\{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
        
        C:\Windows\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
        
        C:\Windows\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
        
        C:\Windows\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
        
        C:\Windows\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
        
        C:\Windows\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe
        
        C:\Windows\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe
        
        C:\Windows\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0AF1~1.EXE > nul
        13⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9CFC~1.EXE > nul
        12⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26CDF~1.EXE > nul
        11⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B47A6~1.EXE > nul
        10⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BB4~1.EXE > nul
        9⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F228~1.EXE > nul
        8⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57C58~1.EXE > nul
        7⤵
        
        PID:5072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93483~1.EXE > nul
        6⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A178~1.EXE > nul
        5⤵
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6AE~1.EXE > nul
      4⤵
      PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7662E~1.EXE > nul
    3⤵
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\946F3D~1.EXE > nul
  2⤵
  PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe

Filesize
168KB

MD5
39f20c135eafb7e0ccd29c03257b98c5

SHA1
85ba63c35d98a30e570087ad64c9a2ee162221dd

SHA256
4e09cfe5009d72ed1ea1179e175d09963cdc465b132fb8bb2f8b1585cd48cea1

SHA512
c029bf15df034cc123272d6b138e845aa5aa8893907c52497050128cff35bbc24bae5c4ff973b14f4ade50ff9d4fc597e690b2987637e94d76f69b96e9f8af4c

Download Submit
C:\Windows\{0F2288D2-86D0-4ac5-9EA1-D5BB249B63C3}.exe

Filesize
168KB

MD5
39f20c135eafb7e0ccd29c03257b98c5

SHA1
85ba63c35d98a30e570087ad64c9a2ee162221dd

SHA256
4e09cfe5009d72ed1ea1179e175d09963cdc465b132fb8bb2f8b1585cd48cea1

SHA512
c029bf15df034cc123272d6b138e845aa5aa8893907c52497050128cff35bbc24bae5c4ff973b14f4ade50ff9d4fc597e690b2987637e94d76f69b96e9f8af4c

Download Submit
C:\Windows\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe

Filesize
168KB

MD5
c5c2d886292a56a7e8a22008f3501ab5

SHA1
8cdc1131a04b8c42fcc8375854694a9b5097438b

SHA256
f38e95cedd17e9454ed00c800cf49680a648922a356fcbed2db7a73ac5a56a34

SHA512
dcf630287d6696cd38f6ec2b37e4f4ac82f29fc7ff8069f3b687133bcaf39938f0f43630403cc2ab067a231c3c1fe7aca71c73104cf23d68b9ee3606a817c44d

Download Submit
C:\Windows\{1A6AE41F-53DD-4b3a-8832-7F50E620C199}.exe

Filesize
168KB

MD5
c5c2d886292a56a7e8a22008f3501ab5

SHA1
8cdc1131a04b8c42fcc8375854694a9b5097438b

SHA256
f38e95cedd17e9454ed00c800cf49680a648922a356fcbed2db7a73ac5a56a34

SHA512
dcf630287d6696cd38f6ec2b37e4f4ac82f29fc7ff8069f3b687133bcaf39938f0f43630403cc2ab067a231c3c1fe7aca71c73104cf23d68b9ee3606a817c44d

Download Submit
C:\Windows\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe

Filesize
168KB

MD5
e0b4598fa56285d550317acf573022b3

SHA1
9237a16a137f8d094071289525e5920c9b1f09ee

SHA256
19ce22d06df2bcd399be1427d87f4a7d37f524157a6c63648beef04ecae85cce

SHA512
21c206e8ddab73cfe120cda9964b03af18562be7ba06ae5c3553ac3802a404978623c0a4c5bea4e386c9421acb530b76faf584c273b759a924403a06dbbb10bc

Download Submit
C:\Windows\{26CDFE6B-D006-428c-A6E5-644A3A613B6F}.exe

Filesize
168KB

MD5
e0b4598fa56285d550317acf573022b3

SHA1
9237a16a137f8d094071289525e5920c9b1f09ee

SHA256
19ce22d06df2bcd399be1427d87f4a7d37f524157a6c63648beef04ecae85cce

SHA512
21c206e8ddab73cfe120cda9964b03af18562be7ba06ae5c3553ac3802a404978623c0a4c5bea4e386c9421acb530b76faf584c273b759a924403a06dbbb10bc

Download Submit
C:\Windows\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe

Filesize
168KB

MD5
d82b77f571d54cabb293f9b7895ba19c

SHA1
150e22182edcd06edc447efb1cba9a339a1405af

SHA256
459b683ecd2918bff52510a6a8b3a706907bba367a7a60fad673ca9195680721

SHA512
d36c8d6b818b836c6d39fa4aa4660e79f1b6d21934ad3e4a2d7ab3b336ae3f9dbf2755a758c6a926e555a2eabfc8f040179b7be5d77b952cdd4937d47a35ed34

Download Submit
C:\Windows\{28D62BFD-6F39-486b-A15F-B7BA6F4AF5D1}.exe

Filesize
168KB

MD5
d82b77f571d54cabb293f9b7895ba19c

SHA1
150e22182edcd06edc447efb1cba9a339a1405af

SHA256
459b683ecd2918bff52510a6a8b3a706907bba367a7a60fad673ca9195680721

SHA512
d36c8d6b818b836c6d39fa4aa4660e79f1b6d21934ad3e4a2d7ab3b336ae3f9dbf2755a758c6a926e555a2eabfc8f040179b7be5d77b952cdd4937d47a35ed34

Download Submit
C:\Windows\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe

Filesize
168KB

MD5
3b17f3302a42d5d1faf621e25c483d44

SHA1
dda38df6af5471873830c8808d5511762d052304

SHA256
1a36f1bc126967e12ef7e8729464ac066a61dc88e825774fb7ba35e23ad91d61

SHA512
45b0c5029b7391511405f2b816b348c263ee5646088c4698d628dcbf9e77ee9995ffbc41a485fffabb4b648b075018ee2223c9060524993887b850f63f6d2f8d

Download Submit
C:\Windows\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe

Filesize
168KB

MD5
3b17f3302a42d5d1faf621e25c483d44

SHA1
dda38df6af5471873830c8808d5511762d052304

SHA256
1a36f1bc126967e12ef7e8729464ac066a61dc88e825774fb7ba35e23ad91d61

SHA512
45b0c5029b7391511405f2b816b348c263ee5646088c4698d628dcbf9e77ee9995ffbc41a485fffabb4b648b075018ee2223c9060524993887b850f63f6d2f8d

Download Submit
C:\Windows\{4A178257-EE7F-4358-AEF0-B89971BC665C}.exe

Filesize
168KB

MD5
3b17f3302a42d5d1faf621e25c483d44

SHA1
dda38df6af5471873830c8808d5511762d052304

SHA256
1a36f1bc126967e12ef7e8729464ac066a61dc88e825774fb7ba35e23ad91d61

SHA512
45b0c5029b7391511405f2b816b348c263ee5646088c4698d628dcbf9e77ee9995ffbc41a485fffabb4b648b075018ee2223c9060524993887b850f63f6d2f8d

Download Submit
C:\Windows\{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe

Filesize
168KB

MD5
be56b32c04431bed2dbd833cc7ceaa6d

SHA1
c0467a2f4befe45a6c26a6add829656168e9f57a

SHA256
b8dec0e2f54050055c01ab4e7f2c9d6e231973ff0b363b8140a21177082e175d

SHA512
8ccaab66e74e72231d1fe990f7728eda50c75446a9d2927f5525698198dec058dbe50542f7100f81a7d6476305396525e88427d3302eec9c97cbd6d2dff1a2d4

Download Submit
C:\Windows\{57C58D62-3B26-4866-BBC3-54339F9F565F}.exe

Filesize
168KB

MD5
be56b32c04431bed2dbd833cc7ceaa6d

SHA1
c0467a2f4befe45a6c26a6add829656168e9f57a

SHA256
b8dec0e2f54050055c01ab4e7f2c9d6e231973ff0b363b8140a21177082e175d

SHA512
8ccaab66e74e72231d1fe990f7728eda50c75446a9d2927f5525698198dec058dbe50542f7100f81a7d6476305396525e88427d3302eec9c97cbd6d2dff1a2d4

Download Submit
C:\Windows\{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe

Filesize
168KB

MD5
d64e6a54ecae77def764e5016869c028

SHA1
5016ea19464a88ab0c3243daf87d78f0bda334b0

SHA256
54be98176a375dfafd7aefe6a1a602e0ab51ee8ca6615183c9ed956e5b0337b8

SHA512
9db52a27b52760805d80649aa0f67df80571afcbfbd3e4d3e3984d27dcc9a503b800ecccecd12f24125bdf0492d6d2633a32c8a2d6b95aaa45bc3ad66a94febb

Download Submit
C:\Windows\{7662E34A-B662-489e-B62E-BEB1961A4DBF}.exe

Filesize
168KB

MD5
d64e6a54ecae77def764e5016869c028

SHA1
5016ea19464a88ab0c3243daf87d78f0bda334b0

SHA256
54be98176a375dfafd7aefe6a1a602e0ab51ee8ca6615183c9ed956e5b0337b8

SHA512
9db52a27b52760805d80649aa0f67df80571afcbfbd3e4d3e3984d27dcc9a503b800ecccecd12f24125bdf0492d6d2633a32c8a2d6b95aaa45bc3ad66a94febb

Download Submit
C:\Windows\{934832E6-103D-440e-93CE-7D855F1A14E0}.exe

Filesize
168KB

MD5
09457eb957fe17bbaa9b485a87a5c070

SHA1
967d557ed1433e8ac751592395cc2cdd24cc4cf7

SHA256
ff9eab18305a6eabb3da54967f2ff500a8bf5c7cf087aec13424dde8e85204e4

SHA512
d8c912c8a8975db85d75af9b4ec9170fba617e84da7bdfda429e278eafe3daffd1a351904c15971d6f46eb853befdfe8dab2c929f801df3198e5da206e446cb1

Download Submit
C:\Windows\{934832E6-103D-440e-93CE-7D855F1A14E0}.exe

Filesize
168KB

MD5
09457eb957fe17bbaa9b485a87a5c070

SHA1
967d557ed1433e8ac751592395cc2cdd24cc4cf7

SHA256
ff9eab18305a6eabb3da54967f2ff500a8bf5c7cf087aec13424dde8e85204e4

SHA512
d8c912c8a8975db85d75af9b4ec9170fba617e84da7bdfda429e278eafe3daffd1a351904c15971d6f46eb853befdfe8dab2c929f801df3198e5da206e446cb1

Download Submit
C:\Windows\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe

Filesize
168KB

MD5
f8709e8f56e9a14bc767a48d24590103

SHA1
980efead83bd608c1ee39e9a6d21a96d36b14282

SHA256
96903dad5aece6a4c1a06ea2cbaeb467d50842a652586194536feecb0c1acf79

SHA512
95e0e2f25d155572aa54832fa5672cd4506234bc9da21a212a5f8be5b6bf70585eec248cb43ec1d56d941db0c2505e2f8bb0ec8c451556c6bf08862380c80647

Download Submit
C:\Windows\{A5BB48DF-1A76-4a1d-81C1-3F8A1D93C52E}.exe

Filesize
168KB

MD5
f8709e8f56e9a14bc767a48d24590103

SHA1
980efead83bd608c1ee39e9a6d21a96d36b14282

SHA256
96903dad5aece6a4c1a06ea2cbaeb467d50842a652586194536feecb0c1acf79

SHA512
95e0e2f25d155572aa54832fa5672cd4506234bc9da21a212a5f8be5b6bf70585eec248cb43ec1d56d941db0c2505e2f8bb0ec8c451556c6bf08862380c80647

Download Submit
C:\Windows\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe

Filesize
168KB

MD5
d73df195dcae35d1da8f5a03fa4f74e6

SHA1
ee1e412cedd8dbf336c392d00aae1eaeb40021ea

SHA256
b9cbbc1e2b4d0d361a5e69b4340b0dedda0f4e6061c8364bc307ecbaa74ab035

SHA512
6ca5c4a2d04db73f216dd05b4b2928ef7388274ec4cd38061ad5fbeff2580fe47b8051cf95207d0081f00b6dfd86d59350bf8e017776aa1943f92fe103a7da7f

Download Submit
C:\Windows\{B47A6B0D-DC1E-4eb7-AEA7-52FE732506C0}.exe

Filesize
168KB

MD5
d73df195dcae35d1da8f5a03fa4f74e6

SHA1
ee1e412cedd8dbf336c392d00aae1eaeb40021ea

SHA256
b9cbbc1e2b4d0d361a5e69b4340b0dedda0f4e6061c8364bc307ecbaa74ab035

SHA512
6ca5c4a2d04db73f216dd05b4b2928ef7388274ec4cd38061ad5fbeff2580fe47b8051cf95207d0081f00b6dfd86d59350bf8e017776aa1943f92fe103a7da7f

Download Submit
C:\Windows\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe

Filesize
168KB

MD5
6a7bdfba6dd88f2253e639b8fd9af95d

SHA1
aa6b93221f9fa494f4d55a78e0003bedd0e6c71a

SHA256
83c0bb69a5a6aa8cc34644b28e601eca5e5a3f288f6b46e90ae8f4ca756b0351

SHA512
261c758c27997b580ce6aeb1ebb1f28cc77f4e3c814e3a2999bb168aa13d552af9644318a6866142d31470f233a76976afc74f684f7f8805727bca15204d20c2

Download Submit
C:\Windows\{E0AF1CB6-3A4E-4523-A1E6-A62370121956}.exe

Filesize
168KB

MD5
6a7bdfba6dd88f2253e639b8fd9af95d

SHA1
aa6b93221f9fa494f4d55a78e0003bedd0e6c71a

SHA256
83c0bb69a5a6aa8cc34644b28e601eca5e5a3f288f6b46e90ae8f4ca756b0351

SHA512
261c758c27997b580ce6aeb1ebb1f28cc77f4e3c814e3a2999bb168aa13d552af9644318a6866142d31470f233a76976afc74f684f7f8805727bca15204d20c2

Download Submit
C:\Windows\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe

Filesize
168KB

MD5
b22aea15987d8a97ce6f59bd16165256

SHA1
5cf8e4bfdc1ae2131b43d461867d2f534cfab71f

SHA256
7969edb42720a60e0bdd2ed33a428a224840d38f00c3bdec691c9a1dda6be741

SHA512
32b65b05c9aac0d5e32408ba4832486e162f432a32193d711cc22829036b4fa0c83a2f8d9707a697036b9bbb99d8e7c186c471e3135dc4b9d01070b5b0c71202

Download Submit
C:\Windows\{F9CFC44F-EDF9-4cfe-97E7-90B4BBDAF519}.exe

Filesize
168KB

MD5
b22aea15987d8a97ce6f59bd16165256

SHA1
5cf8e4bfdc1ae2131b43d461867d2f534cfab71f

SHA256
7969edb42720a60e0bdd2ed33a428a224840d38f00c3bdec691c9a1dda6be741

SHA512
32b65b05c9aac0d5e32408ba4832486e162f432a32193d711cc22829036b4fa0c83a2f8d9707a697036b9bbb99d8e7c186c471e3135dc4b9d01070b5b0c71202

Download Submit