76d66c7485aa7cd185827904613d793ef8ecba88c02b30fbe30806aa4d69435d

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a78f41573d24exeexeexeex.exe
Size

204KB
MD5

a1a78f41573d2439a550056b49c1fa98
SHA1

f1105bc9450c960dcf647dc153efee81997c4737
SHA256

76d66c7485aa7cd185827904613d793ef8ecba88c02b30fbe30806aa4d69435d
SHA512

2dc602e4bd9b5c0442a9ed9c1e3debb2d29bb9c5329bcd03cb0b9911ee1313ce096249e07a5f15a8da16a69f5ef9b2730296f04734e3fbc4f1b9718c64e9451b
SSDEEP

1536:1EGh0oFl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oFl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A1B044-A122-454d-BD21-01AD0055381C}\stubpath = "C:\\Windows\\{56A1B044-A122-454d-BD21-01AD0055381C}.exe"	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}\stubpath = "C:\\Windows\\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe"	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A1B044-A122-454d-BD21-01AD0055381C}	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}	{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}\stubpath = "C:\\Windows\\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe"	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FC150A5-824F-4d7f-8557-C3047680E87E}	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C9677F1-19C0-4a9c-A644-68C359F57216}	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}\stubpath = "C:\\Windows\\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe"	{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}	a1a78f41573d24exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}\stubpath = "C:\\Windows\\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe"	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C9677F1-19C0-4a9c-A644-68C359F57216}\stubpath = "C:\\Windows\\{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe"	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}\stubpath = "C:\\Windows\\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe"	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD6ED94D-4BA8-4691-A05A-019890AFF888}	{56A1B044-A122-454d-BD21-01AD0055381C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD6ED94D-4BA8-4691-A05A-019890AFF888}\stubpath = "C:\\Windows\\{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe"	{56A1B044-A122-454d-BD21-01AD0055381C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}\stubpath = "C:\\Windows\\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe"	a1a78f41573d24exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}\stubpath = "C:\\Windows\\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe"	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}\stubpath = "C:\\Windows\\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe"	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FC150A5-824F-4d7f-8557-C3047680E87E}\stubpath = "C:\\Windows\\{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe"	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe

Executes dropped EXE 12 IoCs

pid	Process
4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe
632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
3140	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe
4172	{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe
4024	{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	a1a78f41573d24exeexeexeex.exe
File created	C:\Windows\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
File created	C:\Windows\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
File created	C:\Windows\{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
File created	C:\Windows\{56A1B044-A122-454d-BD21-01AD0055381C}.exe	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
File created	C:\Windows\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
File created	C:\Windows\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
File created	C:\Windows\{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
File created	C:\Windows\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
File created	C:\Windows\{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	{56A1B044-A122-454d-BD21-01AD0055381C}.exe
File created	C:\Windows\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe
File created	C:\Windows\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe	{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1448	a1a78f41573d24exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
Token: SeIncBasePriorityPrivilege	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
Token: SeIncBasePriorityPrivilege	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
Token: SeIncBasePriorityPrivilege	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
Token: SeIncBasePriorityPrivilege	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
Token: SeIncBasePriorityPrivilege	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
Token: SeIncBasePriorityPrivilege	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
Token: SeIncBasePriorityPrivilege	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe
Token: SeIncBasePriorityPrivilege	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
Token: SeIncBasePriorityPrivilege	3140	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe
Token: SeIncBasePriorityPrivilege	4172	{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4740	1448	a1a78f41573d24exeexeexeex.exe	87
PID 1448 wrote to memory of 4740	1448	a1a78f41573d24exeexeexeex.exe	87
PID 1448 wrote to memory of 4740	1448	a1a78f41573d24exeexeexeex.exe	87
PID 1448 wrote to memory of 4124	1448	a1a78f41573d24exeexeexeex.exe	88
PID 1448 wrote to memory of 4124	1448	a1a78f41573d24exeexeexeex.exe	88
PID 1448 wrote to memory of 4124	1448	a1a78f41573d24exeexeexeex.exe	88
PID 4740 wrote to memory of 4276	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	89
PID 4740 wrote to memory of 4276	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	89
PID 4740 wrote to memory of 4276	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	89
PID 4740 wrote to memory of 2608	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	90
PID 4740 wrote to memory of 2608	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	90
PID 4740 wrote to memory of 2608	4740	{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe	90
PID 4276 wrote to memory of 3056	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	95
PID 4276 wrote to memory of 3056	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	95
PID 4276 wrote to memory of 3056	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	95
PID 4276 wrote to memory of 5012	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	94
PID 4276 wrote to memory of 5012	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	94
PID 4276 wrote to memory of 5012	4276	{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe	94
PID 3056 wrote to memory of 2196	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	96
PID 3056 wrote to memory of 2196	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	96
PID 3056 wrote to memory of 2196	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	96
PID 3056 wrote to memory of 1148	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	97
PID 3056 wrote to memory of 1148	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	97
PID 3056 wrote to memory of 1148	3056	{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe	97
PID 2196 wrote to memory of 4104	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	98
PID 2196 wrote to memory of 4104	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	98
PID 2196 wrote to memory of 4104	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	98
PID 2196 wrote to memory of 4684	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	99
PID 2196 wrote to memory of 4684	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	99
PID 2196 wrote to memory of 4684	2196	{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe	99
PID 4104 wrote to memory of 1380	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	100
PID 4104 wrote to memory of 1380	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	100
PID 4104 wrote to memory of 1380	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	100
PID 4104 wrote to memory of 1716	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	101
PID 4104 wrote to memory of 1716	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	101
PID 4104 wrote to memory of 1716	4104	{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe	101
PID 1380 wrote to memory of 4752	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	102
PID 1380 wrote to memory of 4752	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	102
PID 1380 wrote to memory of 4752	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	102
PID 1380 wrote to memory of 532	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	103
PID 1380 wrote to memory of 532	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	103
PID 1380 wrote to memory of 532	1380	{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe	103
PID 4752 wrote to memory of 4336	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	104
PID 4752 wrote to memory of 4336	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	104
PID 4752 wrote to memory of 4336	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	104
PID 4752 wrote to memory of 1968	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	105
PID 4752 wrote to memory of 1968	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	105
PID 4752 wrote to memory of 1968	4752	{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe	105
PID 4336 wrote to memory of 632	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe	106
PID 4336 wrote to memory of 632	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe	106
PID 4336 wrote to memory of 632	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe	106
PID 4336 wrote to memory of 4920	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe	107
PID 4336 wrote to memory of 4920	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe	107
PID 4336 wrote to memory of 4920	4336	{56A1B044-A122-454d-BD21-01AD0055381C}.exe	107
PID 632 wrote to memory of 3140	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	108
PID 632 wrote to memory of 3140	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	108
PID 632 wrote to memory of 3140	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	108
PID 632 wrote to memory of 4296	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	109
PID 632 wrote to memory of 4296	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	109
PID 632 wrote to memory of 4296	632	{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe	109
PID 3140 wrote to memory of 4172	3140	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe	110
PID 3140 wrote to memory of 4172	3140	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe	110
PID 3140 wrote to memory of 4172	3140	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe	110
PID 3140 wrote to memory of 3192	3140	{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe	111

C:\Users\Admin\AppData\Local\Temp\a1a78f41573d24exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\a1a78f41573d24exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
  C:\Windows\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
    C:\Windows\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C6A3B~1.EXE > nul
      4⤵
      PID:5012
  - - C:\Windows\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
      C:\Windows\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
        
        C:\Windows\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
        
        C:\Windows\{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
        
        C:\Windows\{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
        
        C:\Windows\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\{56A1B044-A122-454d-BD21-01AD0055381C}.exe
        
        C:\Windows\{56A1B044-A122-454d-BD21-01AD0055381C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
        
        C:\Windows\{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe
        
        C:\Windows\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe
        
        C:\Windows\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Windows\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe
        
        C:\Windows\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84326~1.EXE > nul
        13⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C43E~1.EXE > nul
        12⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD6ED~1.EXE > nul
        11⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56A1B~1.EXE > nul
        10⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E29~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C967~1.EXE > nul
        8⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FC15~1.EXE > nul
        7⤵
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4438C~1.EXE > nul
        6⤵
        
        PID:4684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B13~1.EXE > nul
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3272~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A1A78F~1.EXE > nul
  2⤵
  PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe

Filesize
204KB

MD5
1a2712c3e4b234d952e8f523607ae528

SHA1
b37f6fe59f21622b4dac776184768b0224b62a45

SHA256
d70e8c5c1a8cd3f880dc8aced099f50279894b718e224587ca8bdceb63a34465

SHA512
231a2027f76eccacebb2f3f6df54b666cf9755a9a63c3fb64b46e948cece4b26bbb4468a2341c47433e0151a06a7cf17977e91e81c7a769a494550c3451c31a4

Download Submit
C:\Windows\{0C9677F1-19C0-4a9c-A644-68C359F57216}.exe

Filesize
204KB

MD5
1a2712c3e4b234d952e8f523607ae528

SHA1
b37f6fe59f21622b4dac776184768b0224b62a45

SHA256
d70e8c5c1a8cd3f880dc8aced099f50279894b718e224587ca8bdceb63a34465

SHA512
231a2027f76eccacebb2f3f6df54b666cf9755a9a63c3fb64b46e948cece4b26bbb4468a2341c47433e0151a06a7cf17977e91e81c7a769a494550c3451c31a4

Download Submit
C:\Windows\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe

Filesize
204KB

MD5
c67e962c8a990489432ae2aa68092f54

SHA1
fed6bd389ae96ecdb2812206342d685c0973bef4

SHA256
9271b5a646990a56410d68169f0fccfee988bfea2561cdfda22445a6af6d0ba6

SHA512
8a30bccf6c3361decf2d7eb3d0aa0b1f98d628aa40133145bb30524d38572333c24670b3c20e8feb87690be2d36b8ec467c7408f37d51aa263a0c8fc2614dcbb

Download Submit
C:\Windows\{4438C712-96CC-433f-8266-B7CAFAA4B2C7}.exe

Filesize
204KB

MD5
c67e962c8a990489432ae2aa68092f54

SHA1
fed6bd389ae96ecdb2812206342d685c0973bef4

SHA256
9271b5a646990a56410d68169f0fccfee988bfea2561cdfda22445a6af6d0ba6

SHA512
8a30bccf6c3361decf2d7eb3d0aa0b1f98d628aa40133145bb30524d38572333c24670b3c20e8feb87690be2d36b8ec467c7408f37d51aa263a0c8fc2614dcbb

Download Submit
C:\Windows\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe

Filesize
204KB

MD5
8c5822eb29566838790e4370af4b2109

SHA1
9de505811881062e6ec11a791e4209228d955b7a

SHA256
fb8fecdfd393bb8eda57e2416a59ad67a52c178538fb89e84f0427ed11c5b35b

SHA512
19d2f876106ebe6762040826a0e983668ef8a98bdf3f9d864b5edd9f38f178083f644011f5754fce3915d078c8a14327d6c58f39101770890613037f5e2522c5

Download Submit
C:\Windows\{5433C823-0A4F-4ab3-97A0-BEDFECCC3BF6}.exe

Filesize
204KB

MD5
8c5822eb29566838790e4370af4b2109

SHA1
9de505811881062e6ec11a791e4209228d955b7a

SHA256
fb8fecdfd393bb8eda57e2416a59ad67a52c178538fb89e84f0427ed11c5b35b

SHA512
19d2f876106ebe6762040826a0e983668ef8a98bdf3f9d864b5edd9f38f178083f644011f5754fce3915d078c8a14327d6c58f39101770890613037f5e2522c5

Download Submit
C:\Windows\{56A1B044-A122-454d-BD21-01AD0055381C}.exe

Filesize
204KB

MD5
e5725608c5f5c4db3b946fc4fa6784ec

SHA1
fd58750ed865bd4171cbfc79e8d4c3c8195e4704

SHA256
730253a5fa0f6e65e368aec0d7542b50bf3fe81153e80d7d26fe922a37df7260

SHA512
868035c6ff4a9ac708b36847526cd1a923e48e4d8ad7a813622ba4598a75d1893f458797ec72ba702f8002dcc37ecabd3b37d5041a3a158eb029aa0499fdaf4d

Download Submit
C:\Windows\{56A1B044-A122-454d-BD21-01AD0055381C}.exe

Filesize
204KB

MD5
e5725608c5f5c4db3b946fc4fa6784ec

SHA1
fd58750ed865bd4171cbfc79e8d4c3c8195e4704

SHA256
730253a5fa0f6e65e368aec0d7542b50bf3fe81153e80d7d26fe922a37df7260

SHA512
868035c6ff4a9ac708b36847526cd1a923e48e4d8ad7a813622ba4598a75d1893f458797ec72ba702f8002dcc37ecabd3b37d5041a3a158eb029aa0499fdaf4d

Download Submit
C:\Windows\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe

Filesize
204KB

MD5
f83fba080f43a5db66ce2761bee31fef

SHA1
f15699ba799d5ada53f648bf863b69a4f5391885

SHA256
c140e1c15879b19caacfc2c392cb0ba3d60c231309bac83cd5bec18cd8ea4734

SHA512
c4c2aa1010d3aecac25620d9a91a888e9715397c02207723df091c062e1c938ec4efc9e06e54fce31c1cee16504e15e2f61e68c94df1fee183d78a2f81b5f19b

Download Submit
C:\Windows\{6C43EB18-7326-49f5-A78E-6B1BAD334B36}.exe

Filesize
204KB

MD5
f83fba080f43a5db66ce2761bee31fef

SHA1
f15699ba799d5ada53f648bf863b69a4f5391885

SHA256
c140e1c15879b19caacfc2c392cb0ba3d60c231309bac83cd5bec18cd8ea4734

SHA512
c4c2aa1010d3aecac25620d9a91a888e9715397c02207723df091c062e1c938ec4efc9e06e54fce31c1cee16504e15e2f61e68c94df1fee183d78a2f81b5f19b

Download Submit
C:\Windows\{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe

Filesize
204KB

MD5
7e812ca8d567d2868180ac61e3552bb0

SHA1
fefecd6ef1de327e23bc44835a21a9f33d6c48c8

SHA256
3cdaca823f15b4e229c8bf16023628e2398e590ab928645c3ef041d86be56c22

SHA512
390e6090bb508078d89180cfc4e0c7a0384348b5b70911f3ed98a179e807536a529bcf4e980cb85ca4fd20689d060c7fa532e92fb827f547ad4111a7fb0a4d14

Download Submit
C:\Windows\{7FC150A5-824F-4d7f-8557-C3047680E87E}.exe

Filesize
204KB

MD5
7e812ca8d567d2868180ac61e3552bb0

SHA1
fefecd6ef1de327e23bc44835a21a9f33d6c48c8

SHA256
3cdaca823f15b4e229c8bf16023628e2398e590ab928645c3ef041d86be56c22

SHA512
390e6090bb508078d89180cfc4e0c7a0384348b5b70911f3ed98a179e807536a529bcf4e980cb85ca4fd20689d060c7fa532e92fb827f547ad4111a7fb0a4d14

Download Submit
C:\Windows\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe

Filesize
204KB

MD5
a7e8d745876f6f2a446878f8026fb7c7

SHA1
2a677a0a0506ed20e2853cf1ee7877f1339cf887

SHA256
f1c1f10ae5ebebcb679c088f11973b7520a47594c958f1080e7cbecdaa5dd6e1

SHA512
6ad846e8a90cc288b7b1b9d56bf81c4e438986f2c4317172e74106b6df7202a46a7ca993d0f810a1599b42bb217b002909a2f8a87d1a760e6b9a7b7ed65f3549

Download Submit
C:\Windows\{843266DB-AB45-4e13-92E0-E5AD1183F8C7}.exe

Filesize
204KB

MD5
a7e8d745876f6f2a446878f8026fb7c7

SHA1
2a677a0a0506ed20e2853cf1ee7877f1339cf887

SHA256
f1c1f10ae5ebebcb679c088f11973b7520a47594c958f1080e7cbecdaa5dd6e1

SHA512
6ad846e8a90cc288b7b1b9d56bf81c4e438986f2c4317172e74106b6df7202a46a7ca993d0f810a1599b42bb217b002909a2f8a87d1a760e6b9a7b7ed65f3549

Download Submit
C:\Windows\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe

Filesize
204KB

MD5
0e8eef831fdfb49c80f813fef567986c

SHA1
7a8b485506531e9f65f64bd1eac3ed8bda6a9dde

SHA256
d4f058bb8379daaacdd3c5925d2b22a20be2b63789309d12e9136647800f3988

SHA512
187f5890a8d0602d43378c238c9d0fb8cc6e9223a997759805313d2ca734fa77661895d1e6bb925a3141761e4e0d11990a5e2625a73e0772341bb2bc9d5d55c7

Download Submit
C:\Windows\{B32728E0-6CE7-4e4f-ABE4-F4BBA847B291}.exe

Filesize
204KB

MD5
0e8eef831fdfb49c80f813fef567986c

SHA1
7a8b485506531e9f65f64bd1eac3ed8bda6a9dde

SHA256
d4f058bb8379daaacdd3c5925d2b22a20be2b63789309d12e9136647800f3988

SHA512
187f5890a8d0602d43378c238c9d0fb8cc6e9223a997759805313d2ca734fa77661895d1e6bb925a3141761e4e0d11990a5e2625a73e0772341bb2bc9d5d55c7

Download Submit
C:\Windows\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe

Filesize
204KB

MD5
31102763d4c260a1ec5cdad98722aa99

SHA1
edbe42516b3be1d2afb8b073affebb41ae1dd23a

SHA256
6b213f116343c7bebb408f41e0799c06f707bdabb632c6260e6da95f0b47f258

SHA512
92afb1e7ed0c6f87cf080010396c04bfb7f9013ab55ffcf0727f1da0cb82a9c8d1c544bfcebe43bdb6a3dc71cb045780ccf961cb87fc480b4ce672c46fa325da

Download Submit
C:\Windows\{C6A3B04D-D822-491d-851C-F7FB605BB5C6}.exe

Filesize
204KB

MD5
31102763d4c260a1ec5cdad98722aa99

SHA1
edbe42516b3be1d2afb8b073affebb41ae1dd23a

SHA256
6b213f116343c7bebb408f41e0799c06f707bdabb632c6260e6da95f0b47f258

SHA512
92afb1e7ed0c6f87cf080010396c04bfb7f9013ab55ffcf0727f1da0cb82a9c8d1c544bfcebe43bdb6a3dc71cb045780ccf961cb87fc480b4ce672c46fa325da

Download Submit
C:\Windows\{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe

Filesize
204KB

MD5
19c0d9241624efdbc755ee82429bbe21

SHA1
810cf4c3ff00812779a6bafc7ff8a2f2c3e3579f

SHA256
4722dc3b0d86cedba57da1370dad0ad49a2117fe8f662f392c77edc486be399a

SHA512
a04f03da8d4ea4c03539910d16ee6f37180a9aead2f0b3dc7a1d11f1f43d8fcb95e524222220c1bd55177002efd4ed03b5fbf37fa59d0c7ea4d601f7f6e4372e

Download Submit
C:\Windows\{CD6ED94D-4BA8-4691-A05A-019890AFF888}.exe

Filesize
204KB

MD5
19c0d9241624efdbc755ee82429bbe21

SHA1
810cf4c3ff00812779a6bafc7ff8a2f2c3e3579f

SHA256
4722dc3b0d86cedba57da1370dad0ad49a2117fe8f662f392c77edc486be399a

SHA512
a04f03da8d4ea4c03539910d16ee6f37180a9aead2f0b3dc7a1d11f1f43d8fcb95e524222220c1bd55177002efd4ed03b5fbf37fa59d0c7ea4d601f7f6e4372e

Download Submit
C:\Windows\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe

Filesize
204KB

MD5
f8e2b1e20641cd7047b5d075bf6daea4

SHA1
d0ecf45bd54e5a6d2b08b6c7b763c6e3c9ab4a4b

SHA256
b1900d3271f4931469c8c21d770e28ffd9e345480fe7a7f706b68d0066578021

SHA512
80ff77721e098a8124c32ae13f0632bb077eb805c81b18aa782f4c8c59878c8fdab3e98f045cd7d0066e6367f942a934e9d120c73738bda1208502d2d9c7c32b

Download Submit
C:\Windows\{D0E29EA9-9FB2-4ffd-A8CF-EF5842778B8E}.exe

Filesize
204KB

MD5
f8e2b1e20641cd7047b5d075bf6daea4

SHA1
d0ecf45bd54e5a6d2b08b6c7b763c6e3c9ab4a4b

SHA256
b1900d3271f4931469c8c21d770e28ffd9e345480fe7a7f706b68d0066578021

SHA512
80ff77721e098a8124c32ae13f0632bb077eb805c81b18aa782f4c8c59878c8fdab3e98f045cd7d0066e6367f942a934e9d120c73738bda1208502d2d9c7c32b

Download Submit
C:\Windows\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe

Filesize
204KB

MD5
9aff6fefa12d1edff45682668ad3fa52

SHA1
f28ae4b3139218f65777b78e065f4ae47171c2ba

SHA256
27570d934ac74505af775465eb43db38174be4308cf1df3a5a51bd4e3b5e3a34

SHA512
2b2e82441cbcb9b5bbf640ac7eb77860548e5abc36e132c6fd057366d8def5d75758ee7088419e765dea1b5fd922e660aacd17e40fbe5d702dd637ceef8c74ed

Download Submit
C:\Windows\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe

Filesize
204KB

MD5
9aff6fefa12d1edff45682668ad3fa52

SHA1
f28ae4b3139218f65777b78e065f4ae47171c2ba

SHA256
27570d934ac74505af775465eb43db38174be4308cf1df3a5a51bd4e3b5e3a34

SHA512
2b2e82441cbcb9b5bbf640ac7eb77860548e5abc36e132c6fd057366d8def5d75758ee7088419e765dea1b5fd922e660aacd17e40fbe5d702dd637ceef8c74ed

Download Submit
C:\Windows\{E9B13BFE-A6B2-4a7f-A712-E162D68F44F1}.exe

Filesize
204KB

MD5
9aff6fefa12d1edff45682668ad3fa52

SHA1
f28ae4b3139218f65777b78e065f4ae47171c2ba

SHA256
27570d934ac74505af775465eb43db38174be4308cf1df3a5a51bd4e3b5e3a34

SHA512
2b2e82441cbcb9b5bbf640ac7eb77860548e5abc36e132c6fd057366d8def5d75758ee7088419e765dea1b5fd922e660aacd17e40fbe5d702dd637ceef8c74ed

Download Submit