c76477a3571f6be87e41f16c37ec781cc1e00270bf483834f04a2247a896ed46

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9b58eaf6b1cddexeexeexeex.exe
Size

372KB
MD5

a9b58eaf6b1cddbf27afa795cb64f2c4
SHA1

b250c9381cc007a80cdb5d6450e756933c1241ca
SHA256

c76477a3571f6be87e41f16c37ec781cc1e00270bf483834f04a2247a896ed46
SHA512

49801d0a6d3f73fcfbc2edfc1b7080e044d81e7fc2b4ecaa057a738dfd9260f8047486b7811d88658a4eee1ce1dd0bbbf4fbe4b4e89a36f3634c5886ccec7a44
SSDEEP

3072:CEGh0o1mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGyl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{950CA997-DE75-4535-A4BF-698ABA9FD406}\stubpath = "C:\\Windows\\{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe"	a9b58eaf6b1cddexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57629707-FF1C-43ad-A526-5835293B3A8B}\stubpath = "C:\\Windows\\{57629707-FF1C-43ad-A526-5835293B3A8B}.exe"	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02549D6F-EC6A-4b04-8269-999036942879}\stubpath = "C:\\Windows\\{02549D6F-EC6A-4b04-8269-999036942879}.exe"	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900515A0-CFEF-497a-A74E-699E848A973F}	{02549D6F-EC6A-4b04-8269-999036942879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}	{900515A0-CFEF-497a-A74E-699E848A973F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}\stubpath = "C:\\Windows\\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe"	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1E8F383-22CC-481f-968D-94DD14925277}	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C322B7C-7A57-42d8-859A-078FF3581E6F}\stubpath = "C:\\Windows\\{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe"	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}	{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}\stubpath = "C:\\Windows\\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe"	{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57629707-FF1C-43ad-A526-5835293B3A8B}	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02549D6F-EC6A-4b04-8269-999036942879}	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}\stubpath = "C:\\Windows\\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe"	{900515A0-CFEF-497a-A74E-699E848A973F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}	{C1E8F383-22CC-481f-968D-94DD14925277}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}\stubpath = "C:\\Windows\\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe"	{C1E8F383-22CC-481f-968D-94DD14925277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{950CA997-DE75-4535-A4BF-698ABA9FD406}	a9b58eaf6b1cddexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{529BCB76-B50E-446f-B84E-4EA6118EFE00}	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{529BCB76-B50E-446f-B84E-4EA6118EFE00}\stubpath = "C:\\Windows\\{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe"	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}\stubpath = "C:\\Windows\\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe"	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900515A0-CFEF-497a-A74E-699E848A973F}\stubpath = "C:\\Windows\\{900515A0-CFEF-497a-A74E-699E848A973F}.exe"	{02549D6F-EC6A-4b04-8269-999036942879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1E8F383-22CC-481f-968D-94DD14925277}\stubpath = "C:\\Windows\\{C1E8F383-22CC-481f-968D-94DD14925277}.exe"	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C322B7C-7A57-42d8-859A-078FF3581E6F}	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe

Executes dropped EXE 12 IoCs

pid	Process
2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe
3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe
1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe
1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
3084	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe
3588	{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe
4704	{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe
File created	C:\Windows\{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	a9b58eaf6b1cddexeexeexeex.exe
File created	C:\Windows\{02549D6F-EC6A-4b04-8269-999036942879}.exe	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
File created	C:\Windows\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	{C1E8F383-22CC-481f-968D-94DD14925277}.exe
File created	C:\Windows\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	{900515A0-CFEF-497a-A74E-699E848A973F}.exe
File created	C:\Windows\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
File created	C:\Windows\{C1E8F383-22CC-481f-968D-94DD14925277}.exe	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
File created	C:\Windows\{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
File created	C:\Windows\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe	{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe
File created	C:\Windows\{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
File created	C:\Windows\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
File created	C:\Windows\{900515A0-CFEF-497a-A74E-699E848A973F}.exe	{02549D6F-EC6A-4b04-8269-999036942879}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4708	a9b58eaf6b1cddexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
Token: SeIncBasePriorityPrivilege	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
Token: SeIncBasePriorityPrivilege	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
Token: SeIncBasePriorityPrivilege	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe
Token: SeIncBasePriorityPrivilege	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe
Token: SeIncBasePriorityPrivilege	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
Token: SeIncBasePriorityPrivilege	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
Token: SeIncBasePriorityPrivilege	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe
Token: SeIncBasePriorityPrivilege	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
Token: SeIncBasePriorityPrivilege	3084	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe
Token: SeIncBasePriorityPrivilege	3588	{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 2532	4708	a9b58eaf6b1cddexeexeexeex.exe	84
PID 4708 wrote to memory of 2532	4708	a9b58eaf6b1cddexeexeexeex.exe	84
PID 4708 wrote to memory of 2532	4708	a9b58eaf6b1cddexeexeexeex.exe	84
PID 4708 wrote to memory of 3764	4708	a9b58eaf6b1cddexeexeexeex.exe	85
PID 4708 wrote to memory of 3764	4708	a9b58eaf6b1cddexeexeexeex.exe	85
PID 4708 wrote to memory of 3764	4708	a9b58eaf6b1cddexeexeexeex.exe	85
PID 2532 wrote to memory of 4688	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	86
PID 2532 wrote to memory of 4688	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	86
PID 2532 wrote to memory of 4688	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	86
PID 2532 wrote to memory of 960	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	87
PID 2532 wrote to memory of 960	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	87
PID 2532 wrote to memory of 960	2532	{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe	87
PID 4688 wrote to memory of 3908	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	91
PID 4688 wrote to memory of 3908	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	91
PID 4688 wrote to memory of 3908	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	91
PID 4688 wrote to memory of 1856	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	92
PID 4688 wrote to memory of 1856	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	92
PID 4688 wrote to memory of 1856	4688	{57629707-FF1C-43ad-A526-5835293B3A8B}.exe	92
PID 3908 wrote to memory of 1676	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	93
PID 3908 wrote to memory of 1676	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	93
PID 3908 wrote to memory of 1676	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	93
PID 3908 wrote to memory of 3572	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	94
PID 3908 wrote to memory of 3572	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	94
PID 3908 wrote to memory of 3572	3908	{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe	94
PID 1676 wrote to memory of 3976	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe	95
PID 1676 wrote to memory of 3976	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe	95
PID 1676 wrote to memory of 3976	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe	95
PID 1676 wrote to memory of 4540	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe	96
PID 1676 wrote to memory of 4540	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe	96
PID 1676 wrote to memory of 4540	1676	{02549D6F-EC6A-4b04-8269-999036942879}.exe	96
PID 3976 wrote to memory of 1396	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe	97
PID 3976 wrote to memory of 1396	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe	97
PID 3976 wrote to memory of 1396	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe	97
PID 3976 wrote to memory of 2952	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe	98
PID 3976 wrote to memory of 2952	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe	98
PID 3976 wrote to memory of 2952	3976	{900515A0-CFEF-497a-A74E-699E848A973F}.exe	98
PID 1396 wrote to memory of 2808	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	99
PID 1396 wrote to memory of 2808	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	99
PID 1396 wrote to memory of 2808	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	99
PID 1396 wrote to memory of 2284	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	100
PID 1396 wrote to memory of 2284	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	100
PID 1396 wrote to memory of 2284	1396	{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe	100
PID 2808 wrote to memory of 2524	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	101
PID 2808 wrote to memory of 2524	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	101
PID 2808 wrote to memory of 2524	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	101
PID 2808 wrote to memory of 4644	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	102
PID 2808 wrote to memory of 4644	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	102
PID 2808 wrote to memory of 4644	2808	{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe	102
PID 2524 wrote to memory of 1884	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe	103
PID 2524 wrote to memory of 1884	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe	103
PID 2524 wrote to memory of 1884	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe	103
PID 2524 wrote to memory of 1168	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe	104
PID 2524 wrote to memory of 1168	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe	104
PID 2524 wrote to memory of 1168	2524	{C1E8F383-22CC-481f-968D-94DD14925277}.exe	104
PID 1884 wrote to memory of 3084	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	105
PID 1884 wrote to memory of 3084	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	105
PID 1884 wrote to memory of 3084	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	105
PID 1884 wrote to memory of 1240	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	106
PID 1884 wrote to memory of 1240	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	106
PID 1884 wrote to memory of 1240	1884	{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe	106
PID 3084 wrote to memory of 3588	3084	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe	107
PID 3084 wrote to memory of 3588	3084	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe	107
PID 3084 wrote to memory of 3588	3084	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe	107
PID 3084 wrote to memory of 2332	3084	{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe	108

C:\Users\Admin\AppData\Local\Temp\a9b58eaf6b1cddexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\a9b58eaf6b1cddexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
  C:\Windows\{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
    C:\Windows\{57629707-FF1C-43ad-A526-5835293B3A8B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
      C:\Windows\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\{02549D6F-EC6A-4b04-8269-999036942879}.exe
        
        C:\Windows\{02549D6F-EC6A-4b04-8269-999036942879}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\{900515A0-CFEF-497a-A74E-699E848A973F}.exe
        
        C:\Windows\{900515A0-CFEF-497a-A74E-699E848A973F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
        
        C:\Windows\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
        
        C:\Windows\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{C1E8F383-22CC-481f-968D-94DD14925277}.exe
        
        C:\Windows\{C1E8F383-22CC-481f-968D-94DD14925277}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
        
        C:\Windows\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe
        
        C:\Windows\{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe
        
        C:\Windows\{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe
        
        C:\Windows\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe
        13⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C322~1.EXE > nul
        13⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{529BC~1.EXE > nul
        12⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A421~1.EXE > nul
        11⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1E8F~1.EXE > nul
        10⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB31~1.EXE > nul
        9⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{778BE~1.EXE > nul
        8⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90051~1.EXE > nul
        7⤵
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02549~1.EXE > nul
        6⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7590~1.EXE > nul
        5⤵
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57629~1.EXE > nul
      4⤵
      PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{950CA~1.EXE > nul
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A9B58E~1.EXE > nul
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02549D6F-EC6A-4b04-8269-999036942879}.exe

Filesize
372KB

MD5
7c149af0a8200ffecfc7dff6a6245823

SHA1
a3d9ea589fe3db8238a8632b2361f9cc351b2880

SHA256
c43ae9d75a5c01bde48dc80617aa33950680384e7f5a4ae08d10687827efaef9

SHA512
f9c8a380f58e048ee2172668beaa2691d170408caecb19746828f7ab25cfc6b54cc95fedc0973923c049e2491edf8f14e47cd0a90ba5a9abe9fbc4c56192e5f9

Download Submit
C:\Windows\{02549D6F-EC6A-4b04-8269-999036942879}.exe

Filesize
372KB

MD5
7c149af0a8200ffecfc7dff6a6245823

SHA1
a3d9ea589fe3db8238a8632b2361f9cc351b2880

SHA256
c43ae9d75a5c01bde48dc80617aa33950680384e7f5a4ae08d10687827efaef9

SHA512
f9c8a380f58e048ee2172668beaa2691d170408caecb19746828f7ab25cfc6b54cc95fedc0973923c049e2491edf8f14e47cd0a90ba5a9abe9fbc4c56192e5f9

Download Submit
C:\Windows\{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe

Filesize
372KB

MD5
bff5fab21342038974fdcd7b0c70639f

SHA1
020ccca2c09ac21434e41e62aaed565673e08471

SHA256
eb8482e2eaef63f80ddd2cc38b6f68265243a6213ff77f43f80284754e639c5c

SHA512
a1c026ef8cf2dcd93904a1122702ad12049c2ac83d263d050bc14513641222b6097d50bcf5f2c1080cec25265d0bd669898abc847f01b58be97777644c30140b

Download Submit
C:\Windows\{2C322B7C-7A57-42d8-859A-078FF3581E6F}.exe

Filesize
372KB

MD5
bff5fab21342038974fdcd7b0c70639f

SHA1
020ccca2c09ac21434e41e62aaed565673e08471

SHA256
eb8482e2eaef63f80ddd2cc38b6f68265243a6213ff77f43f80284754e639c5c

SHA512
a1c026ef8cf2dcd93904a1122702ad12049c2ac83d263d050bc14513641222b6097d50bcf5f2c1080cec25265d0bd669898abc847f01b58be97777644c30140b

Download Submit
C:\Windows\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe

Filesize
372KB

MD5
8f39570050eb19a0c1a55bf979b382b6

SHA1
62a3fb1014a9ab8646b02538a177b2e6f98975c9

SHA256
637de578c55e17a6c6648ea834a65162068097228396c95a072d1125768e6886

SHA512
1f74127daf0958202e6b0569c93c64fa40162adaaea8920453a2ff0471c7ff574317688e128a412112834edaa4790f591c13290dfca2c7e12fef8b6134330840

Download Submit
C:\Windows\{4989AACE-351A-4935-93D1-AD7E0ADCF5BE}.exe

Filesize
372KB

MD5
8f39570050eb19a0c1a55bf979b382b6

SHA1
62a3fb1014a9ab8646b02538a177b2e6f98975c9

SHA256
637de578c55e17a6c6648ea834a65162068097228396c95a072d1125768e6886

SHA512
1f74127daf0958202e6b0569c93c64fa40162adaaea8920453a2ff0471c7ff574317688e128a412112834edaa4790f591c13290dfca2c7e12fef8b6134330840

Download Submit
C:\Windows\{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe

Filesize
372KB

MD5
90a41b1ed0c7ca9c96c86e427d02f85b

SHA1
51e4b15ae57d8361f4cb1ebba1e9ec89dc3f7419

SHA256
af3a65c3c6ef524289dadc7f1342119a88837b38b81144aa03f53c0ccdec2c15

SHA512
b44b763de9df14deee3cc396a5ca6df6cd8f607c2bb1b408416a5bdb6810697f720193f90e0b51a655d407e18e35c00e22590c8948a63da5a95f300f66aa84ce

Download Submit
C:\Windows\{529BCB76-B50E-446f-B84E-4EA6118EFE00}.exe

Filesize
372KB

MD5
90a41b1ed0c7ca9c96c86e427d02f85b

SHA1
51e4b15ae57d8361f4cb1ebba1e9ec89dc3f7419

SHA256
af3a65c3c6ef524289dadc7f1342119a88837b38b81144aa03f53c0ccdec2c15

SHA512
b44b763de9df14deee3cc396a5ca6df6cd8f607c2bb1b408416a5bdb6810697f720193f90e0b51a655d407e18e35c00e22590c8948a63da5a95f300f66aa84ce

Download Submit
C:\Windows\{57629707-FF1C-43ad-A526-5835293B3A8B}.exe

Filesize
372KB

MD5
30e86ff47e35cece560f6ffe110ef125

SHA1
e26b6102304ccd27d8c6840d2d0094a927c4adc9

SHA256
de60b1d98f7a77b7ffaed7034d52f535bb6a684b582b38c09510e7637100c89f

SHA512
2ae02fcacca68adba963890f9d34bd24117a463df4f5f4f9faaa0e324cdb5cb80c601baca05a0bf2f839ab3ec30a3d1f017422f008a2f0ba0d43e1ec3bc01ed1

Download Submit
C:\Windows\{57629707-FF1C-43ad-A526-5835293B3A8B}.exe

Filesize
372KB

MD5
30e86ff47e35cece560f6ffe110ef125

SHA1
e26b6102304ccd27d8c6840d2d0094a927c4adc9

SHA256
de60b1d98f7a77b7ffaed7034d52f535bb6a684b582b38c09510e7637100c89f

SHA512
2ae02fcacca68adba963890f9d34bd24117a463df4f5f4f9faaa0e324cdb5cb80c601baca05a0bf2f839ab3ec30a3d1f017422f008a2f0ba0d43e1ec3bc01ed1

Download Submit
C:\Windows\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe

Filesize
372KB

MD5
297e52f8a6295fc37ddca9726b03dfcd

SHA1
5ac3a27bba80abf3332437747a3f54098300f8b4

SHA256
3759868d4f3ee589d22b19f75f13981dfc61a0144b35c5275508d38b7f17319b

SHA512
576a43a207f55f08b344668b2a374064724ef0c074f58432b22febee75ffb75bd327678bea32a918786d1fb177d5ce7c8af69cfdca40e9e412908ff621eed2a2

Download Submit
C:\Windows\{778BEF7F-5B48-4de5-9CEB-BD1B10EFD418}.exe

Filesize
372KB

MD5
297e52f8a6295fc37ddca9726b03dfcd

SHA1
5ac3a27bba80abf3332437747a3f54098300f8b4

SHA256
3759868d4f3ee589d22b19f75f13981dfc61a0144b35c5275508d38b7f17319b

SHA512
576a43a207f55f08b344668b2a374064724ef0c074f58432b22febee75ffb75bd327678bea32a918786d1fb177d5ce7c8af69cfdca40e9e412908ff621eed2a2

Download Submit
C:\Windows\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe

Filesize
372KB

MD5
ca23860239bc21ea32cc76f213ef06e6

SHA1
e2fe40e9c501b38b72a3ef67cedb1ce14834732b

SHA256
31b0e176a1bc821a0a8999e9c1a57fd06ff2a6a24b85dde092b9e29c467ca127

SHA512
4dd78ecdeb5441cc0909a37ed5c0e18ecb760fa5e71ef87e798752f9bea63490557d8e0dc8450bbe4d212a617aeaeef6fbee446501e9a2ffdb9455a258aaba82

Download Submit
C:\Windows\{8A421581-1CBB-4aa1-86FD-8BE9F7D39D81}.exe

Filesize
372KB

MD5
ca23860239bc21ea32cc76f213ef06e6

SHA1
e2fe40e9c501b38b72a3ef67cedb1ce14834732b

SHA256
31b0e176a1bc821a0a8999e9c1a57fd06ff2a6a24b85dde092b9e29c467ca127

SHA512
4dd78ecdeb5441cc0909a37ed5c0e18ecb760fa5e71ef87e798752f9bea63490557d8e0dc8450bbe4d212a617aeaeef6fbee446501e9a2ffdb9455a258aaba82

Download Submit
C:\Windows\{900515A0-CFEF-497a-A74E-699E848A973F}.exe

Filesize
372KB

MD5
f155136ff9d335598cd79919964372af

SHA1
9c5ea8ac18391c99dbffa70f1b68625074332dc6

SHA256
b2a90b8be858d0d946225a948fafbd0463539ab023127ce7ac1cd73dae656621

SHA512
3a340943b62008365af4505c4bbe8b80c2a64a19867d31c86693edc2f6fb4a08da8afd783fb57213399d74107eda0717e04503bda4679bbc8ebafa8a238eb32d

Download Submit
C:\Windows\{900515A0-CFEF-497a-A74E-699E848A973F}.exe

Filesize
372KB

MD5
f155136ff9d335598cd79919964372af

SHA1
9c5ea8ac18391c99dbffa70f1b68625074332dc6

SHA256
b2a90b8be858d0d946225a948fafbd0463539ab023127ce7ac1cd73dae656621

SHA512
3a340943b62008365af4505c4bbe8b80c2a64a19867d31c86693edc2f6fb4a08da8afd783fb57213399d74107eda0717e04503bda4679bbc8ebafa8a238eb32d

Download Submit
C:\Windows\{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe

Filesize
372KB

MD5
09fb6910adb4fa0b74c0dd8a6f201c6c

SHA1
b88fa840cbe97d2e4667023515fde74228a8df49

SHA256
4b9389a4c7417141d996214ecc795f5405a167236bbc51eeb5071176fa480623

SHA512
eafa74a3768268d5b30505d92e4220e8c1a184863e3f0c9870ace12c2658df577c121a3296ecc32bb1f689b5f023094c17f2635dc2b4aaaad91ae2a8c3f3abeb

Download Submit
C:\Windows\{950CA997-DE75-4535-A4BF-698ABA9FD406}.exe

Filesize
372KB

MD5
09fb6910adb4fa0b74c0dd8a6f201c6c

SHA1
b88fa840cbe97d2e4667023515fde74228a8df49

SHA256
4b9389a4c7417141d996214ecc795f5405a167236bbc51eeb5071176fa480623

SHA512
eafa74a3768268d5b30505d92e4220e8c1a184863e3f0c9870ace12c2658df577c121a3296ecc32bb1f689b5f023094c17f2635dc2b4aaaad91ae2a8c3f3abeb

Download Submit
C:\Windows\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe

Filesize
372KB

MD5
5c30a174683741c0699b1b833f7cdbe7

SHA1
707faa70af2ba5d429a9eef620537489ba6cfc09

SHA256
f2bb12f35055e428fb7481f610a59f14ba52c53531f82e81b16d5ee6a890d79a

SHA512
b68d9368f8e3b2e737b6b6742348aad65dbb9870a87f18f60a2755a5e58bf56d902d5b2bdda80e7723ded3145a8fc805494c8d2fc4d2fb9f15fbb9f86903d2a0

Download Submit
C:\Windows\{AEB31A72-3F54-44bd-A2D5-4C9B50CAD445}.exe

Filesize
372KB

MD5
5c30a174683741c0699b1b833f7cdbe7

SHA1
707faa70af2ba5d429a9eef620537489ba6cfc09

SHA256
f2bb12f35055e428fb7481f610a59f14ba52c53531f82e81b16d5ee6a890d79a

SHA512
b68d9368f8e3b2e737b6b6742348aad65dbb9870a87f18f60a2755a5e58bf56d902d5b2bdda80e7723ded3145a8fc805494c8d2fc4d2fb9f15fbb9f86903d2a0

Download Submit
C:\Windows\{C1E8F383-22CC-481f-968D-94DD14925277}.exe

Filesize
372KB

MD5
d4f64a9ef1d0a31e0c8146cc8e589ad0

SHA1
aefe51ec3708cdcd4fb91fabb5362e93aae2cfdf

SHA256
d2c55143254628e8cb2c5226687e7e1322f70ba01243454d8c8522157478102f

SHA512
32c5018dea0dfc2a37c76e6f76d267b841e3d14fca4576a231ee6d2153a49177cd86ff927e0e487f9b0169517a1dc933c542f11089964b9d31c14050b13c17d1

Download Submit
C:\Windows\{C1E8F383-22CC-481f-968D-94DD14925277}.exe

Filesize
372KB

MD5
d4f64a9ef1d0a31e0c8146cc8e589ad0

SHA1
aefe51ec3708cdcd4fb91fabb5362e93aae2cfdf

SHA256
d2c55143254628e8cb2c5226687e7e1322f70ba01243454d8c8522157478102f

SHA512
32c5018dea0dfc2a37c76e6f76d267b841e3d14fca4576a231ee6d2153a49177cd86ff927e0e487f9b0169517a1dc933c542f11089964b9d31c14050b13c17d1

Download Submit
C:\Windows\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe

Filesize
372KB

MD5
39f6fb23fa7a960496255eb9a9af9327

SHA1
8b7755d83a8885d214bca3c6152f17b8f2799875

SHA256
2ab7662eedc36d2e61246e2f200c484f7dfaa4f48880c4e5add1ef2f3a108492

SHA512
1d09b8bd7005b560f42c3c9b92abb49385495fb86a5a377693ea2b2910716d25377a9d0601f89030520371305e75280e187317f4c78cc0f453d79bf74e905633

Download Submit
C:\Windows\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe

Filesize
372KB

MD5
39f6fb23fa7a960496255eb9a9af9327

SHA1
8b7755d83a8885d214bca3c6152f17b8f2799875

SHA256
2ab7662eedc36d2e61246e2f200c484f7dfaa4f48880c4e5add1ef2f3a108492

SHA512
1d09b8bd7005b560f42c3c9b92abb49385495fb86a5a377693ea2b2910716d25377a9d0601f89030520371305e75280e187317f4c78cc0f453d79bf74e905633

Download Submit
C:\Windows\{F7590AB8-C9B3-4ff0-9F13-F1E0FCF90CF9}.exe

Filesize
372KB

MD5
39f6fb23fa7a960496255eb9a9af9327

SHA1
8b7755d83a8885d214bca3c6152f17b8f2799875

SHA256
2ab7662eedc36d2e61246e2f200c484f7dfaa4f48880c4e5add1ef2f3a108492

SHA512
1d09b8bd7005b560f42c3c9b92abb49385495fb86a5a377693ea2b2910716d25377a9d0601f89030520371305e75280e187317f4c78cc0f453d79bf74e905633

Download Submit