ad11ca3ce0ad501cd74f5508933216c7e12bb655e69fd21992ed10a825113b3f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be8219d2660e4aexeexeexeex.exe
Size

372KB
MD5

be8219d2660e4a609b9fa6329966183a
SHA1

58ef8ff01b49afa98fda9a1a4bcf513aa73abd60
SHA256

ad11ca3ce0ad501cd74f5508933216c7e12bb655e69fd21992ed10a825113b3f
SHA512

e31a4e6d7c90926ffa668a76fe06e08b2566cd41e712c2742dd12fda893324d3c94459ad7f5bbfe429c68cf738886d0784f54b3749819c3c6e9ca1e64959f289
SSDEEP

3072:CEGh0o2mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGRl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}\stubpath = "C:\\Windows\\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe"	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43F6295-5732-401c-9980-AB441C1D16FA}\stubpath = "C:\\Windows\\{F43F6295-5732-401c-9980-AB441C1D16FA}.exe"	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}\stubpath = "C:\\Windows\\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe"	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}\stubpath = "C:\\Windows\\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe"	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}\stubpath = "C:\\Windows\\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe"	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B406F151-218C-4890-A93B-608F648CF917}	{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B406F151-218C-4890-A93B-608F648CF917}\stubpath = "C:\\Windows\\{B406F151-218C-4890-A93B-608F648CF917}.exe"	{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43F6295-5732-401c-9980-AB441C1D16FA}	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}\stubpath = "C:\\Windows\\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe"	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}	be8219d2660e4aexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{606C3609-3CDE-43ff-9EB9-318A8A494A97}\stubpath = "C:\\Windows\\{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe"	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9313DAA5-DB33-48ee-BB23-E150C42F368B}	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9313DAA5-DB33-48ee-BB23-E150C42F368B}\stubpath = "C:\\Windows\\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe"	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}\stubpath = "C:\\Windows\\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe"	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{606C3609-3CDE-43ff-9EB9-318A8A494A97}	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}\stubpath = "C:\\Windows\\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe"	be8219d2660e4aexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}\stubpath = "C:\\Windows\\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe"	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe

Executes dropped EXE 12 IoCs

pid	Process
688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe
1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe
4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
1388	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
3560	{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe
2620	{B406F151-218C-4890-A93B-608F648CF917}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B406F151-218C-4890-A93B-608F648CF917}.exe	{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe
File created	C:\Windows\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	be8219d2660e4aexeexeexeex.exe
File created	C:\Windows\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
File created	C:\Windows\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
File created	C:\Windows\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
File created	C:\Windows\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
File created	C:\Windows\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
File created	C:\Windows\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe
File created	C:\Windows\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
File created	C:\Windows\{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
File created	C:\Windows\{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
File created	C:\Windows\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5016	be8219d2660e4aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe
Token: SeIncBasePriorityPrivilege	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
Token: SeIncBasePriorityPrivilege	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
Token: SeIncBasePriorityPrivilege	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
Token: SeIncBasePriorityPrivilege	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
Token: SeIncBasePriorityPrivilege	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
Token: SeIncBasePriorityPrivilege	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
Token: SeIncBasePriorityPrivilege	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe
Token: SeIncBasePriorityPrivilege	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
Token: SeIncBasePriorityPrivilege	1388	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
Token: SeIncBasePriorityPrivilege	3560	{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 688	5016	be8219d2660e4aexeexeexeex.exe	85
PID 5016 wrote to memory of 688	5016	be8219d2660e4aexeexeexeex.exe	85
PID 5016 wrote to memory of 688	5016	be8219d2660e4aexeexeexeex.exe	85
PID 5016 wrote to memory of 2832	5016	be8219d2660e4aexeexeexeex.exe	86
PID 5016 wrote to memory of 2832	5016	be8219d2660e4aexeexeexeex.exe	86
PID 5016 wrote to memory of 2832	5016	be8219d2660e4aexeexeexeex.exe	86
PID 688 wrote to memory of 1140	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	87
PID 688 wrote to memory of 1140	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	87
PID 688 wrote to memory of 1140	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	87
PID 688 wrote to memory of 880	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	88
PID 688 wrote to memory of 880	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	88
PID 688 wrote to memory of 880	688	{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe	88
PID 1140 wrote to memory of 816	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	93
PID 1140 wrote to memory of 816	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	93
PID 1140 wrote to memory of 816	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	93
PID 1140 wrote to memory of 3572	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	92
PID 1140 wrote to memory of 3572	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	92
PID 1140 wrote to memory of 3572	1140	{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe	92
PID 816 wrote to memory of 1980	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	94
PID 816 wrote to memory of 1980	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	94
PID 816 wrote to memory of 1980	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	94
PID 816 wrote to memory of 1696	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	95
PID 816 wrote to memory of 1696	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	95
PID 816 wrote to memory of 1696	816	{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe	95
PID 1980 wrote to memory of 2816	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	96
PID 1980 wrote to memory of 2816	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	96
PID 1980 wrote to memory of 2816	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	96
PID 1980 wrote to memory of 2256	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	97
PID 1980 wrote to memory of 2256	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	97
PID 1980 wrote to memory of 2256	1980	{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe	97
PID 2816 wrote to memory of 4548	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	98
PID 2816 wrote to memory of 4548	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	98
PID 2816 wrote to memory of 4548	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	98
PID 2816 wrote to memory of 1832	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	99
PID 2816 wrote to memory of 1832	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	99
PID 2816 wrote to memory of 1832	2816	{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe	99
PID 4548 wrote to memory of 4196	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	100
PID 4548 wrote to memory of 4196	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	100
PID 4548 wrote to memory of 4196	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	100
PID 4548 wrote to memory of 3688	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	101
PID 4548 wrote to memory of 3688	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	101
PID 4548 wrote to memory of 3688	4548	{F43F6295-5732-401c-9980-AB441C1D16FA}.exe	101
PID 4196 wrote to memory of 8	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	102
PID 4196 wrote to memory of 8	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	102
PID 4196 wrote to memory of 8	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	102
PID 4196 wrote to memory of 3660	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	103
PID 4196 wrote to memory of 3660	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	103
PID 4196 wrote to memory of 3660	4196	{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe	103
PID 8 wrote to memory of 4724	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	104
PID 8 wrote to memory of 4724	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	104
PID 8 wrote to memory of 4724	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	104
PID 8 wrote to memory of 1080	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	105
PID 8 wrote to memory of 1080	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	105
PID 8 wrote to memory of 1080	8	{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe	105
PID 4724 wrote to memory of 1388	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	106
PID 4724 wrote to memory of 1388	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	106
PID 4724 wrote to memory of 1388	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	106
PID 4724 wrote to memory of 4108	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	107
PID 4724 wrote to memory of 4108	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	107
PID 4724 wrote to memory of 4108	4724	{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe	107
PID 1388 wrote to memory of 3560	1388	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe	108
PID 1388 wrote to memory of 3560	1388	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe	108
PID 1388 wrote to memory of 3560	1388	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe	108
PID 1388 wrote to memory of 4816	1388	{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe	109

C:\Users\Admin\AppData\Local\Temp\be8219d2660e4aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\be8219d2660e4aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe
  C:\Windows\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
    C:\Windows\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{199FB~1.EXE > nul
      4⤵
      PID:3572
  - - C:\Windows\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
      C:\Windows\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
        
        C:\Windows\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
        
        C:\Windows\{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
        
        C:\Windows\{F43F6295-5732-401c-9980-AB441C1D16FA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
        
        C:\Windows\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe
        
        C:\Windows\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
        
        C:\Windows\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
        
        C:\Windows\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe
        
        C:\Windows\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\{B406F151-218C-4890-A93B-608F648CF917}.exe
        
        C:\Windows\{B406F151-218C-4890-A93B-608F648CF917}.exe
        13⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F9B1~1.EXE > nul
        13⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2AFC~1.EXE > nul
        12⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C96BE~1.EXE > nul
        11⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3612~1.EXE > nul
        10⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D6C~1.EXE > nul
        9⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F43F6~1.EXE > nul
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{606C3~1.EXE > nul
        7⤵
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE55B~1.EXE > nul
        6⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9313D~1.EXE > nul
        5⤵
        
        PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DCC7~1.EXE > nul
    3⤵
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE8219~1.EXE > nul
  2⤵
  PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe

Filesize
372KB

MD5
2930fe319170dff3f6ce21bba51c7e5c

SHA1
cb67b5df96fc242950ddf3719cd631327a1cda44

SHA256
d2c652cb56addd7e3f9d7dc587321c86014b13c8135103513edd7b010be8bcba

SHA512
a9ab37fb278badd144e86a82fcab60d0328aa8735c225773f1e96157695223f26db221df143226cb42fc43eaeab3d102f5b52df8dbef875450d6570d5beae77d

Download Submit
C:\Windows\{199FB3CD-EBE0-40a1-96CF-A1C57B807689}.exe

Filesize
372KB

MD5
2930fe319170dff3f6ce21bba51c7e5c

SHA1
cb67b5df96fc242950ddf3719cd631327a1cda44

SHA256
d2c652cb56addd7e3f9d7dc587321c86014b13c8135103513edd7b010be8bcba

SHA512
a9ab37fb278badd144e86a82fcab60d0328aa8735c225773f1e96157695223f26db221df143226cb42fc43eaeab3d102f5b52df8dbef875450d6570d5beae77d

Download Submit
C:\Windows\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe

Filesize
372KB

MD5
f2a27b32e5197321775902b07df21ac4

SHA1
f67def76fc43cd9ba5bd6a1264fe7f86e2cdf993

SHA256
8d3a04ca8ea2c6b9736e500d1f088d4711fc388907ac008320698f07808035ca

SHA512
55ce6500982e5e8c0ad03e094dfb71698ab2b168a01a8e6d907635901d09ab6af511e7f94b0185af4ccc7873837b08b28c01a9580d9f3ed317180299d376f1c2

Download Submit
C:\Windows\{4DCC79FF-B020-494a-BC8F-36F529D9F28C}.exe

Filesize
372KB

MD5
f2a27b32e5197321775902b07df21ac4

SHA1
f67def76fc43cd9ba5bd6a1264fe7f86e2cdf993

SHA256
8d3a04ca8ea2c6b9736e500d1f088d4711fc388907ac008320698f07808035ca

SHA512
55ce6500982e5e8c0ad03e094dfb71698ab2b168a01a8e6d907635901d09ab6af511e7f94b0185af4ccc7873837b08b28c01a9580d9f3ed317180299d376f1c2

Download Submit
C:\Windows\{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe

Filesize
372KB

MD5
6d8eeb4c315f22a819d478df7ee01fbe

SHA1
085214a0b637a5979dcff24e05c4fc621e361abd

SHA256
3925cb7add1f6d2e122124b8ddbee9f0ec0098a9d6aba7b2758ee301e2e08901

SHA512
ac8ff8fb0c3121bd2028f32dd416f52c39873a3971d940ffe4db6052e0fa56757fa74f50b42834e8be8212509eb60aa9c39746c94cd916bd6dc1076d4aea210a

Download Submit
C:\Windows\{606C3609-3CDE-43ff-9EB9-318A8A494A97}.exe

Filesize
372KB

MD5
6d8eeb4c315f22a819d478df7ee01fbe

SHA1
085214a0b637a5979dcff24e05c4fc621e361abd

SHA256
3925cb7add1f6d2e122124b8ddbee9f0ec0098a9d6aba7b2758ee301e2e08901

SHA512
ac8ff8fb0c3121bd2028f32dd416f52c39873a3971d940ffe4db6052e0fa56757fa74f50b42834e8be8212509eb60aa9c39746c94cd916bd6dc1076d4aea210a

Download Submit
C:\Windows\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe

Filesize
372KB

MD5
520c22b7173fd2f952f9a19ec322644d

SHA1
57f5ad4df614f0d2c236b8bb03a506c0afab4458

SHA256
ffa577e791419444f2d737f2a04fa9a4db482777a1439022e473fd69c26d9777

SHA512
3ad534107745f8a40078a33c9744fbf68809801995a24848e134716cbb45c8e56b967b14339ac6853abafbf623125fba9c110e887d9c88a51e35e3c30ab0bd1b

Download Submit
C:\Windows\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe

Filesize
372KB

MD5
520c22b7173fd2f952f9a19ec322644d

SHA1
57f5ad4df614f0d2c236b8bb03a506c0afab4458

SHA256
ffa577e791419444f2d737f2a04fa9a4db482777a1439022e473fd69c26d9777

SHA512
3ad534107745f8a40078a33c9744fbf68809801995a24848e134716cbb45c8e56b967b14339ac6853abafbf623125fba9c110e887d9c88a51e35e3c30ab0bd1b

Download Submit
C:\Windows\{9313DAA5-DB33-48ee-BB23-E150C42F368B}.exe

Filesize
372KB

MD5
520c22b7173fd2f952f9a19ec322644d

SHA1
57f5ad4df614f0d2c236b8bb03a506c0afab4458

SHA256
ffa577e791419444f2d737f2a04fa9a4db482777a1439022e473fd69c26d9777

SHA512
3ad534107745f8a40078a33c9744fbf68809801995a24848e134716cbb45c8e56b967b14339ac6853abafbf623125fba9c110e887d9c88a51e35e3c30ab0bd1b

Download Submit
C:\Windows\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe

Filesize
372KB

MD5
d6597d80aa2c86ee99512e3e1bc6eaa2

SHA1
90a127e9b984f8c1cc283e07202a8d1383c172f7

SHA256
e20528df942138ee0cdf06bd158d575c1bacf198b5bb43da12cacffa4267fc61

SHA512
717cf3248a09bb2cf0447b972c7c86bd378653072d68e7e10f7624a1e471beb454007903c9c59825cf585c346e239817bb075cf01175f63fbbffae646ec07edf

Download Submit
C:\Windows\{9F9B1D64-9630-4558-9B59-4C35CDE06FE8}.exe

Filesize
372KB

MD5
d6597d80aa2c86ee99512e3e1bc6eaa2

SHA1
90a127e9b984f8c1cc283e07202a8d1383c172f7

SHA256
e20528df942138ee0cdf06bd158d575c1bacf198b5bb43da12cacffa4267fc61

SHA512
717cf3248a09bb2cf0447b972c7c86bd378653072d68e7e10f7624a1e471beb454007903c9c59825cf585c346e239817bb075cf01175f63fbbffae646ec07edf

Download Submit
C:\Windows\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe

Filesize
372KB

MD5
130a65c9f1897bb4df9c8ea68e2b0659

SHA1
6508fbd2ac7097eba7b8a4ccdc8f88495e6d98cb

SHA256
162ddfcd9deeb263566ca2d89bf5f7241800ba8ff2889e37e20ff9b7a35fe408

SHA512
21fe6130b5742d46f5258d1cfe3995d877d6a1da04e1cbf72fb237844dddc812f954003ea3ff29eda789390df1eb2eb6d9673b02d92f4cba1dc9613263a26296

Download Submit
C:\Windows\{B2AFCDF8-471D-46bc-92DA-E36DD51D87F9}.exe

Filesize
372KB

MD5
130a65c9f1897bb4df9c8ea68e2b0659

SHA1
6508fbd2ac7097eba7b8a4ccdc8f88495e6d98cb

SHA256
162ddfcd9deeb263566ca2d89bf5f7241800ba8ff2889e37e20ff9b7a35fe408

SHA512
21fe6130b5742d46f5258d1cfe3995d877d6a1da04e1cbf72fb237844dddc812f954003ea3ff29eda789390df1eb2eb6d9673b02d92f4cba1dc9613263a26296

Download Submit
C:\Windows\{B406F151-218C-4890-A93B-608F648CF917}.exe

Filesize
372KB

MD5
8b61a247658ff30b26cb9c3934ddb0e8

SHA1
2f061f92526e2a82aa84d21d15ae3e91ab764275

SHA256
fefd2c882a4b6f52a03dac72105721ee8b6ddd27d56045c9d1917c8b2affc407

SHA512
d19b269397ba57911a5ec1136ca733532f0588c239bc120a89426aaeb5fc6e85b64364bb351ca9779bfbbb8ec6ad12dd9a405126a9bb0c1ef8451afb7ed88e51

Download Submit
C:\Windows\{B406F151-218C-4890-A93B-608F648CF917}.exe

Filesize
372KB

MD5
8b61a247658ff30b26cb9c3934ddb0e8

SHA1
2f061f92526e2a82aa84d21d15ae3e91ab764275

SHA256
fefd2c882a4b6f52a03dac72105721ee8b6ddd27d56045c9d1917c8b2affc407

SHA512
d19b269397ba57911a5ec1136ca733532f0588c239bc120a89426aaeb5fc6e85b64364bb351ca9779bfbbb8ec6ad12dd9a405126a9bb0c1ef8451afb7ed88e51

Download Submit
C:\Windows\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe

Filesize
372KB

MD5
e29c4981e3795ff867fca15435a87729

SHA1
c96e64ef1e0e397f2ebddde38dfc79bec61742b2

SHA256
1ab31e936b05d43c3f17c846a7f14c4984c6a5458286b5f01b62fafe17fe3002

SHA512
9bc441c7d8510259584922fc1a741f4986c0558f8c2cefe9b16eda2fdde3b5c21ed7003c2e2cb133f6f4bc446589d0c71fed72a87813d129c7c2379e416585dd

Download Submit
C:\Windows\{C96BEC6E-0EDF-4321-8F7C-7CC5F02F1EB6}.exe

Filesize
372KB

MD5
e29c4981e3795ff867fca15435a87729

SHA1
c96e64ef1e0e397f2ebddde38dfc79bec61742b2

SHA256
1ab31e936b05d43c3f17c846a7f14c4984c6a5458286b5f01b62fafe17fe3002

SHA512
9bc441c7d8510259584922fc1a741f4986c0558f8c2cefe9b16eda2fdde3b5c21ed7003c2e2cb133f6f4bc446589d0c71fed72a87813d129c7c2379e416585dd

Download Submit
C:\Windows\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe

Filesize
372KB

MD5
2d50e5c80d1493aa3f0012410ea051d5

SHA1
d8fccc4cea1440cd99107a7f43995a2e049c1bd7

SHA256
5bd308deff3e2568f540a458d3a8a494aad85b8089cf58feae35a1d1491a1fe6

SHA512
ffb43c925d436a388dd58374e087df9bc120652c28987e630c4e8b94bc3a3ff10e6e5436cd2b17bcd03f36541346c914abbfe554d4e5d2cba847c6ffc25bc53b

Download Submit
C:\Windows\{F2D6C0A7-6989-4cdc-B658-1107E0716D8F}.exe

Filesize
372KB

MD5
2d50e5c80d1493aa3f0012410ea051d5

SHA1
d8fccc4cea1440cd99107a7f43995a2e049c1bd7

SHA256
5bd308deff3e2568f540a458d3a8a494aad85b8089cf58feae35a1d1491a1fe6

SHA512
ffb43c925d436a388dd58374e087df9bc120652c28987e630c4e8b94bc3a3ff10e6e5436cd2b17bcd03f36541346c914abbfe554d4e5d2cba847c6ffc25bc53b

Download Submit
C:\Windows\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe

Filesize
372KB

MD5
1b48cd1fe745f8bcecb06fc63011aa58

SHA1
059388b15b6989170c58605743655d3a9f893d0f

SHA256
1082ef7f905c3aadf248b518a9d3bc117a03d42508cf65add97c564d343fde67

SHA512
31f2bb8605c1ff6a00250789f03e15e597ccd391a2c4d6ca943a243ae27d3e10234ba6ca9b3b03c3d770d0c696fe1f473e85df202e83128b025783e73e8c59bf

Download Submit
C:\Windows\{F36129E8-DF0F-44d0-9FCD-FDCF2DEF2FE7}.exe

Filesize
372KB

MD5
1b48cd1fe745f8bcecb06fc63011aa58

SHA1
059388b15b6989170c58605743655d3a9f893d0f

SHA256
1082ef7f905c3aadf248b518a9d3bc117a03d42508cf65add97c564d343fde67

SHA512
31f2bb8605c1ff6a00250789f03e15e597ccd391a2c4d6ca943a243ae27d3e10234ba6ca9b3b03c3d770d0c696fe1f473e85df202e83128b025783e73e8c59bf

Download Submit
C:\Windows\{F43F6295-5732-401c-9980-AB441C1D16FA}.exe

Filesize
372KB

MD5
e3ec224eba868f55056fdff71a27e0fb

SHA1
7d2e3935d0c06afc383f8054e5545d47da5b1e8f

SHA256
bed61af6e487cfa0fbb0d23979f2987d29db61d373df3efa0aaeb0d6b20d8540

SHA512
e3fea9625551960c6148753491afca45054c282401b39b4e5887b5a8b2c86829230536cd76b168616a6ec6074e49e64735175ee8b71d2eceae4d147196a5e5a6

Download Submit
C:\Windows\{F43F6295-5732-401c-9980-AB441C1D16FA}.exe

Filesize
372KB

MD5
e3ec224eba868f55056fdff71a27e0fb

SHA1
7d2e3935d0c06afc383f8054e5545d47da5b1e8f

SHA256
bed61af6e487cfa0fbb0d23979f2987d29db61d373df3efa0aaeb0d6b20d8540

SHA512
e3fea9625551960c6148753491afca45054c282401b39b4e5887b5a8b2c86829230536cd76b168616a6ec6074e49e64735175ee8b71d2eceae4d147196a5e5a6

Download Submit
C:\Windows\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe

Filesize
372KB

MD5
92166afba6a5f6905d533b49798ceaa8

SHA1
7d3ca51063e697c95ae97e5d851a6bdf1298ee54

SHA256
8e27adc851e4f69925d3e574b3f7c9ac754fa1891dfc1c07594ab160207ff12a

SHA512
20be5e03c8f6981944fe484c22dc52a95fa2dbc7a473173dd32159892997a28fa6a3b61d36c17f67c5b10ad6499f9dccebde1cb362f5ed8fcf385a4e03720c02

Download Submit
C:\Windows\{FE55B018-75C1-4ecc-B7EE-1993ADC7C933}.exe

Filesize
372KB

MD5
92166afba6a5f6905d533b49798ceaa8

SHA1
7d3ca51063e697c95ae97e5d851a6bdf1298ee54

SHA256
8e27adc851e4f69925d3e574b3f7c9ac754fa1891dfc1c07594ab160207ff12a

SHA512
20be5e03c8f6981944fe484c22dc52a95fa2dbc7a473173dd32159892997a28fa6a3b61d36c17f67c5b10ad6499f9dccebde1cb362f5ed8fcf385a4e03720c02

Download Submit