701f98f5926c1c2314d00c6765c04280d9e4cc04ea493b3bcd7d2e163c262e8a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1601477aaa4deexeexeexeex.exe
Size

372KB
MD5

c1601477aaa4de91145464f1b99a2b71
SHA1

39a81405e287ab8212bb5ede8286a67add67eebf
SHA256

701f98f5926c1c2314d00c6765c04280d9e4cc04ea493b3bcd7d2e163c262e8a
SHA512

b80242ff2b99a73b834f047741cb22f72fbbb6207e21e03916e8ab456d95dfac95a25fc5917a29ef2f415bd23bbee64a5bf0e1869567c9c04d2f966c98f726a7
SSDEEP

3072:CEGh0ocmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGHl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C86BCB99-985D-435d-B392-3DD93691DC97}	c1601477aaa4deexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81752B6E-4B80-46d8-B75F-2B62CF167238}\stubpath = "C:\\Windows\\{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe"	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A20F37-3424-4f5e-B67D-255C286FA34C}	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB85C083-756E-446b-8705-CFA1FB6A8961}	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C86BCB99-985D-435d-B392-3DD93691DC97}\stubpath = "C:\\Windows\\{C86BCB99-985D-435d-B392-3DD93691DC97}.exe"	c1601477aaa4deexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E375A5D-969F-4297-B6A1-6E442EE0F568}\stubpath = "C:\\Windows\\{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe"	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF933DF-51B0-4203-8283-634FA5FDB681}	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A20F37-3424-4f5e-B67D-255C286FA34C}\stubpath = "C:\\Windows\\{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe"	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB85C083-756E-446b-8705-CFA1FB6A8961}\stubpath = "C:\\Windows\\{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe"	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81752B6E-4B80-46d8-B75F-2B62CF167238}	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E375A5D-969F-4297-B6A1-6E442EE0F568}	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}\stubpath = "C:\\Windows\\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe"	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E19B4D-4D87-4555-B592-B2709E570EE2}\stubpath = "C:\\Windows\\{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe"	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}\stubpath = "C:\\Windows\\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe"	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}\stubpath = "C:\\Windows\\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe"	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF933DF-51B0-4203-8283-634FA5FDB681}\stubpath = "C:\\Windows\\{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe"	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E19B4D-4D87-4555-B592-B2709E570EE2}	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}\stubpath = "C:\\Windows\\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe"	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe

Executes dropped EXE 11 IoCs

pid	Process
3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe
652	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe
1268	{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe
File created	C:\Windows\{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	c1601477aaa4deexeexeexeex.exe
File created	C:\Windows\{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
File created	C:\Windows\{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
File created	C:\Windows\{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
File created	C:\Windows\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
File created	C:\Windows\{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
File created	C:\Windows\{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
File created	C:\Windows\{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
File created	C:\Windows\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
File created	C:\Windows\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4944	c1601477aaa4deexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
Token: SeIncBasePriorityPrivilege	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
Token: SeIncBasePriorityPrivilege	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
Token: SeIncBasePriorityPrivilege	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
Token: SeIncBasePriorityPrivilege	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
Token: SeIncBasePriorityPrivilege	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
Token: SeIncBasePriorityPrivilege	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
Token: SeIncBasePriorityPrivilege	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
Token: SeIncBasePriorityPrivilege	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe
Token: SeIncBasePriorityPrivilege	652	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3320	4944	c1601477aaa4deexeexeexeex.exe	84
PID 4944 wrote to memory of 3320	4944	c1601477aaa4deexeexeexeex.exe	84
PID 4944 wrote to memory of 3320	4944	c1601477aaa4deexeexeexeex.exe	84
PID 4944 wrote to memory of 560	4944	c1601477aaa4deexeexeexeex.exe	85
PID 4944 wrote to memory of 560	4944	c1601477aaa4deexeexeexeex.exe	85
PID 4944 wrote to memory of 560	4944	c1601477aaa4deexeexeexeex.exe	85
PID 3320 wrote to memory of 4672	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	88
PID 3320 wrote to memory of 4672	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	88
PID 3320 wrote to memory of 4672	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	88
PID 3320 wrote to memory of 1648	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	89
PID 3320 wrote to memory of 1648	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	89
PID 3320 wrote to memory of 1648	3320	{C86BCB99-985D-435d-B392-3DD93691DC97}.exe	89
PID 4672 wrote to memory of 768	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	92
PID 4672 wrote to memory of 768	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	92
PID 4672 wrote to memory of 768	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	92
PID 4672 wrote to memory of 1832	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	91
PID 4672 wrote to memory of 1832	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	91
PID 4672 wrote to memory of 1832	4672	{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe	91
PID 768 wrote to memory of 1100	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	93
PID 768 wrote to memory of 1100	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	93
PID 768 wrote to memory of 1100	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	93
PID 768 wrote to memory of 3416	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	94
PID 768 wrote to memory of 3416	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	94
PID 768 wrote to memory of 3416	768	{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe	94
PID 1100 wrote to memory of 2236	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	96
PID 1100 wrote to memory of 2236	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	96
PID 1100 wrote to memory of 2236	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	96
PID 1100 wrote to memory of 2120	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	97
PID 1100 wrote to memory of 2120	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	97
PID 1100 wrote to memory of 2120	1100	{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe	97
PID 2236 wrote to memory of 2096	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	98
PID 2236 wrote to memory of 2096	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	98
PID 2236 wrote to memory of 2096	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	98
PID 2236 wrote to memory of 4872	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	99
PID 2236 wrote to memory of 4872	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	99
PID 2236 wrote to memory of 4872	2236	{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe	99
PID 2096 wrote to memory of 4532	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	100
PID 2096 wrote to memory of 4532	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	100
PID 2096 wrote to memory of 4532	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	100
PID 2096 wrote to memory of 3420	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	101
PID 2096 wrote to memory of 3420	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	101
PID 2096 wrote to memory of 3420	2096	{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe	101
PID 4532 wrote to memory of 692	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	102
PID 4532 wrote to memory of 692	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	102
PID 4532 wrote to memory of 692	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	102
PID 4532 wrote to memory of 4552	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	103
PID 4532 wrote to memory of 4552	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	103
PID 4532 wrote to memory of 4552	4532	{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe	103
PID 692 wrote to memory of 3248	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	106
PID 692 wrote to memory of 3248	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	106
PID 692 wrote to memory of 3248	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	106
PID 692 wrote to memory of 2808	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	107
PID 692 wrote to memory of 2808	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	107
PID 692 wrote to memory of 2808	692	{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe	107
PID 3248 wrote to memory of 652	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	108
PID 3248 wrote to memory of 652	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	108
PID 3248 wrote to memory of 652	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	108
PID 3248 wrote to memory of 4416	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	109
PID 3248 wrote to memory of 4416	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	109
PID 3248 wrote to memory of 4416	3248	{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe	109
PID 652 wrote to memory of 1268	652	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe	110
PID 652 wrote to memory of 1268	652	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe	110
PID 652 wrote to memory of 1268	652	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe	110
PID 652 wrote to memory of 456	652	{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe	111

C:\Users\Admin\AppData\Local\Temp\c1601477aaa4deexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c1601477aaa4deexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
  C:\Windows\{C86BCB99-985D-435d-B392-3DD93691DC97}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
    C:\Windows\{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81752~1.EXE > nul
      4⤵
      PID:1832
  - - C:\Windows\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
      C:\Windows\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
        
        C:\Windows\{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
        
        C:\Windows\{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
        
        C:\Windows\{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
        
        C:\Windows\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
        
        C:\Windows\{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe
        
        C:\Windows\{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe
        
        C:\Windows\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe
        
        C:\Windows\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE00C~1.EXE > nul
        12⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB85C~1.EXE > nul
        11⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95E19~1.EXE > nul
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53FC3~1.EXE > nul
        9⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A20~1.EXE > nul
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF93~1.EXE > nul
        7⤵
        
        PID:4872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E375~1.EXE > nul
        6⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B57D8~1.EXE > nul
        5⤵
        
        PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C86BC~1.EXE > nul
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C16014~1.EXE > nul
  2⤵
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe

Filesize
372KB

MD5
fd9eb256eb27d1ceadb4e4a201e1b250

SHA1
67b9e0be5b6a0cd39330aeb55e2409e2459951a6

SHA256
e69b385994a18e60d47bbfaa3b1000052dfa67e3a38df25b1db4f4dfc76963e6

SHA512
6f50e997e2a041d373a8a201c1868ce8b54c4fffdb4563594ca745c6b3e2215c283c56f706b6853d0627ba59e62a9968a10bb7e10c25b2308a0ade70a4082c36

Download Submit
C:\Windows\{0E375A5D-969F-4297-B6A1-6E442EE0F568}.exe

Filesize
372KB

MD5
fd9eb256eb27d1ceadb4e4a201e1b250

SHA1
67b9e0be5b6a0cd39330aeb55e2409e2459951a6

SHA256
e69b385994a18e60d47bbfaa3b1000052dfa67e3a38df25b1db4f4dfc76963e6

SHA512
6f50e997e2a041d373a8a201c1868ce8b54c4fffdb4563594ca745c6b3e2215c283c56f706b6853d0627ba59e62a9968a10bb7e10c25b2308a0ade70a4082c36

Download Submit
C:\Windows\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe

Filesize
372KB

MD5
a94f0b8f9d942ebc0dbcdff933de4887

SHA1
f57b5804a95bdf4f10888f239ac519aae5b66041

SHA256
e94ab9017723afb6a7c1c35bb52536fe0b5abcb3261fbc4d5ea45603c304bea6

SHA512
0fb010be4bd9eebd1591283e124597ea57c1a0382426a09dbc7695086ae70d3cc46d6ca361a76b42b1c7ee4903f5a9a6e83e281976724c3a7b027b6f42e98afd

Download Submit
C:\Windows\{1A0B7535-6D46-4ffc-9B27-C0862A1F6CD1}.exe

Filesize
372KB

MD5
a94f0b8f9d942ebc0dbcdff933de4887

SHA1
f57b5804a95bdf4f10888f239ac519aae5b66041

SHA256
e94ab9017723afb6a7c1c35bb52536fe0b5abcb3261fbc4d5ea45603c304bea6

SHA512
0fb010be4bd9eebd1591283e124597ea57c1a0382426a09dbc7695086ae70d3cc46d6ca361a76b42b1c7ee4903f5a9a6e83e281976724c3a7b027b6f42e98afd

Download Submit
C:\Windows\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe

Filesize
372KB

MD5
8e607eb4235843da84f9bbc63206dafb

SHA1
ef1ba9f90d047ecdfb4d56f7dff50e95e61160ce

SHA256
fe3cb6632b61dd1c57f5c2645039af00286d7e7dbbd28338ff5dffe0c5320959

SHA512
274abe3e3db7ea5db204135adb51c195aed6ef77435c42f0eb1ffd7b15c9275840588789d38fdd9ed585c5cf8ce7ba70fbf6ddce6a4ba2ffccb2b2204ff68ef8

Download Submit
C:\Windows\{53FC3AF6-7B74-4444-8901-0B899D4CD5EB}.exe

Filesize
372KB

MD5
8e607eb4235843da84f9bbc63206dafb

SHA1
ef1ba9f90d047ecdfb4d56f7dff50e95e61160ce

SHA256
fe3cb6632b61dd1c57f5c2645039af00286d7e7dbbd28338ff5dffe0c5320959

SHA512
274abe3e3db7ea5db204135adb51c195aed6ef77435c42f0eb1ffd7b15c9275840588789d38fdd9ed585c5cf8ce7ba70fbf6ddce6a4ba2ffccb2b2204ff68ef8

Download Submit
C:\Windows\{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe

Filesize
372KB

MD5
562c3bea4bf2fff78563970b17ec715b

SHA1
450c2638ca475e7e1663ec15215af615c4eecefd

SHA256
ecc92a2484f63a25df8e763a82efc294cea9541b72de4513df975e591e8f2cfe

SHA512
859990f301e3d4e77a1c3dd397786bae0a228b339b1228bac12742de8104d813d275571ebbe47f31f7b2b2d6c91bcd9f52ff85ae749d0c7254441ed0199291f4

Download Submit
C:\Windows\{66A20F37-3424-4f5e-B67D-255C286FA34C}.exe

Filesize
372KB

MD5
562c3bea4bf2fff78563970b17ec715b

SHA1
450c2638ca475e7e1663ec15215af615c4eecefd

SHA256
ecc92a2484f63a25df8e763a82efc294cea9541b72de4513df975e591e8f2cfe

SHA512
859990f301e3d4e77a1c3dd397786bae0a228b339b1228bac12742de8104d813d275571ebbe47f31f7b2b2d6c91bcd9f52ff85ae749d0c7254441ed0199291f4

Download Submit
C:\Windows\{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe

Filesize
372KB

MD5
a5a83518cd7b90122a716a9bd775c2c4

SHA1
4e97339d071f8033d53f36be8b2371d9255b35b6

SHA256
941def254e01815ca5bd8479861fd7e31da44f5a3522c093aee38691ade4b457

SHA512
18cacfd67ff5cb05cb9c6cc8321848b4a0b5cf71e286316796037425bff28406c16acb95fdb7a70eeb5681b0ce9d1ccea325f3cb4738145fff3a46bff3292b95

Download Submit
C:\Windows\{81752B6E-4B80-46d8-B75F-2B62CF167238}.exe

Filesize
372KB

MD5
a5a83518cd7b90122a716a9bd775c2c4

SHA1
4e97339d071f8033d53f36be8b2371d9255b35b6

SHA256
941def254e01815ca5bd8479861fd7e31da44f5a3522c093aee38691ade4b457

SHA512
18cacfd67ff5cb05cb9c6cc8321848b4a0b5cf71e286316796037425bff28406c16acb95fdb7a70eeb5681b0ce9d1ccea325f3cb4738145fff3a46bff3292b95

Download Submit
C:\Windows\{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe

Filesize
372KB

MD5
e2cefc20d3a995cd5ce3c68df810a862

SHA1
d572e63dba0f419c84de86afa8184d38084246eb

SHA256
a0bd16a9902ada153124b326ba36bfd442babf61806484c156afdea717500e1a

SHA512
fef986d026c1653c603d8bcc02e2c2e8266f49287258ba4351aa1a79ffb683c31341a05e421cf7f9a681d2a6371f2969cbb0c9263c016718cb1420b6d49df626

Download Submit
C:\Windows\{8CF933DF-51B0-4203-8283-634FA5FDB681}.exe

Filesize
372KB

MD5
e2cefc20d3a995cd5ce3c68df810a862

SHA1
d572e63dba0f419c84de86afa8184d38084246eb

SHA256
a0bd16a9902ada153124b326ba36bfd442babf61806484c156afdea717500e1a

SHA512
fef986d026c1653c603d8bcc02e2c2e8266f49287258ba4351aa1a79ffb683c31341a05e421cf7f9a681d2a6371f2969cbb0c9263c016718cb1420b6d49df626

Download Submit
C:\Windows\{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe

Filesize
372KB

MD5
973c6857a4c7ee76b7e0bac97a405a5d

SHA1
22ad98f1270b83f3173fdb8cd20a05423ceb175a

SHA256
58932544f29236f950e3b4f86d88ab0aa358a5b99f4ac90afbda077b47c17d7c

SHA512
b8571eda452830712f0be62f67eefc49ca29b6c610a32495d60eedc4fd8fc2fc070df6f188a3c57c6a3139067b370cb8bda58e17435caf120eefb54c84e8ff42

Download Submit
C:\Windows\{95E19B4D-4D87-4555-B592-B2709E570EE2}.exe

Filesize
372KB

MD5
973c6857a4c7ee76b7e0bac97a405a5d

SHA1
22ad98f1270b83f3173fdb8cd20a05423ceb175a

SHA256
58932544f29236f950e3b4f86d88ab0aa358a5b99f4ac90afbda077b47c17d7c

SHA512
b8571eda452830712f0be62f67eefc49ca29b6c610a32495d60eedc4fd8fc2fc070df6f188a3c57c6a3139067b370cb8bda58e17435caf120eefb54c84e8ff42

Download Submit
C:\Windows\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe

Filesize
372KB

MD5
7d602e616def71ba342b38dccd578d25

SHA1
77f9974ffa1fd5c5a72a95d1ff8436d52f0580bc

SHA256
4924270159a5e0e179502715f692f8c04a0b806195a011276f6d0cd14760f172

SHA512
0381a5cfd943086200a79e6632eedcc114545e1f037e5b9d1a9e6b9685cd689fa9908fec1bf303943582bb35b7ff0ae0aba98ea790c0362265e3c9e667c62a4a

Download Submit
C:\Windows\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe

Filesize
372KB

MD5
7d602e616def71ba342b38dccd578d25

SHA1
77f9974ffa1fd5c5a72a95d1ff8436d52f0580bc

SHA256
4924270159a5e0e179502715f692f8c04a0b806195a011276f6d0cd14760f172

SHA512
0381a5cfd943086200a79e6632eedcc114545e1f037e5b9d1a9e6b9685cd689fa9908fec1bf303943582bb35b7ff0ae0aba98ea790c0362265e3c9e667c62a4a

Download Submit
C:\Windows\{B57D8212-DDFB-44a0-8A8B-DA10E9F2EFFD}.exe

Filesize
372KB

MD5
7d602e616def71ba342b38dccd578d25

SHA1
77f9974ffa1fd5c5a72a95d1ff8436d52f0580bc

SHA256
4924270159a5e0e179502715f692f8c04a0b806195a011276f6d0cd14760f172

SHA512
0381a5cfd943086200a79e6632eedcc114545e1f037e5b9d1a9e6b9685cd689fa9908fec1bf303943582bb35b7ff0ae0aba98ea790c0362265e3c9e667c62a4a

Download Submit
C:\Windows\{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe

Filesize
372KB

MD5
01bfba0db9ef47133f3c96c71fe48e3d

SHA1
993c57a288438a923bda5b346c6097cbdde86d98

SHA256
611cf835e1f931243bc509dfa00f09c3ee325bf7a644f1a8608c1795c0dc473e

SHA512
82b372b58994e0ed0295615b04ac9c5f2380b96ba6a5fc637b29db01f9a5ba9fec0423cb56a0ba7636a68c002d5e97d62ab1117d19ff3558ee39089a1746c0f5

Download Submit
C:\Windows\{BB85C083-756E-446b-8705-CFA1FB6A8961}.exe

Filesize
372KB

MD5
01bfba0db9ef47133f3c96c71fe48e3d

SHA1
993c57a288438a923bda5b346c6097cbdde86d98

SHA256
611cf835e1f931243bc509dfa00f09c3ee325bf7a644f1a8608c1795c0dc473e

SHA512
82b372b58994e0ed0295615b04ac9c5f2380b96ba6a5fc637b29db01f9a5ba9fec0423cb56a0ba7636a68c002d5e97d62ab1117d19ff3558ee39089a1746c0f5

Download Submit
C:\Windows\{C86BCB99-985D-435d-B392-3DD93691DC97}.exe

Filesize
372KB

MD5
98c0abf5de57f2120f78dc243573e7ea

SHA1
482d81b2a531a2117bb587b38b39150ad78e928c

SHA256
8482749fbd1efa00ed3e0e54e8f41caf55e10dc29cc258d03f4620e9448492d3

SHA512
78b8d4654a9687683a432e9cd1f35c89de839bfa54b57d739d084413555b0814f7f79ee7d40e447c458c0ee1eb7c09196970c962928938825b38f5079d169a44

Download Submit
C:\Windows\{C86BCB99-985D-435d-B392-3DD93691DC97}.exe

Filesize
372KB

MD5
98c0abf5de57f2120f78dc243573e7ea

SHA1
482d81b2a531a2117bb587b38b39150ad78e928c

SHA256
8482749fbd1efa00ed3e0e54e8f41caf55e10dc29cc258d03f4620e9448492d3

SHA512
78b8d4654a9687683a432e9cd1f35c89de839bfa54b57d739d084413555b0814f7f79ee7d40e447c458c0ee1eb7c09196970c962928938825b38f5079d169a44

Download Submit
C:\Windows\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe

Filesize
372KB

MD5
e1b997f24d98173521f42c64d1bd751e

SHA1
fa4f5a9503c9c4e96bde383bcba13616e23ef372

SHA256
e0a3ae7b470b1a8760db2f8e19388e4da5f2ab66e45fa2197734ba764ae90bac

SHA512
2b5edcb39ee70e81ce58128cab1bf2d6b79db376dfda74340ff1ecd3c7eb4292e8dc8eebd9fbfcb6dabb5f7a598b62702e0042c6c9a9410cdf2c4f16c9821cdb

Download Submit
C:\Windows\{DE00C019-BA7A-4c67-B81D-A215192B8AE1}.exe

Filesize
372KB

MD5
e1b997f24d98173521f42c64d1bd751e

SHA1
fa4f5a9503c9c4e96bde383bcba13616e23ef372

SHA256
e0a3ae7b470b1a8760db2f8e19388e4da5f2ab66e45fa2197734ba764ae90bac

SHA512
2b5edcb39ee70e81ce58128cab1bf2d6b79db376dfda74340ff1ecd3c7eb4292e8dc8eebd9fbfcb6dabb5f7a598b62702e0042c6c9a9410cdf2c4f16c9821cdb

Download Submit