3a423fab62db5d8d063b92dad2c35c789e9285059f578ad90591f7823fb5cd80

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 14:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca008bdadc7c45exeexeexeex.exe
Size

372KB
MD5

ca008bdadc7c45272c33f8db1f7f61e7
SHA1

8e3b896f74d8aaf3c9e2a079b2476081c8e6f65b
SHA256

3a423fab62db5d8d063b92dad2c35c789e9285059f578ad90591f7823fb5cd80
SHA512

d698e58c85766ed84750d1b246467a15b3b60667f69204969c1d7b99d58f8a8bb59e1289d1533b78189f870dfe978d79c1019988abdb160b6de1c5415622c7da
SSDEEP

3072:CEGh0ormlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGsl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10C716C-4E83-4105-BBFD-C52F14E60615}\stubpath = "C:\\Windows\\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe"	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3761F04F-A381-472f-8BC9-A8E201692671}\stubpath = "C:\\Windows\\{3761F04F-A381-472f-8BC9-A8E201692671}.exe"	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B667A369-296A-408a-A76F-A4D4C19D8CF6}	{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C99A6427-A907-46a1-A386-44C7B8420A2C}\stubpath = "C:\\Windows\\{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe"	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3761F04F-A381-472f-8BC9-A8E201692671}	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B667A369-296A-408a-A76F-A4D4C19D8CF6}\stubpath = "C:\\Windows\\{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe"	{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}\stubpath = "C:\\Windows\\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe"	ca008bdadc7c45exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}\stubpath = "C:\\Windows\\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe"	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}\stubpath = "C:\\Windows\\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe"	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C99A6427-A907-46a1-A386-44C7B8420A2C}	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}	ca008bdadc7c45exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10C716C-4E83-4105-BBFD-C52F14E60615}	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}\stubpath = "C:\\Windows\\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe"	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}	{3761F04F-A381-472f-8BC9-A8E201692671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}\stubpath = "C:\\Windows\\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe"	{3761F04F-A381-472f-8BC9-A8E201692671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}\stubpath = "C:\\Windows\\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe"	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}\stubpath = "C:\\Windows\\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe"	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}\stubpath = "C:\\Windows\\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe"	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe

Executes dropped EXE 12 IoCs

pid	Process
3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe
3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe
1392	{3761F04F-A381-472f-8BC9-A8E201692671}.exe
4920	{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe
932	{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
File created	C:\Windows\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
File created	C:\Windows\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
File created	C:\Windows\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
File created	C:\Windows\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe
File created	C:\Windows\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
File created	C:\Windows\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
File created	C:\Windows\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	ca008bdadc7c45exeexeexeex.exe
File created	C:\Windows\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe	{3761F04F-A381-472f-8BC9-A8E201692671}.exe
File created	C:\Windows\{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
File created	C:\Windows\{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe	{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe
File created	C:\Windows\{3761F04F-A381-472f-8BC9-A8E201692671}.exe	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1980	ca008bdadc7c45exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
Token: SeIncBasePriorityPrivilege	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
Token: SeIncBasePriorityPrivilege	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
Token: SeIncBasePriorityPrivilege	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
Token: SeIncBasePriorityPrivilege	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe
Token: SeIncBasePriorityPrivilege	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
Token: SeIncBasePriorityPrivilege	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
Token: SeIncBasePriorityPrivilege	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
Token: SeIncBasePriorityPrivilege	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe
Token: SeIncBasePriorityPrivilege	1392	{3761F04F-A381-472f-8BC9-A8E201692671}.exe
Token: SeIncBasePriorityPrivilege	4920	{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3928	1980	ca008bdadc7c45exeexeexeex.exe	84
PID 1980 wrote to memory of 3928	1980	ca008bdadc7c45exeexeexeex.exe	84
PID 1980 wrote to memory of 3928	1980	ca008bdadc7c45exeexeexeex.exe	84
PID 1980 wrote to memory of 1688	1980	ca008bdadc7c45exeexeexeex.exe	85
PID 1980 wrote to memory of 1688	1980	ca008bdadc7c45exeexeexeex.exe	85
PID 1980 wrote to memory of 1688	1980	ca008bdadc7c45exeexeexeex.exe	85
PID 3928 wrote to memory of 3808	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	86
PID 3928 wrote to memory of 3808	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	86
PID 3928 wrote to memory of 3808	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	86
PID 3928 wrote to memory of 4476	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	87
PID 3928 wrote to memory of 4476	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	87
PID 3928 wrote to memory of 4476	3928	{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe	87
PID 3808 wrote to memory of 1848	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	92
PID 3808 wrote to memory of 1848	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	92
PID 3808 wrote to memory of 1848	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	92
PID 3808 wrote to memory of 2356	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	91
PID 3808 wrote to memory of 2356	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	91
PID 3808 wrote to memory of 2356	3808	{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe	91
PID 1848 wrote to memory of 3824	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	93
PID 1848 wrote to memory of 3824	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	93
PID 1848 wrote to memory of 3824	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	93
PID 1848 wrote to memory of 3768	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	94
PID 1848 wrote to memory of 3768	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	94
PID 1848 wrote to memory of 3768	1848	{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe	94
PID 3824 wrote to memory of 4024	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	95
PID 3824 wrote to memory of 4024	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	95
PID 3824 wrote to memory of 4024	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	95
PID 3824 wrote to memory of 1952	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	96
PID 3824 wrote to memory of 1952	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	96
PID 3824 wrote to memory of 1952	3824	{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe	96
PID 4024 wrote to memory of 3816	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	98
PID 4024 wrote to memory of 3816	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	98
PID 4024 wrote to memory of 3816	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	98
PID 4024 wrote to memory of 1784	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	99
PID 4024 wrote to memory of 1784	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	99
PID 4024 wrote to memory of 1784	4024	{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe	99
PID 3816 wrote to memory of 3396	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	100
PID 3816 wrote to memory of 3396	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	100
PID 3816 wrote to memory of 3396	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	100
PID 3816 wrote to memory of 4048	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	101
PID 3816 wrote to memory of 4048	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	101
PID 3816 wrote to memory of 4048	3816	{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe	101
PID 3396 wrote to memory of 4876	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	103
PID 3396 wrote to memory of 4876	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	103
PID 3396 wrote to memory of 4876	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	103
PID 3396 wrote to memory of 2724	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	104
PID 3396 wrote to memory of 2724	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	104
PID 3396 wrote to memory of 2724	3396	{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe	104
PID 4876 wrote to memory of 4704	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	111
PID 4876 wrote to memory of 4704	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	111
PID 4876 wrote to memory of 4704	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	111
PID 4876 wrote to memory of 2744	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	112
PID 4876 wrote to memory of 2744	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	112
PID 4876 wrote to memory of 2744	4876	{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe	112
PID 4704 wrote to memory of 1392	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	113
PID 4704 wrote to memory of 1392	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	113
PID 4704 wrote to memory of 1392	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	113
PID 4704 wrote to memory of 1980	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	114
PID 4704 wrote to memory of 1980	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	114
PID 4704 wrote to memory of 1980	4704	{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe	114
PID 1392 wrote to memory of 4920	1392	{3761F04F-A381-472f-8BC9-A8E201692671}.exe	115
PID 1392 wrote to memory of 4920	1392	{3761F04F-A381-472f-8BC9-A8E201692671}.exe	115
PID 1392 wrote to memory of 4920	1392	{3761F04F-A381-472f-8BC9-A8E201692671}.exe	115
PID 1392 wrote to memory of 1328	1392	{3761F04F-A381-472f-8BC9-A8E201692671}.exe	116

C:\Users\Admin\AppData\Local\Temp\ca008bdadc7c45exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ca008bdadc7c45exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
  C:\Windows\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
    C:\Windows\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F1B9~1.EXE > nul
      4⤵
      PID:2356
  - - C:\Windows\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
      C:\Windows\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
        
        C:\Windows\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe
        
        C:\Windows\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
        
        C:\Windows\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
        
        C:\Windows\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
        
        C:\Windows\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe
        
        C:\Windows\{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{3761F04F-A381-472f-8BC9-A8E201692671}.exe
        
        C:\Windows\{3761F04F-A381-472f-8BC9-A8E201692671}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe
        
        C:\Windows\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe
        
        C:\Windows\{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe
        13⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1F2~1.EXE > nul
        13⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3761F~1.EXE > nul
        12⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C99A6~1.EXE > nul
        11⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ED3E~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB55D~1.EXE > nul
        9⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B428F~1.EXE > nul
        8⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B89B0~1.EXE > nul
        7⤵
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FDFE~1.EXE > nul
        6⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E10C7~1.EXE > nul
        5⤵
        
        PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D22~1.EXE > nul
    3⤵
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CA008B~1.EXE > nul
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe

Filesize
372KB

MD5
5d40d28d538247cf1a0166b25559955a

SHA1
d004be28bd28dcb74ae981aa1e7a9b7c22ff02b1

SHA256
b02fd4db3696dd442d3012dc73e4d92e92f848f0df7c31fce638bda89bc656ae

SHA512
04c58ddf47f26e6e66fc7c26266495e982a3b0e1c872ee79431d27a833c5b634efa4b8a716bc52ba537d05c0cd42ba71f17a859275e7209912cae63cde409bb6

Download Submit
C:\Windows\{1FDFE06B-D3C5-4bc9-8F7A-FAD02F9F17EB}.exe

Filesize
372KB

MD5
5d40d28d538247cf1a0166b25559955a

SHA1
d004be28bd28dcb74ae981aa1e7a9b7c22ff02b1

SHA256
b02fd4db3696dd442d3012dc73e4d92e92f848f0df7c31fce638bda89bc656ae

SHA512
04c58ddf47f26e6e66fc7c26266495e982a3b0e1c872ee79431d27a833c5b634efa4b8a716bc52ba537d05c0cd42ba71f17a859275e7209912cae63cde409bb6

Download Submit
C:\Windows\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe

Filesize
372KB

MD5
24e2bfcb642895dce32dc9eb76c9003d

SHA1
5edb0120a68c37003af822c904d2822ddc52b915

SHA256
60417666e0395e716cd59e94d9c3a50fe08d5a545e6449feb0a79e4410cd8ba3

SHA512
4240e033fa99709bf41616cf9523c067ca62ce8d6b6f6c717d63f9391e9dc4e616972f450634c02aaef4dd07e605b8f8c4c7654fe06e2885116256b74c2d2330

Download Submit
C:\Windows\{2ED3E010-8041-45d2-8F2E-6E052F2581A1}.exe

Filesize
372KB

MD5
24e2bfcb642895dce32dc9eb76c9003d

SHA1
5edb0120a68c37003af822c904d2822ddc52b915

SHA256
60417666e0395e716cd59e94d9c3a50fe08d5a545e6449feb0a79e4410cd8ba3

SHA512
4240e033fa99709bf41616cf9523c067ca62ce8d6b6f6c717d63f9391e9dc4e616972f450634c02aaef4dd07e605b8f8c4c7654fe06e2885116256b74c2d2330

Download Submit
C:\Windows\{3761F04F-A381-472f-8BC9-A8E201692671}.exe

Filesize
372KB

MD5
f6275997f0aa46ec06ac6d21145f0137

SHA1
85a07921cfa8227fc6680a34b15a2e30ea7931f3

SHA256
9c1b41624acb1b73fdabd2707ff8365940b04dc8a601effedec53d4ef6ae9430

SHA512
b3b4499043505c85c70ec61a00d2bbaf39c37f707a604e9422a43e550414c9a80359d771ec66eec49ae97cfd9cd5a1a7d4c7b37c5d84b50a65cba1f5e4ab3f17

Download Submit
C:\Windows\{3761F04F-A381-472f-8BC9-A8E201692671}.exe

Filesize
372KB

MD5
f6275997f0aa46ec06ac6d21145f0137

SHA1
85a07921cfa8227fc6680a34b15a2e30ea7931f3

SHA256
9c1b41624acb1b73fdabd2707ff8365940b04dc8a601effedec53d4ef6ae9430

SHA512
b3b4499043505c85c70ec61a00d2bbaf39c37f707a604e9422a43e550414c9a80359d771ec66eec49ae97cfd9cd5a1a7d4c7b37c5d84b50a65cba1f5e4ab3f17

Download Submit
C:\Windows\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe

Filesize
372KB

MD5
517c8c1a3b33bd7e4c61c033271e73a0

SHA1
834515aa99214756f5aacbe85b1c796ff16a08d3

SHA256
c0849b4e4c56f2c9dcaa2e6ab068aa5d5af6fa4b59fd95c547b8801352f8ae0a

SHA512
67e898c58fcf586f7d08afcec60f3309e28ec74dd3c2a21ad16887c96ed9c011f7c1016c3bae37f8d25cd803d598829507c5483b99fad36ffd3a83c847f2aabf

Download Submit
C:\Windows\{5A1F2073-6DC0-4c41-970A-3873EFF16AA4}.exe

Filesize
372KB

MD5
517c8c1a3b33bd7e4c61c033271e73a0

SHA1
834515aa99214756f5aacbe85b1c796ff16a08d3

SHA256
c0849b4e4c56f2c9dcaa2e6ab068aa5d5af6fa4b59fd95c547b8801352f8ae0a

SHA512
67e898c58fcf586f7d08afcec60f3309e28ec74dd3c2a21ad16887c96ed9c011f7c1016c3bae37f8d25cd803d598829507c5483b99fad36ffd3a83c847f2aabf

Download Submit
C:\Windows\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe

Filesize
372KB

MD5
ab72a3ee4441627a09ee4c1d003efed5

SHA1
721ed1276ed33a8dba99d0f1fe0f19728cddaedf

SHA256
236e6fe9e4437306737633361400f82f557e27dd6eb7b878c1f05a30fe9a4db9

SHA512
5798cf3c9b61c4363fe58d12febec9a263d39d185181f51eba48f26f9b7b9521814fe92918078c11abc694ca5fac719585de4fa76ee53b7f152ab7e8a27c2c02

Download Submit
C:\Windows\{8F1B9315-31C6-4e11-8AFD-124A592A01FF}.exe

Filesize
372KB

MD5
ab72a3ee4441627a09ee4c1d003efed5

SHA1
721ed1276ed33a8dba99d0f1fe0f19728cddaedf

SHA256
236e6fe9e4437306737633361400f82f557e27dd6eb7b878c1f05a30fe9a4db9

SHA512
5798cf3c9b61c4363fe58d12febec9a263d39d185181f51eba48f26f9b7b9521814fe92918078c11abc694ca5fac719585de4fa76ee53b7f152ab7e8a27c2c02

Download Submit
C:\Windows\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe

Filesize
372KB

MD5
a4f81852dfa7fb6d409a9c32022ca0b1

SHA1
39f5b8ab7731fada3af7b171f99b396d5a9dfef0

SHA256
0a9e6b9168909ebf905595b9c4739d26b59c0e998c083151c65b8d1f5b576865

SHA512
49f4e03d062a4f48ca47b7657b5ded89bb921da3e493b4ad19b04470c8bb36b1e3df36cf90ee7284f98792f68642984e0914b659c024e65b1955731be8a5b0b8

Download Submit
C:\Windows\{B428F1D2-5D99-4a9a-A44C-F2A9A2F170A1}.exe

Filesize
372KB

MD5
a4f81852dfa7fb6d409a9c32022ca0b1

SHA1
39f5b8ab7731fada3af7b171f99b396d5a9dfef0

SHA256
0a9e6b9168909ebf905595b9c4739d26b59c0e998c083151c65b8d1f5b576865

SHA512
49f4e03d062a4f48ca47b7657b5ded89bb921da3e493b4ad19b04470c8bb36b1e3df36cf90ee7284f98792f68642984e0914b659c024e65b1955731be8a5b0b8

Download Submit
C:\Windows\{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe

Filesize
372KB

MD5
3b9477f32caaefb80cb8c24c571e78da

SHA1
baf6617e948daff1c002c435c114dacc55958376

SHA256
9f93e231d18db78851eafe12c9693f0354a94fa4947fcdc7b184f8e902178aee

SHA512
479f68a7cb4ba018341325e4233afc171652d68d4fb8666ce59144934222b8d37402137aa37a993a22494c77e71ece13b096cd9a94a725831f2b7f4d85a9e67b

Download Submit
C:\Windows\{B667A369-296A-408a-A76F-A4D4C19D8CF6}.exe

Filesize
372KB

MD5
3b9477f32caaefb80cb8c24c571e78da

SHA1
baf6617e948daff1c002c435c114dacc55958376

SHA256
9f93e231d18db78851eafe12c9693f0354a94fa4947fcdc7b184f8e902178aee

SHA512
479f68a7cb4ba018341325e4233afc171652d68d4fb8666ce59144934222b8d37402137aa37a993a22494c77e71ece13b096cd9a94a725831f2b7f4d85a9e67b

Download Submit
C:\Windows\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe

Filesize
372KB

MD5
a43e3a30094a7817e1c73580b2bb8b43

SHA1
16d4a97cf2cd3667a1265867013e6f710b0670d6

SHA256
62e6a787b93991a24987b7743fb988dbdbb48da48d1c4155bef397cb9cd1ec80

SHA512
dcd91fe2abe28509ed74edd84a637b5dafd8a72dcf011510c282a79765a5ab2f57d9a890ad78f88b7f14fec0c78c69353c83c366d0b8d6dcc574bb24c3fae8d4

Download Submit
C:\Windows\{B89B0FA2-BF5A-49cf-9E7B-ED5CD2EE2212}.exe

Filesize
372KB

MD5
a43e3a30094a7817e1c73580b2bb8b43

SHA1
16d4a97cf2cd3667a1265867013e6f710b0670d6

SHA256
62e6a787b93991a24987b7743fb988dbdbb48da48d1c4155bef397cb9cd1ec80

SHA512
dcd91fe2abe28509ed74edd84a637b5dafd8a72dcf011510c282a79765a5ab2f57d9a890ad78f88b7f14fec0c78c69353c83c366d0b8d6dcc574bb24c3fae8d4

Download Submit
C:\Windows\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe

Filesize
372KB

MD5
a8f3ccf194362334fc1abe1ba3f5aeb7

SHA1
ed57ba123ff84d70287b67bfb78d53e873318ac0

SHA256
b8c9d833277e2331d1d42c078cabfa04b67fed3fc032536b22a377f8e6a13a39

SHA512
44f632f6b0ad2ed9eca5c2fa413a5d4d9ac9f88233c23d303e462e634431c454f1d0a1bbebbf0c34084ddda196c721d6931105948d8f1b041783d2c7c270ad85

Download Submit
C:\Windows\{C2D22F2C-EE1C-4539-8FDC-D07FE8F02F33}.exe

Filesize
372KB

MD5
a8f3ccf194362334fc1abe1ba3f5aeb7

SHA1
ed57ba123ff84d70287b67bfb78d53e873318ac0

SHA256
b8c9d833277e2331d1d42c078cabfa04b67fed3fc032536b22a377f8e6a13a39

SHA512
44f632f6b0ad2ed9eca5c2fa413a5d4d9ac9f88233c23d303e462e634431c454f1d0a1bbebbf0c34084ddda196c721d6931105948d8f1b041783d2c7c270ad85

Download Submit
C:\Windows\{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe

Filesize
372KB

MD5
401f3fd415d2938b5bd25ea208fc654e

SHA1
d16c01957610c1c39f1b0b30b6d7307099bf4787

SHA256
19863069c3c84441f69f891ab6a5110575d78141642041bb53c9a666f5c06e2b

SHA512
fc47a6a44f564e29b250b7d05508a16c5241fc589425dc04f818229f134639a416bcaf66a3a63db0cee5627bc3bdb8a8d2802ab364410c6eb17b81724cfdf81e

Download Submit
C:\Windows\{C99A6427-A907-46a1-A386-44C7B8420A2C}.exe

Filesize
372KB

MD5
401f3fd415d2938b5bd25ea208fc654e

SHA1
d16c01957610c1c39f1b0b30b6d7307099bf4787

SHA256
19863069c3c84441f69f891ab6a5110575d78141642041bb53c9a666f5c06e2b

SHA512
fc47a6a44f564e29b250b7d05508a16c5241fc589425dc04f818229f134639a416bcaf66a3a63db0cee5627bc3bdb8a8d2802ab364410c6eb17b81724cfdf81e

Download Submit
C:\Windows\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe

Filesize
372KB

MD5
7dfa7d78d642d77158d11860bf18a152

SHA1
cfd71b3b9d3f3f1fd285f3401e243ec180a90177

SHA256
2384f2bf9c67a2be3926202d20e2cd38d19123542724bc62812d707a1dc49463

SHA512
1c22689c22777f60c9c2e6188e992905e1798dddcbc12bc609091c5fbd601c5e3ae031e266ee57eff408e387f6594e4dcd9d2e8a3bbb48274b8813cb7b62ea3c

Download Submit
C:\Windows\{CB55DB70-BB0F-46a9-930C-7B69AF457F20}.exe

Filesize
372KB

MD5
7dfa7d78d642d77158d11860bf18a152

SHA1
cfd71b3b9d3f3f1fd285f3401e243ec180a90177

SHA256
2384f2bf9c67a2be3926202d20e2cd38d19123542724bc62812d707a1dc49463

SHA512
1c22689c22777f60c9c2e6188e992905e1798dddcbc12bc609091c5fbd601c5e3ae031e266ee57eff408e387f6594e4dcd9d2e8a3bbb48274b8813cb7b62ea3c

Download Submit
C:\Windows\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe

Filesize
372KB

MD5
985c05fad28431e18d5766cd52ffb01c

SHA1
f2d7722b034986bd2e47bbda838294f9fce4d3d8

SHA256
28ae02aa8828595390d87004fda9f2d04c5819d16de8abf4a3b49b3d06492b00

SHA512
349b50b90c655be056c58440b5010f4659c3bbe56f65c851c52843602472015101e11103b65c89b808f7608e8262055839738ebe9e32ba04c1c98f79d0266fa8

Download Submit
C:\Windows\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe

Filesize
372KB

MD5
985c05fad28431e18d5766cd52ffb01c

SHA1
f2d7722b034986bd2e47bbda838294f9fce4d3d8

SHA256
28ae02aa8828595390d87004fda9f2d04c5819d16de8abf4a3b49b3d06492b00

SHA512
349b50b90c655be056c58440b5010f4659c3bbe56f65c851c52843602472015101e11103b65c89b808f7608e8262055839738ebe9e32ba04c1c98f79d0266fa8

Download Submit
C:\Windows\{E10C716C-4E83-4105-BBFD-C52F14E60615}.exe

Filesize
372KB

MD5
985c05fad28431e18d5766cd52ffb01c

SHA1
f2d7722b034986bd2e47bbda838294f9fce4d3d8

SHA256
28ae02aa8828595390d87004fda9f2d04c5819d16de8abf4a3b49b3d06492b00

SHA512
349b50b90c655be056c58440b5010f4659c3bbe56f65c851c52843602472015101e11103b65c89b808f7608e8262055839738ebe9e32ba04c1c98f79d0266fa8

Download Submit