abed710a0fde90820865ba5ad3ca1f3b4ed8fd74c04fbf0d5cfa84481ce0d560

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 15:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cda675ef830932exeexeexeex.exe
Size

168KB
MD5

cda675ef8309321cdbfbc5c075c4c689
SHA1

5c22784e9f9736002410ee7fd81e79cafff0a8b6
SHA256

abed710a0fde90820865ba5ad3ca1f3b4ed8fd74c04fbf0d5cfa84481ce0d560
SHA512

f18d764422e9e708490bc72581955d444bff9ff2bc5631bbe0f1127072f9910e76da8963642343488bae7ef59bddf3e2b587765133716fded63db6054ccb4049
SSDEEP

1536:1EGh0o9lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}	cda675ef830932exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}\stubpath = "C:\\Windows\\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe"	cda675ef830932exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}\stubpath = "C:\\Windows\\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe"	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}\stubpath = "C:\\Windows\\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe"	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}\stubpath = "C:\\Windows\\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe"	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}\stubpath = "C:\\Windows\\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe"	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D35F208-6D48-4ad1-AAF0-305D467742CF}	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}\stubpath = "C:\\Windows\\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe"	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}\stubpath = "C:\\Windows\\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe"	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}\stubpath = "C:\\Windows\\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe"	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D35F208-6D48-4ad1-AAF0-305D467742CF}\stubpath = "C:\\Windows\\{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe"	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}\stubpath = "C:\\Windows\\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe"	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1702CA48-A534-4d3b-A085-C8F2753A17AD}	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1702CA48-A534-4d3b-A085-C8F2753A17AD}\stubpath = "C:\\Windows\\{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe"	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}	{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}\stubpath = "C:\\Windows\\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe"	{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe

Executes dropped EXE 12 IoCs

pid	Process
4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
2644	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
2672	{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe
1244	{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	cda675ef830932exeexeexeex.exe
File created	C:\Windows\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
File created	C:\Windows\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
File created	C:\Windows\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
File created	C:\Windows\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
File created	C:\Windows\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
File created	C:\Windows\{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
File created	C:\Windows\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
File created	C:\Windows\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
File created	C:\Windows\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
File created	C:\Windows\{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
File created	C:\Windows\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe	{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4792	cda675ef830932exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
Token: SeIncBasePriorityPrivilege	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
Token: SeIncBasePriorityPrivilege	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
Token: SeIncBasePriorityPrivilege	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
Token: SeIncBasePriorityPrivilege	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
Token: SeIncBasePriorityPrivilege	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
Token: SeIncBasePriorityPrivilege	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
Token: SeIncBasePriorityPrivilege	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
Token: SeIncBasePriorityPrivilege	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
Token: SeIncBasePriorityPrivilege	2644	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
Token: SeIncBasePriorityPrivilege	2672	{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4988	4792	cda675ef830932exeexeexeex.exe	88
PID 4792 wrote to memory of 4988	4792	cda675ef830932exeexeexeex.exe	88
PID 4792 wrote to memory of 4988	4792	cda675ef830932exeexeexeex.exe	88
PID 4792 wrote to memory of 3244	4792	cda675ef830932exeexeexeex.exe	89
PID 4792 wrote to memory of 3244	4792	cda675ef830932exeexeexeex.exe	89
PID 4792 wrote to memory of 3244	4792	cda675ef830932exeexeexeex.exe	89
PID 4988 wrote to memory of 4540	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	90
PID 4988 wrote to memory of 4540	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	90
PID 4988 wrote to memory of 4540	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	90
PID 4988 wrote to memory of 4060	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	91
PID 4988 wrote to memory of 4060	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	91
PID 4988 wrote to memory of 4060	4988	{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe	91
PID 4540 wrote to memory of 2216	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	95
PID 4540 wrote to memory of 2216	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	95
PID 4540 wrote to memory of 2216	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	95
PID 4540 wrote to memory of 2412	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	96
PID 4540 wrote to memory of 2412	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	96
PID 4540 wrote to memory of 2412	4540	{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe	96
PID 2216 wrote to memory of 1656	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	97
PID 2216 wrote to memory of 1656	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	97
PID 2216 wrote to memory of 1656	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	97
PID 2216 wrote to memory of 4888	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	98
PID 2216 wrote to memory of 4888	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	98
PID 2216 wrote to memory of 4888	2216	{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe	98
PID 1656 wrote to memory of 4084	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	99
PID 1656 wrote to memory of 4084	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	99
PID 1656 wrote to memory of 4084	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	99
PID 1656 wrote to memory of 2628	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	100
PID 1656 wrote to memory of 2628	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	100
PID 1656 wrote to memory of 2628	1656	{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe	100
PID 4084 wrote to memory of 2656	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	102
PID 4084 wrote to memory of 2656	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	102
PID 4084 wrote to memory of 2656	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	102
PID 4084 wrote to memory of 3044	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	103
PID 4084 wrote to memory of 3044	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	103
PID 4084 wrote to memory of 3044	4084	{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe	103
PID 2656 wrote to memory of 1612	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	104
PID 2656 wrote to memory of 1612	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	104
PID 2656 wrote to memory of 1612	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	104
PID 2656 wrote to memory of 3324	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	105
PID 2656 wrote to memory of 3324	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	105
PID 2656 wrote to memory of 3324	2656	{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe	105
PID 1612 wrote to memory of 5064	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	106
PID 1612 wrote to memory of 5064	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	106
PID 1612 wrote to memory of 5064	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	106
PID 1612 wrote to memory of 3520	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	107
PID 1612 wrote to memory of 3520	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	107
PID 1612 wrote to memory of 3520	1612	{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe	107
PID 5064 wrote to memory of 880	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	108
PID 5064 wrote to memory of 880	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	108
PID 5064 wrote to memory of 880	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	108
PID 5064 wrote to memory of 652	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	109
PID 5064 wrote to memory of 652	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	109
PID 5064 wrote to memory of 652	5064	{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe	109
PID 880 wrote to memory of 2644	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	110
PID 880 wrote to memory of 2644	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	110
PID 880 wrote to memory of 2644	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	110
PID 880 wrote to memory of 1816	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	111
PID 880 wrote to memory of 1816	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	111
PID 880 wrote to memory of 1816	880	{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe	111
PID 2644 wrote to memory of 2672	2644	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe	112
PID 2644 wrote to memory of 2672	2644	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe	112
PID 2644 wrote to memory of 2672	2644	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe	112
PID 2644 wrote to memory of 2212	2644	{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe	113

C:\Users\Admin\AppData\Local\Temp\cda675ef830932exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\cda675ef830932exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
  C:\Windows\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
    C:\Windows\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
      C:\Windows\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
        
        C:\Windows\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
        
        C:\Windows\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
        
        C:\Windows\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
        
        C:\Windows\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
        
        C:\Windows\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
        
        C:\Windows\{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
        
        C:\Windows\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe
        
        C:\Windows\{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe
        
        C:\Windows\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe
        13⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1702C~1.EXE > nul
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85212~1.EXE > nul
        12⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D35F~1.EXE > nul
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9980~1.EXE > nul
        10⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B20E2~1.EXE > nul
        9⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B30E5~1.EXE > nul
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37ED0~1.EXE > nul
        7⤵
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE89~1.EXE > nul
        6⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D17AB~1.EXE > nul
        5⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC276~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70A7E~1.EXE > nul
    3⤵
    PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CDA675~1.EXE > nul
  2⤵
  PID:3244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe

Filesize
168KB

MD5
535e1c70ecfcc8fc7fd4c4bcd5dd6340

SHA1
de082f0a9c4433717db5fed3ec0ef0cebd8c2331

SHA256
f8f22917a1394eb8bc56f7efd2f2bbf3ecc05955336d0d5d5272b8e2fa962b2f

SHA512
8c4aa602d1fdbb38912860f5b3eb91e134950af8788141d609bbe251003e0cf110a8f21e51749131f66f8b0e23168b90044f73194e437fb1a2633996b5f8def0

Download Submit
C:\Windows\{1702CA48-A534-4d3b-A085-C8F2753A17AD}.exe

Filesize
168KB

MD5
535e1c70ecfcc8fc7fd4c4bcd5dd6340

SHA1
de082f0a9c4433717db5fed3ec0ef0cebd8c2331

SHA256
f8f22917a1394eb8bc56f7efd2f2bbf3ecc05955336d0d5d5272b8e2fa962b2f

SHA512
8c4aa602d1fdbb38912860f5b3eb91e134950af8788141d609bbe251003e0cf110a8f21e51749131f66f8b0e23168b90044f73194e437fb1a2633996b5f8def0

Download Submit
C:\Windows\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe

Filesize
168KB

MD5
bf671baffae2f003589db3070625bbe0

SHA1
9d027031fe3f1ef2a0b1a5974932f107d99d68de

SHA256
8e3be54eec86a9dd3d310cbd4ca9407851edc3e1bf24ae6072a28fc662080496

SHA512
1a5ddc2de8ef3e3117112a24c93966967a7a4fa62796e20682e1b695369d744b6c44e807adde90224599c3a5af8addca2c2bf3f04e9ee79184fd6fc4748ba13f

Download Submit
C:\Windows\{37ED0CF5-801F-493a-9F7F-842CE406F2B1}.exe

Filesize
168KB

MD5
bf671baffae2f003589db3070625bbe0

SHA1
9d027031fe3f1ef2a0b1a5974932f107d99d68de

SHA256
8e3be54eec86a9dd3d310cbd4ca9407851edc3e1bf24ae6072a28fc662080496

SHA512
1a5ddc2de8ef3e3117112a24c93966967a7a4fa62796e20682e1b695369d744b6c44e807adde90224599c3a5af8addca2c2bf3f04e9ee79184fd6fc4748ba13f

Download Submit
C:\Windows\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe

Filesize
168KB

MD5
3354102c400bbc465aea04b9bb5c3de0

SHA1
9da04fdbbb8044df9185d8db2352a686cee007b2

SHA256
5e685c6a5bafdbd1f4154ea840ab98209805e707c1691d2752c45cc5bbd3bdd1

SHA512
bc4006677e0d5fd7d7d74c8717caf686999b41cf71b80f6b31ada5f21d2d00d40c2a4e3d59b7aadf90b17f594ea2f8808df7d190b8f71c660796bd8a33faa8b3

Download Submit
C:\Windows\{6AE89504-67A1-4a0f-BDA9-782AC054D21F}.exe

Filesize
168KB

MD5
3354102c400bbc465aea04b9bb5c3de0

SHA1
9da04fdbbb8044df9185d8db2352a686cee007b2

SHA256
5e685c6a5bafdbd1f4154ea840ab98209805e707c1691d2752c45cc5bbd3bdd1

SHA512
bc4006677e0d5fd7d7d74c8717caf686999b41cf71b80f6b31ada5f21d2d00d40c2a4e3d59b7aadf90b17f594ea2f8808df7d190b8f71c660796bd8a33faa8b3

Download Submit
C:\Windows\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe

Filesize
168KB

MD5
3559ccdc38747c6ff759d0322ff96547

SHA1
ded7edb2f2377a3999f0a4b79b00966b33aa29b2

SHA256
35bb31ac6deb914a2cc81c6706e6164f89653c63a7bf7d5c5e220fcba16f7725

SHA512
57c0eefcb87d846a9a25fe349d29f1456e2504c3ebd367998368f4b8e0b58cc7765c670359c8cd1ab0636bbf211b4708c81e43ca8d609dd20fd992262d745633

Download Submit
C:\Windows\{70A7E7CB-50BB-443e-B65C-E2D466E49C88}.exe

Filesize
168KB

MD5
3559ccdc38747c6ff759d0322ff96547

SHA1
ded7edb2f2377a3999f0a4b79b00966b33aa29b2

SHA256
35bb31ac6deb914a2cc81c6706e6164f89653c63a7bf7d5c5e220fcba16f7725

SHA512
57c0eefcb87d846a9a25fe349d29f1456e2504c3ebd367998368f4b8e0b58cc7765c670359c8cd1ab0636bbf211b4708c81e43ca8d609dd20fd992262d745633

Download Submit
C:\Windows\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe

Filesize
168KB

MD5
3553d8f27a824e802af65f1cecd9f7e3

SHA1
72aa89fba5dabe83d4533af6bc90471eb2a24ff5

SHA256
1df83d844c5aaf9aa943f8b3bd11b0697e3b0569ea52a6f5aa5b36eea6d69a95

SHA512
7fe007d8c167a0a840063dbd1f6e91b806bef5ee040cbbf44a8e250559396c6b34ec132dab177f1f5d6659e22cc8e86f221c27c9b29166927248ec1cba61852c

Download Submit
C:\Windows\{852124EF-CAFC-4aa9-A863-920FFF5E45D6}.exe

Filesize
168KB

MD5
3553d8f27a824e802af65f1cecd9f7e3

SHA1
72aa89fba5dabe83d4533af6bc90471eb2a24ff5

SHA256
1df83d844c5aaf9aa943f8b3bd11b0697e3b0569ea52a6f5aa5b36eea6d69a95

SHA512
7fe007d8c167a0a840063dbd1f6e91b806bef5ee040cbbf44a8e250559396c6b34ec132dab177f1f5d6659e22cc8e86f221c27c9b29166927248ec1cba61852c

Download Submit
C:\Windows\{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe

Filesize
168KB

MD5
a76e20e08824fcf18c42a07b14b8e50f

SHA1
b3cb171134ce8a7fb8d95b8e4b99349ae7d19476

SHA256
122b3e489a4b1ac1d198d7b491b66d491e527bdbd3651ea11f50a2c0431818ba

SHA512
74a4b1a12fd2f321672a7e39b63bac0c12992e2390ab0d4bd6873dbea3f9321eaef3d975351a51cdfe498af297cd07c51f1b6ad0a5207a02eebf3ae68e849f11

Download Submit
C:\Windows\{8D35F208-6D48-4ad1-AAF0-305D467742CF}.exe

Filesize
168KB

MD5
a76e20e08824fcf18c42a07b14b8e50f

SHA1
b3cb171134ce8a7fb8d95b8e4b99349ae7d19476

SHA256
122b3e489a4b1ac1d198d7b491b66d491e527bdbd3651ea11f50a2c0431818ba

SHA512
74a4b1a12fd2f321672a7e39b63bac0c12992e2390ab0d4bd6873dbea3f9321eaef3d975351a51cdfe498af297cd07c51f1b6ad0a5207a02eebf3ae68e849f11

Download Submit
C:\Windows\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe

Filesize
168KB

MD5
229606a136ee3b25767cd28e55e40810

SHA1
b96f2c7ee956b1d66f9a520c8a705e1997b82ed0

SHA256
8e43c47484f0d2044eaa941c95beffc270074bafc6a2866c7655e243c0eb07de

SHA512
db4ea25c632b9682298f9fe6489b8c6da4619f4ed0de2463a86f9d932678f60ba770392d789e4b92fc11b1853d2c229104372d184df4ecabdd4a6f76fa77c9c4

Download Submit
C:\Windows\{9F1EADF5-1CF4-453a-A962-29BC49DAEE39}.exe

Filesize
168KB

MD5
229606a136ee3b25767cd28e55e40810

SHA1
b96f2c7ee956b1d66f9a520c8a705e1997b82ed0

SHA256
8e43c47484f0d2044eaa941c95beffc270074bafc6a2866c7655e243c0eb07de

SHA512
db4ea25c632b9682298f9fe6489b8c6da4619f4ed0de2463a86f9d932678f60ba770392d789e4b92fc11b1853d2c229104372d184df4ecabdd4a6f76fa77c9c4

Download Submit
C:\Windows\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe

Filesize
168KB

MD5
2fbcd36b70a5a9ea3aff5171719f1314

SHA1
bad7e69b90972ad3577f97e42edbc328ad9aff4e

SHA256
d253aa61a13f1f0c9aedbc2f7ef513b0210290f9cbacb4ddc37f1e4dbc3415b4

SHA512
133271b82185e6b356b4f768c1cbb33689ea6c6dc2645878219e97a531ebbb9f19b20c866e271224d3f531c485fcb261c7b0e4d30c9efff7cd61fcf1a4595a53

Download Submit
C:\Windows\{B20E2F35-8B77-44eb-8FE9-BF5B832A702F}.exe

Filesize
168KB

MD5
2fbcd36b70a5a9ea3aff5171719f1314

SHA1
bad7e69b90972ad3577f97e42edbc328ad9aff4e

SHA256
d253aa61a13f1f0c9aedbc2f7ef513b0210290f9cbacb4ddc37f1e4dbc3415b4

SHA512
133271b82185e6b356b4f768c1cbb33689ea6c6dc2645878219e97a531ebbb9f19b20c866e271224d3f531c485fcb261c7b0e4d30c9efff7cd61fcf1a4595a53

Download Submit
C:\Windows\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe

Filesize
168KB

MD5
8724cdc886e59a10868f3dd8cacb9916

SHA1
5f74f999de5a8e66f63faa5e7c2b3195d9159684

SHA256
38f9181d5cb4bde00303e881900e988fc897dae7d0db4952a408aebfb21b45b7

SHA512
f394cf9c4b631b406d9aa4865010041cf847e7941bfc2e1eb4d86a8b3929146f0f535969affa2d74f69c89dad8e4b0af7aaca2166763dfb895106bab6bd6d78d

Download Submit
C:\Windows\{B30E5FCE-8D6C-45a3-A79E-3889FD71136A}.exe

Filesize
168KB

MD5
8724cdc886e59a10868f3dd8cacb9916

SHA1
5f74f999de5a8e66f63faa5e7c2b3195d9159684

SHA256
38f9181d5cb4bde00303e881900e988fc897dae7d0db4952a408aebfb21b45b7

SHA512
f394cf9c4b631b406d9aa4865010041cf847e7941bfc2e1eb4d86a8b3929146f0f535969affa2d74f69c89dad8e4b0af7aaca2166763dfb895106bab6bd6d78d

Download Submit
C:\Windows\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe

Filesize
168KB

MD5
5d9cf26eacf4df3a0c2e495d4d92d331

SHA1
504a57d30ff71053829224b794c1e811dbd11f56

SHA256
b4fc90c11775b963ee47b962340846832a6d6e1b99c3d6671d66db93dccf56d9

SHA512
2fb6dd56277ea4b361f1cac677c31a4e48ff9f98c89516f6de9de80d6d72c7d3bd028f1e09005962a4f2914a3efed00914230ae78d011e46ae0f929e3a9844e5

Download Submit
C:\Windows\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe

Filesize
168KB

MD5
5d9cf26eacf4df3a0c2e495d4d92d331

SHA1
504a57d30ff71053829224b794c1e811dbd11f56

SHA256
b4fc90c11775b963ee47b962340846832a6d6e1b99c3d6671d66db93dccf56d9

SHA512
2fb6dd56277ea4b361f1cac677c31a4e48ff9f98c89516f6de9de80d6d72c7d3bd028f1e09005962a4f2914a3efed00914230ae78d011e46ae0f929e3a9844e5

Download Submit
C:\Windows\{D17ABBB4-AEC9-4f05-BFC6-31C15D2D86B8}.exe

Filesize
168KB

MD5
5d9cf26eacf4df3a0c2e495d4d92d331

SHA1
504a57d30ff71053829224b794c1e811dbd11f56

SHA256
b4fc90c11775b963ee47b962340846832a6d6e1b99c3d6671d66db93dccf56d9

SHA512
2fb6dd56277ea4b361f1cac677c31a4e48ff9f98c89516f6de9de80d6d72c7d3bd028f1e09005962a4f2914a3efed00914230ae78d011e46ae0f929e3a9844e5

Download Submit
C:\Windows\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe

Filesize
168KB

MD5
3935e6f4d2a264751a5e82fdf73e6896

SHA1
a1b21a8b72b6e7b28ee370390b211c5f9324db9e

SHA256
555431a581b06e97ad0308aa057ccd510effe30997dd5f51ed4b7a53f45b6ca4

SHA512
a46a6f75bcdc92d7d09a9bd0e32fad468096c0aeedcbb0aa904c48fac7985efe99373a33667bfd11e892ed1d1c69f884e44a418048b3cf40df2361709ed772e9

Download Submit
C:\Windows\{DC276DA0-D5C1-4703-9D24-DC9BB49074B3}.exe

Filesize
168KB

MD5
3935e6f4d2a264751a5e82fdf73e6896

SHA1
a1b21a8b72b6e7b28ee370390b211c5f9324db9e

SHA256
555431a581b06e97ad0308aa057ccd510effe30997dd5f51ed4b7a53f45b6ca4

SHA512
a46a6f75bcdc92d7d09a9bd0e32fad468096c0aeedcbb0aa904c48fac7985efe99373a33667bfd11e892ed1d1c69f884e44a418048b3cf40df2361709ed772e9

Download Submit
C:\Windows\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe

Filesize
168KB

MD5
f1aa11acdb5b7dc9c3dba753f9ea84b1

SHA1
427fc6f9db57acf9d4ececf1102650512049399a

SHA256
6def6771b3449bda344e848688510e27f26bc83f33bcac1eae0bad869efc7ad9

SHA512
9441e88c3c66a5384154e07f25c285be8ca43b99f7706436f6bb85228b2320637489ce0dcb60bcf7c6814fa5aea81436799a7ee25114f0c393b0c7a8dd0b8ba6

Download Submit
C:\Windows\{E99809DB-61D2-4a2a-BA4A-80348F52FACC}.exe

Filesize
168KB

MD5
f1aa11acdb5b7dc9c3dba753f9ea84b1

SHA1
427fc6f9db57acf9d4ececf1102650512049399a

SHA256
6def6771b3449bda344e848688510e27f26bc83f33bcac1eae0bad869efc7ad9

SHA512
9441e88c3c66a5384154e07f25c285be8ca43b99f7706436f6bb85228b2320637489ce0dcb60bcf7c6814fa5aea81436799a7ee25114f0c393b0c7a8dd0b8ba6

Download Submit