ee5ac6f48ec42be7a828e8ecedebb442d93e4d07d781572fa31aff4237abb4aa

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1681256b1cd8bexeexeexeex.exe
Size

372KB
MD5

d1681256b1cd8bd1e221acadf8b696d3
SHA1

5c26717c69408c38bb5718bd0791529ac316f2af
SHA256

ee5ac6f48ec42be7a828e8ecedebb442d93e4d07d781572fa31aff4237abb4aa
SHA512

1ac50bfa0e6be8a8994b2079d9611376f7eb098615f662d5857698ca431cd7b50424ff9fa4720290f4a36d40cb1f1a2d0111e5866136a0034acb24b8d05d9b24
SSDEEP

3072:CEGh0obmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGgl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}\stubpath = "C:\\Windows\\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe"	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{700F0592-F76C-4dac-A713-CD82B1CF7113}	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA5B618-94E5-4640-80E9-661321C63B55}	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA5B618-94E5-4640-80E9-661321C63B55}\stubpath = "C:\\Windows\\{4EA5B618-94E5-4640-80E9-661321C63B55}.exe"	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}	{39D19813-325E-428a-A511-7E657B6CC47D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}	{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}\stubpath = "C:\\Windows\\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe"	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1660D28C-0DED-4c47-8581-56E2A2BA597E}	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79417059-57B0-4f0a-95EC-025EB47712F9}	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D19813-325E-428a-A511-7E657B6CC47D}	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}\stubpath = "C:\\Windows\\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe"	{39D19813-325E-428a-A511-7E657B6CC47D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}\stubpath = "C:\\Windows\\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe"	d1681256b1cd8bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{700F0592-F76C-4dac-A713-CD82B1CF7113}\stubpath = "C:\\Windows\\{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe"	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79417059-57B0-4f0a-95EC-025EB47712F9}\stubpath = "C:\\Windows\\{79417059-57B0-4f0a-95EC-025EB47712F9}.exe"	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C43716F-C8B1-49a4-880C-37439581C2A1}\stubpath = "C:\\Windows\\{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe"	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}\stubpath = "C:\\Windows\\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe"	{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}	d1681256b1cd8bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1660D28C-0DED-4c47-8581-56E2A2BA597E}\stubpath = "C:\\Windows\\{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe"	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}\stubpath = "C:\\Windows\\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe"	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C43716F-C8B1-49a4-880C-37439581C2A1}	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D19813-325E-428a-A511-7E657B6CC47D}\stubpath = "C:\\Windows\\{39D19813-325E-428a-A511-7E657B6CC47D}.exe"	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe
4276	{39D19813-325E-428a-A511-7E657B6CC47D}.exe
4092	{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe
4388	{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
File created	C:\Windows\{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
File created	C:\Windows\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	d1681256b1cd8bexeexeexeex.exe
File created	C:\Windows\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
File created	C:\Windows\{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
File created	C:\Windows\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
File created	C:\Windows\{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
File created	C:\Windows\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
File created	C:\Windows\{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
File created	C:\Windows\{39D19813-325E-428a-A511-7E657B6CC47D}.exe	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe
File created	C:\Windows\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe	{39D19813-325E-428a-A511-7E657B6CC47D}.exe
File created	C:\Windows\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe	{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	976	d1681256b1cd8bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
Token: SeIncBasePriorityPrivilege	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
Token: SeIncBasePriorityPrivilege	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
Token: SeIncBasePriorityPrivilege	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
Token: SeIncBasePriorityPrivilege	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
Token: SeIncBasePriorityPrivilege	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
Token: SeIncBasePriorityPrivilege	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
Token: SeIncBasePriorityPrivilege	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
Token: SeIncBasePriorityPrivilege	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe
Token: SeIncBasePriorityPrivilege	4276	{39D19813-325E-428a-A511-7E657B6CC47D}.exe
Token: SeIncBasePriorityPrivilege	4092	{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4964	976	d1681256b1cd8bexeexeexeex.exe	84
PID 976 wrote to memory of 4964	976	d1681256b1cd8bexeexeexeex.exe	84
PID 976 wrote to memory of 4964	976	d1681256b1cd8bexeexeexeex.exe	84
PID 976 wrote to memory of 3132	976	d1681256b1cd8bexeexeexeex.exe	85
PID 976 wrote to memory of 3132	976	d1681256b1cd8bexeexeexeex.exe	85
PID 976 wrote to memory of 3132	976	d1681256b1cd8bexeexeexeex.exe	85
PID 4964 wrote to memory of 4132	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	86
PID 4964 wrote to memory of 4132	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	86
PID 4964 wrote to memory of 4132	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	86
PID 4964 wrote to memory of 1304	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	87
PID 4964 wrote to memory of 1304	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	87
PID 4964 wrote to memory of 1304	4964	{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe	87
PID 4132 wrote to memory of 872	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	91
PID 4132 wrote to memory of 872	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	91
PID 4132 wrote to memory of 872	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	91
PID 4132 wrote to memory of 4828	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	92
PID 4132 wrote to memory of 4828	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	92
PID 4132 wrote to memory of 4828	4132	{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe	92
PID 872 wrote to memory of 116	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	93
PID 872 wrote to memory of 116	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	93
PID 872 wrote to memory of 116	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	93
PID 872 wrote to memory of 1524	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	94
PID 872 wrote to memory of 1524	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	94
PID 872 wrote to memory of 1524	872	{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe	94
PID 116 wrote to memory of 1880	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	95
PID 116 wrote to memory of 1880	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	95
PID 116 wrote to memory of 1880	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	95
PID 116 wrote to memory of 1804	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	96
PID 116 wrote to memory of 1804	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	96
PID 116 wrote to memory of 1804	116	{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe	96
PID 1880 wrote to memory of 4016	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	98
PID 1880 wrote to memory of 4016	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	98
PID 1880 wrote to memory of 4016	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	98
PID 1880 wrote to memory of 2572	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	99
PID 1880 wrote to memory of 2572	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	99
PID 1880 wrote to memory of 2572	1880	{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe	99
PID 4016 wrote to memory of 4984	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	100
PID 4016 wrote to memory of 4984	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	100
PID 4016 wrote to memory of 4984	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	100
PID 4016 wrote to memory of 4688	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	101
PID 4016 wrote to memory of 4688	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	101
PID 4016 wrote to memory of 4688	4016	{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe	101
PID 4984 wrote to memory of 4952	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	103
PID 4984 wrote to memory of 4952	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	103
PID 4984 wrote to memory of 4952	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	103
PID 4984 wrote to memory of 2792	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	104
PID 4984 wrote to memory of 2792	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	104
PID 4984 wrote to memory of 2792	4984	{4EA5B618-94E5-4640-80E9-661321C63B55}.exe	104
PID 4952 wrote to memory of 4556	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	111
PID 4952 wrote to memory of 4556	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	111
PID 4952 wrote to memory of 4556	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	111
PID 4952 wrote to memory of 4476	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	112
PID 4952 wrote to memory of 4476	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	112
PID 4952 wrote to memory of 4476	4952	{79417059-57B0-4f0a-95EC-025EB47712F9}.exe	112
PID 4556 wrote to memory of 4276	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	113
PID 4556 wrote to memory of 4276	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	113
PID 4556 wrote to memory of 4276	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	113
PID 4556 wrote to memory of 400	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	114
PID 4556 wrote to memory of 400	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	114
PID 4556 wrote to memory of 400	4556	{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe	114
PID 4276 wrote to memory of 4092	4276	{39D19813-325E-428a-A511-7E657B6CC47D}.exe	115
PID 4276 wrote to memory of 4092	4276	{39D19813-325E-428a-A511-7E657B6CC47D}.exe	115
PID 4276 wrote to memory of 4092	4276	{39D19813-325E-428a-A511-7E657B6CC47D}.exe	115
PID 4276 wrote to memory of 2384	4276	{39D19813-325E-428a-A511-7E657B6CC47D}.exe	116

C:\Users\Admin\AppData\Local\Temp\d1681256b1cd8bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d1681256b1cd8bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
  C:\Windows\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
    C:\Windows\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
      C:\Windows\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
        
        C:\Windows\{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
      - C:\Windows\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
        
        C:\Windows\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
        
        C:\Windows\{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
        
        C:\Windows\{4EA5B618-94E5-4640-80E9-661321C63B55}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
        
        C:\Windows\{79417059-57B0-4f0a-95EC-025EB47712F9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe
        
        C:\Windows\{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{39D19813-325E-428a-A511-7E657B6CC47D}.exe
        
        C:\Windows\{39D19813-325E-428a-A511-7E657B6CC47D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe
        
        C:\Windows\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe
        
        C:\Windows\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{366D7~1.EXE > nul
        13⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39D19~1.EXE > nul
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C437~1.EXE > nul
        11⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79417~1.EXE > nul
        10⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EA5B~1.EXE > nul
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{700F0~1.EXE > nul
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDF34~1.EXE > nul
        7⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1660D~1.EXE > nul
        6⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F654B~1.EXE > nul
        5⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{13AB1~1.EXE > nul
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF78~1.EXE > nul
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D16812~1.EXE > nul
  2⤵
  PID:3132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe

Filesize
372KB

MD5
bb38a703bf83b4f8135d8728de6bfb47

SHA1
a10c715851b528908cff801beff288419898258f

SHA256
fc1d5ac34272fbc8dd9bf3a0ad85f0673c766ded588e60ca56a24bbf1514af4d

SHA512
087225d52cd0ae4af9ed540fd189070f67273e243bcf57f4438c8fd666abc197b94c7ce3b8205f0648e8fd7e952793df66c5bc07cf198e59d21014628f682f61

Download Submit
C:\Windows\{13AB15FC-C7CE-46c8-BC42-28A84049B2B2}.exe

Filesize
372KB

MD5
bb38a703bf83b4f8135d8728de6bfb47

SHA1
a10c715851b528908cff801beff288419898258f

SHA256
fc1d5ac34272fbc8dd9bf3a0ad85f0673c766ded588e60ca56a24bbf1514af4d

SHA512
087225d52cd0ae4af9ed540fd189070f67273e243bcf57f4438c8fd666abc197b94c7ce3b8205f0648e8fd7e952793df66c5bc07cf198e59d21014628f682f61

Download Submit
C:\Windows\{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe

Filesize
372KB

MD5
0ef50de220b0787de0c6ba9c206d8e03

SHA1
272d5892a2f13864afe4140fe46ee828f49a35b6

SHA256
e5221e678cf67fe8e5af3196caba021a80531daaea171956c172b3b18de78dd5

SHA512
5ed225bff8dd7e18e31124d4cbf23142e0081fd4a81e44fdaf3df147923acee9aff2878f5611fcdf52abb11f73988b4f38e7a1db0b5415254b9e33bf5368bba7

Download Submit
C:\Windows\{1660D28C-0DED-4c47-8581-56E2A2BA597E}.exe

Filesize
372KB

MD5
0ef50de220b0787de0c6ba9c206d8e03

SHA1
272d5892a2f13864afe4140fe46ee828f49a35b6

SHA256
e5221e678cf67fe8e5af3196caba021a80531daaea171956c172b3b18de78dd5

SHA512
5ed225bff8dd7e18e31124d4cbf23142e0081fd4a81e44fdaf3df147923acee9aff2878f5611fcdf52abb11f73988b4f38e7a1db0b5415254b9e33bf5368bba7

Download Submit
C:\Windows\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe

Filesize
372KB

MD5
277d50e7042207cfa25634e56a20bb5d

SHA1
545a8ac7b9e0071b17e1c06c711be136bcbb43cc

SHA256
02476c053674964fdd94575a9a0ed8ea6a566c9dd5831d98503061e1931ae3e6

SHA512
52bbc9a2f0828992c3d1d2e590179e9e041e49ca40178623c6f14d0c99876e150028735977851adc04bba0fbcb7775116f9f5c4fce17a4a905792de9f0f120f4

Download Submit
C:\Windows\{366D7E65-0C53-4f14-966A-0A6748CBB4C7}.exe

Filesize
372KB

MD5
277d50e7042207cfa25634e56a20bb5d

SHA1
545a8ac7b9e0071b17e1c06c711be136bcbb43cc

SHA256
02476c053674964fdd94575a9a0ed8ea6a566c9dd5831d98503061e1931ae3e6

SHA512
52bbc9a2f0828992c3d1d2e590179e9e041e49ca40178623c6f14d0c99876e150028735977851adc04bba0fbcb7775116f9f5c4fce17a4a905792de9f0f120f4

Download Submit
C:\Windows\{39D19813-325E-428a-A511-7E657B6CC47D}.exe

Filesize
372KB

MD5
a497aa037badc2ef00b0c74622ba52f1

SHA1
1f1decbe9df14f0c67ebdadd7cebf6dc65c0bf5e

SHA256
25d46ed921365d776b24ab5ee8a772d349b13b8068eb7e62e00cb4ce92da76c7

SHA512
9d693c58b7414bd86c1401aad9993ba4e3f6dddf3c0db5409ac0141ac32082aa51d40da53f147d674956d99d9f84e64477df98a9362f93473d8f541a436c7585

Download Submit
C:\Windows\{39D19813-325E-428a-A511-7E657B6CC47D}.exe

Filesize
372KB

MD5
a497aa037badc2ef00b0c74622ba52f1

SHA1
1f1decbe9df14f0c67ebdadd7cebf6dc65c0bf5e

SHA256
25d46ed921365d776b24ab5ee8a772d349b13b8068eb7e62e00cb4ce92da76c7

SHA512
9d693c58b7414bd86c1401aad9993ba4e3f6dddf3c0db5409ac0141ac32082aa51d40da53f147d674956d99d9f84e64477df98a9362f93473d8f541a436c7585

Download Submit
C:\Windows\{4EA5B618-94E5-4640-80E9-661321C63B55}.exe

Filesize
372KB

MD5
4b9e95f67d1635a41ae40f3213c9b83d

SHA1
b98afe50deaa9f9eadf2bb63d5c347414be97a76

SHA256
f884ab7e75a259af054b64fee80ad55df1f8fa871cdefdc65fe3d34640069a2d

SHA512
5e6a89a784863da88b82beef2e135a15ad1a468fb9181e5329b9afcf90f7ef42420eb7aaf733b3dfb9e798b5e5cfcdafc23d3877ca2d3753eb1a9a6ed743706c

Download Submit
C:\Windows\{4EA5B618-94E5-4640-80E9-661321C63B55}.exe

Filesize
372KB

MD5
4b9e95f67d1635a41ae40f3213c9b83d

SHA1
b98afe50deaa9f9eadf2bb63d5c347414be97a76

SHA256
f884ab7e75a259af054b64fee80ad55df1f8fa871cdefdc65fe3d34640069a2d

SHA512
5e6a89a784863da88b82beef2e135a15ad1a468fb9181e5329b9afcf90f7ef42420eb7aaf733b3dfb9e798b5e5cfcdafc23d3877ca2d3753eb1a9a6ed743706c

Download Submit
C:\Windows\{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe

Filesize
372KB

MD5
1291004e87907662440ef11026769440

SHA1
99221bcd4829842cd01b8068adb6cfbace2b96dd

SHA256
936ef62dc43147041605ffc637ac8453844b07d95f615e0722b347e0f64046cb

SHA512
4af0e5a753e0dea64977c2faa4383b2c00fc47f5a52dc9c709ec88ea4d5a3cfd1bf71d562e439940bcedf003ba0cf432260220a7e960b840f70d03dc7b96bd3e

Download Submit
C:\Windows\{700F0592-F76C-4dac-A713-CD82B1CF7113}.exe

Filesize
372KB

MD5
1291004e87907662440ef11026769440

SHA1
99221bcd4829842cd01b8068adb6cfbace2b96dd

SHA256
936ef62dc43147041605ffc637ac8453844b07d95f615e0722b347e0f64046cb

SHA512
4af0e5a753e0dea64977c2faa4383b2c00fc47f5a52dc9c709ec88ea4d5a3cfd1bf71d562e439940bcedf003ba0cf432260220a7e960b840f70d03dc7b96bd3e

Download Submit
C:\Windows\{79417059-57B0-4f0a-95EC-025EB47712F9}.exe

Filesize
372KB

MD5
7eecb024bb958138e73abfbbddd2ddd9

SHA1
5b95592700bf7411520707452d65e24f4a950f7d

SHA256
3a1987e069838b8818f14b34b3764958218df8b5385e3064712d9fb8bbdb221c

SHA512
470c8dd9b5c0d5dfed32ffaf919097c909959976c5fb4860194af39d11c186663f4ddab4f7f3ddefea7af270fc49343d90c68c27307d68759bb006b5a7a6adc8

Download Submit
C:\Windows\{79417059-57B0-4f0a-95EC-025EB47712F9}.exe

Filesize
372KB

MD5
7eecb024bb958138e73abfbbddd2ddd9

SHA1
5b95592700bf7411520707452d65e24f4a950f7d

SHA256
3a1987e069838b8818f14b34b3764958218df8b5385e3064712d9fb8bbdb221c

SHA512
470c8dd9b5c0d5dfed32ffaf919097c909959976c5fb4860194af39d11c186663f4ddab4f7f3ddefea7af270fc49343d90c68c27307d68759bb006b5a7a6adc8

Download Submit
C:\Windows\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe

Filesize
372KB

MD5
131fcec9715fd24ea59a37f444617e6c

SHA1
f439006a6f9c105ef32b8f232b5984512c339ad3

SHA256
17be6486f3e4a10a6ce40d5cba94855d30d42e10b6d6e6e676974493580396e5

SHA512
0fd46d052702fa150602d6f36a220942ab1bc261eb50e331c8a274b9ced1b95e510e8d940e8738a2e8014b52295e48e36e46c2a2c3cfaba5f62a9418de43746b

Download Submit
C:\Windows\{7CF780D6-2919-4ad5-A65A-F841E32A2FC3}.exe

Filesize
372KB

MD5
131fcec9715fd24ea59a37f444617e6c

SHA1
f439006a6f9c105ef32b8f232b5984512c339ad3

SHA256
17be6486f3e4a10a6ce40d5cba94855d30d42e10b6d6e6e676974493580396e5

SHA512
0fd46d052702fa150602d6f36a220942ab1bc261eb50e331c8a274b9ced1b95e510e8d940e8738a2e8014b52295e48e36e46c2a2c3cfaba5f62a9418de43746b

Download Submit
C:\Windows\{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe

Filesize
372KB

MD5
6d8a26d314771df4af9f159ce285c004

SHA1
f8bff65fc3355b9fd948cefe6b6ee3efaf2fcbe6

SHA256
c2f7174b19ac50e97b6a3301acddb7c477bc9a29c807144cdc7b5d35d32e3c30

SHA512
afaac1f67dbaed22494ffdcd4d7db440c18e2141f6cdef932e8a2fdea401fc3d860b3890a80041b24922822bdce80f9701480ecfdc92dd2f7dd8ada8d8141e03

Download Submit
C:\Windows\{8C43716F-C8B1-49a4-880C-37439581C2A1}.exe

Filesize
372KB

MD5
6d8a26d314771df4af9f159ce285c004

SHA1
f8bff65fc3355b9fd948cefe6b6ee3efaf2fcbe6

SHA256
c2f7174b19ac50e97b6a3301acddb7c477bc9a29c807144cdc7b5d35d32e3c30

SHA512
afaac1f67dbaed22494ffdcd4d7db440c18e2141f6cdef932e8a2fdea401fc3d860b3890a80041b24922822bdce80f9701480ecfdc92dd2f7dd8ada8d8141e03

Download Submit
C:\Windows\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe

Filesize
372KB

MD5
b403ddc03531673b6719ede0f3109625

SHA1
86db7344881b9ef333850951db60f2177e3f67b2

SHA256
634b9ab61510c3fbaadadd7763bdfe86698e0707ae53717323353c8e247a1d0c

SHA512
667955d58f0afca9c2ad1312b1b37fd3c82ae09ac7f0d2459f0443c976d8207105a284c0f66e4dfa57e5f4274d3b2f2258f61292cdd7de4c17676944a775a4b7

Download Submit
C:\Windows\{9D76B1F0-3515-4974-AE00-CFA5830E5EFA}.exe

Filesize
372KB

MD5
b403ddc03531673b6719ede0f3109625

SHA1
86db7344881b9ef333850951db60f2177e3f67b2

SHA256
634b9ab61510c3fbaadadd7763bdfe86698e0707ae53717323353c8e247a1d0c

SHA512
667955d58f0afca9c2ad1312b1b37fd3c82ae09ac7f0d2459f0443c976d8207105a284c0f66e4dfa57e5f4274d3b2f2258f61292cdd7de4c17676944a775a4b7

Download Submit
C:\Windows\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe

Filesize
372KB

MD5
0fd363c6485eb5980c3928238d539785

SHA1
94a5f83ac28bb265cc3c0f8b1fd4ac0333956107

SHA256
633048890ef21aa28524aeb4a4253bfca6b949dde2e79bf716b9a59f8c79137e

SHA512
f997fdbe790cf4bd46bdd8d7b4824250f6c6e0ba265d28e8ab1c2dcb638910d60fd0697af16135fe13885cb93e1d09cf0a2dde00533fa6fda301925cd6083cc3

Download Submit
C:\Windows\{EDF34FA9-2A05-44c7-ADD6-36DFD1CFDA71}.exe

Filesize
372KB

MD5
0fd363c6485eb5980c3928238d539785

SHA1
94a5f83ac28bb265cc3c0f8b1fd4ac0333956107

SHA256
633048890ef21aa28524aeb4a4253bfca6b949dde2e79bf716b9a59f8c79137e

SHA512
f997fdbe790cf4bd46bdd8d7b4824250f6c6e0ba265d28e8ab1c2dcb638910d60fd0697af16135fe13885cb93e1d09cf0a2dde00533fa6fda301925cd6083cc3

Download Submit
C:\Windows\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe

Filesize
372KB

MD5
a8c90e3eb90a9e8cc8439101508351bb

SHA1
90ee87e1610e0b1da720dc0cfa19fc47fa3ad5cd

SHA256
2c9ab2acbc77e4d51d88eda23e20de8760e7e7bc9a925cc8b7dc894e949f522e

SHA512
22fab6279616270fd10e125dbdd47cc8a0738c60e4bc1b6fbdb9716f6d71eb7a2c2404dfe591426c3d00520ca0bce844e0dea17ee9cf7dc62a0488315f2538f7

Download Submit
C:\Windows\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe

Filesize
372KB

MD5
a8c90e3eb90a9e8cc8439101508351bb

SHA1
90ee87e1610e0b1da720dc0cfa19fc47fa3ad5cd

SHA256
2c9ab2acbc77e4d51d88eda23e20de8760e7e7bc9a925cc8b7dc894e949f522e

SHA512
22fab6279616270fd10e125dbdd47cc8a0738c60e4bc1b6fbdb9716f6d71eb7a2c2404dfe591426c3d00520ca0bce844e0dea17ee9cf7dc62a0488315f2538f7

Download Submit
C:\Windows\{F654BCB2-6B9D-4aba-AECE-1C20B9BC402F}.exe

Filesize
372KB

MD5
a8c90e3eb90a9e8cc8439101508351bb

SHA1
90ee87e1610e0b1da720dc0cfa19fc47fa3ad5cd

SHA256
2c9ab2acbc77e4d51d88eda23e20de8760e7e7bc9a925cc8b7dc894e949f522e

SHA512
22fab6279616270fd10e125dbdd47cc8a0738c60e4bc1b6fbdb9716f6d71eb7a2c2404dfe591426c3d00520ca0bce844e0dea17ee9cf7dc62a0488315f2538f7

Download Submit