874a77cfb6cf64a59476e1cb80864a96719c6f894749053d0a81d55df2145717

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5b16161601394exeexeexeex.exe
Size

204KB
MD5

d5b16161601394a059fede0ef70d3254
SHA1

8c3fe17b99f566945ab2b8b02ab28a6444b465b1
SHA256

874a77cfb6cf64a59476e1cb80864a96719c6f894749053d0a81d55df2145717
SHA512

48623f914be7b4134cc0e1219a5a7cb20af101bc38a6176ee23ec0e80d957be5ad6fec87fd47b36df7412091ab169d86711e80aff24b6248d8b6e332113867bf
SSDEEP

1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{531B86D1-54A3-434d-8768-50F6DCADAA96}\stubpath = "C:\\Windows\\{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe"	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080424B4-B38C-4167-8936-23DEAF30E6A1}	{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}\stubpath = "C:\\Windows\\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe"	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA86681E-F840-4925-8332-5748343BA29B}	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA86681E-F840-4925-8332-5748343BA29B}\stubpath = "C:\\Windows\\{EA86681E-F840-4925-8332-5748343BA29B}.exe"	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080424B4-B38C-4167-8936-23DEAF30E6A1}\stubpath = "C:\\Windows\\{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe"	{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{843E3782-258B-470f-9ED3-89C2E8A46AF9}	d5b16161601394exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}\stubpath = "C:\\Windows\\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe"	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A295B1-E465-4f38-B96F-AFB45F4663E3}\stubpath = "C:\\Windows\\{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe"	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED6F024-24AC-4b82-91BC-B3213196E6FA}\stubpath = "C:\\Windows\\{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe"	{EA86681E-F840-4925-8332-5748343BA29B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}\stubpath = "C:\\Windows\\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe"	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{843E3782-258B-470f-9ED3-89C2E8A46AF9}\stubpath = "C:\\Windows\\{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe"	d5b16161601394exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A295B1-E465-4f38-B96F-AFB45F4663E3}	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED6F024-24AC-4b82-91BC-B3213196E6FA}	{EA86681E-F840-4925-8332-5748343BA29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}\stubpath = "C:\\Windows\\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe"	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}\stubpath = "C:\\Windows\\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe"	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}\stubpath = "C:\\Windows\\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe"	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{531B86D1-54A3-434d-8768-50F6DCADAA96}	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe

Executes dropped EXE 12 IoCs

pid	Process
5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe
4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe
1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
3736	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe
4632	{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe
3616	{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
File created	C:\Windows\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
File created	C:\Windows\{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe
File created	C:\Windows\{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe	{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe
File created	C:\Windows\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
File created	C:\Windows\{EA86681E-F840-4925-8332-5748343BA29B}.exe	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
File created	C:\Windows\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
File created	C:\Windows\{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	{EA86681E-F840-4925-8332-5748343BA29B}.exe
File created	C:\Windows\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
File created	C:\Windows\{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	d5b16161601394exeexeexeex.exe
File created	C:\Windows\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
File created	C:\Windows\{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1184	d5b16161601394exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
Token: SeIncBasePriorityPrivilege	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
Token: SeIncBasePriorityPrivilege	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe
Token: SeIncBasePriorityPrivilege	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
Token: SeIncBasePriorityPrivilege	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe
Token: SeIncBasePriorityPrivilege	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
Token: SeIncBasePriorityPrivilege	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
Token: SeIncBasePriorityPrivilege	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
Token: SeIncBasePriorityPrivilege	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
Token: SeIncBasePriorityPrivilege	3736	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe
Token: SeIncBasePriorityPrivilege	4632	{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5056	1184	d5b16161601394exeexeexeex.exe	85
PID 1184 wrote to memory of 5056	1184	d5b16161601394exeexeexeex.exe	85
PID 1184 wrote to memory of 5056	1184	d5b16161601394exeexeexeex.exe	85
PID 1184 wrote to memory of 4844	1184	d5b16161601394exeexeexeex.exe	86
PID 1184 wrote to memory of 4844	1184	d5b16161601394exeexeexeex.exe	86
PID 1184 wrote to memory of 4844	1184	d5b16161601394exeexeexeex.exe	86
PID 5056 wrote to memory of 2528	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	87
PID 5056 wrote to memory of 2528	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	87
PID 5056 wrote to memory of 2528	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	87
PID 5056 wrote to memory of 2652	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	88
PID 5056 wrote to memory of 2652	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	88
PID 5056 wrote to memory of 2652	5056	{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe	88
PID 2528 wrote to memory of 400	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	98
PID 2528 wrote to memory of 400	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	98
PID 2528 wrote to memory of 400	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	98
PID 2528 wrote to memory of 4780	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	99
PID 2528 wrote to memory of 4780	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	99
PID 2528 wrote to memory of 4780	2528	{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe	99
PID 400 wrote to memory of 4360	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	100
PID 400 wrote to memory of 4360	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	100
PID 400 wrote to memory of 4360	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	100
PID 400 wrote to memory of 1368	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	101
PID 400 wrote to memory of 1368	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	101
PID 400 wrote to memory of 1368	400	{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe	101
PID 4360 wrote to memory of 3088	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	102
PID 4360 wrote to memory of 3088	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	102
PID 4360 wrote to memory of 3088	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	102
PID 4360 wrote to memory of 1188	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	103
PID 4360 wrote to memory of 1188	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	103
PID 4360 wrote to memory of 1188	4360	{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe	103
PID 3088 wrote to memory of 1328	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe	104
PID 3088 wrote to memory of 1328	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe	104
PID 3088 wrote to memory of 1328	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe	104
PID 3088 wrote to memory of 3896	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe	105
PID 3088 wrote to memory of 3896	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe	105
PID 3088 wrote to memory of 3896	3088	{EA86681E-F840-4925-8332-5748343BA29B}.exe	105
PID 1328 wrote to memory of 1052	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	108
PID 1328 wrote to memory of 1052	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	108
PID 1328 wrote to memory of 1052	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	108
PID 1328 wrote to memory of 4836	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	107
PID 1328 wrote to memory of 4836	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	107
PID 1328 wrote to memory of 4836	1328	{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe	107
PID 1052 wrote to memory of 2288	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	109
PID 1052 wrote to memory of 2288	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	109
PID 1052 wrote to memory of 2288	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	109
PID 1052 wrote to memory of 4492	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	110
PID 1052 wrote to memory of 4492	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	110
PID 1052 wrote to memory of 4492	1052	{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe	110
PID 2288 wrote to memory of 220	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	111
PID 2288 wrote to memory of 220	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	111
PID 2288 wrote to memory of 220	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	111
PID 2288 wrote to memory of 3496	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	112
PID 2288 wrote to memory of 3496	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	112
PID 2288 wrote to memory of 3496	2288	{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe	112
PID 220 wrote to memory of 3736	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	113
PID 220 wrote to memory of 3736	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	113
PID 220 wrote to memory of 3736	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	113
PID 220 wrote to memory of 3580	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	114
PID 220 wrote to memory of 3580	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	114
PID 220 wrote to memory of 3580	220	{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe	114
PID 3736 wrote to memory of 4632	3736	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe	115
PID 3736 wrote to memory of 4632	3736	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe	115
PID 3736 wrote to memory of 4632	3736	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe	115
PID 3736 wrote to memory of 4852	3736	{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe	116

C:\Users\Admin\AppData\Local\Temp\d5b16161601394exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d5b16161601394exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
  C:\Windows\{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
    C:\Windows\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe
      C:\Windows\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
        
        C:\Windows\{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\{EA86681E-F840-4925-8332-5748343BA29B}.exe
        
        C:\Windows\{EA86681E-F840-4925-8332-5748343BA29B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
        
        C:\Windows\{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AED6F~1.EXE > nul
        8⤵
        
        PID:4836
        
        C:\Windows\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
        
        C:\Windows\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
        
        C:\Windows\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
        
        C:\Windows\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe
        
        C:\Windows\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe
        
        C:\Windows\{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe
        
        C:\Windows\{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe
        13⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{531B8~1.EXE > nul
        13⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1903D~1.EXE > nul
        12⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0512C~1.EXE > nul
        11⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE655~1.EXE > nul
        10⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7D4D~1.EXE > nul
        9⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA866~1.EXE > nul
        7⤵
        
        PID:3896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A29~1.EXE > nul
        6⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1466B~1.EXE > nul
        5⤵
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CCC0C~1.EXE > nul
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{843E3~1.EXE > nul
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D5B161~1.EXE > nul
  2⤵
  PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe

Filesize
204KB

MD5
dc2de86d8e85f10ce8ddac7fd333e7f8

SHA1
7a5c8cdd66b2c8d2a05656af8e5312b6b4777707

SHA256
bae7f18dcb60deff43c855fe153ecb0dc4a349a8167a0a201a9ec6310da7bc88

SHA512
f3a6de7030405176b53f7b10e1d6f56ff62fcbb4e2364922576b4e5f9f6f74525485c46c4e18a308a6d421515538eb0c805921b0832fdb071f55ad27c998125e

Download Submit
C:\Windows\{0512CE9E-51A3-45fe-92F9-BC1AC1E99499}.exe

Filesize
204KB

MD5
dc2de86d8e85f10ce8ddac7fd333e7f8

SHA1
7a5c8cdd66b2c8d2a05656af8e5312b6b4777707

SHA256
bae7f18dcb60deff43c855fe153ecb0dc4a349a8167a0a201a9ec6310da7bc88

SHA512
f3a6de7030405176b53f7b10e1d6f56ff62fcbb4e2364922576b4e5f9f6f74525485c46c4e18a308a6d421515538eb0c805921b0832fdb071f55ad27c998125e

Download Submit
C:\Windows\{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe

Filesize
204KB

MD5
0111b3ce0859c6edeab7b7b0cc3effc9

SHA1
21f972748d81053476c59421bffc69baa7712e5d

SHA256
f3d3c1821cc8918150c6012fd154a69cf30c4d482db25dcb4899c25a98938d2a

SHA512
be93717b61248e5a2c66536810124daa1b8c380b12b16fee5f99fec04578829f3431e4114eb14591f7d052a87537e442ca507c3105e75fa22a7877aca4a30520

Download Submit
C:\Windows\{080424B4-B38C-4167-8936-23DEAF30E6A1}.exe

Filesize
204KB

MD5
0111b3ce0859c6edeab7b7b0cc3effc9

SHA1
21f972748d81053476c59421bffc69baa7712e5d

SHA256
f3d3c1821cc8918150c6012fd154a69cf30c4d482db25dcb4899c25a98938d2a

SHA512
be93717b61248e5a2c66536810124daa1b8c380b12b16fee5f99fec04578829f3431e4114eb14591f7d052a87537e442ca507c3105e75fa22a7877aca4a30520

Download Submit
C:\Windows\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe

Filesize
204KB

MD5
fe0d29c9c4be323f1a2fba201d9fe2aa

SHA1
abe8b6ed9f7ab6436488b64985f6294678d2c3c2

SHA256
6cc4866c2adb968edafa4f67de6bd5f8ebf041d3a34cd96d6c83892654b99c0c

SHA512
cdd577b3fb418bc0758bc71760fd72f83c342f9538a2ff2c8f0225d3b470440089ec1b32a6599549ace6a5f67c33872e55bf8e58208732846335a6bfff22a578

Download Submit
C:\Windows\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe

Filesize
204KB

MD5
fe0d29c9c4be323f1a2fba201d9fe2aa

SHA1
abe8b6ed9f7ab6436488b64985f6294678d2c3c2

SHA256
6cc4866c2adb968edafa4f67de6bd5f8ebf041d3a34cd96d6c83892654b99c0c

SHA512
cdd577b3fb418bc0758bc71760fd72f83c342f9538a2ff2c8f0225d3b470440089ec1b32a6599549ace6a5f67c33872e55bf8e58208732846335a6bfff22a578

Download Submit
C:\Windows\{1466B65A-1682-4cfd-95FE-6C1E1280EE27}.exe

Filesize
204KB

MD5
fe0d29c9c4be323f1a2fba201d9fe2aa

SHA1
abe8b6ed9f7ab6436488b64985f6294678d2c3c2

SHA256
6cc4866c2adb968edafa4f67de6bd5f8ebf041d3a34cd96d6c83892654b99c0c

SHA512
cdd577b3fb418bc0758bc71760fd72f83c342f9538a2ff2c8f0225d3b470440089ec1b32a6599549ace6a5f67c33872e55bf8e58208732846335a6bfff22a578

Download Submit
C:\Windows\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe

Filesize
204KB

MD5
0c98ee8ea21b1ec4c7a187c0a28456fd

SHA1
2d9cbd203d86eaede9ae98ba4040a891f959cb42

SHA256
4e2bbfb455f7915c042492d9bc9bbf3ab6b09fc7d32d1dd2ff9f5e97ac18d7f8

SHA512
5e903658322895850e524c895aaa995c93abaae1155de9d4317115d96fe09f4d11126bfc5ccb7693f718d57790f8c6fde98c5d2e8d5f8ec5ce80c83fea9bdcfc

Download Submit
C:\Windows\{1903D0B7-1C5C-4c77-B5F7-F938A196C422}.exe

Filesize
204KB

MD5
0c98ee8ea21b1ec4c7a187c0a28456fd

SHA1
2d9cbd203d86eaede9ae98ba4040a891f959cb42

SHA256
4e2bbfb455f7915c042492d9bc9bbf3ab6b09fc7d32d1dd2ff9f5e97ac18d7f8

SHA512
5e903658322895850e524c895aaa995c93abaae1155de9d4317115d96fe09f4d11126bfc5ccb7693f718d57790f8c6fde98c5d2e8d5f8ec5ce80c83fea9bdcfc

Download Submit
C:\Windows\{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe

Filesize
204KB

MD5
8fa90d44ebb4c4e7b2729509a70332ec

SHA1
e6a6fd25be22412225c7777ff3597b7cfd4f4a0a

SHA256
cd57856cfccee43223f9a75b395213976d0f756a0e7193b9cc25c29f2b88f5c0

SHA512
e24f8bd35d2b3198dfde26bc6adeb819c79c1f5d553db14dea53418a5ba71ab81199fdfb4d22b5c870127cef0b21bd4c014c342f5735118d1844a1d99ce2ca25

Download Submit
C:\Windows\{531B86D1-54A3-434d-8768-50F6DCADAA96}.exe

Filesize
204KB

MD5
8fa90d44ebb4c4e7b2729509a70332ec

SHA1
e6a6fd25be22412225c7777ff3597b7cfd4f4a0a

SHA256
cd57856cfccee43223f9a75b395213976d0f756a0e7193b9cc25c29f2b88f5c0

SHA512
e24f8bd35d2b3198dfde26bc6adeb819c79c1f5d553db14dea53418a5ba71ab81199fdfb4d22b5c870127cef0b21bd4c014c342f5735118d1844a1d99ce2ca25

Download Submit
C:\Windows\{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe

Filesize
204KB

MD5
aeedebf8a2fa35a905a6a459cb3c1f26

SHA1
4562dc7ebab1cd7229cee5deecc7e0e13ac3faef

SHA256
26f25e531938d3d28db729fcd6c49e1c1b7b9c8b373d50bab340cc31c5ba2e25

SHA512
5aeb51bc1087037ffa5f7144d6d2c7aeaf78b1332b89ebd017616b0252f8ae54cffa3644bdf89452d98662d94ac8b18031ef5fc76b8fc6095e8d288ee8233552

Download Submit
C:\Windows\{66A295B1-E465-4f38-B96F-AFB45F4663E3}.exe

Filesize
204KB

MD5
aeedebf8a2fa35a905a6a459cb3c1f26

SHA1
4562dc7ebab1cd7229cee5deecc7e0e13ac3faef

SHA256
26f25e531938d3d28db729fcd6c49e1c1b7b9c8b373d50bab340cc31c5ba2e25

SHA512
5aeb51bc1087037ffa5f7144d6d2c7aeaf78b1332b89ebd017616b0252f8ae54cffa3644bdf89452d98662d94ac8b18031ef5fc76b8fc6095e8d288ee8233552

Download Submit
C:\Windows\{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe

Filesize
204KB

MD5
bd35178f0211b835ee30155d850f43d7

SHA1
edd6868ae6788ed302d68f0f3e344535debf4919

SHA256
f57e9ab5801a00968bb76b49e3350b69ce29087a504cd266bc1c65f53db3f7ec

SHA512
5246d94b7dc5b4960cd4969f866b3adaab5f51c05ee9129feac81783bf20987e2c29bbd04ff572d940cf4cbb8a3361906a132e7bbbd1a740ddfa25670cc0a1f2

Download Submit
C:\Windows\{843E3782-258B-470f-9ED3-89C2E8A46AF9}.exe

Filesize
204KB

MD5
bd35178f0211b835ee30155d850f43d7

SHA1
edd6868ae6788ed302d68f0f3e344535debf4919

SHA256
f57e9ab5801a00968bb76b49e3350b69ce29087a504cd266bc1c65f53db3f7ec

SHA512
5246d94b7dc5b4960cd4969f866b3adaab5f51c05ee9129feac81783bf20987e2c29bbd04ff572d940cf4cbb8a3361906a132e7bbbd1a740ddfa25670cc0a1f2

Download Submit
C:\Windows\{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe

Filesize
204KB

MD5
58cdd95dd1676b3af6461018c3497603

SHA1
e7973c006248e35396731a318b29b6b1fb97bc5b

SHA256
dbd0f9e8aca5b5c8aad583d529c22cb0dd5eb3a05175aaaea86f3e68d23409a2

SHA512
95c1c2034df42f99b23e6e40e2f23bae4f66b5fc2f485513ac7bbd17c258b8f0868a91367ed44da0fee102187c28d1d61ab99d3adfb756e5d5d9fddf1105efb1

Download Submit
C:\Windows\{AED6F024-24AC-4b82-91BC-B3213196E6FA}.exe

Filesize
204KB

MD5
58cdd95dd1676b3af6461018c3497603

SHA1
e7973c006248e35396731a318b29b6b1fb97bc5b

SHA256
dbd0f9e8aca5b5c8aad583d529c22cb0dd5eb3a05175aaaea86f3e68d23409a2

SHA512
95c1c2034df42f99b23e6e40e2f23bae4f66b5fc2f485513ac7bbd17c258b8f0868a91367ed44da0fee102187c28d1d61ab99d3adfb756e5d5d9fddf1105efb1

Download Submit
C:\Windows\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe

Filesize
204KB

MD5
4e9abb0fe49f4c65f4bdf2d505d5aba4

SHA1
e70059d5f68b08bb2948074339cee07b40c225f5

SHA256
e150d4c2d0084d9d07d9a948f44f9f4b4ba627e4259a0035abedd29e6eeb0a0f

SHA512
e32cf0a5c95ffa9861b0e1a9f55ecffaed0cd968000640c0b2c3754b753377d18907bbcef9d023befea2870e84103ffc0c8d3646786a111355c63a80d228d01f

Download Submit
C:\Windows\{C7D4D35F-CD0A-4b9d-8098-7A5A4EDE78BD}.exe

Filesize
204KB

MD5
4e9abb0fe49f4c65f4bdf2d505d5aba4

SHA1
e70059d5f68b08bb2948074339cee07b40c225f5

SHA256
e150d4c2d0084d9d07d9a948f44f9f4b4ba627e4259a0035abedd29e6eeb0a0f

SHA512
e32cf0a5c95ffa9861b0e1a9f55ecffaed0cd968000640c0b2c3754b753377d18907bbcef9d023befea2870e84103ffc0c8d3646786a111355c63a80d228d01f

Download Submit
C:\Windows\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe

Filesize
204KB

MD5
58b8403cbe923deb1ed39bdac197c58f

SHA1
c13878da664a7b22b1330cbeca8bb20521e501a7

SHA256
b9100a9b1a9397b3385477245ab45b0e579cf9c4052846023aeee916645c5a9e

SHA512
f999eb3f1e414405d35375d1dfbfe8782e8d5df5e4817be0e04f2110080f1a342730a80d6a511d66903260fba75b269f3194645d3477b42c345a24059c8b4040

Download Submit
C:\Windows\{CCC0C42A-CEB4-4b2e-943D-1662CFDEED45}.exe

Filesize
204KB

MD5
58b8403cbe923deb1ed39bdac197c58f

SHA1
c13878da664a7b22b1330cbeca8bb20521e501a7

SHA256
b9100a9b1a9397b3385477245ab45b0e579cf9c4052846023aeee916645c5a9e

SHA512
f999eb3f1e414405d35375d1dfbfe8782e8d5df5e4817be0e04f2110080f1a342730a80d6a511d66903260fba75b269f3194645d3477b42c345a24059c8b4040

Download Submit
C:\Windows\{EA86681E-F840-4925-8332-5748343BA29B}.exe

Filesize
204KB

MD5
c40cf1404e705a6f236eaea452987bc8

SHA1
f682f2a1b95300a600dc5c733abe7fdbb2d65ea1

SHA256
ed07045f27a6b1b93bd5f8ec218de85d37c71ed3d5353efac27e4f9c4b44ff39

SHA512
d1fce5d0dc806fc62ac31d83e3914902918ee1d564bd307d8a4afb56fbfc32a3924c0e7a9aeae7b45811cfb4a46a03d0f9c4d32f35d340f1d5f275f80450b05b

Download Submit
C:\Windows\{EA86681E-F840-4925-8332-5748343BA29B}.exe

Filesize
204KB

MD5
c40cf1404e705a6f236eaea452987bc8

SHA1
f682f2a1b95300a600dc5c733abe7fdbb2d65ea1

SHA256
ed07045f27a6b1b93bd5f8ec218de85d37c71ed3d5353efac27e4f9c4b44ff39

SHA512
d1fce5d0dc806fc62ac31d83e3914902918ee1d564bd307d8a4afb56fbfc32a3924c0e7a9aeae7b45811cfb4a46a03d0f9c4d32f35d340f1d5f275f80450b05b

Download Submit
C:\Windows\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe

Filesize
204KB

MD5
a73a631d1eb978a4dee99f39d6bcd650

SHA1
028f9aa1749232ff7e23db758b1d54f162e7fbd0

SHA256
d23f52f5d40649c300db82bb5f516df4f4fbd315850bb71e124c241301c7fe55

SHA512
91dbfc9a7ee95529f61a39e47c9de4ff45e1c8c118043208f14e8d30f09763d8ed99f71c5786155de088dce55930e62816623aedcf57ad9069e9a23623ffe80e

Download Submit
C:\Windows\{EE65540C-EC3A-4384-8AB0-C91A742DD9AF}.exe

Filesize
204KB

MD5
a73a631d1eb978a4dee99f39d6bcd650

SHA1
028f9aa1749232ff7e23db758b1d54f162e7fbd0

SHA256
d23f52f5d40649c300db82bb5f516df4f4fbd315850bb71e124c241301c7fe55

SHA512
91dbfc9a7ee95529f61a39e47c9de4ff45e1c8c118043208f14e8d30f09763d8ed99f71c5786155de088dce55930e62816623aedcf57ad9069e9a23623ffe80e

Download Submit