f2d3584dbead45682f2b7caf7429fe6ca4b7c9fedca121d8b3af0fdd4e6a4618

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d996697b3201faexeexeexeex.exe
Size

204KB
MD5

d996697b3201fab608f61e2c4abfaced
SHA1

4121b4008f8d7f35aba814d247e3178d886beec9
SHA256

f2d3584dbead45682f2b7caf7429fe6ca4b7c9fedca121d8b3af0fdd4e6a4618
SHA512

369d98fad5f9c1b6316b63a8d8e398c69f841e363076485ea6df525be1eadfd2b17c495f3dac10764878d32e35a35bf83ebc9a6619f161b715b70c9308f7e52d
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{379049E7-3445-48af-AB40-CF0A67168A1E}\stubpath = "C:\\Windows\\{379049E7-3445-48af-AB40-CF0A67168A1E}.exe"	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E57D12D-497E-43bd-8365-847FDFE34F8D}	{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}\stubpath = "C:\\Windows\\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe"	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}\stubpath = "C:\\Windows\\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe"	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}\stubpath = "C:\\Windows\\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe"	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC727D01-2895-491d-93BA-617C191CA6B4}\stubpath = "C:\\Windows\\{BC727D01-2895-491d-93BA-617C191CA6B4}.exe"	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{117AA870-2E04-44cf-BD99-3467A782349F}	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}	{117AA870-2E04-44cf-BD99-3467A782349F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}\stubpath = "C:\\Windows\\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe"	d996697b3201faexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}\stubpath = "C:\\Windows\\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe"	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCE44A3-AAFD-4e52-8008-1777092714BA}\stubpath = "C:\\Windows\\{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe"	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{379049E7-3445-48af-AB40-CF0A67168A1E}	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}\stubpath = "C:\\Windows\\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe"	{117AA870-2E04-44cf-BD99-3467A782349F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E57D12D-497E-43bd-8365-847FDFE34F8D}\stubpath = "C:\\Windows\\{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe"	{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}	d996697b3201faexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCE44A3-AAFD-4e52-8008-1777092714BA}	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}\stubpath = "C:\\Windows\\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe"	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC727D01-2895-491d-93BA-617C191CA6B4}	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{117AA870-2E04-44cf-BD99-3467A782349F}\stubpath = "C:\\Windows\\{117AA870-2E04-44cf-BD99-3467A782349F}.exe"	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe
2548	{117AA870-2E04-44cf-BD99-3467A782349F}.exe
3656	{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe
1300	{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
File created	C:\Windows\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
File created	C:\Windows\{117AA870-2E04-44cf-BD99-3467A782349F}.exe	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe
File created	C:\Windows\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe	{117AA870-2E04-44cf-BD99-3467A782349F}.exe
File created	C:\Windows\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	d996697b3201faexeexeexeex.exe
File created	C:\Windows\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
File created	C:\Windows\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
File created	C:\Windows\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
File created	C:\Windows\{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
File created	C:\Windows\{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
File created	C:\Windows\{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
File created	C:\Windows\{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe	{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2072	d996697b3201faexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
Token: SeIncBasePriorityPrivilege	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
Token: SeIncBasePriorityPrivilege	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
Token: SeIncBasePriorityPrivilege	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
Token: SeIncBasePriorityPrivilege	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
Token: SeIncBasePriorityPrivilege	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
Token: SeIncBasePriorityPrivilege	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
Token: SeIncBasePriorityPrivilege	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
Token: SeIncBasePriorityPrivilege	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe
Token: SeIncBasePriorityPrivilege	2548	{117AA870-2E04-44cf-BD99-3467A782349F}.exe
Token: SeIncBasePriorityPrivilege	3656	{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4620	2072	d996697b3201faexeexeexeex.exe	84
PID 2072 wrote to memory of 4620	2072	d996697b3201faexeexeexeex.exe	84
PID 2072 wrote to memory of 4620	2072	d996697b3201faexeexeexeex.exe	84
PID 2072 wrote to memory of 4884	2072	d996697b3201faexeexeexeex.exe	85
PID 2072 wrote to memory of 4884	2072	d996697b3201faexeexeexeex.exe	85
PID 2072 wrote to memory of 4884	2072	d996697b3201faexeexeexeex.exe	85
PID 4620 wrote to memory of 3976	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	86
PID 4620 wrote to memory of 3976	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	86
PID 4620 wrote to memory of 3976	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	86
PID 4620 wrote to memory of 5060	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	87
PID 4620 wrote to memory of 5060	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	87
PID 4620 wrote to memory of 5060	4620	{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe	87
PID 3976 wrote to memory of 2212	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	92
PID 3976 wrote to memory of 2212	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	92
PID 3976 wrote to memory of 2212	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	92
PID 3976 wrote to memory of 4064	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	91
PID 3976 wrote to memory of 4064	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	91
PID 3976 wrote to memory of 4064	3976	{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe	91
PID 2212 wrote to memory of 1972	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	93
PID 2212 wrote to memory of 1972	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	93
PID 2212 wrote to memory of 1972	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	93
PID 2212 wrote to memory of 4120	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	94
PID 2212 wrote to memory of 4120	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	94
PID 2212 wrote to memory of 4120	2212	{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe	94
PID 1972 wrote to memory of 1856	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	95
PID 1972 wrote to memory of 1856	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	95
PID 1972 wrote to memory of 1856	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	95
PID 1972 wrote to memory of 3756	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	96
PID 1972 wrote to memory of 3756	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	96
PID 1972 wrote to memory of 3756	1972	{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe	96
PID 1856 wrote to memory of 1044	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	98
PID 1856 wrote to memory of 1044	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	98
PID 1856 wrote to memory of 1044	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	98
PID 1856 wrote to memory of 2200	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	99
PID 1856 wrote to memory of 2200	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	99
PID 1856 wrote to memory of 2200	1856	{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe	99
PID 1044 wrote to memory of 868	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	100
PID 1044 wrote to memory of 868	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	100
PID 1044 wrote to memory of 868	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	100
PID 1044 wrote to memory of 4960	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	101
PID 1044 wrote to memory of 4960	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	101
PID 1044 wrote to memory of 4960	1044	{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe	101
PID 868 wrote to memory of 2984	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	103
PID 868 wrote to memory of 2984	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	103
PID 868 wrote to memory of 2984	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	103
PID 868 wrote to memory of 5068	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	104
PID 868 wrote to memory of 5068	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	104
PID 868 wrote to memory of 5068	868	{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe	104
PID 2984 wrote to memory of 1620	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	111
PID 2984 wrote to memory of 1620	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	111
PID 2984 wrote to memory of 1620	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	111
PID 2984 wrote to memory of 1768	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	112
PID 2984 wrote to memory of 1768	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	112
PID 2984 wrote to memory of 1768	2984	{379049E7-3445-48af-AB40-CF0A67168A1E}.exe	112
PID 1620 wrote to memory of 2548	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	113
PID 1620 wrote to memory of 2548	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	113
PID 1620 wrote to memory of 2548	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	113
PID 1620 wrote to memory of 3592	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	114
PID 1620 wrote to memory of 3592	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	114
PID 1620 wrote to memory of 3592	1620	{BC727D01-2895-491d-93BA-617C191CA6B4}.exe	114
PID 2548 wrote to memory of 3656	2548	{117AA870-2E04-44cf-BD99-3467A782349F}.exe	115
PID 2548 wrote to memory of 3656	2548	{117AA870-2E04-44cf-BD99-3467A782349F}.exe	115
PID 2548 wrote to memory of 3656	2548	{117AA870-2E04-44cf-BD99-3467A782349F}.exe	115
PID 2548 wrote to memory of 3788	2548	{117AA870-2E04-44cf-BD99-3467A782349F}.exe	116

C:\Users\Admin\AppData\Local\Temp\d996697b3201faexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d996697b3201faexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
  C:\Windows\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
    C:\Windows\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1E39D~1.EXE > nul
      4⤵
      PID:4064
  - - C:\Windows\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
      C:\Windows\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
        
        C:\Windows\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
        
        C:\Windows\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
        
        C:\Windows\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
        
        C:\Windows\{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
        
        C:\Windows\{379049E7-3445-48af-AB40-CF0A67168A1E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{BC727D01-2895-491d-93BA-617C191CA6B4}.exe
        
        C:\Windows\{BC727D01-2895-491d-93BA-617C191CA6B4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{117AA870-2E04-44cf-BD99-3467A782349F}.exe
        
        C:\Windows\{117AA870-2E04-44cf-BD99-3467A782349F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe
        
        C:\Windows\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
        
        C:\Windows\{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe
        
        C:\Windows\{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C27FD~1.EXE > nul
        13⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{117AA~1.EXE > nul
        12⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC727~1.EXE > nul
        11⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37904~1.EXE > nul
        10⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADCE4~1.EXE > nul
        9⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4783C~1.EXE > nul
        8⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B06AD~1.EXE > nul
        7⤵
        
        PID:2200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B4A3~1.EXE > nul
        6⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D675~1.EXE > nul
        5⤵
        
        PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE505~1.EXE > nul
    3⤵
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D99669~1.EXE > nul
  2⤵
  PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{117AA870-2E04-44cf-BD99-3467A782349F}.exe

Filesize
204KB

MD5
1d2cb459e1f1cd37841939e3af624ea2

SHA1
ae872d13133291ec0ae57944b108c9615066eb8d

SHA256
8cdd663b21dab568d8d678b07d0245187235b6e12da5544f4a5a2be5eee20774

SHA512
416b2b620c430d0774ca1e35d7386ee4afed4c5f7cf397c56bd234a020922dcda838a504894440f5f6b8223a62dc97eef4bb88a455c4becf498cd6f7f0d66599

Download Submit
C:\Windows\{117AA870-2E04-44cf-BD99-3467A782349F}.exe

Filesize
204KB

MD5
1d2cb459e1f1cd37841939e3af624ea2

SHA1
ae872d13133291ec0ae57944b108c9615066eb8d

SHA256
8cdd663b21dab568d8d678b07d0245187235b6e12da5544f4a5a2be5eee20774

SHA512
416b2b620c430d0774ca1e35d7386ee4afed4c5f7cf397c56bd234a020922dcda838a504894440f5f6b8223a62dc97eef4bb88a455c4becf498cd6f7f0d66599

Download Submit
C:\Windows\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe

Filesize
204KB

MD5
f9899f7b399186ae65a2bf3c57148a44

SHA1
480b51251efe1645b54fc00a405026d90f0d036f

SHA256
fa538248e105b8ff4bee313c6a994805b2c220ec013207792c80f91c6e831413

SHA512
ed6bc11d640aae008bfb068c1b4c959b88d01884ac8af05a400f0d390b719fff1bbe91eeb05816314c1079ce2ef1fc9282d0e23972025d8ebecee7b38931b988

Download Submit
C:\Windows\{1E39DCF2-D8FB-408b-BEC5-49535B08F722}.exe

Filesize
204KB

MD5
f9899f7b399186ae65a2bf3c57148a44

SHA1
480b51251efe1645b54fc00a405026d90f0d036f

SHA256
fa538248e105b8ff4bee313c6a994805b2c220ec013207792c80f91c6e831413

SHA512
ed6bc11d640aae008bfb068c1b4c959b88d01884ac8af05a400f0d390b719fff1bbe91eeb05816314c1079ce2ef1fc9282d0e23972025d8ebecee7b38931b988

Download Submit
C:\Windows\{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe

Filesize
204KB

MD5
1feb21afab84d7c48ed6b9c930d18e89

SHA1
528345850e1ef5c1cc89cc511e8ca234182d0cd1

SHA256
681088c7042e3a29a365a110992fcde1e6444cbb085d1c84c2c4f9b1bb93feec

SHA512
8a6c4d8d8fda84dd5d9b98e4a34b38d6d101eb02ed3263acc2a0301d32fff51841425cc758b519daffc1b4e9573f185c3307c31a39dda094f8d9ce932a259f2f

Download Submit
C:\Windows\{2E57D12D-497E-43bd-8365-847FDFE34F8D}.exe

Filesize
204KB

MD5
1feb21afab84d7c48ed6b9c930d18e89

SHA1
528345850e1ef5c1cc89cc511e8ca234182d0cd1

SHA256
681088c7042e3a29a365a110992fcde1e6444cbb085d1c84c2c4f9b1bb93feec

SHA512
8a6c4d8d8fda84dd5d9b98e4a34b38d6d101eb02ed3263acc2a0301d32fff51841425cc758b519daffc1b4e9573f185c3307c31a39dda094f8d9ce932a259f2f

Download Submit
C:\Windows\{379049E7-3445-48af-AB40-CF0A67168A1E}.exe

Filesize
204KB

MD5
46cc96df507db1bed15037315b154900

SHA1
c0d98eef98abdf9dadff7a6665a9837d5a8d7a9b

SHA256
0212201d085ed64d81cb47076660ff68bf03fce407a50ddff6d84c6cc212a3f2

SHA512
77f757a6da01c1781973ba73492e2f0c1ba6f320db4bfa8d20d3093b719493fd00149dc661e839d24cb0781fdda86c734f4130acaa96f9cc8d959be75855fa9d

Download Submit
C:\Windows\{379049E7-3445-48af-AB40-CF0A67168A1E}.exe

Filesize
204KB

MD5
46cc96df507db1bed15037315b154900

SHA1
c0d98eef98abdf9dadff7a6665a9837d5a8d7a9b

SHA256
0212201d085ed64d81cb47076660ff68bf03fce407a50ddff6d84c6cc212a3f2

SHA512
77f757a6da01c1781973ba73492e2f0c1ba6f320db4bfa8d20d3093b719493fd00149dc661e839d24cb0781fdda86c734f4130acaa96f9cc8d959be75855fa9d

Download Submit
C:\Windows\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe

Filesize
204KB

MD5
a8f049a54934fc061457968a820e6820

SHA1
f8557207aedbab4f00ea60a7878ecb3b68731d64

SHA256
fd75ceb243e06f08ca4c936e8397a9d13967f35f4d0789661316a033a3eaa68d

SHA512
d272f425ee25a74a74fc5d48f9f80d8829c86bfaf44dc7626dc5728def3260199f418c35b223f1ccddc654c8f9dccd189541063903aa75e2bb1cc08db1cad124

Download Submit
C:\Windows\{4783C8BD-E4BB-4a2e-B930-2F8EAD8D10C4}.exe

Filesize
204KB

MD5
a8f049a54934fc061457968a820e6820

SHA1
f8557207aedbab4f00ea60a7878ecb3b68731d64

SHA256
fd75ceb243e06f08ca4c936e8397a9d13967f35f4d0789661316a033a3eaa68d

SHA512
d272f425ee25a74a74fc5d48f9f80d8829c86bfaf44dc7626dc5728def3260199f418c35b223f1ccddc654c8f9dccd189541063903aa75e2bb1cc08db1cad124

Download Submit
C:\Windows\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe

Filesize
204KB

MD5
302c24c7994bdd30464f0257e68ac392

SHA1
42d820da3533e2ccdf8af89083b38462995573b8

SHA256
cd6fc2fdb1bbc9176a6f31ed8fc0a64d2d3a51430a7813c70d9b94fd6a1c4e24

SHA512
1312a90c19c0e057b8430c41169f3ba628589fd73a6860894f077ce568666582b4cc3a0f88b4b3d95d2742cab5e17f1a081a300534c7e0a5198a4c6171299637

Download Submit
C:\Windows\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe

Filesize
204KB

MD5
302c24c7994bdd30464f0257e68ac392

SHA1
42d820da3533e2ccdf8af89083b38462995573b8

SHA256
cd6fc2fdb1bbc9176a6f31ed8fc0a64d2d3a51430a7813c70d9b94fd6a1c4e24

SHA512
1312a90c19c0e057b8430c41169f3ba628589fd73a6860894f077ce568666582b4cc3a0f88b4b3d95d2742cab5e17f1a081a300534c7e0a5198a4c6171299637

Download Submit
C:\Windows\{5D6753F1-96E7-48a5-91A3-0BEC053B2C60}.exe

Filesize
204KB

MD5
302c24c7994bdd30464f0257e68ac392

SHA1
42d820da3533e2ccdf8af89083b38462995573b8

SHA256
cd6fc2fdb1bbc9176a6f31ed8fc0a64d2d3a51430a7813c70d9b94fd6a1c4e24

SHA512
1312a90c19c0e057b8430c41169f3ba628589fd73a6860894f077ce568666582b4cc3a0f88b4b3d95d2742cab5e17f1a081a300534c7e0a5198a4c6171299637

Download Submit
C:\Windows\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe

Filesize
204KB

MD5
b5ded454259ec8b40367957931e79cd3

SHA1
e61ad7ac2601e0bb7033acd5aea935a03b43e8d9

SHA256
fc205a5425aef751f359c7103ac0cceff25d56d6b2b29f41601423666a584c09

SHA512
c6b43b1545990037072aefff3c3925b299a442949d8ff3601133b65f5c50156cdc9a17d2eb225cac679e44a24c9a4774e0ed43876c8e275e11863db6f4000a06

Download Submit
C:\Windows\{9B4A3DE5-FB50-4ada-BD14-86122887CEFC}.exe

Filesize
204KB

MD5
b5ded454259ec8b40367957931e79cd3

SHA1
e61ad7ac2601e0bb7033acd5aea935a03b43e8d9

SHA256
fc205a5425aef751f359c7103ac0cceff25d56d6b2b29f41601423666a584c09

SHA512
c6b43b1545990037072aefff3c3925b299a442949d8ff3601133b65f5c50156cdc9a17d2eb225cac679e44a24c9a4774e0ed43876c8e275e11863db6f4000a06

Download Submit
C:\Windows\{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe

Filesize
204KB

MD5
fabe026290e1c4aa70e547bb967ae0c5

SHA1
0762e4a8cd5f84bbc67211547e1ebde19039154d

SHA256
de517cb60d2f4e77c1bf4572479fed93be6465ba7643476daa7e3dab6204a125

SHA512
87557ab7c0d288177e1e73e64989aa82562adc79571005af74b77d4d50eed727c4c4fc790be8d8cd5e6cbf955336888a6473bdc65e1c12945a9d5d61ce553b44

Download Submit
C:\Windows\{ADCE44A3-AAFD-4e52-8008-1777092714BA}.exe

Filesize
204KB

MD5
fabe026290e1c4aa70e547bb967ae0c5

SHA1
0762e4a8cd5f84bbc67211547e1ebde19039154d

SHA256
de517cb60d2f4e77c1bf4572479fed93be6465ba7643476daa7e3dab6204a125

SHA512
87557ab7c0d288177e1e73e64989aa82562adc79571005af74b77d4d50eed727c4c4fc790be8d8cd5e6cbf955336888a6473bdc65e1c12945a9d5d61ce553b44

Download Submit
C:\Windows\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe

Filesize
204KB

MD5
228c75d2c58088f00093ee2ef78d7285

SHA1
6f358eeae0f3ea4cdd850221641969dbd04388e9

SHA256
70b197520754357a7561f8ccbc6993083cd352081ad248347418aa2a0478e0ea

SHA512
347b1929cea44345d0c7a1602568f82d7a429def2a6bbcb7bd5bf011d2a94b8a40e3cfa8dc71d9065c109fbab060d4658b8cfa382b2f67d09d0f5416cacd9455

Download Submit
C:\Windows\{B06ADAAC-7E97-4e5f-93F6-35F2C3C196BE}.exe

Filesize
204KB

MD5
228c75d2c58088f00093ee2ef78d7285

SHA1
6f358eeae0f3ea4cdd850221641969dbd04388e9

SHA256
70b197520754357a7561f8ccbc6993083cd352081ad248347418aa2a0478e0ea

SHA512
347b1929cea44345d0c7a1602568f82d7a429def2a6bbcb7bd5bf011d2a94b8a40e3cfa8dc71d9065c109fbab060d4658b8cfa382b2f67d09d0f5416cacd9455

Download Submit
C:\Windows\{BC727D01-2895-491d-93BA-617C191CA6B4}.exe

Filesize
204KB

MD5
c4228852719c13912694fbe7780228c7

SHA1
c4eaea521f26641a20f4813bf108ce35d95c8d90

SHA256
6c0d981ee21f3c044475dcb71d85674e6e9de2da42857808fe23325e9ed29414

SHA512
7514cb3b9d1a25a101282b9ee21e3d36939e85162741622a6dc5217cddcd30fed8e4dd3ea6e8d2ed4e5b98ffa10e410d42ae85ccb2193f6ab33c81a9b55f2ab5

Download Submit
C:\Windows\{BC727D01-2895-491d-93BA-617C191CA6B4}.exe

Filesize
204KB

MD5
c4228852719c13912694fbe7780228c7

SHA1
c4eaea521f26641a20f4813bf108ce35d95c8d90

SHA256
6c0d981ee21f3c044475dcb71d85674e6e9de2da42857808fe23325e9ed29414

SHA512
7514cb3b9d1a25a101282b9ee21e3d36939e85162741622a6dc5217cddcd30fed8e4dd3ea6e8d2ed4e5b98ffa10e410d42ae85ccb2193f6ab33c81a9b55f2ab5

Download Submit
C:\Windows\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe

Filesize
204KB

MD5
3f40c7776d73c792a811df3ff44c8a3a

SHA1
561d0c5bcd02ba857b9e665a90714eb6af9e996b

SHA256
4e44a4860eb35f2fad7535c500f0d031ce2bb51cd24efe43ec65f3328af0f921

SHA512
c5bb48c742132c2875e89be88b5925e7af3328a4fbdb1e270dcfe5ffb4035ae6a11613ac62c2e4862337304c30d79c55c4b7c4a3c52c6c86352451362f19c446

Download Submit
C:\Windows\{C27FDBC2-84F3-47d5-85FF-5541C1C3C2FB}.exe

Filesize
204KB

MD5
3f40c7776d73c792a811df3ff44c8a3a

SHA1
561d0c5bcd02ba857b9e665a90714eb6af9e996b

SHA256
4e44a4860eb35f2fad7535c500f0d031ce2bb51cd24efe43ec65f3328af0f921

SHA512
c5bb48c742132c2875e89be88b5925e7af3328a4fbdb1e270dcfe5ffb4035ae6a11613ac62c2e4862337304c30d79c55c4b7c4a3c52c6c86352451362f19c446

Download Submit
C:\Windows\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe

Filesize
204KB

MD5
949ab444ff4cedc2f3135fce7267118a

SHA1
78ff70153ac27030d3ca1ecaf4e25d8898f4b085

SHA256
0166c217629c2cb4e023e5bcdd22e51413492406806b66c07a70e5a8048b7a9f

SHA512
4ccf37b306ea485076d35f932a1a970b4c3ddcb4ca4ce0fc7bd27c3d5ce24cde152d26735bc7537186170d8219781f582bd50868fa213ad65ba6a74c7ff147cc

Download Submit
C:\Windows\{CE50517F-ED81-4bf9-8BBD-87C36061CA7E}.exe

Filesize
204KB

MD5
949ab444ff4cedc2f3135fce7267118a

SHA1
78ff70153ac27030d3ca1ecaf4e25d8898f4b085

SHA256
0166c217629c2cb4e023e5bcdd22e51413492406806b66c07a70e5a8048b7a9f

SHA512
4ccf37b306ea485076d35f932a1a970b4c3ddcb4ca4ce0fc7bd27c3d5ce24cde152d26735bc7537186170d8219781f582bd50868fa213ad65ba6a74c7ff147cc

Download Submit