da9aa964ad84c7ec9575429a53919a4ffbcbcb6301cebd3da83475645782b956

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005e1d27259728exeexeexeex.exe
Size

372KB
MD5

005e1d2725972824e1d78e88ecb5c4b1
SHA1

c4c1fa3b0263af300f8d7c77a523c3bad212affd
SHA256

da9aa964ad84c7ec9575429a53919a4ffbcbcb6301cebd3da83475645782b956
SHA512

6cabd36ab995184885638d6c5f90001d4fc5a806aa4a084d7fbd2b2b35d458608e064c826f71e689337bb0472fb9fe52bf43c8c5311a13eda0e98aa79efbf577
SSDEEP

3072:CEGh0o1mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG6l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20312DA7-6CF0-4c88-AC8B-879225F57A93}	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}\stubpath = "C:\\Windows\\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe"	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46FCDE7A-A4AD-444b-902C-818894CB85C6}	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB02805-A01B-4bab-A83E-0722BDF6F114}\stubpath = "C:\\Windows\\{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe"	{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3B7B43-F2F3-4d27-AB12-715687256F23}\stubpath = "C:\\Windows\\{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe"	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}\stubpath = "C:\\Windows\\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe"	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20312DA7-6CF0-4c88-AC8B-879225F57A93}\stubpath = "C:\\Windows\\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe"	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59241B09-DEC6-47b8-B87A-4BBE641AF952}	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59241B09-DEC6-47b8-B87A-4BBE641AF952}\stubpath = "C:\\Windows\\{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe"	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7F336C-85A6-42b2-99A9-A0F527559040}	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3B7B43-F2F3-4d27-AB12-715687256F23}	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB02805-A01B-4bab-A83E-0722BDF6F114}	{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CD104B9-BA5F-4013-AF3F-520B4336F270}	005e1d27259728exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CD104B9-BA5F-4013-AF3F-520B4336F270}\stubpath = "C:\\Windows\\{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe"	005e1d27259728exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}\stubpath = "C:\\Windows\\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe"	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}\stubpath = "C:\\Windows\\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe"	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}\stubpath = "C:\\Windows\\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe"	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46FCDE7A-A4AD-444b-902C-818894CB85C6}\stubpath = "C:\\Windows\\{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe"	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7F336C-85A6-42b2-99A9-A0F527559040}\stubpath = "C:\\Windows\\{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe"	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe
3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
1920	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
2772	{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe
2220	{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
File created	C:\Windows\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
File created	C:\Windows\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
File created	C:\Windows\{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
File created	C:\Windows\{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
File created	C:\Windows\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
File created	C:\Windows\{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe	{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe
File created	C:\Windows\{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	005e1d27259728exeexeexeex.exe
File created	C:\Windows\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
File created	C:\Windows\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
File created	C:\Windows\{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
File created	C:\Windows\{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	440	005e1d27259728exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
Token: SeIncBasePriorityPrivilege	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
Token: SeIncBasePriorityPrivilege	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
Token: SeIncBasePriorityPrivilege	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
Token: SeIncBasePriorityPrivilege	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
Token: SeIncBasePriorityPrivilege	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
Token: SeIncBasePriorityPrivilege	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
Token: SeIncBasePriorityPrivilege	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe
Token: SeIncBasePriorityPrivilege	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
Token: SeIncBasePriorityPrivilege	1920	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
Token: SeIncBasePriorityPrivilege	2772	{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 2632	440	005e1d27259728exeexeexeex.exe	79
PID 440 wrote to memory of 2632	440	005e1d27259728exeexeexeex.exe	79
PID 440 wrote to memory of 2632	440	005e1d27259728exeexeexeex.exe	79
PID 440 wrote to memory of 1380	440	005e1d27259728exeexeexeex.exe	80
PID 440 wrote to memory of 1380	440	005e1d27259728exeexeexeex.exe	80
PID 440 wrote to memory of 1380	440	005e1d27259728exeexeexeex.exe	80
PID 2632 wrote to memory of 4512	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	81
PID 2632 wrote to memory of 4512	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	81
PID 2632 wrote to memory of 4512	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	81
PID 2632 wrote to memory of 4848	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	82
PID 2632 wrote to memory of 4848	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	82
PID 2632 wrote to memory of 4848	2632	{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe	82
PID 4512 wrote to memory of 4552	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	83
PID 4512 wrote to memory of 4552	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	83
PID 4512 wrote to memory of 4552	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	83
PID 4512 wrote to memory of 4596	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	84
PID 4512 wrote to memory of 4596	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	84
PID 4512 wrote to memory of 4596	4512	{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe	84
PID 4552 wrote to memory of 812	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	85
PID 4552 wrote to memory of 812	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	85
PID 4552 wrote to memory of 812	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	85
PID 4552 wrote to memory of 2516	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	86
PID 4552 wrote to memory of 2516	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	86
PID 4552 wrote to memory of 2516	4552	{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe	86
PID 812 wrote to memory of 1072	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	87
PID 812 wrote to memory of 1072	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	87
PID 812 wrote to memory of 1072	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	87
PID 812 wrote to memory of 3848	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	88
PID 812 wrote to memory of 3848	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	88
PID 812 wrote to memory of 3848	812	{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe	88
PID 1072 wrote to memory of 1976	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	89
PID 1072 wrote to memory of 1976	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	89
PID 1072 wrote to memory of 1976	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	89
PID 1072 wrote to memory of 2320	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	90
PID 1072 wrote to memory of 2320	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	90
PID 1072 wrote to memory of 2320	1072	{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe	90
PID 1976 wrote to memory of 3376	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	91
PID 1976 wrote to memory of 3376	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	91
PID 1976 wrote to memory of 3376	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	91
PID 1976 wrote to memory of 4972	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	92
PID 1976 wrote to memory of 4972	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	92
PID 1976 wrote to memory of 4972	1976	{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe	92
PID 3376 wrote to memory of 5080	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	93
PID 3376 wrote to memory of 5080	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	93
PID 3376 wrote to memory of 5080	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	93
PID 3376 wrote to memory of 1640	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	94
PID 3376 wrote to memory of 1640	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	94
PID 3376 wrote to memory of 1640	3376	{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe	94
PID 5080 wrote to memory of 3160	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	95
PID 5080 wrote to memory of 3160	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	95
PID 5080 wrote to memory of 3160	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	95
PID 5080 wrote to memory of 4788	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	96
PID 5080 wrote to memory of 4788	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	96
PID 5080 wrote to memory of 4788	5080	{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe	96
PID 3160 wrote to memory of 1920	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	97
PID 3160 wrote to memory of 1920	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	97
PID 3160 wrote to memory of 1920	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	97
PID 3160 wrote to memory of 3896	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	98
PID 3160 wrote to memory of 3896	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	98
PID 3160 wrote to memory of 3896	3160	{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe	98
PID 1920 wrote to memory of 2772	1920	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe	100
PID 1920 wrote to memory of 2772	1920	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe	100
PID 1920 wrote to memory of 2772	1920	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe	100
PID 1920 wrote to memory of 1496	1920	{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe	99

C:\Users\Admin\AppData\Local\Temp\005e1d27259728exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\005e1d27259728exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
  C:\Windows\{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
    C:\Windows\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
      C:\Windows\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
        
        C:\Windows\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Windows\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
        
        C:\Windows\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
        
        C:\Windows\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
        
        C:\Windows\{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe
        
        C:\Windows\{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
        
        C:\Windows\{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
        
        C:\Windows\{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF3B7~1.EXE > nul
        12⤵
        
        PID:1496
        
        C:\Windows\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe
        
        C:\Windows\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe
        
        C:\Windows\{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe
        13⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0EBE~1.EXE > nul
        13⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B7F3~1.EXE > nul
        11⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46FCD~1.EXE > nul
        10⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59241~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23F4F~1.EXE > nul
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7466D~1.EXE > nul
        7⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E7EB~1.EXE > nul
        6⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20312~1.EXE > nul
        5⤵
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F68C7~1.EXE > nul
      4⤵
      PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CD10~1.EXE > nul
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\005E1D~1.EXE > nul
  2⤵
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe

Filesize
372KB

MD5
277e9458def62a9053b650e6430f4612

SHA1
f5ad242c4dad9991315831f3599a9d192c752255

SHA256
fc846c411cf2419a223c6822315d51f0eba0eeba56ca367bc2ddfd934828a9fb

SHA512
000d3cb146884c371e8af886eccc4aec3381dcea094cf8c8a1d7097b4726fd735f9a11d87c4b1f781f7d931dfa7126d1396be72f975c8daee34519f32b1f9832

Download Submit
C:\Windows\{1B7F336C-85A6-42b2-99A9-A0F527559040}.exe

Filesize
372KB

MD5
277e9458def62a9053b650e6430f4612

SHA1
f5ad242c4dad9991315831f3599a9d192c752255

SHA256
fc846c411cf2419a223c6822315d51f0eba0eeba56ca367bc2ddfd934828a9fb

SHA512
000d3cb146884c371e8af886eccc4aec3381dcea094cf8c8a1d7097b4726fd735f9a11d87c4b1f781f7d931dfa7126d1396be72f975c8daee34519f32b1f9832

Download Submit
C:\Windows\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe

Filesize
372KB

MD5
308a9a0449b2eff7afaa12e757726a6b

SHA1
f5d879cdd6c37c333b9554e886d3aeed15b55560

SHA256
06404447ed3444d280dff242e85bbeb8b2609bc03c64c392870cfa8d7e885b03

SHA512
00ff46610819d11addbbf844931aa08c32233f5067ee3ab0e64f40e5be3c938480b6d1066099a5182878e16ebf1a276728e76e0418aa6190d8ec400d394a63ef

Download Submit
C:\Windows\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe

Filesize
372KB

MD5
308a9a0449b2eff7afaa12e757726a6b

SHA1
f5d879cdd6c37c333b9554e886d3aeed15b55560

SHA256
06404447ed3444d280dff242e85bbeb8b2609bc03c64c392870cfa8d7e885b03

SHA512
00ff46610819d11addbbf844931aa08c32233f5067ee3ab0e64f40e5be3c938480b6d1066099a5182878e16ebf1a276728e76e0418aa6190d8ec400d394a63ef

Download Submit
C:\Windows\{20312DA7-6CF0-4c88-AC8B-879225F57A93}.exe

Filesize
372KB

MD5
308a9a0449b2eff7afaa12e757726a6b

SHA1
f5d879cdd6c37c333b9554e886d3aeed15b55560

SHA256
06404447ed3444d280dff242e85bbeb8b2609bc03c64c392870cfa8d7e885b03

SHA512
00ff46610819d11addbbf844931aa08c32233f5067ee3ab0e64f40e5be3c938480b6d1066099a5182878e16ebf1a276728e76e0418aa6190d8ec400d394a63ef

Download Submit
C:\Windows\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe

Filesize
372KB

MD5
022765a444f377c0d1b7812ec1278dd4

SHA1
8639bc940b8adc58b3374e3b5978c286db1c9dec

SHA256
f5c6ea2a31f00e60033ddaac8b28fbf1c89c4fe7ccef3be0def3280bc2667f66

SHA512
5f8787682fe15c772c928c35265609f7d897883674b42b91c762be8fa6a13582567cfdf3e42969bc19557d02d831ed293f1d8ad47780a5b63c9ff198abdfa0cb

Download Submit
C:\Windows\{23F4FD33-5B9A-4ebb-97AF-3DA42FC372C7}.exe

Filesize
372KB

MD5
022765a444f377c0d1b7812ec1278dd4

SHA1
8639bc940b8adc58b3374e3b5978c286db1c9dec

SHA256
f5c6ea2a31f00e60033ddaac8b28fbf1c89c4fe7ccef3be0def3280bc2667f66

SHA512
5f8787682fe15c772c928c35265609f7d897883674b42b91c762be8fa6a13582567cfdf3e42969bc19557d02d831ed293f1d8ad47780a5b63c9ff198abdfa0cb

Download Submit
C:\Windows\{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe

Filesize
372KB

MD5
9cdce523955ab6007d19053b207bc040

SHA1
18b33f255c965546acde8b1ba48f6493c4047a4c

SHA256
5dae42b1d9141bcfcccb26f0c03bb952fbc3e9181db138c223f778013855d594

SHA512
d36f593c9f70db835b4885d0d92a8c2122c6268454f42aa3f64daca302802490e9b243696d7180b401acd9823a55a20f0e8d6d2307a7548c44da00da1445e5d0

Download Submit
C:\Windows\{46FCDE7A-A4AD-444b-902C-818894CB85C6}.exe

Filesize
372KB

MD5
9cdce523955ab6007d19053b207bc040

SHA1
18b33f255c965546acde8b1ba48f6493c4047a4c

SHA256
5dae42b1d9141bcfcccb26f0c03bb952fbc3e9181db138c223f778013855d594

SHA512
d36f593c9f70db835b4885d0d92a8c2122c6268454f42aa3f64daca302802490e9b243696d7180b401acd9823a55a20f0e8d6d2307a7548c44da00da1445e5d0

Download Submit
C:\Windows\{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe

Filesize
372KB

MD5
9d9f97160a245605af16a14bd42aa998

SHA1
dd31b833cee7a7e47d0562bac462acb7a94f919a

SHA256
515f822edfeee6047ff20fe2bc327412cffaa0c4e2f9eaf3a757a5999377ea62

SHA512
63d0785c0f3c6e4a0407f8af82f8cda7627ea359e15a8fe24ee6a943783c8c9eb0a7c11c56822547d54e4cfbe2c6a5053b7a4620ec9ca0de37d204a25503e18b

Download Submit
C:\Windows\{59241B09-DEC6-47b8-B87A-4BBE641AF952}.exe

Filesize
372KB

MD5
9d9f97160a245605af16a14bd42aa998

SHA1
dd31b833cee7a7e47d0562bac462acb7a94f919a

SHA256
515f822edfeee6047ff20fe2bc327412cffaa0c4e2f9eaf3a757a5999377ea62

SHA512
63d0785c0f3c6e4a0407f8af82f8cda7627ea359e15a8fe24ee6a943783c8c9eb0a7c11c56822547d54e4cfbe2c6a5053b7a4620ec9ca0de37d204a25503e18b

Download Submit
C:\Windows\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe

Filesize
372KB

MD5
63041da39100c8fff008ffd914ad8817

SHA1
ae8eb290328e207dad5c3c6d8b2ab2e134c001b1

SHA256
9e2344ef2c653db3fbb9ae94ab314fa21281ecb6037001a2f06e5f03101e0c2d

SHA512
fb7399b26bfa4d9a61712a20f5e5a0d12170abd34226523016fcdb38926278bf10408e8ff3a042181216a33d6744cfd76b696423c68e4ad2cd8e5020c2a51eff

Download Submit
C:\Windows\{5E7EB347-9BD3-4b98-83DF-BE3BC10299B1}.exe

Filesize
372KB

MD5
63041da39100c8fff008ffd914ad8817

SHA1
ae8eb290328e207dad5c3c6d8b2ab2e134c001b1

SHA256
9e2344ef2c653db3fbb9ae94ab314fa21281ecb6037001a2f06e5f03101e0c2d

SHA512
fb7399b26bfa4d9a61712a20f5e5a0d12170abd34226523016fcdb38926278bf10408e8ff3a042181216a33d6744cfd76b696423c68e4ad2cd8e5020c2a51eff

Download Submit
C:\Windows\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe

Filesize
372KB

MD5
252629acf88bfb95808786517d3688d4

SHA1
1f6b77e61fd08ffe8550d0dd7f6dbe4ae5003109

SHA256
d70c4131ad9d56573755264ce8eea42f72f6878cb2c26fa213dbab22a0488b5a

SHA512
142c758896afeb423075b9a1ef382b6f966e2420aabde2a66e383c182a40f7406cc468474883c26209a1a8a48c928ceb6deee1945e213491787ba7570f563019

Download Submit
C:\Windows\{7466D6D5-CAAB-4e56-ABB9-9BC634CC483D}.exe

Filesize
372KB

MD5
252629acf88bfb95808786517d3688d4

SHA1
1f6b77e61fd08ffe8550d0dd7f6dbe4ae5003109

SHA256
d70c4131ad9d56573755264ce8eea42f72f6878cb2c26fa213dbab22a0488b5a

SHA512
142c758896afeb423075b9a1ef382b6f966e2420aabde2a66e383c182a40f7406cc468474883c26209a1a8a48c928ceb6deee1945e213491787ba7570f563019

Download Submit
C:\Windows\{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe

Filesize
372KB

MD5
37d99236f56473da28e19148fd6e0475

SHA1
271a22659bbd9de8fae7b0745a95e96a0a092a22

SHA256
68f54a03950e94aaf63e948bfee8d0da298066a3918d4b4dec0310c6fbd9ddfb

SHA512
d9995de532551b8166f99d412d966e8545bacb9901629a6bf84cd75f150a4667f730954fd6b979a235c6915725eca97fb644f1e816e3125ce0bdea1451f07f17

Download Submit
C:\Windows\{7FB02805-A01B-4bab-A83E-0722BDF6F114}.exe

Filesize
372KB

MD5
37d99236f56473da28e19148fd6e0475

SHA1
271a22659bbd9de8fae7b0745a95e96a0a092a22

SHA256
68f54a03950e94aaf63e948bfee8d0da298066a3918d4b4dec0310c6fbd9ddfb

SHA512
d9995de532551b8166f99d412d966e8545bacb9901629a6bf84cd75f150a4667f730954fd6b979a235c6915725eca97fb644f1e816e3125ce0bdea1451f07f17

Download Submit
C:\Windows\{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe

Filesize
372KB

MD5
f545fd203ac27dee8eac143bd4c47353

SHA1
a553aac83c82b5458379b8564caa952e596a613c

SHA256
e8629a1f8ba2bdb904062112c02b5c9b786020f40908d46b18f4f83024655574

SHA512
e9f0b7da0fe6b3bd43fbb3ab1adad914e8eaac1924c14cc62d5d94d7e9e0aac4a03ed18367d3d53b5ebfb37ebd6b17d03d3ce938d5bf03229226184deb009972

Download Submit
C:\Windows\{9CD104B9-BA5F-4013-AF3F-520B4336F270}.exe

Filesize
372KB

MD5
f545fd203ac27dee8eac143bd4c47353

SHA1
a553aac83c82b5458379b8564caa952e596a613c

SHA256
e8629a1f8ba2bdb904062112c02b5c9b786020f40908d46b18f4f83024655574

SHA512
e9f0b7da0fe6b3bd43fbb3ab1adad914e8eaac1924c14cc62d5d94d7e9e0aac4a03ed18367d3d53b5ebfb37ebd6b17d03d3ce938d5bf03229226184deb009972

Download Submit
C:\Windows\{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe

Filesize
372KB

MD5
b7e10958533a8b4241d770e18877caaf

SHA1
6c4461cf6efd7185889f4377a7ec1c57e20308c0

SHA256
ba8772c0eafd4d6b8bc8e6d840230793f04af7f9db8ba0731253f213b6505158

SHA512
8ad077c4ad227c69a163f854b83c65ccad7759cdbfcb5dd9274e489efeba9999e2757a994eadb01114d30e58fe7c6c93d3e1a44ee88e4178bb67b6bc5a9f4dea

Download Submit
C:\Windows\{AF3B7B43-F2F3-4d27-AB12-715687256F23}.exe

Filesize
372KB

MD5
b7e10958533a8b4241d770e18877caaf

SHA1
6c4461cf6efd7185889f4377a7ec1c57e20308c0

SHA256
ba8772c0eafd4d6b8bc8e6d840230793f04af7f9db8ba0731253f213b6505158

SHA512
8ad077c4ad227c69a163f854b83c65ccad7759cdbfcb5dd9274e489efeba9999e2757a994eadb01114d30e58fe7c6c93d3e1a44ee88e4178bb67b6bc5a9f4dea

Download Submit
C:\Windows\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe

Filesize
372KB

MD5
101a62e41a5c37a489429c0281bdac24

SHA1
3b31d2c357da7f0b8c6f41b40ccbf01c07679e4f

SHA256
28e8db29478c7014a134fe0e66123693017d7c9b0fc62c770b3ddbd18ab2b454

SHA512
603a4e5e603c34569d78a0015bae36676461eaf0c718d48412f114ccc761edb84a5c8e6c845dc07deffd688230ff59ea06af9595dcf8525d984e52340ffe49ee

Download Submit
C:\Windows\{D0EBE049-0F9C-4f83-8508-592CA46CF6BD}.exe

Filesize
372KB

MD5
101a62e41a5c37a489429c0281bdac24

SHA1
3b31d2c357da7f0b8c6f41b40ccbf01c07679e4f

SHA256
28e8db29478c7014a134fe0e66123693017d7c9b0fc62c770b3ddbd18ab2b454

SHA512
603a4e5e603c34569d78a0015bae36676461eaf0c718d48412f114ccc761edb84a5c8e6c845dc07deffd688230ff59ea06af9595dcf8525d984e52340ffe49ee

Download Submit
C:\Windows\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe

Filesize
372KB

MD5
50b88cfb4a920209d57ac04ab836cf2e

SHA1
925de9a4fa776af83b61d92dcd440ead22c7281f

SHA256
de4ce58b42c0e7a1eee91b061053d847943c0941a7ff0e324dc67ff065f6f615

SHA512
a78f7e684beadac2cd352b4d1205c02217b15597afdf856a72255b58ad146894e0736083eedcff725b72f43454568c12ad1147bcc25127c3b8ecb3fdfee49ff3

Download Submit
C:\Windows\{F68C7521-D211-46a9-A41C-909A9FD7CA3A}.exe

Filesize
372KB

MD5
50b88cfb4a920209d57ac04ab836cf2e

SHA1
925de9a4fa776af83b61d92dcd440ead22c7281f

SHA256
de4ce58b42c0e7a1eee91b061053d847943c0941a7ff0e324dc67ff065f6f615

SHA512
a78f7e684beadac2cd352b4d1205c02217b15597afdf856a72255b58ad146894e0736083eedcff725b72f43454568c12ad1147bcc25127c3b8ecb3fdfee49ff3

Download Submit