5ebd3e4c10f4b1f6eedc04303ae6bffdfc71a1b0a9472686c6acd413e8fc5a37

Analysis

max time kernel
155s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252d8c7c326f4fexeexeexeex.exe
Size

168KB
MD5

252d8c7c326f4ff5e150f13f9f63c2d2
SHA1

6fd45c9df7189d35639d8279b5379bd4e9fe349b
SHA256

5ebd3e4c10f4b1f6eedc04303ae6bffdfc71a1b0a9472686c6acd413e8fc5a37
SHA512

0867c3a7f26e426c7cd10b97ed8943fa207dcc847d2b14b07c5063b00b9ba33c8db706fedcdd7a5911dc82742c963764e658a33d21044a21bc14b02ef46c244e
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}\stubpath = "C:\\Windows\\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe"	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}\stubpath = "C:\\Windows\\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe"	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}\stubpath = "C:\\Windows\\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe"	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80075E74-7937-455f-B515-53DEB8F1E382}	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80075E74-7937-455f-B515-53DEB8F1E382}\stubpath = "C:\\Windows\\{80075E74-7937-455f-B515-53DEB8F1E382}.exe"	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCDB5001-B997-4ee3-9C1A-64165C911B57}	{80075E74-7937-455f-B515-53DEB8F1E382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}	252d8c7c326f4fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}\stubpath = "C:\\Windows\\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe"	252d8c7c326f4fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7075A7B-BEB0-47e7-9DED-549A74C03814}	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7075A7B-BEB0-47e7-9DED-549A74C03814}\stubpath = "C:\\Windows\\{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe"	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3E9FD25-4267-4e83-83B7-902A154CDA50}	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3E9FD25-4267-4e83-83B7-902A154CDA50}\stubpath = "C:\\Windows\\{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe"	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987DE812-AA11-41aa-BD3F-00342E9572FF}	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCDB5001-B997-4ee3-9C1A-64165C911B57}\stubpath = "C:\\Windows\\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe"	{80075E74-7937-455f-B515-53DEB8F1E382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987DE812-AA11-41aa-BD3F-00342E9572FF}\stubpath = "C:\\Windows\\{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe"	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}\stubpath = "C:\\Windows\\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe"	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}\stubpath = "C:\\Windows\\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe"	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe

Executes dropped EXE 11 IoCs

pid	Process
4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe
4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe
4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe
2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
5116	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe
836	{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
File created	C:\Windows\{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
File created	C:\Windows\{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe
File created	C:\Windows\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	252d8c7c326f4fexeexeexeex.exe
File created	C:\Windows\{80075E74-7937-455f-B515-53DEB8F1E382}.exe	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
File created	C:\Windows\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
File created	C:\Windows\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
File created	C:\Windows\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe
File created	C:\Windows\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	{80075E74-7937-455f-B515-53DEB8F1E382}.exe
File created	C:\Windows\{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
File created	C:\Windows\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1456	252d8c7c326f4fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
Token: SeIncBasePriorityPrivilege	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe
Token: SeIncBasePriorityPrivilege	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
Token: SeIncBasePriorityPrivilege	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
Token: SeIncBasePriorityPrivilege	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe
Token: SeIncBasePriorityPrivilege	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
Token: SeIncBasePriorityPrivilege	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
Token: SeIncBasePriorityPrivilege	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe
Token: SeIncBasePriorityPrivilege	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
Token: SeIncBasePriorityPrivilege	5116	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4276	1456	252d8c7c326f4fexeexeexeex.exe	84
PID 1456 wrote to memory of 4276	1456	252d8c7c326f4fexeexeexeex.exe	84
PID 1456 wrote to memory of 4276	1456	252d8c7c326f4fexeexeexeex.exe	84
PID 1456 wrote to memory of 552	1456	252d8c7c326f4fexeexeexeex.exe	85
PID 1456 wrote to memory of 552	1456	252d8c7c326f4fexeexeexeex.exe	85
PID 1456 wrote to memory of 552	1456	252d8c7c326f4fexeexeexeex.exe	85
PID 4276 wrote to memory of 1128	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	89
PID 4276 wrote to memory of 1128	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	89
PID 4276 wrote to memory of 1128	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	89
PID 4276 wrote to memory of 2904	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	90
PID 4276 wrote to memory of 2904	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	90
PID 4276 wrote to memory of 2904	4276	{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe	90
PID 1128 wrote to memory of 4112	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe	92
PID 1128 wrote to memory of 4112	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe	92
PID 1128 wrote to memory of 4112	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe	92
PID 1128 wrote to memory of 5052	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe	91
PID 1128 wrote to memory of 5052	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe	91
PID 1128 wrote to memory of 5052	1128	{80075E74-7937-455f-B515-53DEB8F1E382}.exe	91
PID 4112 wrote to memory of 5104	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	93
PID 4112 wrote to memory of 5104	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	93
PID 4112 wrote to memory of 5104	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	93
PID 4112 wrote to memory of 392	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	94
PID 4112 wrote to memory of 392	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	94
PID 4112 wrote to memory of 392	4112	{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe	94
PID 5104 wrote to memory of 3440	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	95
PID 5104 wrote to memory of 3440	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	95
PID 5104 wrote to memory of 3440	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	95
PID 5104 wrote to memory of 2020	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	96
PID 5104 wrote to memory of 2020	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	96
PID 5104 wrote to memory of 2020	5104	{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe	96
PID 3440 wrote to memory of 4692	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	97
PID 3440 wrote to memory of 4692	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	97
PID 3440 wrote to memory of 4692	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	97
PID 3440 wrote to memory of 2252	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	98
PID 3440 wrote to memory of 2252	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	98
PID 3440 wrote to memory of 2252	3440	{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe	98
PID 4692 wrote to memory of 780	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	99
PID 4692 wrote to memory of 780	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	99
PID 4692 wrote to memory of 780	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	99
PID 4692 wrote to memory of 2568	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	100
PID 4692 wrote to memory of 2568	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	100
PID 4692 wrote to memory of 2568	4692	{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe	100
PID 780 wrote to memory of 1168	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	101
PID 780 wrote to memory of 1168	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	101
PID 780 wrote to memory of 1168	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	101
PID 780 wrote to memory of 1648	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	102
PID 780 wrote to memory of 1648	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	102
PID 780 wrote to memory of 1648	780	{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe	102
PID 1168 wrote to memory of 2344	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	103
PID 1168 wrote to memory of 2344	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	103
PID 1168 wrote to memory of 2344	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	103
PID 1168 wrote to memory of 4644	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	104
PID 1168 wrote to memory of 4644	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	104
PID 1168 wrote to memory of 4644	1168	{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe	104
PID 2344 wrote to memory of 5116	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	105
PID 2344 wrote to memory of 5116	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	105
PID 2344 wrote to memory of 5116	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	105
PID 2344 wrote to memory of 3896	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	106
PID 2344 wrote to memory of 3896	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	106
PID 2344 wrote to memory of 3896	2344	{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe	106
PID 5116 wrote to memory of 836	5116	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe	107
PID 5116 wrote to memory of 836	5116	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe	107
PID 5116 wrote to memory of 836	5116	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe	107
PID 5116 wrote to memory of 2592	5116	{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe	108

C:\Users\Admin\AppData\Local\Temp\252d8c7c326f4fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\252d8c7c326f4fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
  C:\Windows\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{80075E74-7937-455f-B515-53DEB8F1E382}.exe
    C:\Windows\{80075E74-7937-455f-B515-53DEB8F1E382}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80075~1.EXE > nul
      4⤵
      PID:5052
  - - C:\Windows\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
      C:\Windows\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
        
        C:\Windows\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe
        
        C:\Windows\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
        
        C:\Windows\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
        
        C:\Windows\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe
        
        C:\Windows\{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
        
        C:\Windows\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe
        
        C:\Windows\{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe
        
        C:\Windows\{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe
        12⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E9F~1.EXE > nul
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DED1A~1.EXE > nul
        11⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7075~1.EXE > nul
        10⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A9F2~1.EXE > nul
        9⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBA6F~1.EXE > nul
        8⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CE30~1.EXE > nul
        7⤵
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79BC1~1.EXE > nul
        6⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCDB5~1.EXE > nul
        5⤵
        
        PID:392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F1D8~1.EXE > nul
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\252D8C~1.EXE > nul
  2⤵
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe

Filesize
168KB

MD5
275aa16ef772e5a6c68b2429f4a1d20c

SHA1
33b0c991084f501ca4546a742b89ea0ce35103ae

SHA256
a1c1c8f9b302200d1cc29571341378dc51aa1c3a221c3d55f693208f9645233d

SHA512
bcae40e042836c9f432ae0345bab0eb838a350a047b6d8f81ca1bee976e808ed3e632e89c96cc34b546e12f37a6a48a17107560304cdcb16319d5e4260f8b1f8

Download Submit
C:\Windows\{0F1D8F77-41A5-4d69-9FFB-79C7E720CA89}.exe

Filesize
168KB

MD5
275aa16ef772e5a6c68b2429f4a1d20c

SHA1
33b0c991084f501ca4546a742b89ea0ce35103ae

SHA256
a1c1c8f9b302200d1cc29571341378dc51aa1c3a221c3d55f693208f9645233d

SHA512
bcae40e042836c9f432ae0345bab0eb838a350a047b6d8f81ca1bee976e808ed3e632e89c96cc34b546e12f37a6a48a17107560304cdcb16319d5e4260f8b1f8

Download Submit
C:\Windows\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe

Filesize
168KB

MD5
09d2666b34749ac63e2e142fbd369bf4

SHA1
ed633ed5c1718d65424751a2892f95b11462b5e8

SHA256
1b4774607d87a69118de6021044fe977e1daceab5c03b2c4802be289b8b76af6

SHA512
8c60092791fab4615de4ab442d91bc3d7cf85f4a21e1b8ee5269d6764684d0ff4793a61c11997c25144361e4818c889e28c161367a68045fffc724df38d215e6

Download Submit
C:\Windows\{1CE30AF9-E83E-4d92-9DDD-537A309113CD}.exe

Filesize
168KB

MD5
09d2666b34749ac63e2e142fbd369bf4

SHA1
ed633ed5c1718d65424751a2892f95b11462b5e8

SHA256
1b4774607d87a69118de6021044fe977e1daceab5c03b2c4802be289b8b76af6

SHA512
8c60092791fab4615de4ab442d91bc3d7cf85f4a21e1b8ee5269d6764684d0ff4793a61c11997c25144361e4818c889e28c161367a68045fffc724df38d215e6

Download Submit
C:\Windows\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe

Filesize
168KB

MD5
293120b3e5cf6311e614651f68973a3e

SHA1
6b04d4c0a38f16b276b5720c2f4e146383e42995

SHA256
3c24d9b2c26ef59208dd11d40623e96a98f3577d3bc7c489f042b28f52e72b04

SHA512
ba4da93ed7cfbcd57208b71fd42517945e1ab2fbb515a6452a52e35967bb0dc62e1c5c55cb24c715fc453bf842efd4a5812b2485d8fdf2ab399ddbbe71c3e188

Download Submit
C:\Windows\{2A9F26D6-AC66-4906-B452-F657C6EC4E84}.exe

Filesize
168KB

MD5
293120b3e5cf6311e614651f68973a3e

SHA1
6b04d4c0a38f16b276b5720c2f4e146383e42995

SHA256
3c24d9b2c26ef59208dd11d40623e96a98f3577d3bc7c489f042b28f52e72b04

SHA512
ba4da93ed7cfbcd57208b71fd42517945e1ab2fbb515a6452a52e35967bb0dc62e1c5c55cb24c715fc453bf842efd4a5812b2485d8fdf2ab399ddbbe71c3e188

Download Submit
C:\Windows\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe

Filesize
168KB

MD5
a66767ac729eb73d722cfa0c78141e04

SHA1
e5263eb4c1ee14234023aa66f679a48aacf77b3d

SHA256
06fd2cd9e1846a7cb32f61ee5258378a2e05feebae9d15c1d72412c66922feea

SHA512
55418b226f4921ffdcce825cbf60aa6b13f8c67792e309b39a5178ed5ad8d059a79695db80b42030c3dda562eab8ab9c38aeb8a267d853f5a69851afbb0b677c

Download Submit
C:\Windows\{79BC156F-BCB9-4270-AECE-F93A9487B6E4}.exe

Filesize
168KB

MD5
a66767ac729eb73d722cfa0c78141e04

SHA1
e5263eb4c1ee14234023aa66f679a48aacf77b3d

SHA256
06fd2cd9e1846a7cb32f61ee5258378a2e05feebae9d15c1d72412c66922feea

SHA512
55418b226f4921ffdcce825cbf60aa6b13f8c67792e309b39a5178ed5ad8d059a79695db80b42030c3dda562eab8ab9c38aeb8a267d853f5a69851afbb0b677c

Download Submit
C:\Windows\{80075E74-7937-455f-B515-53DEB8F1E382}.exe

Filesize
168KB

MD5
4cd0ade96218e840b4cfe052410d9454

SHA1
2ca28222e131d5072a94e015b72a171a3ec33a16

SHA256
dcf2816f5bfc4a032c64d497c9eb20a1118633b590be3f96c7e763673a46e28b

SHA512
56038eaa7db6c71961b79d503fbbc730478e8ee8a613b405c3a470a868cdc70d609b84eb9e4e346a39fec7a01855ec0a8ebb96d5e26dc4e2e58da3aa9f8b0a04

Download Submit
C:\Windows\{80075E74-7937-455f-B515-53DEB8F1E382}.exe

Filesize
168KB

MD5
4cd0ade96218e840b4cfe052410d9454

SHA1
2ca28222e131d5072a94e015b72a171a3ec33a16

SHA256
dcf2816f5bfc4a032c64d497c9eb20a1118633b590be3f96c7e763673a46e28b

SHA512
56038eaa7db6c71961b79d503fbbc730478e8ee8a613b405c3a470a868cdc70d609b84eb9e4e346a39fec7a01855ec0a8ebb96d5e26dc4e2e58da3aa9f8b0a04

Download Submit
C:\Windows\{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe

Filesize
168KB

MD5
22c8b68416c7d4097a448fc1c4d5de2c

SHA1
7c920869285971a4f66ecb17def65f56fef64846

SHA256
8cc4436f07b854883898617c96a98b4652a8786c3519edc53958d26c59ad09ea

SHA512
c827a3e052440986f230f46576d05cc1edf4bc2361925e3c1c28d6fe933b2b6ce12b208949731ef334e6ded45f60f34075caa77fe09ee04a059bbfdd0359ded6

Download Submit
C:\Windows\{987DE812-AA11-41aa-BD3F-00342E9572FF}.exe

Filesize
168KB

MD5
22c8b68416c7d4097a448fc1c4d5de2c

SHA1
7c920869285971a4f66ecb17def65f56fef64846

SHA256
8cc4436f07b854883898617c96a98b4652a8786c3519edc53958d26c59ad09ea

SHA512
c827a3e052440986f230f46576d05cc1edf4bc2361925e3c1c28d6fe933b2b6ce12b208949731ef334e6ded45f60f34075caa77fe09ee04a059bbfdd0359ded6

Download Submit
C:\Windows\{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe

Filesize
168KB

MD5
8a3775b0b54946fa1ba74f983c7be915

SHA1
9f862ecb5138d65aadf5729881d247ceae39360d

SHA256
a8e9ce4763e38ad10b82d8952b3f18440f312fb7a7925670b1f261e32210828b

SHA512
66e635144c5a6b2521729afebe4831a94ad0e778e0a73022391147584e42a40e5098d2ff83cbe1ca9b2ae0e9f79d825afc235d17363dc8c245dfa71474aebf5e

Download Submit
C:\Windows\{B3E9FD25-4267-4e83-83B7-902A154CDA50}.exe

Filesize
168KB

MD5
8a3775b0b54946fa1ba74f983c7be915

SHA1
9f862ecb5138d65aadf5729881d247ceae39360d

SHA256
a8e9ce4763e38ad10b82d8952b3f18440f312fb7a7925670b1f261e32210828b

SHA512
66e635144c5a6b2521729afebe4831a94ad0e778e0a73022391147584e42a40e5098d2ff83cbe1ca9b2ae0e9f79d825afc235d17363dc8c245dfa71474aebf5e

Download Submit
C:\Windows\{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe

Filesize
168KB

MD5
29d72dcad99cd863f64a313d7e0ce1ff

SHA1
78c61adfe22649f9337118c7ca771830fd13074b

SHA256
ea89a4170f9312224ef60452c60cbed54e2ce04d2a46a40b3e6b7f0a7a6ac764

SHA512
61c11a937ee869fd2a7dd7dcf072a806140126bedf37be854f78e51b002d952cc72226a8ae1385430ac276b41bd6b1366c98b1aabfe175c0985c1bb96e354f8a

Download Submit
C:\Windows\{B7075A7B-BEB0-47e7-9DED-549A74C03814}.exe

Filesize
168KB

MD5
29d72dcad99cd863f64a313d7e0ce1ff

SHA1
78c61adfe22649f9337118c7ca771830fd13074b

SHA256
ea89a4170f9312224ef60452c60cbed54e2ce04d2a46a40b3e6b7f0a7a6ac764

SHA512
61c11a937ee869fd2a7dd7dcf072a806140126bedf37be854f78e51b002d952cc72226a8ae1385430ac276b41bd6b1366c98b1aabfe175c0985c1bb96e354f8a

Download Submit
C:\Windows\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe

Filesize
168KB

MD5
9925a9f81db90289ad734110b3ccb871

SHA1
931acfa174816d74c935a39719a613ba583605c1

SHA256
9b7c00c7ed48170f23483524180a4a9fc4343ab909eebb7a91e5169eeb4c8caa

SHA512
d93adc76e91dd43a18cb6641b0a70e7778621a0b231c60cb3c66f1acc2c3fab9bd7fd716bf5478f0041bb94eb606166c0b85be445bce5c7865b3a8ad487014ec

Download Submit
C:\Windows\{CBA6F887-F1C2-4515-ABE4-1DE57144C008}.exe

Filesize
168KB

MD5
9925a9f81db90289ad734110b3ccb871

SHA1
931acfa174816d74c935a39719a613ba583605c1

SHA256
9b7c00c7ed48170f23483524180a4a9fc4343ab909eebb7a91e5169eeb4c8caa

SHA512
d93adc76e91dd43a18cb6641b0a70e7778621a0b231c60cb3c66f1acc2c3fab9bd7fd716bf5478f0041bb94eb606166c0b85be445bce5c7865b3a8ad487014ec

Download Submit
C:\Windows\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe

Filesize
168KB

MD5
580cbaef7b7fa72d76a3a579d2b74eb3

SHA1
ad32cdb675c88d7fb6e0702f860b4c58f9f55ea7

SHA256
218c416582e9d36a9460c6d38b2f9943c52aa914c3db6062be12d7d39fecb208

SHA512
bc016c6920da58cdb8e0491531b4a978de1c2dbdde8e66a36ef695b250c0b994d1566c84bded00aaa7845c6923ca778c4350f2105c4aad389ed578db66a17aa7

Download Submit
C:\Windows\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe

Filesize
168KB

MD5
580cbaef7b7fa72d76a3a579d2b74eb3

SHA1
ad32cdb675c88d7fb6e0702f860b4c58f9f55ea7

SHA256
218c416582e9d36a9460c6d38b2f9943c52aa914c3db6062be12d7d39fecb208

SHA512
bc016c6920da58cdb8e0491531b4a978de1c2dbdde8e66a36ef695b250c0b994d1566c84bded00aaa7845c6923ca778c4350f2105c4aad389ed578db66a17aa7

Download Submit
C:\Windows\{CCDB5001-B997-4ee3-9C1A-64165C911B57}.exe

Filesize
168KB

MD5
580cbaef7b7fa72d76a3a579d2b74eb3

SHA1
ad32cdb675c88d7fb6e0702f860b4c58f9f55ea7

SHA256
218c416582e9d36a9460c6d38b2f9943c52aa914c3db6062be12d7d39fecb208

SHA512
bc016c6920da58cdb8e0491531b4a978de1c2dbdde8e66a36ef695b250c0b994d1566c84bded00aaa7845c6923ca778c4350f2105c4aad389ed578db66a17aa7

Download Submit
C:\Windows\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe

Filesize
168KB

MD5
5b86061cb180c8730d3fc93fcc8e43d1

SHA1
be7b04a93e6bfc78e560b547baa830ebc7dcee5e

SHA256
c2282259e7d44d82fbd032a55d8b065ad33a556b63f2ed511f410a325bcce505

SHA512
f3d22b0dcd73f8ee7e26dd3a0ef83abc7662bcdc4cabaede77a3551eeb55fb14665d7bc2d75be0743eddfe0fb4b6faf15680ce137076eb19aeb0c4cd8dbc852c

Download Submit
C:\Windows\{DED1A947-05A2-4c13-93A2-BAFF86EEA71C}.exe

Filesize
168KB

MD5
5b86061cb180c8730d3fc93fcc8e43d1

SHA1
be7b04a93e6bfc78e560b547baa830ebc7dcee5e

SHA256
c2282259e7d44d82fbd032a55d8b065ad33a556b63f2ed511f410a325bcce505

SHA512
f3d22b0dcd73f8ee7e26dd3a0ef83abc7662bcdc4cabaede77a3551eeb55fb14665d7bc2d75be0743eddfe0fb4b6faf15680ce137076eb19aeb0c4cd8dbc852c

Download Submit