5a6d5631ee5f20406b0159a11f5070e9b3b467d1ee562e4cccf9da9e5089bbec

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265d658aaf9592exeexeexeex.exe
Size

168KB
MD5

265d658aaf9592af1ee6cf45b09724d3
SHA1

e69b969541d6f95779d93ad332ab9c5e31f29779
SHA256

5a6d5631ee5f20406b0159a11f5070e9b3b467d1ee562e4cccf9da9e5089bbec
SHA512

e9761c7d5917ada1780812536966a686110261c2a1457f0f0db4c650aaef24a987c84dc3035c49d7a2cee804522846eb17332f736d31c72bb0e8505922492261
SSDEEP

1536:1EGh0o+lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o+lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}\stubpath = "C:\\Windows\\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe"	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90318F11-B818-4746-8200-B3FB2037DCDD}	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{564DF019-871D-4b97-8683-66713FA3C619}	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{564DF019-871D-4b97-8683-66713FA3C619}\stubpath = "C:\\Windows\\{564DF019-871D-4b97-8683-66713FA3C619}.exe"	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}	{564DF019-871D-4b97-8683-66713FA3C619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E7DC881-635C-45ea-B32C-39FA7C21123D}	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E7DC881-635C-45ea-B32C-39FA7C21123D}\stubpath = "C:\\Windows\\{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe"	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41ECB449-928B-43f4-BC36-BF23F21C787A}\stubpath = "C:\\Windows\\{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe"	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}\stubpath = "C:\\Windows\\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe"	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8289EAD2-F843-4197-A62C-6C0E61E72256}\stubpath = "C:\\Windows\\{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe"	265d658aaf9592exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}\stubpath = "C:\\Windows\\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe"	{564DF019-871D-4b97-8683-66713FA3C619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{446DD934-C14D-45f0-8C72-4EB3B4101A84}	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{446DD934-C14D-45f0-8C72-4EB3B4101A84}\stubpath = "C:\\Windows\\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe"	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90318F11-B818-4746-8200-B3FB2037DCDD}\stubpath = "C:\\Windows\\{90318F11-B818-4746-8200-B3FB2037DCDD}.exe"	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34094B33-B0FE-43ae-A955-FD66E84F05E1}	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34094B33-B0FE-43ae-A955-FD66E84F05E1}\stubpath = "C:\\Windows\\{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe"	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41ECB449-928B-43f4-BC36-BF23F21C787A}	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8289EAD2-F843-4197-A62C-6C0E61E72256}	265d658aaf9592exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}\stubpath = "C:\\Windows\\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe"	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe

Executes dropped EXE 11 IoCs

pid	Process
5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe
4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe
2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
2784	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe
880	{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	265d658aaf9592exeexeexeex.exe
File created	C:\Windows\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
File created	C:\Windows\{564DF019-871D-4b97-8683-66713FA3C619}.exe	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
File created	C:\Windows\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe
File created	C:\Windows\{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
File created	C:\Windows\{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
File created	C:\Windows\{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
File created	C:\Windows\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
File created	C:\Windows\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	{564DF019-871D-4b97-8683-66713FA3C619}.exe
File created	C:\Windows\{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
File created	C:\Windows\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1300	265d658aaf9592exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
Token: SeIncBasePriorityPrivilege	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
Token: SeIncBasePriorityPrivilege	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
Token: SeIncBasePriorityPrivilege	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe
Token: SeIncBasePriorityPrivilege	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
Token: SeIncBasePriorityPrivilege	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe
Token: SeIncBasePriorityPrivilege	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
Token: SeIncBasePriorityPrivilege	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
Token: SeIncBasePriorityPrivilege	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
Token: SeIncBasePriorityPrivilege	2784	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 5032	1300	265d658aaf9592exeexeexeex.exe	83
PID 1300 wrote to memory of 5032	1300	265d658aaf9592exeexeexeex.exe	83
PID 1300 wrote to memory of 5032	1300	265d658aaf9592exeexeexeex.exe	83
PID 1300 wrote to memory of 1232	1300	265d658aaf9592exeexeexeex.exe	84
PID 1300 wrote to memory of 1232	1300	265d658aaf9592exeexeexeex.exe	84
PID 1300 wrote to memory of 1232	1300	265d658aaf9592exeexeexeex.exe	84
PID 5032 wrote to memory of 2776	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	85
PID 5032 wrote to memory of 2776	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	85
PID 5032 wrote to memory of 2776	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	85
PID 5032 wrote to memory of 324	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	86
PID 5032 wrote to memory of 324	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	86
PID 5032 wrote to memory of 324	5032	{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe	86
PID 2776 wrote to memory of 440	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	88
PID 2776 wrote to memory of 440	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	88
PID 2776 wrote to memory of 440	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	88
PID 2776 wrote to memory of 456	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	89
PID 2776 wrote to memory of 456	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	89
PID 2776 wrote to memory of 456	2776	{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe	89
PID 440 wrote to memory of 4216	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	90
PID 440 wrote to memory of 4216	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	90
PID 440 wrote to memory of 4216	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	90
PID 440 wrote to memory of 1088	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	91
PID 440 wrote to memory of 1088	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	91
PID 440 wrote to memory of 1088	440	{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe	91
PID 4216 wrote to memory of 4740	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe	92
PID 4216 wrote to memory of 4740	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe	92
PID 4216 wrote to memory of 4740	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe	92
PID 4216 wrote to memory of 4132	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe	93
PID 4216 wrote to memory of 4132	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe	93
PID 4216 wrote to memory of 4132	4216	{564DF019-871D-4b97-8683-66713FA3C619}.exe	93
PID 4740 wrote to memory of 3948	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	94
PID 4740 wrote to memory of 3948	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	94
PID 4740 wrote to memory of 3948	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	94
PID 4740 wrote to memory of 4600	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	95
PID 4740 wrote to memory of 4600	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	95
PID 4740 wrote to memory of 4600	4740	{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe	95
PID 3948 wrote to memory of 2836	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	96
PID 3948 wrote to memory of 2836	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	96
PID 3948 wrote to memory of 2836	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	96
PID 3948 wrote to memory of 3956	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	97
PID 3948 wrote to memory of 3956	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	97
PID 3948 wrote to memory of 3956	3948	{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe	97
PID 2836 wrote to memory of 5024	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	98
PID 2836 wrote to memory of 5024	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	98
PID 2836 wrote to memory of 5024	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	98
PID 2836 wrote to memory of 2844	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	99
PID 2836 wrote to memory of 2844	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	99
PID 2836 wrote to memory of 2844	2836	{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe	99
PID 5024 wrote to memory of 2828	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	100
PID 5024 wrote to memory of 2828	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	100
PID 5024 wrote to memory of 2828	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	100
PID 5024 wrote to memory of 220	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	101
PID 5024 wrote to memory of 220	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	101
PID 5024 wrote to memory of 220	5024	{90318F11-B818-4746-8200-B3FB2037DCDD}.exe	101
PID 2828 wrote to memory of 2784	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	102
PID 2828 wrote to memory of 2784	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	102
PID 2828 wrote to memory of 2784	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	102
PID 2828 wrote to memory of 2028	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	103
PID 2828 wrote to memory of 2028	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	103
PID 2828 wrote to memory of 2028	2828	{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe	103
PID 2784 wrote to memory of 880	2784	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe	105
PID 2784 wrote to memory of 880	2784	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe	105
PID 2784 wrote to memory of 880	2784	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe	105
PID 2784 wrote to memory of 4288	2784	{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe	104

C:\Users\Admin\AppData\Local\Temp\265d658aaf9592exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\265d658aaf9592exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
  C:\Windows\{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
    C:\Windows\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
      C:\Windows\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\{564DF019-871D-4b97-8683-66713FA3C619}.exe
        
        C:\Windows\{564DF019-871D-4b97-8683-66713FA3C619}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
        
        C:\Windows\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe
        
        C:\Windows\{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
        
        C:\Windows\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
        
        C:\Windows\{90318F11-B818-4746-8200-B3FB2037DCDD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
        
        C:\Windows\{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe
        
        C:\Windows\{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41ECB~1.EXE > nul
        12⤵
        
        PID:4288
        
        C:\Windows\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe
        
        C:\Windows\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe
        12⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34094~1.EXE > nul
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90318~1.EXE > nul
        10⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E57C8~1.EXE > nul
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E7DC~1.EXE > nul
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC8BC~1.EXE > nul
        7⤵
        
        PID:4600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{564DF~1.EXE > nul
        6⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{446DD~1.EXE > nul
        5⤵
        
        PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33987~1.EXE > nul
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8289E~1.EXE > nul
    3⤵
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\265D65~1.EXE > nul
  2⤵
  PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe

Filesize
168KB

MD5
7ed0db3ef5803c1bf6156f177eee1d85

SHA1
1ac97b989bc4f690019a1e790c317d6a7d9bd6fe

SHA256
5d328c7ee97cbac096d3092cd3032b082071ced271e83510587c1ce016c71523

SHA512
95851b4d4a5e0b11b73d765b492756dc01c74e615e6480196a157363e910d738944ed4297ccf9561df4f79da8cb081b57cc403ee34146562ee3da24c5abdfa8b

Download Submit
C:\Windows\{33987E9E-A77C-4d44-B4E1-EEADEE9C7AC3}.exe

Filesize
168KB

MD5
7ed0db3ef5803c1bf6156f177eee1d85

SHA1
1ac97b989bc4f690019a1e790c317d6a7d9bd6fe

SHA256
5d328c7ee97cbac096d3092cd3032b082071ced271e83510587c1ce016c71523

SHA512
95851b4d4a5e0b11b73d765b492756dc01c74e615e6480196a157363e910d738944ed4297ccf9561df4f79da8cb081b57cc403ee34146562ee3da24c5abdfa8b

Download Submit
C:\Windows\{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe

Filesize
168KB

MD5
94402c1413dd47c8c77145575f23e33e

SHA1
a4e010ae3fcbbf8ab49f39dfee960552721dec10

SHA256
a94bfa36e57cf496c4268109ffbff3992eab91170c00cc59eee2558e6f6d6daa

SHA512
28978a49202b42426ac810606e396c819a04c4a094add5786c13464b291188b97ab6e0ce94f8183958c05a6219528f417cb74ca302caf81fb3d3c05c35f75a61

Download Submit
C:\Windows\{34094B33-B0FE-43ae-A955-FD66E84F05E1}.exe

Filesize
168KB

MD5
94402c1413dd47c8c77145575f23e33e

SHA1
a4e010ae3fcbbf8ab49f39dfee960552721dec10

SHA256
a94bfa36e57cf496c4268109ffbff3992eab91170c00cc59eee2558e6f6d6daa

SHA512
28978a49202b42426ac810606e396c819a04c4a094add5786c13464b291188b97ab6e0ce94f8183958c05a6219528f417cb74ca302caf81fb3d3c05c35f75a61

Download Submit
C:\Windows\{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe

Filesize
168KB

MD5
8713e3f6077c4b3bb94af65d5f95417d

SHA1
66bd6cc6fac71f6dad6fe174aa6e380536d193cd

SHA256
5f02c29302aff9d122aa93587c2e4ce224226895c73e3562b73d3ba703ac93c3

SHA512
2813fa74081cc46f4ffc87b0b0799e21b1216fcdf1f0529cd69633aa9b85c2aab6ffd5c69f9fa6e04bb3396f4b0f4943b9c366e12cbe53288330dbb0dcb81358

Download Submit
C:\Windows\{41ECB449-928B-43f4-BC36-BF23F21C787A}.exe

Filesize
168KB

MD5
8713e3f6077c4b3bb94af65d5f95417d

SHA1
66bd6cc6fac71f6dad6fe174aa6e380536d193cd

SHA256
5f02c29302aff9d122aa93587c2e4ce224226895c73e3562b73d3ba703ac93c3

SHA512
2813fa74081cc46f4ffc87b0b0799e21b1216fcdf1f0529cd69633aa9b85c2aab6ffd5c69f9fa6e04bb3396f4b0f4943b9c366e12cbe53288330dbb0dcb81358

Download Submit
C:\Windows\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe

Filesize
168KB

MD5
c82e6b5a236092b40ccad366c38d3df0

SHA1
c191dd18623a5d2224ce5073de488ce3e66f7296

SHA256
3f6fc00401ef56a4738377d8b116dd54e9892d90c5991436523a2575aae88cf7

SHA512
0349d90b63c1f662ee397f1468e76e8841999652d4ab71feed01d868691f2b6ba8f90ae9dbdc126dd6396a8847113056858d7d4e50950e46375be01d741eaa60

Download Submit
C:\Windows\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe

Filesize
168KB

MD5
c82e6b5a236092b40ccad366c38d3df0

SHA1
c191dd18623a5d2224ce5073de488ce3e66f7296

SHA256
3f6fc00401ef56a4738377d8b116dd54e9892d90c5991436523a2575aae88cf7

SHA512
0349d90b63c1f662ee397f1468e76e8841999652d4ab71feed01d868691f2b6ba8f90ae9dbdc126dd6396a8847113056858d7d4e50950e46375be01d741eaa60

Download Submit
C:\Windows\{446DD934-C14D-45f0-8C72-4EB3B4101A84}.exe

Filesize
168KB

MD5
c82e6b5a236092b40ccad366c38d3df0

SHA1
c191dd18623a5d2224ce5073de488ce3e66f7296

SHA256
3f6fc00401ef56a4738377d8b116dd54e9892d90c5991436523a2575aae88cf7

SHA512
0349d90b63c1f662ee397f1468e76e8841999652d4ab71feed01d868691f2b6ba8f90ae9dbdc126dd6396a8847113056858d7d4e50950e46375be01d741eaa60

Download Submit
C:\Windows\{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe

Filesize
168KB

MD5
60e318c39fe10cee8c694d08ed1917bf

SHA1
eaa3acd90b849d3ee1ebb71ac921419bfc979dbe

SHA256
0b61b69fa2270d0f5a4e5743a74b91e6a72321e18413d5758de6ac93d3be3276

SHA512
f8b0bda6809335be071b7ad23bf4e1caf748a14f2835ce0ae8bc57fefb7815ccaa66b40e6b8f6120638cd472d53ef94bb61cb2503422e1135a35dd2d226940ff

Download Submit
C:\Windows\{4E7DC881-635C-45ea-B32C-39FA7C21123D}.exe

Filesize
168KB

MD5
60e318c39fe10cee8c694d08ed1917bf

SHA1
eaa3acd90b849d3ee1ebb71ac921419bfc979dbe

SHA256
0b61b69fa2270d0f5a4e5743a74b91e6a72321e18413d5758de6ac93d3be3276

SHA512
f8b0bda6809335be071b7ad23bf4e1caf748a14f2835ce0ae8bc57fefb7815ccaa66b40e6b8f6120638cd472d53ef94bb61cb2503422e1135a35dd2d226940ff

Download Submit
C:\Windows\{564DF019-871D-4b97-8683-66713FA3C619}.exe

Filesize
168KB

MD5
f642cb3a87e4ac9b93bc5fc9196e855f

SHA1
3b9ad62823463e2efe3a31b47c5600ca4bf250a3

SHA256
73aefb35f82961dc6f295e8a7948f82d2390d897200ac054e75ada9f70bddaf9

SHA512
7ad4419accd1b7fb432b239f77b0050ed69f0e1b44e4fce6a539a993c4e982d9bc932906690ca4be1987f8bf7bc4059690e9b4f6dfae32a878294b40508e7374

Download Submit
C:\Windows\{564DF019-871D-4b97-8683-66713FA3C619}.exe

Filesize
168KB

MD5
f642cb3a87e4ac9b93bc5fc9196e855f

SHA1
3b9ad62823463e2efe3a31b47c5600ca4bf250a3

SHA256
73aefb35f82961dc6f295e8a7948f82d2390d897200ac054e75ada9f70bddaf9

SHA512
7ad4419accd1b7fb432b239f77b0050ed69f0e1b44e4fce6a539a993c4e982d9bc932906690ca4be1987f8bf7bc4059690e9b4f6dfae32a878294b40508e7374

Download Submit
C:\Windows\{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe

Filesize
168KB

MD5
237e19be994354a712c10cafbcd52a2a

SHA1
9f2deea2aff42aa74cf4d35ee90febeb8752ba4f

SHA256
ad40b248eb3f5934c3505ecefe56f12b89d402844e0b3bf53950fd5a1d6bf3f7

SHA512
61c0cc15204da835ae4379545dc3de4c62ae4963f7a48eb313c4ba01f4eb7c9415bacb55578f3f2035db2a9b59ddd455d57b94d1168e50da204223a2545a3c3b

Download Submit
C:\Windows\{8289EAD2-F843-4197-A62C-6C0E61E72256}.exe

Filesize
168KB

MD5
237e19be994354a712c10cafbcd52a2a

SHA1
9f2deea2aff42aa74cf4d35ee90febeb8752ba4f

SHA256
ad40b248eb3f5934c3505ecefe56f12b89d402844e0b3bf53950fd5a1d6bf3f7

SHA512
61c0cc15204da835ae4379545dc3de4c62ae4963f7a48eb313c4ba01f4eb7c9415bacb55578f3f2035db2a9b59ddd455d57b94d1168e50da204223a2545a3c3b

Download Submit
C:\Windows\{90318F11-B818-4746-8200-B3FB2037DCDD}.exe

Filesize
168KB

MD5
c3ce51c5822d6568adaae70fe8f179ea

SHA1
aef2dfb772a274e552f577f3cabb40c333df96cf

SHA256
4439ab7f18db728d3f950fa5abd1c76d99532ba5b6c5a8d72081bda751eb31e6

SHA512
316909e0a99755cdcae19803a346038e95f590d118de33654db36de90d1318271e278855b36569f59dbcab2bcc37a42a2ac1bf026e43de106453556e564afc60

Download Submit
C:\Windows\{90318F11-B818-4746-8200-B3FB2037DCDD}.exe

Filesize
168KB

MD5
c3ce51c5822d6568adaae70fe8f179ea

SHA1
aef2dfb772a274e552f577f3cabb40c333df96cf

SHA256
4439ab7f18db728d3f950fa5abd1c76d99532ba5b6c5a8d72081bda751eb31e6

SHA512
316909e0a99755cdcae19803a346038e95f590d118de33654db36de90d1318271e278855b36569f59dbcab2bcc37a42a2ac1bf026e43de106453556e564afc60

Download Submit
C:\Windows\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe

Filesize
168KB

MD5
90ffe9f93550faf93d2d77ff97c55236

SHA1
135b5aa5b1f1d06be8b60aea0a00c50e31dd2015

SHA256
521041386c902c7a0423e8d76c72ac21ff9be83268071433f9a3d26966dad20b

SHA512
6b08908df84258cea758a433df585b420a93aa538c234bcee2b7c84354ea203f25c324f9f3bb4af7b17c9f40632ddf380b02120460065756356b3aadbbb5fc41

Download Submit
C:\Windows\{AC8BCFAB-D3F4-41c3-970F-2EB33EAB3F16}.exe

Filesize
168KB

MD5
90ffe9f93550faf93d2d77ff97c55236

SHA1
135b5aa5b1f1d06be8b60aea0a00c50e31dd2015

SHA256
521041386c902c7a0423e8d76c72ac21ff9be83268071433f9a3d26966dad20b

SHA512
6b08908df84258cea758a433df585b420a93aa538c234bcee2b7c84354ea203f25c324f9f3bb4af7b17c9f40632ddf380b02120460065756356b3aadbbb5fc41

Download Submit
C:\Windows\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe

Filesize
168KB

MD5
3af77f78a175fc671008bb4d3142cc93

SHA1
4a04b945ea4d8ca84b040f980dbbc91699f13bf7

SHA256
3ce8a8259fca282c4330d432f9c22f9681470d67b1d836192496a1db89931b20

SHA512
8cbdc6f04fdb2bc6b82bbfbcb82426416bb534939e5111eb8d6d36b869cf89ad9f03af6fa416895362f0c605f1384afff03e2819e4d2becdcb8e01a70932baff

Download Submit
C:\Windows\{CAEE9117-E837-4a8f-849F-A705F4FFEE29}.exe

Filesize
168KB

MD5
3af77f78a175fc671008bb4d3142cc93

SHA1
4a04b945ea4d8ca84b040f980dbbc91699f13bf7

SHA256
3ce8a8259fca282c4330d432f9c22f9681470d67b1d836192496a1db89931b20

SHA512
8cbdc6f04fdb2bc6b82bbfbcb82426416bb534939e5111eb8d6d36b869cf89ad9f03af6fa416895362f0c605f1384afff03e2819e4d2becdcb8e01a70932baff

Download Submit
C:\Windows\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe

Filesize
168KB

MD5
b55a8bb85b7e6c821f98a5115858300b

SHA1
0dd53e46ad5e15ea28432e123f20de3ee567c3d5

SHA256
16272eddac704168b3b4475466ce2a885cbfea87efffcae6062f28daf29ca51a

SHA512
09bdcb6f1e5203f0ad08ead2cd9ed97fecef813eed2b336363deeed5fb04fa17a124134d49e95b6594dc79d743020256500e7d759bbf78edc928d6fb2e0022b1

Download Submit
C:\Windows\{E57C8B8B-3ABA-4ffc-B728-05CC2E07E416}.exe

Filesize
168KB

MD5
b55a8bb85b7e6c821f98a5115858300b

SHA1
0dd53e46ad5e15ea28432e123f20de3ee567c3d5

SHA256
16272eddac704168b3b4475466ce2a885cbfea87efffcae6062f28daf29ca51a

SHA512
09bdcb6f1e5203f0ad08ead2cd9ed97fecef813eed2b336363deeed5fb04fa17a124134d49e95b6594dc79d743020256500e7d759bbf78edc928d6fb2e0022b1

Download Submit