bd488c06a4454c2b3a33d9698d4cbe13de334a015f5c1bef679403eb259d7ad9

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2170ad63b67d8eexeexeexeex.exe
Size

204KB
MD5

2170ad63b67d8e000f371fbfa48b7843
SHA1

aa2cd074a647dc67033f9f3fefbf28d1a2ee3172
SHA256

bd488c06a4454c2b3a33d9698d4cbe13de334a015f5c1bef679403eb259d7ad9
SHA512

8c0ac29c378aaba41fae81697bf6a49f24bc9706d3fc34687516d2d3820b69e0be23f1cb615de164c9fdd5349f05adf34caa6dc5ce0c84a25886851a6381e298
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ojl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82E844D-7668-46da-8156-214AC85DA46B}	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A679636A-8136-43d7-9232-18EE93EA8B6C}	{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05D500A1-774C-409f-BAB5-70E45A5F1D17}	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05D500A1-774C-409f-BAB5-70E45A5F1D17}\stubpath = "C:\\Windows\\{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe"	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}\stubpath = "C:\\Windows\\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe"	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}\stubpath = "C:\\Windows\\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe"	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}\stubpath = "C:\\Windows\\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe"	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3263236B-A99F-4bda-B8CE-FEA7C5075324}	{C82E844D-7668-46da-8156-214AC85DA46B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A679636A-8136-43d7-9232-18EE93EA8B6C}\stubpath = "C:\\Windows\\{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe"	{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C92F713-E3E6-422b-A730-8A45E7F01C91}	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}\stubpath = "C:\\Windows\\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe"	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C92F713-E3E6-422b-A730-8A45E7F01C91}\stubpath = "C:\\Windows\\{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe"	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82E844D-7668-46da-8156-214AC85DA46B}\stubpath = "C:\\Windows\\{C82E844D-7668-46da-8156-214AC85DA46B}.exe"	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E6F04F-C1E7-4832-9E90-665F5930297C}	2170ad63b67d8eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E6F04F-C1E7-4832-9E90-665F5930297C}\stubpath = "C:\\Windows\\{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe"	2170ad63b67d8eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}\stubpath = "C:\\Windows\\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe"	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}\stubpath = "C:\\Windows\\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe"	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3263236B-A99F-4bda-B8CE-FEA7C5075324}\stubpath = "C:\\Windows\\{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe"	{C82E844D-7668-46da-8156-214AC85DA46B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe
3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
1012	{C82E844D-7668-46da-8156-214AC85DA46B}.exe
5060	{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe
2484	{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
File created	C:\Windows\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
File created	C:\Windows\{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe	{C82E844D-7668-46da-8156-214AC85DA46B}.exe
File created	C:\Windows\{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe	{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe
File created	C:\Windows\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
File created	C:\Windows\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
File created	C:\Windows\{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
File created	C:\Windows\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
File created	C:\Windows\{C82E844D-7668-46da-8156-214AC85DA46B}.exe	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
File created	C:\Windows\{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	2170ad63b67d8eexeexeexeex.exe
File created	C:\Windows\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
File created	C:\Windows\{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1312	2170ad63b67d8eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
Token: SeIncBasePriorityPrivilege	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
Token: SeIncBasePriorityPrivilege	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
Token: SeIncBasePriorityPrivilege	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
Token: SeIncBasePriorityPrivilege	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe
Token: SeIncBasePriorityPrivilege	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
Token: SeIncBasePriorityPrivilege	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
Token: SeIncBasePriorityPrivilege	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
Token: SeIncBasePriorityPrivilege	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
Token: SeIncBasePriorityPrivilege	1012	{C82E844D-7668-46da-8156-214AC85DA46B}.exe
Token: SeIncBasePriorityPrivilege	5060	{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2496	1312	2170ad63b67d8eexeexeexeex.exe	84
PID 1312 wrote to memory of 2496	1312	2170ad63b67d8eexeexeexeex.exe	84
PID 1312 wrote to memory of 2496	1312	2170ad63b67d8eexeexeexeex.exe	84
PID 1312 wrote to memory of 2276	1312	2170ad63b67d8eexeexeexeex.exe	85
PID 1312 wrote to memory of 2276	1312	2170ad63b67d8eexeexeexeex.exe	85
PID 1312 wrote to memory of 2276	1312	2170ad63b67d8eexeexeexeex.exe	85
PID 2496 wrote to memory of 3340	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	86
PID 2496 wrote to memory of 3340	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	86
PID 2496 wrote to memory of 3340	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	86
PID 2496 wrote to memory of 4780	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	87
PID 2496 wrote to memory of 4780	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	87
PID 2496 wrote to memory of 4780	2496	{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe	87
PID 3340 wrote to memory of 5080	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	92
PID 3340 wrote to memory of 5080	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	92
PID 3340 wrote to memory of 5080	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	92
PID 3340 wrote to memory of 3680	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	91
PID 3340 wrote to memory of 3680	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	91
PID 3340 wrote to memory of 3680	3340	{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe	91
PID 5080 wrote to memory of 3812	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	93
PID 5080 wrote to memory of 3812	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	93
PID 5080 wrote to memory of 3812	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	93
PID 5080 wrote to memory of 3688	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	94
PID 5080 wrote to memory of 3688	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	94
PID 5080 wrote to memory of 3688	5080	{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe	94
PID 3812 wrote to memory of 540	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	95
PID 3812 wrote to memory of 540	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	95
PID 3812 wrote to memory of 540	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	95
PID 3812 wrote to memory of 4896	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	96
PID 3812 wrote to memory of 4896	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	96
PID 3812 wrote to memory of 4896	3812	{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe	96
PID 540 wrote to memory of 3100	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	97
PID 540 wrote to memory of 3100	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	97
PID 540 wrote to memory of 3100	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	97
PID 540 wrote to memory of 1080	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	98
PID 540 wrote to memory of 1080	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	98
PID 540 wrote to memory of 1080	540	{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe	98
PID 3100 wrote to memory of 5024	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	99
PID 3100 wrote to memory of 5024	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	99
PID 3100 wrote to memory of 5024	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	99
PID 3100 wrote to memory of 1464	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	100
PID 3100 wrote to memory of 1464	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	100
PID 3100 wrote to memory of 1464	3100	{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe	100
PID 5024 wrote to memory of 464	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	101
PID 5024 wrote to memory of 464	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	101
PID 5024 wrote to memory of 464	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	101
PID 5024 wrote to memory of 4284	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	102
PID 5024 wrote to memory of 4284	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	102
PID 5024 wrote to memory of 4284	5024	{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe	102
PID 464 wrote to memory of 4520	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	103
PID 464 wrote to memory of 4520	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	103
PID 464 wrote to memory of 4520	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	103
PID 464 wrote to memory of 1412	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	104
PID 464 wrote to memory of 1412	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	104
PID 464 wrote to memory of 1412	464	{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe	104
PID 4520 wrote to memory of 1012	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	105
PID 4520 wrote to memory of 1012	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	105
PID 4520 wrote to memory of 1012	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	105
PID 4520 wrote to memory of 5020	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	106
PID 4520 wrote to memory of 5020	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	106
PID 4520 wrote to memory of 5020	4520	{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe	106
PID 1012 wrote to memory of 5060	1012	{C82E844D-7668-46da-8156-214AC85DA46B}.exe	107
PID 1012 wrote to memory of 5060	1012	{C82E844D-7668-46da-8156-214AC85DA46B}.exe	107
PID 1012 wrote to memory of 5060	1012	{C82E844D-7668-46da-8156-214AC85DA46B}.exe	107
PID 1012 wrote to memory of 4268	1012	{C82E844D-7668-46da-8156-214AC85DA46B}.exe	108

C:\Users\Admin\AppData\Local\Temp\2170ad63b67d8eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2170ad63b67d8eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
  C:\Windows\{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
    C:\Windows\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E3DB9~1.EXE > nul
      4⤵
      PID:3680
  - - C:\Windows\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
      C:\Windows\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Windows\{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
        
        C:\Windows\{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe
        
        C:\Windows\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
        
        C:\Windows\{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
        
        C:\Windows\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
        
        C:\Windows\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
        
        C:\Windows\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\{C82E844D-7668-46da-8156-214AC85DA46B}.exe
        
        C:\Windows\{C82E844D-7668-46da-8156-214AC85DA46B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe
        
        C:\Windows\{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe
        
        C:\Windows\{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe
        13⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32632~1.EXE > nul
        13⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C82E8~1.EXE > nul
        12⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CCC3~1.EXE > nul
        11⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F8EC~1.EXE > nul
        10⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{465C1~1.EXE > nul
        9⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05D50~1.EXE > nul
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64D7D~1.EXE > nul
        7⤵
        
        PID:1080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C92F~1.EXE > nul
        6⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7CB~1.EXE > nul
        5⤵
        
        PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24E6F~1.EXE > nul
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2170AD~1.EXE > nul
  2⤵
  PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe

Filesize
204KB

MD5
c61a4bfd22b6f586e7c2cd00eae863d5

SHA1
cdcb35bab3b88ba7afe96919b4053b74379fd3f1

SHA256
a96e9f70b83f4d0fd12ec5433abb669a195093bd40b3d60a0e59811d65f0330d

SHA512
3d1c2e0701c78c450fa17c513df8802640bea17c0ed47428ffbf9b6dc6024c64dadab1f1ac8f20275b5a8a56265b384d50674e8dfc8312387af6b3afd634b6d8

Download Submit
C:\Windows\{05D500A1-774C-409f-BAB5-70E45A5F1D17}.exe

Filesize
204KB

MD5
c61a4bfd22b6f586e7c2cd00eae863d5

SHA1
cdcb35bab3b88ba7afe96919b4053b74379fd3f1

SHA256
a96e9f70b83f4d0fd12ec5433abb669a195093bd40b3d60a0e59811d65f0330d

SHA512
3d1c2e0701c78c450fa17c513df8802640bea17c0ed47428ffbf9b6dc6024c64dadab1f1ac8f20275b5a8a56265b384d50674e8dfc8312387af6b3afd634b6d8

Download Submit
C:\Windows\{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe

Filesize
204KB

MD5
018393a02cd7af3b6f1779c43cbd7b8f

SHA1
af7f7b6dd98af66cedf93469d1f392eeecd56254

SHA256
b32127d3cb852de1fcee3ab29b0f61d056d651072f7950b4df6e4d93272f5ec8

SHA512
fb3244176ed1683b628d7e41633e2a61097f531e702b3b54933757aef39a36ad09949606863db609a67b5d3dbd435b3710fd87eff5ee75cc3d253e9dcce3d9b4

Download Submit
C:\Windows\{24E6F04F-C1E7-4832-9E90-665F5930297C}.exe

Filesize
204KB

MD5
018393a02cd7af3b6f1779c43cbd7b8f

SHA1
af7f7b6dd98af66cedf93469d1f392eeecd56254

SHA256
b32127d3cb852de1fcee3ab29b0f61d056d651072f7950b4df6e4d93272f5ec8

SHA512
fb3244176ed1683b628d7e41633e2a61097f531e702b3b54933757aef39a36ad09949606863db609a67b5d3dbd435b3710fd87eff5ee75cc3d253e9dcce3d9b4

Download Submit
C:\Windows\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe

Filesize
204KB

MD5
4152fa72e8b14761b0bedd32cf868f05

SHA1
70672ec8e5ba85d52140b0d922b58fa0a5b18e94

SHA256
d661066a6d915cabafe5f3c4fe431eefb72a7dcfbb3ac8664fc2f04d5e7db64a

SHA512
4865145dacdd48006cd0a5c5b3e2ee89f36b6b4ed1c1d131de6b3c37f17958666137b5b083a244569729aad1a811c8ced9687e0bed7501f37803d6786422f938

Download Submit
C:\Windows\{2CCC3B0E-20F8-4d6b-A023-D6D87C072CF4}.exe

Filesize
204KB

MD5
4152fa72e8b14761b0bedd32cf868f05

SHA1
70672ec8e5ba85d52140b0d922b58fa0a5b18e94

SHA256
d661066a6d915cabafe5f3c4fe431eefb72a7dcfbb3ac8664fc2f04d5e7db64a

SHA512
4865145dacdd48006cd0a5c5b3e2ee89f36b6b4ed1c1d131de6b3c37f17958666137b5b083a244569729aad1a811c8ced9687e0bed7501f37803d6786422f938

Download Submit
C:\Windows\{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe

Filesize
204KB

MD5
91be18afd644d0525bcc2d09ec8fc710

SHA1
205601101b98ecb6d05b75c3eb42140e1765f573

SHA256
e58790e377499806ba226c117e7fc7bf2ca3e33c2b880b6b7d39793b8ebbcadb

SHA512
955295cfb9925c69efcd25cf5a8a68afb3e88313dbce09b05394477c92a529e64f7804a9949a2b02d5a39233d8705c46b1fd936a0939f9586ddfd2083ca58b8a

Download Submit
C:\Windows\{3263236B-A99F-4bda-B8CE-FEA7C5075324}.exe

Filesize
204KB

MD5
91be18afd644d0525bcc2d09ec8fc710

SHA1
205601101b98ecb6d05b75c3eb42140e1765f573

SHA256
e58790e377499806ba226c117e7fc7bf2ca3e33c2b880b6b7d39793b8ebbcadb

SHA512
955295cfb9925c69efcd25cf5a8a68afb3e88313dbce09b05394477c92a529e64f7804a9949a2b02d5a39233d8705c46b1fd936a0939f9586ddfd2083ca58b8a

Download Submit
C:\Windows\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe

Filesize
204KB

MD5
8615efcdcbfeba162142405b6d2b3804

SHA1
65031766afe7b94cc730195cdb84f438c9034826

SHA256
0007195324a47b6cea7384a92ada87fe5290e24b58a07e6ab36de5fee4e10419

SHA512
1cc542611130e7f66fe4f8e41c54739d0d262157c9bb0ad790b73b08ca8bd90d79895a83ecd2d46fcecd9e586c3e6ac4cb545d0d4c4aebe604bf4058c7baf382

Download Submit
C:\Windows\{465C1870-1C21-4aa8-B3E1-CE81B031CE65}.exe

Filesize
204KB

MD5
8615efcdcbfeba162142405b6d2b3804

SHA1
65031766afe7b94cc730195cdb84f438c9034826

SHA256
0007195324a47b6cea7384a92ada87fe5290e24b58a07e6ab36de5fee4e10419

SHA512
1cc542611130e7f66fe4f8e41c54739d0d262157c9bb0ad790b73b08ca8bd90d79895a83ecd2d46fcecd9e586c3e6ac4cb545d0d4c4aebe604bf4058c7baf382

Download Submit
C:\Windows\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe

Filesize
204KB

MD5
01194d07a1317b9a6dbff317884fc500

SHA1
b5b31761415c7273a5062df415e3f80c8d0c05cd

SHA256
3ba278c27d64867edefe97da3e55e619fb9e114c3f321d0dd79468fcb9f115e3

SHA512
859bc1e86d60ce3db03b8a2958cd4950b2efaac74b25a50d0cef3f505bed68a6ebcefde6bea0ee9f834c7a6b032317ded3772049a9dab7e15b5616fdaadde1fd

Download Submit
C:\Windows\{5F8EC497-FD6D-406d-9EB3-455E0982C76B}.exe

Filesize
204KB

MD5
01194d07a1317b9a6dbff317884fc500

SHA1
b5b31761415c7273a5062df415e3f80c8d0c05cd

SHA256
3ba278c27d64867edefe97da3e55e619fb9e114c3f321d0dd79468fcb9f115e3

SHA512
859bc1e86d60ce3db03b8a2958cd4950b2efaac74b25a50d0cef3f505bed68a6ebcefde6bea0ee9f834c7a6b032317ded3772049a9dab7e15b5616fdaadde1fd

Download Submit
C:\Windows\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe

Filesize
204KB

MD5
d7731335dbd9c24e27500b90dc2ca097

SHA1
1fa4eb4890b6911bcbc74cb95c091c0406670ffe

SHA256
7f5d2cba2795bbe65bc5f91a9cd258b3b5a68f4c3e74c686cee05cf3e4553a18

SHA512
345703d749bea9707d64bafa5404360297c4ea298314eed4f1d745cb67b3affba672f3a7518d8fb9c5a33975c7fc46844ebd6c1770c7129d58a998c6a7174b04

Download Submit
C:\Windows\{64D7DFE9-9449-4452-9DFF-24BE0EFAA63B}.exe

Filesize
204KB

MD5
d7731335dbd9c24e27500b90dc2ca097

SHA1
1fa4eb4890b6911bcbc74cb95c091c0406670ffe

SHA256
7f5d2cba2795bbe65bc5f91a9cd258b3b5a68f4c3e74c686cee05cf3e4553a18

SHA512
345703d749bea9707d64bafa5404360297c4ea298314eed4f1d745cb67b3affba672f3a7518d8fb9c5a33975c7fc46844ebd6c1770c7129d58a998c6a7174b04

Download Submit
C:\Windows\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe

Filesize
204KB

MD5
05c0fd994294ff13de0373a9fdeee5ae

SHA1
2efe004b738828e9851a056aaf76db2560173540

SHA256
21069ce128c9a18cf6d79825ba330bf749a95a6597fe44106d51ed8e4779dd75

SHA512
2c78bbf61cb7ed3b2bc2143a9e3ff9b569ed14e1f4ccf860bb146867fdcef95d22886dd3b44ca01ce21bba5bcc67e80a0a818cfec4184cf51e16cda517d74336

Download Submit
C:\Windows\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe

Filesize
204KB

MD5
05c0fd994294ff13de0373a9fdeee5ae

SHA1
2efe004b738828e9851a056aaf76db2560173540

SHA256
21069ce128c9a18cf6d79825ba330bf749a95a6597fe44106d51ed8e4779dd75

SHA512
2c78bbf61cb7ed3b2bc2143a9e3ff9b569ed14e1f4ccf860bb146867fdcef95d22886dd3b44ca01ce21bba5bcc67e80a0a818cfec4184cf51e16cda517d74336

Download Submit
C:\Windows\{7A7CBADC-2B42-458e-AF09-3B8EDEE1A23C}.exe

Filesize
204KB

MD5
05c0fd994294ff13de0373a9fdeee5ae

SHA1
2efe004b738828e9851a056aaf76db2560173540

SHA256
21069ce128c9a18cf6d79825ba330bf749a95a6597fe44106d51ed8e4779dd75

SHA512
2c78bbf61cb7ed3b2bc2143a9e3ff9b569ed14e1f4ccf860bb146867fdcef95d22886dd3b44ca01ce21bba5bcc67e80a0a818cfec4184cf51e16cda517d74336

Download Submit
C:\Windows\{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe

Filesize
204KB

MD5
c0fce0a1f8405d40db23ee394bc8fd49

SHA1
e18776581042eebc37803648d2eb580d990d5e22

SHA256
663294d505578d5bf758a13febec41510d9fffbd73a3e533d64eb04bee3b2467

SHA512
a381380b336c32e4b4fe3528dda3605ba052a0232a47d7f5f865410bbaf9fb1536e9bbca84957cded71817c4ed182dff765b74bf93fefe32b675143adda4e371

Download Submit
C:\Windows\{7C92F713-E3E6-422b-A730-8A45E7F01C91}.exe

Filesize
204KB

MD5
c0fce0a1f8405d40db23ee394bc8fd49

SHA1
e18776581042eebc37803648d2eb580d990d5e22

SHA256
663294d505578d5bf758a13febec41510d9fffbd73a3e533d64eb04bee3b2467

SHA512
a381380b336c32e4b4fe3528dda3605ba052a0232a47d7f5f865410bbaf9fb1536e9bbca84957cded71817c4ed182dff765b74bf93fefe32b675143adda4e371

Download Submit
C:\Windows\{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe

Filesize
204KB

MD5
f919e22316c95251a5973e7a81ca6e0a

SHA1
f72086c9481bfc3cfa04822650d8d4bbe1eadd55

SHA256
9fa74c845dd5f44ef6e138602a69b9e8197a10762f25ebb4da2c14e1edcb2e4b

SHA512
21e9afb76559a9b96206f7f1be9a855acc7888fdfaceb6394ebe2cde98db7f497063b41c0fae3dcf65b0ba0e6e55ed41bc28071efaa1da02997d0116a10020cd

Download Submit
C:\Windows\{A679636A-8136-43d7-9232-18EE93EA8B6C}.exe

Filesize
204KB

MD5
f919e22316c95251a5973e7a81ca6e0a

SHA1
f72086c9481bfc3cfa04822650d8d4bbe1eadd55

SHA256
9fa74c845dd5f44ef6e138602a69b9e8197a10762f25ebb4da2c14e1edcb2e4b

SHA512
21e9afb76559a9b96206f7f1be9a855acc7888fdfaceb6394ebe2cde98db7f497063b41c0fae3dcf65b0ba0e6e55ed41bc28071efaa1da02997d0116a10020cd

Download Submit
C:\Windows\{C82E844D-7668-46da-8156-214AC85DA46B}.exe

Filesize
204KB

MD5
e39d0e5ca96528edd0d48e1cf2352c4e

SHA1
ffefecd13871d8f46da868835c12e0729422dd94

SHA256
b6046834dad228867006d292f856f8b30f2cfd553bea99a131a05ca2b944f55b

SHA512
26577f803f2276facb6d33c2636e9357ca392a7f02357cb84b010e7018203fb265828a91a44ba146f2c6b7c49b0e43afa92fb84f622d24b3ff2eac141effac7d

Download Submit
C:\Windows\{C82E844D-7668-46da-8156-214AC85DA46B}.exe

Filesize
204KB

MD5
e39d0e5ca96528edd0d48e1cf2352c4e

SHA1
ffefecd13871d8f46da868835c12e0729422dd94

SHA256
b6046834dad228867006d292f856f8b30f2cfd553bea99a131a05ca2b944f55b

SHA512
26577f803f2276facb6d33c2636e9357ca392a7f02357cb84b010e7018203fb265828a91a44ba146f2c6b7c49b0e43afa92fb84f622d24b3ff2eac141effac7d

Download Submit
C:\Windows\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe

Filesize
204KB

MD5
54dee179cfc6dc0917c2683937765a80

SHA1
1846cd88ecdef167d070b022ccc1e776734eb43d

SHA256
dcb8ab109dbe1d262ef8e15167fc7ed62a0e8834f9b2739c92bd3e699ef8bdd5

SHA512
ddc9c1a71a45ffb7131ddc81029e1ef83c620e2a5e439cdf64c8e20c6f65e890a5516390f5d4173f7d61c6d3352b86c40b1a7a0cb0c38cb20d3024442f905ac7

Download Submit
C:\Windows\{E3DB9A84-3BE9-4db5-95CB-D2378453F1D4}.exe

Filesize
204KB

MD5
54dee179cfc6dc0917c2683937765a80

SHA1
1846cd88ecdef167d070b022ccc1e776734eb43d

SHA256
dcb8ab109dbe1d262ef8e15167fc7ed62a0e8834f9b2739c92bd3e699ef8bdd5

SHA512
ddc9c1a71a45ffb7131ddc81029e1ef83c620e2a5e439cdf64c8e20c6f65e890a5516390f5d4173f7d61c6d3352b86c40b1a7a0cb0c38cb20d3024442f905ac7

Download Submit