1bedaed5486ca756874c6fc8fe2375315f098f1c46552eadc1374cca3f772413

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e04f19d8bf75bexeexeexeex.exe
Size

204KB
MD5

2e04f19d8bf75bd17c4cf0d04667400a
SHA1

209c86f6539fbe5aed2cad42b997ceb7d02b7dfc
SHA256

1bedaed5486ca756874c6fc8fe2375315f098f1c46552eadc1374cca3f772413
SHA512

8ca0bc33dc20d9e0b8aa197a34acfe6f5f50a8a1e040b2ecf0be0c8560faa4fb65c81c20965a80853c86fadd077c2e9f2b5cf49456e8e3e8fa8d7adf48bec10a
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68194B2B-42CD-4646-B9DA-180B0E027B32}\stubpath = "C:\\Windows\\{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe"	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}\stubpath = "C:\\Windows\\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe"	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}	{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17DBD2B7-1D31-4e75-A195-8447781B69AA}	{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17DBD2B7-1D31-4e75-A195-8447781B69AA}\stubpath = "C:\\Windows\\{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe"	{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}	{8C976B73-264C-4127-A047-F716B51C55AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{009213A8-8A4F-4710-9927-5BDC1108F77E}	{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{551AC0F4-0025-464e-B9D9-C1D036A4A324}\stubpath = "C:\\Windows\\{551AC0F4-0025-464e-B9D9-C1D036A4A324}.exe"	{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C976B73-264C-4127-A047-F716B51C55AF}	2e04f19d8bf75bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}\stubpath = "C:\\Windows\\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe"	{8C976B73-264C-4127-A047-F716B51C55AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{534373BB-71AC-4a78-A4E9-73EF2898D274}	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44EF620-B908-4679-A25C-DBE7254C1FE7}\stubpath = "C:\\Windows\\{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe"	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}\stubpath = "C:\\Windows\\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe"	{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{731392F6-9496-4c9a-823F-D90D868F2C54}	{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C976B73-264C-4127-A047-F716B51C55AF}\stubpath = "C:\\Windows\\{8C976B73-264C-4127-A047-F716B51C55AF}.exe"	2e04f19d8bf75bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}\stubpath = "C:\\Windows\\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe"	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44EF620-B908-4679-A25C-DBE7254C1FE7}	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}\stubpath = "C:\\Windows\\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe"	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68194B2B-42CD-4646-B9DA-180B0E027B32}	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{009213A8-8A4F-4710-9927-5BDC1108F77E}\stubpath = "C:\\Windows\\{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe"	{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{731392F6-9496-4c9a-823F-D90D868F2C54}\stubpath = "C:\\Windows\\{731392F6-9496-4c9a-823F-D90D868F2C54}.exe"	{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{534373BB-71AC-4a78-A4E9-73EF2898D274}\stubpath = "C:\\Windows\\{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe"	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{551AC0F4-0025-464e-B9D9-C1D036A4A324}	{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe
2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe
2096	{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
2076	{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
2684	{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
2492	{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
2732	{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe
2696	{551AC0F4-0025-464e-B9D9-C1D036A4A324}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe	{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
File created	C:\Windows\{551AC0F4-0025-464e-B9D9-C1D036A4A324}.exe	{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe
File created	C:\Windows\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	{8C976B73-264C-4127-A047-F716B51C55AF}.exe
File created	C:\Windows\{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
File created	C:\Windows\{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
File created	C:\Windows\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe	{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
File created	C:\Windows\{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe	{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
File created	C:\Windows\{731392F6-9496-4c9a-823F-D90D868F2C54}.exe	{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
File created	C:\Windows\{8C976B73-264C-4127-A047-F716B51C55AF}.exe	2e04f19d8bf75bexeexeexeex.exe
File created	C:\Windows\{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
File created	C:\Windows\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
File created	C:\Windows\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
File created	C:\Windows\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2e04f19d8bf75bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe
Token: SeIncBasePriorityPrivilege	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
Token: SeIncBasePriorityPrivilege	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
Token: SeIncBasePriorityPrivilege	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
Token: SeIncBasePriorityPrivilege	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
Token: SeIncBasePriorityPrivilege	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
Token: SeIncBasePriorityPrivilege	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe
Token: SeIncBasePriorityPrivilege	2096	{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
Token: SeIncBasePriorityPrivilege	2076	{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
Token: SeIncBasePriorityPrivilege	2684	{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
Token: SeIncBasePriorityPrivilege	2492	{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
Token: SeIncBasePriorityPrivilege	2732	{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2188	2200	2e04f19d8bf75bexeexeexeex.exe	29
PID 2200 wrote to memory of 2188	2200	2e04f19d8bf75bexeexeexeex.exe	29
PID 2200 wrote to memory of 2188	2200	2e04f19d8bf75bexeexeexeex.exe	29
PID 2200 wrote to memory of 2188	2200	2e04f19d8bf75bexeexeexeex.exe	29
PID 2200 wrote to memory of 2264	2200	2e04f19d8bf75bexeexeexeex.exe	30
PID 2200 wrote to memory of 2264	2200	2e04f19d8bf75bexeexeexeex.exe	30
PID 2200 wrote to memory of 2264	2200	2e04f19d8bf75bexeexeexeex.exe	30
PID 2200 wrote to memory of 2264	2200	2e04f19d8bf75bexeexeexeex.exe	30
PID 2188 wrote to memory of 2120	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	31
PID 2188 wrote to memory of 2120	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	31
PID 2188 wrote to memory of 2120	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	31
PID 2188 wrote to memory of 2120	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	31
PID 2188 wrote to memory of 2220	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	32
PID 2188 wrote to memory of 2220	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	32
PID 2188 wrote to memory of 2220	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	32
PID 2188 wrote to memory of 2220	2188	{8C976B73-264C-4127-A047-F716B51C55AF}.exe	32
PID 2120 wrote to memory of 2960	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	33
PID 2120 wrote to memory of 2960	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	33
PID 2120 wrote to memory of 2960	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	33
PID 2120 wrote to memory of 2960	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	33
PID 2120 wrote to memory of 1676	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	34
PID 2120 wrote to memory of 1676	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	34
PID 2120 wrote to memory of 1676	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	34
PID 2120 wrote to memory of 1676	2120	{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe	34
PID 2960 wrote to memory of 1716	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	35
PID 2960 wrote to memory of 1716	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	35
PID 2960 wrote to memory of 1716	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	35
PID 2960 wrote to memory of 1716	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	35
PID 2960 wrote to memory of 2228	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	36
PID 2960 wrote to memory of 2228	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	36
PID 2960 wrote to memory of 2228	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	36
PID 2960 wrote to memory of 2228	2960	{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe	36
PID 1716 wrote to memory of 864	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	37
PID 1716 wrote to memory of 864	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	37
PID 1716 wrote to memory of 864	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	37
PID 1716 wrote to memory of 864	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	37
PID 1716 wrote to memory of 2104	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	38
PID 1716 wrote to memory of 2104	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	38
PID 1716 wrote to memory of 2104	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	38
PID 1716 wrote to memory of 2104	1716	{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe	38
PID 864 wrote to memory of 992	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	39
PID 864 wrote to memory of 992	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	39
PID 864 wrote to memory of 992	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	39
PID 864 wrote to memory of 992	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	39
PID 864 wrote to memory of 2112	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	40
PID 864 wrote to memory of 2112	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	40
PID 864 wrote to memory of 2112	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	40
PID 864 wrote to memory of 2112	864	{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe	40
PID 992 wrote to memory of 2988	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	41
PID 992 wrote to memory of 2988	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	41
PID 992 wrote to memory of 2988	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	41
PID 992 wrote to memory of 2988	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	41
PID 992 wrote to memory of 2448	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	42
PID 992 wrote to memory of 2448	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	42
PID 992 wrote to memory of 2448	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	42
PID 992 wrote to memory of 2448	992	{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe	42
PID 2988 wrote to memory of 2096	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	43
PID 2988 wrote to memory of 2096	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	43
PID 2988 wrote to memory of 2096	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	43
PID 2988 wrote to memory of 2096	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	43
PID 2988 wrote to memory of 2396	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	44
PID 2988 wrote to memory of 2396	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	44
PID 2988 wrote to memory of 2396	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	44
PID 2988 wrote to memory of 2396	2988	{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe	44

C:\Users\Admin\AppData\Local\Temp\2e04f19d8bf75bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2e04f19d8bf75bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{8C976B73-264C-4127-A047-F716B51C55AF}.exe
  C:\Windows\{8C976B73-264C-4127-A047-F716B51C55AF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
    C:\Windows\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
      C:\Windows\{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
        
        C:\Windows\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
        
        C:\Windows\{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
        
        C:\Windows\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe
        
        C:\Windows\{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
        
        C:\Windows\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
        
        C:\Windows\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
        
        C:\Windows\{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
        
        C:\Windows\{731392F6-9496-4c9a-823F-D90D868F2C54}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe
        
        C:\Windows\{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{551AC0F4-0025-464e-B9D9-C1D036A4A324}.exe
        
        C:\Windows\{551AC0F4-0025-464e-B9D9-C1D036A4A324}.exe
        14⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17DBD~1.EXE > nul
        14⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73139~1.EXE > nul
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00921~1.EXE > nul
        12⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FCE2~1.EXE > nul
        11⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FE80~1.EXE > nul
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68194~1.EXE > nul
        9⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5A01~1.EXE > nul
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B44EF~1.EXE > nul
        7⤵
        
        PID:2112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B012E~1.EXE > nul
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53437~1.EXE > nul
        5⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2171~1.EXE > nul
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C976~1.EXE > nul
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E04F1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe

Filesize
204KB

MD5
d7fd9a53862dbc305a516e7dd4c5b6dc

SHA1
bf0ab43e72be85b2ca7570d8568a1fbc3c53fdba

SHA256
17f7c94403bb2fe933d0ac783b27245a55e8397d3669c64c825d8a09d964be5a

SHA512
a8b2a5ffd5bb6aae7a921e4a055fb244ad5d7b49f9701871a1a82bed7bd053d0eb0b7ae25342c7cc5725afaa5a2d305c1819816986eea5588184f9cd148f5c56

Download Submit
C:\Windows\{009213A8-8A4F-4710-9927-5BDC1108F77E}.exe

Filesize
204KB

MD5
d7fd9a53862dbc305a516e7dd4c5b6dc

SHA1
bf0ab43e72be85b2ca7570d8568a1fbc3c53fdba

SHA256
17f7c94403bb2fe933d0ac783b27245a55e8397d3669c64c825d8a09d964be5a

SHA512
a8b2a5ffd5bb6aae7a921e4a055fb244ad5d7b49f9701871a1a82bed7bd053d0eb0b7ae25342c7cc5725afaa5a2d305c1819816986eea5588184f9cd148f5c56

Download Submit
C:\Windows\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe

Filesize
204KB

MD5
c9b2b81fa8f77cce818265ae1680cab8

SHA1
20c6d9e90668c4458daae1e8b330ec8de8b5864a

SHA256
a07c12c9c592c6c269824aece1f17a2568e740f4d74da8c4d3a109ebb706baf3

SHA512
ede67c2df66125063c99f47c85272bb64a2df43952ec087eb162db44e430854732d4d4b53053a32e8af465819e74b3779664111446d69ec6eb6d51543a479b05

Download Submit
C:\Windows\{0FCE2A96-6D9F-4112-8376-2C2B56906E64}.exe

Filesize
204KB

MD5
c9b2b81fa8f77cce818265ae1680cab8

SHA1
20c6d9e90668c4458daae1e8b330ec8de8b5864a

SHA256
a07c12c9c592c6c269824aece1f17a2568e740f4d74da8c4d3a109ebb706baf3

SHA512
ede67c2df66125063c99f47c85272bb64a2df43952ec087eb162db44e430854732d4d4b53053a32e8af465819e74b3779664111446d69ec6eb6d51543a479b05

Download Submit
C:\Windows\{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe

Filesize
204KB

MD5
4bd22fc0113f9ad789c57392b4d11b40

SHA1
cb71bced47454b484d1ca92d63dae15f04bb83d4

SHA256
2ca02651556936a183249afe9fbf7b5c95719a8a7ce50a1f5ef512fc0554e7b6

SHA512
fe27ef6b91cff11bf998f2304127482584bc22ac0885aad2421ce3c8800339cf723d96a26c089fcb7aa7f5c6accfae15694526f6ae9761f583161daed6304826

Download Submit
C:\Windows\{17DBD2B7-1D31-4e75-A195-8447781B69AA}.exe

Filesize
204KB

MD5
4bd22fc0113f9ad789c57392b4d11b40

SHA1
cb71bced47454b484d1ca92d63dae15f04bb83d4

SHA256
2ca02651556936a183249afe9fbf7b5c95719a8a7ce50a1f5ef512fc0554e7b6

SHA512
fe27ef6b91cff11bf998f2304127482584bc22ac0885aad2421ce3c8800339cf723d96a26c089fcb7aa7f5c6accfae15694526f6ae9761f583161daed6304826

Download Submit
C:\Windows\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe

Filesize
204KB

MD5
5e73852fcffddeb190e219081e944b29

SHA1
9eb53433fa364fbb08dfac2379a69f992c42d58f

SHA256
34e9eb03005f50ce765d13a984ab3adf1f21df0b3e6be4f88ac207e2f77b4c02

SHA512
49a4744e49819e0e11bead69b30270e7654b6ea590305f87f3731a6d90ed940da6e975226fff49ce0a435a460135a7978b77a4587a417e8b8c1169546156f6aa

Download Submit
C:\Windows\{2FE80EE7-C602-4589-AC9D-9478EA2975F8}.exe

Filesize
204KB

MD5
5e73852fcffddeb190e219081e944b29

SHA1
9eb53433fa364fbb08dfac2379a69f992c42d58f

SHA256
34e9eb03005f50ce765d13a984ab3adf1f21df0b3e6be4f88ac207e2f77b4c02

SHA512
49a4744e49819e0e11bead69b30270e7654b6ea590305f87f3731a6d90ed940da6e975226fff49ce0a435a460135a7978b77a4587a417e8b8c1169546156f6aa

Download Submit
C:\Windows\{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe

Filesize
204KB

MD5
f2441ef828d05bac0394fd00a8554a3b

SHA1
04dde4019976db40e5d9374e2048d31d6830cfd9

SHA256
f652236db2b0dbacbeb3f71507c2beb1a6b2500b47a18ebe53298d2c1315c9a6

SHA512
7174873e8e1d5aa2c717c37b0a034f75e44db4e831b18363cd1a88f98c70d651336be13928d66216a272e31d9ab12339ae67753fd96b62493843799f8f534fad

Download Submit
C:\Windows\{534373BB-71AC-4a78-A4E9-73EF2898D274}.exe

Filesize
204KB

MD5
f2441ef828d05bac0394fd00a8554a3b

SHA1
04dde4019976db40e5d9374e2048d31d6830cfd9

SHA256
f652236db2b0dbacbeb3f71507c2beb1a6b2500b47a18ebe53298d2c1315c9a6

SHA512
7174873e8e1d5aa2c717c37b0a034f75e44db4e831b18363cd1a88f98c70d651336be13928d66216a272e31d9ab12339ae67753fd96b62493843799f8f534fad

Download Submit
C:\Windows\{551AC0F4-0025-464e-B9D9-C1D036A4A324}.exe

Filesize
204KB

MD5
46cc4c2e2b8cde528c1920bfc78750e1

SHA1
466b54beab54210c8e4157e96b876ecd6fc3a3e9

SHA256
a1defd63cfe2e59570688c4319addcb30c57c1e1b8ce66229b8706c8314a1667

SHA512
5790c728a605e8e5a4352c6e62968ad608d3a12a5a2a303048d5cc3ae9d246649891c65e91420d7a1973778e790fd54a3cb3627a69b4b738755855a752d37126

Download Submit
C:\Windows\{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe

Filesize
204KB

MD5
723a61e7f4b867e659f77fc597dacf15

SHA1
310d5884a959f099f377aeff57b099c61d7d75ff

SHA256
fc0d80f9adf98e0f2d07ca14729aaca427da0fa70ca6804755b9656ded279139

SHA512
94106ee2772c4c489ec82bfb4a1b2de1b62c68ed2bdc296f7b93ec253600ea255070c0b625ed5ff63078405899ea30165609bb827bc5cb837b58f2724ab26337

Download Submit
C:\Windows\{68194B2B-42CD-4646-B9DA-180B0E027B32}.exe

Filesize
204KB

MD5
723a61e7f4b867e659f77fc597dacf15

SHA1
310d5884a959f099f377aeff57b099c61d7d75ff

SHA256
fc0d80f9adf98e0f2d07ca14729aaca427da0fa70ca6804755b9656ded279139

SHA512
94106ee2772c4c489ec82bfb4a1b2de1b62c68ed2bdc296f7b93ec253600ea255070c0b625ed5ff63078405899ea30165609bb827bc5cb837b58f2724ab26337

Download Submit
C:\Windows\{731392F6-9496-4c9a-823F-D90D868F2C54}.exe

Filesize
204KB

MD5
4247b0facf1502801169ec3ee2fe0643

SHA1
415abe0b3893d29e5f6f4580d5af2ea3cc741eec

SHA256
76e0ab21fc5e76e558e9af99e7f8fabda19c84d0550b3cdc650babcebb6581d9

SHA512
7be4558320793390dcbc1486649eb60baf5f67ec455f1845596278d110daf475a49986ebaf1b4ba394ebbdbdf59e548bde5328c1791e633647e176f305b9607d

Download Submit
C:\Windows\{731392F6-9496-4c9a-823F-D90D868F2C54}.exe

Filesize
204KB

MD5
4247b0facf1502801169ec3ee2fe0643

SHA1
415abe0b3893d29e5f6f4580d5af2ea3cc741eec

SHA256
76e0ab21fc5e76e558e9af99e7f8fabda19c84d0550b3cdc650babcebb6581d9

SHA512
7be4558320793390dcbc1486649eb60baf5f67ec455f1845596278d110daf475a49986ebaf1b4ba394ebbdbdf59e548bde5328c1791e633647e176f305b9607d

Download Submit
C:\Windows\{8C976B73-264C-4127-A047-F716B51C55AF}.exe

Filesize
204KB

MD5
0c0bdcc7f8da6f1a518e4b1e262f7cd8

SHA1
33f029352162819aeaca39fc1be6baa7adc2b88f

SHA256
d5b299d4739bdfc5985bb6be8c83a633477d0c155ef030dde84bc101416a42b4

SHA512
d9994136b6e3610d26f42f316b535958fb00d5df26a12b82d61486b5cd4e6d739b5e03dc0caaea8f9f7bf792895b8c0f2ddc9348369a74c741b1637d25e2c753

Download Submit
C:\Windows\{8C976B73-264C-4127-A047-F716B51C55AF}.exe

Filesize
204KB

MD5
0c0bdcc7f8da6f1a518e4b1e262f7cd8

SHA1
33f029352162819aeaca39fc1be6baa7adc2b88f

SHA256
d5b299d4739bdfc5985bb6be8c83a633477d0c155ef030dde84bc101416a42b4

SHA512
d9994136b6e3610d26f42f316b535958fb00d5df26a12b82d61486b5cd4e6d739b5e03dc0caaea8f9f7bf792895b8c0f2ddc9348369a74c741b1637d25e2c753

Download Submit
C:\Windows\{8C976B73-264C-4127-A047-F716B51C55AF}.exe

Filesize
204KB

MD5
0c0bdcc7f8da6f1a518e4b1e262f7cd8

SHA1
33f029352162819aeaca39fc1be6baa7adc2b88f

SHA256
d5b299d4739bdfc5985bb6be8c83a633477d0c155ef030dde84bc101416a42b4

SHA512
d9994136b6e3610d26f42f316b535958fb00d5df26a12b82d61486b5cd4e6d739b5e03dc0caaea8f9f7bf792895b8c0f2ddc9348369a74c741b1637d25e2c753

Download Submit
C:\Windows\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe

Filesize
204KB

MD5
21b74cb284afa871516f44afa95d61b0

SHA1
c5be5e6ca97f5fce9911d4712f45644e9c92e817

SHA256
0c8759a914bac25183e278cd00135fa140a2a1f99a62cbc42635b96506af9e00

SHA512
a6fdd17c345709db1d2b885d032a83f57b9ad2cee17ce5b19dbd0b02bbf1a6bddfd225cdc1d99437d280bcc4230b51f7bb1d6b76e57df6f2f069c2de8dc6c6c5

Download Submit
C:\Windows\{B012EBA3-4CEF-40c5-B732-D262FADC04EA}.exe

Filesize
204KB

MD5
21b74cb284afa871516f44afa95d61b0

SHA1
c5be5e6ca97f5fce9911d4712f45644e9c92e817

SHA256
0c8759a914bac25183e278cd00135fa140a2a1f99a62cbc42635b96506af9e00

SHA512
a6fdd17c345709db1d2b885d032a83f57b9ad2cee17ce5b19dbd0b02bbf1a6bddfd225cdc1d99437d280bcc4230b51f7bb1d6b76e57df6f2f069c2de8dc6c6c5

Download Submit
C:\Windows\{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe

Filesize
204KB

MD5
7d9e3406319cc473931ee5580ef3707e

SHA1
33eb37615dff6e0c54d7b18939370c6d7f5a152a

SHA256
5baab44d89734e1e26c5d38c9bc3170ac53e816126863fe734d22d609b8737e6

SHA512
5fd38d8a8f706c8bb366463deb90fd349a6ec50d23281a509edd2097aacc0564068dd2055b3c2abb872325a7c3f3117815ebd3923475c3771b6be46f44de8b14

Download Submit
C:\Windows\{B44EF620-B908-4679-A25C-DBE7254C1FE7}.exe

Filesize
204KB

MD5
7d9e3406319cc473931ee5580ef3707e

SHA1
33eb37615dff6e0c54d7b18939370c6d7f5a152a

SHA256
5baab44d89734e1e26c5d38c9bc3170ac53e816126863fe734d22d609b8737e6

SHA512
5fd38d8a8f706c8bb366463deb90fd349a6ec50d23281a509edd2097aacc0564068dd2055b3c2abb872325a7c3f3117815ebd3923475c3771b6be46f44de8b14

Download Submit
C:\Windows\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe

Filesize
204KB

MD5
99685dc4358f77588f7a199ac3d6463f

SHA1
d3cc574c0c15404137410ea3213522457c0c6a69

SHA256
d35c23f628110641ce955a3b7653d31a0f5339b709318480eded482f7b720005

SHA512
e09379061233a782ecc20aa11ddda7e4a15bdee47623a33cfbe8375f019300e4353db769200b99be3f9f5754be3e01ddf4e699e91d55e7ee9e704ba4042475f0

Download Submit
C:\Windows\{D21712F6-5DBF-4c4a-A255-4E9B133A5937}.exe

Filesize
204KB

MD5
99685dc4358f77588f7a199ac3d6463f

SHA1
d3cc574c0c15404137410ea3213522457c0c6a69

SHA256
d35c23f628110641ce955a3b7653d31a0f5339b709318480eded482f7b720005

SHA512
e09379061233a782ecc20aa11ddda7e4a15bdee47623a33cfbe8375f019300e4353db769200b99be3f9f5754be3e01ddf4e699e91d55e7ee9e704ba4042475f0

Download Submit
C:\Windows\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe

Filesize
204KB

MD5
0a4ba116631af969867c671db67d9265

SHA1
56d2fd89dc1ab349ba85ae1a555e439895a94a2c

SHA256
0414b62ddbe0501fcc964f69bbb0b02eb5d846e23ade584794fec4e026e57651

SHA512
01e24acbf520236ee1a0d15b8b620b7ea6d08453cf36b8bfdbae1eaa62e515aef787f56d4f754f4bd484ebe9d2767f9509a09301a4539ac41569390525152f92

Download Submit
C:\Windows\{D5A01C34-3FBA-4bc7-A4E0-A077C0882F0B}.exe

Filesize
204KB

MD5
0a4ba116631af969867c671db67d9265

SHA1
56d2fd89dc1ab349ba85ae1a555e439895a94a2c

SHA256
0414b62ddbe0501fcc964f69bbb0b02eb5d846e23ade584794fec4e026e57651

SHA512
01e24acbf520236ee1a0d15b8b620b7ea6d08453cf36b8bfdbae1eaa62e515aef787f56d4f754f4bd484ebe9d2767f9509a09301a4539ac41569390525152f92

Download Submit