1bedaed5486ca756874c6fc8fe2375315f098f1c46552eadc1374cca3f772413

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e04f19d8bf75bexeexeexeex.exe
Size

204KB
MD5

2e04f19d8bf75bd17c4cf0d04667400a
SHA1

209c86f6539fbe5aed2cad42b997ceb7d02b7dfc
SHA256

1bedaed5486ca756874c6fc8fe2375315f098f1c46552eadc1374cca3f772413
SHA512

8ca0bc33dc20d9e0b8aa197a34acfe6f5f50a8a1e040b2ecf0be0c8560faa4fb65c81c20965a80853c86fadd077c2e9f2b5cf49456e8e3e8fa8d7adf48bec10a
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFA76BA1-E035-4969-9828-652DD267E655}\stubpath = "C:\\Windows\\{CFA76BA1-E035-4969-9828-652DD267E655}.exe"	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}\stubpath = "C:\\Windows\\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe"	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}\stubpath = "C:\\Windows\\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe"	{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A8873AA-3784-4a14-B047-3F299BF67AED}	2e04f19d8bf75bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}\stubpath = "C:\\Windows\\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe"	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}\stubpath = "C:\\Windows\\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe"	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{083C02AE-8E77-4567-AE34-270D1CA4F76C}\stubpath = "C:\\Windows\\{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe"	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{083C02AE-8E77-4567-AE34-270D1CA4F76C}	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEDC9300-F68B-4452-8B70-AB416B79AB33}	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFA76BA1-E035-4969-9828-652DD267E655}	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}\stubpath = "C:\\Windows\\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe"	{902A74CE-8563-495f-BA15-3205E6414661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}	{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}	{902A74CE-8563-495f-BA15-3205E6414661}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A8873AA-3784-4a14-B047-3F299BF67AED}\stubpath = "C:\\Windows\\{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe"	2e04f19d8bf75bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}\stubpath = "C:\\Windows\\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe"	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}\stubpath = "C:\\Windows\\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe"	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEDC9300-F68B-4452-8B70-AB416B79AB33}\stubpath = "C:\\Windows\\{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe"	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902A74CE-8563-495f-BA15-3205E6414661}	{CFA76BA1-E035-4969-9828-652DD267E655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902A74CE-8563-495f-BA15-3205E6414661}\stubpath = "C:\\Windows\\{902A74CE-8563-495f-BA15-3205E6414661}.exe"	{CFA76BA1-E035-4969-9828-652DD267E655}.exe

Executes dropped EXE 12 IoCs

pid	Process
1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe
1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe
2572	{902A74CE-8563-495f-BA15-3205E6414661}.exe
3536	{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe
3792	{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{902A74CE-8563-495f-BA15-3205E6414661}.exe	{CFA76BA1-E035-4969-9828-652DD267E655}.exe
File created	C:\Windows\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe	{902A74CE-8563-495f-BA15-3205E6414661}.exe
File created	C:\Windows\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
File created	C:\Windows\{CFA76BA1-E035-4969-9828-652DD267E655}.exe	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
File created	C:\Windows\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
File created	C:\Windows\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
File created	C:\Windows\{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
File created	C:\Windows\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
File created	C:\Windows\{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
File created	C:\Windows\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe	{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe
File created	C:\Windows\{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	2e04f19d8bf75bexeexeexeex.exe
File created	C:\Windows\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1772	2e04f19d8bf75bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe
Token: SeIncBasePriorityPrivilege	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
Token: SeIncBasePriorityPrivilege	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
Token: SeIncBasePriorityPrivilege	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
Token: SeIncBasePriorityPrivilege	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
Token: SeIncBasePriorityPrivilege	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
Token: SeIncBasePriorityPrivilege	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
Token: SeIncBasePriorityPrivilege	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
Token: SeIncBasePriorityPrivilege	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe
Token: SeIncBasePriorityPrivilege	2572	{902A74CE-8563-495f-BA15-3205E6414661}.exe
Token: SeIncBasePriorityPrivilege	3536	{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1280	1772	2e04f19d8bf75bexeexeexeex.exe	83
PID 1772 wrote to memory of 1280	1772	2e04f19d8bf75bexeexeexeex.exe	83
PID 1772 wrote to memory of 1280	1772	2e04f19d8bf75bexeexeexeex.exe	83
PID 1772 wrote to memory of 384	1772	2e04f19d8bf75bexeexeexeex.exe	84
PID 1772 wrote to memory of 384	1772	2e04f19d8bf75bexeexeexeex.exe	84
PID 1772 wrote to memory of 384	1772	2e04f19d8bf75bexeexeexeex.exe	84
PID 1280 wrote to memory of 1960	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	85
PID 1280 wrote to memory of 1960	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	85
PID 1280 wrote to memory of 1960	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	85
PID 1280 wrote to memory of 4444	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	86
PID 1280 wrote to memory of 4444	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	86
PID 1280 wrote to memory of 4444	1280	{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe	86
PID 1960 wrote to memory of 5064	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	88
PID 1960 wrote to memory of 5064	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	88
PID 1960 wrote to memory of 5064	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	88
PID 1960 wrote to memory of 4264	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	89
PID 1960 wrote to memory of 4264	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	89
PID 1960 wrote to memory of 4264	1960	{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe	89
PID 5064 wrote to memory of 3388	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	90
PID 5064 wrote to memory of 3388	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	90
PID 5064 wrote to memory of 3388	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	90
PID 5064 wrote to memory of 1380	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	91
PID 5064 wrote to memory of 1380	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	91
PID 5064 wrote to memory of 1380	5064	{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe	91
PID 3388 wrote to memory of 1984	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	92
PID 3388 wrote to memory of 1984	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	92
PID 3388 wrote to memory of 1984	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	92
PID 3388 wrote to memory of 1132	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	93
PID 3388 wrote to memory of 1132	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	93
PID 3388 wrote to memory of 1132	3388	{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe	93
PID 1984 wrote to memory of 2936	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	94
PID 1984 wrote to memory of 2936	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	94
PID 1984 wrote to memory of 2936	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	94
PID 1984 wrote to memory of 4792	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	95
PID 1984 wrote to memory of 4792	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	95
PID 1984 wrote to memory of 4792	1984	{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe	95
PID 2936 wrote to memory of 3732	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	96
PID 2936 wrote to memory of 3732	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	96
PID 2936 wrote to memory of 3732	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	96
PID 2936 wrote to memory of 3592	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	97
PID 2936 wrote to memory of 3592	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	97
PID 2936 wrote to memory of 3592	2936	{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe	97
PID 3732 wrote to memory of 1644	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	98
PID 3732 wrote to memory of 1644	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	98
PID 3732 wrote to memory of 1644	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	98
PID 3732 wrote to memory of 4208	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	99
PID 3732 wrote to memory of 4208	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	99
PID 3732 wrote to memory of 4208	3732	{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe	99
PID 1644 wrote to memory of 2636	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	100
PID 1644 wrote to memory of 2636	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	100
PID 1644 wrote to memory of 2636	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	100
PID 1644 wrote to memory of 1972	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	101
PID 1644 wrote to memory of 1972	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	101
PID 1644 wrote to memory of 1972	1644	{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe	101
PID 2636 wrote to memory of 2572	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe	103
PID 2636 wrote to memory of 2572	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe	103
PID 2636 wrote to memory of 2572	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe	103
PID 2636 wrote to memory of 3872	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe	102
PID 2636 wrote to memory of 3872	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe	102
PID 2636 wrote to memory of 3872	2636	{CFA76BA1-E035-4969-9828-652DD267E655}.exe	102
PID 2572 wrote to memory of 3536	2572	{902A74CE-8563-495f-BA15-3205E6414661}.exe	104
PID 2572 wrote to memory of 3536	2572	{902A74CE-8563-495f-BA15-3205E6414661}.exe	104
PID 2572 wrote to memory of 3536	2572	{902A74CE-8563-495f-BA15-3205E6414661}.exe	104
PID 2572 wrote to memory of 2204	2572	{902A74CE-8563-495f-BA15-3205E6414661}.exe	105

C:\Users\Admin\AppData\Local\Temp\2e04f19d8bf75bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2e04f19d8bf75bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe
  C:\Windows\{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
    C:\Windows\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
      C:\Windows\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
        
        C:\Windows\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
        
        C:\Windows\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
        
        C:\Windows\{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
        
        C:\Windows\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
        
        C:\Windows\{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{CFA76BA1-E035-4969-9828-652DD267E655}.exe
        
        C:\Windows\{CFA76BA1-E035-4969-9828-652DD267E655}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFA76~1.EXE > nul
        11⤵
        
        PID:3872
        
        C:\Windows\{902A74CE-8563-495f-BA15-3205E6414661}.exe
        
        C:\Windows\{902A74CE-8563-495f-BA15-3205E6414661}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe
        
        C:\Windows\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe
        
        C:\Windows\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C915~1.EXE > nul
        13⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{902A7~1.EXE > nul
        12⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEDC9~1.EXE > nul
        10⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F5C~1.EXE > nul
        9⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{083C0~1.EXE > nul
        8⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B37F5~1.EXE > nul
        7⤵
        
        PID:4792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF568~1.EXE > nul
        6⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF4DA~1.EXE > nul
        5⤵
        
        PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B0A77~1.EXE > nul
      4⤵
      PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A887~1.EXE > nul
    3⤵
    PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E04F1~1.EXE > nul
  2⤵
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe

Filesize
204KB

MD5
dbfdd3f12016d805ac1a8d48a267c7f4

SHA1
884c416adab8262b8833b1b9df5676273a8b96fa

SHA256
3d299968a5f369764f5f365760939506a73141c5e8c025f01260edc95b14f186

SHA512
242dd010913c1493f88ccc1d1a5c187d28be47d991ddc70d7e91029b51439e41b2b97ca2dfc8f8cc07d6f2814a0f7c876a896dfe26617bdb16eda55b7a078299

Download Submit
C:\Windows\{083C02AE-8E77-4567-AE34-270D1CA4F76C}.exe

Filesize
204KB

MD5
dbfdd3f12016d805ac1a8d48a267c7f4

SHA1
884c416adab8262b8833b1b9df5676273a8b96fa

SHA256
3d299968a5f369764f5f365760939506a73141c5e8c025f01260edc95b14f186

SHA512
242dd010913c1493f88ccc1d1a5c187d28be47d991ddc70d7e91029b51439e41b2b97ca2dfc8f8cc07d6f2814a0f7c876a896dfe26617bdb16eda55b7a078299

Download Submit
C:\Windows\{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe

Filesize
204KB

MD5
dec4f70c5536a808c9dbd8a7ad3864ed

SHA1
2af5da195a9dec0be67b22ddef25b41e0ef2d25f

SHA256
688111c29b4acb8fe3c81b526a8691928dbd353ab1508b5566906c9398caa4c5

SHA512
8fbe70f291b2e47eb31ae298b7ccf202dba4cb62801e5652293559e5d6ed015b7964cd7b18a7efddbf8a81636c71bcbd2493e7bf8c928b6f46ea2bede79e3e02

Download Submit
C:\Windows\{2A8873AA-3784-4a14-B047-3F299BF67AED}.exe

Filesize
204KB

MD5
dec4f70c5536a808c9dbd8a7ad3864ed

SHA1
2af5da195a9dec0be67b22ddef25b41e0ef2d25f

SHA256
688111c29b4acb8fe3c81b526a8691928dbd353ab1508b5566906c9398caa4c5

SHA512
8fbe70f291b2e47eb31ae298b7ccf202dba4cb62801e5652293559e5d6ed015b7964cd7b18a7efddbf8a81636c71bcbd2493e7bf8c928b6f46ea2bede79e3e02

Download Submit
C:\Windows\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe

Filesize
204KB

MD5
5ae877290e4334d033f9fbdb4de5ce94

SHA1
76f7da24b7f0dcc72c6c8d69224c9a5adc8f9864

SHA256
5e79a564e1ebdd016a52a7384bafeae6fb07ce5a83a01b2a9de8c8d7c0fd57a6

SHA512
903950a1fcff2dd1a7f7939644a38f5115f3229f480394925c93738951a75bf52b1f8715821297c4acd406eb11983585b9d7e16277d196a74e68fc862cf4a95e

Download Submit
C:\Windows\{42A8D31F-3145-40f1-8C1B-B3C696EFD86A}.exe

Filesize
204KB

MD5
5ae877290e4334d033f9fbdb4de5ce94

SHA1
76f7da24b7f0dcc72c6c8d69224c9a5adc8f9864

SHA256
5e79a564e1ebdd016a52a7384bafeae6fb07ce5a83a01b2a9de8c8d7c0fd57a6

SHA512
903950a1fcff2dd1a7f7939644a38f5115f3229f480394925c93738951a75bf52b1f8715821297c4acd406eb11983585b9d7e16277d196a74e68fc862cf4a95e

Download Submit
C:\Windows\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe

Filesize
204KB

MD5
5080a6f9ba5faf010796945471d517d5

SHA1
596b49a01423da4bbb78a196b37d2072ab96df52

SHA256
ffa196b5eedfe1000d8f8674470e4b440e39b704a307001f07cd8f7f04c82ef7

SHA512
a56a4b095b7c00d77680657d7fdbdf885555943113274dc14dc99c7765665715e23d9e9614673ac09bb3f4c9797c59faa38463c9d26750beccee42ee9139e494

Download Submit
C:\Windows\{44F5CB42-2D80-4b9d-94DB-43490C4BF149}.exe

Filesize
204KB

MD5
5080a6f9ba5faf010796945471d517d5

SHA1
596b49a01423da4bbb78a196b37d2072ab96df52

SHA256
ffa196b5eedfe1000d8f8674470e4b440e39b704a307001f07cd8f7f04c82ef7

SHA512
a56a4b095b7c00d77680657d7fdbdf885555943113274dc14dc99c7765665715e23d9e9614673ac09bb3f4c9797c59faa38463c9d26750beccee42ee9139e494

Download Submit
C:\Windows\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe

Filesize
204KB

MD5
e91577181825bf90dc6d71b6ae983d55

SHA1
a93cc8068de8fd269651463ae063fd0e78a347b8

SHA256
9e2b442c3fa19af8e46c85eba33c8c19197958017be3a40a26d98030edc0a8cd

SHA512
c3274b0d577c5c7b316b909b0241b878296ace081b7a58c0dc8aa7b684c686acceb82419e20dbad36bafe729a7067a3dace87f5cd4997c852a84215e09e6f217

Download Submit
C:\Windows\{4C915DF8-1DFB-41b7-8D10-F62D7103662A}.exe

Filesize
204KB

MD5
e91577181825bf90dc6d71b6ae983d55

SHA1
a93cc8068de8fd269651463ae063fd0e78a347b8

SHA256
9e2b442c3fa19af8e46c85eba33c8c19197958017be3a40a26d98030edc0a8cd

SHA512
c3274b0d577c5c7b316b909b0241b878296ace081b7a58c0dc8aa7b684c686acceb82419e20dbad36bafe729a7067a3dace87f5cd4997c852a84215e09e6f217

Download Submit
C:\Windows\{902A74CE-8563-495f-BA15-3205E6414661}.exe

Filesize
204KB

MD5
08882667e7cbc3673c070b9f90366d42

SHA1
8e14c15d8dabdf221f169ca36c88504f98ecd51d

SHA256
ed6d9d273d7d20635e323e06df5506fe3505d9c98171c2865e700bc5da0bf0b0

SHA512
c45650253657ae38a765589a2ea27fcb76ef079f0c4a66e39f1cee8d58d40a341ce8970926fbff64f41ad7784e3468ed86e5b0e604c66472ee7b24f9259f3064

Download Submit
C:\Windows\{902A74CE-8563-495f-BA15-3205E6414661}.exe

Filesize
204KB

MD5
08882667e7cbc3673c070b9f90366d42

SHA1
8e14c15d8dabdf221f169ca36c88504f98ecd51d

SHA256
ed6d9d273d7d20635e323e06df5506fe3505d9c98171c2865e700bc5da0bf0b0

SHA512
c45650253657ae38a765589a2ea27fcb76ef079f0c4a66e39f1cee8d58d40a341ce8970926fbff64f41ad7784e3468ed86e5b0e604c66472ee7b24f9259f3064

Download Submit
C:\Windows\{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe

Filesize
204KB

MD5
74773008266ae528c5d0c86996fd157c

SHA1
fcbb051a316b200e653499eb1c1f68deb42d7473

SHA256
53fe09699cb8a57ae80991e1d2e24727285c21cbe8849263f2853ba04274cf6c

SHA512
1777fe92493bf0f0b342b5b90f1a5fdaa98e8f9b4a3e8ca3fb0d8adf82e34b4f0dff859b020cb4b14cd34524ecd1aba0b7408b78175f51b411392863bdcca801

Download Submit
C:\Windows\{AEDC9300-F68B-4452-8B70-AB416B79AB33}.exe

Filesize
204KB

MD5
74773008266ae528c5d0c86996fd157c

SHA1
fcbb051a316b200e653499eb1c1f68deb42d7473

SHA256
53fe09699cb8a57ae80991e1d2e24727285c21cbe8849263f2853ba04274cf6c

SHA512
1777fe92493bf0f0b342b5b90f1a5fdaa98e8f9b4a3e8ca3fb0d8adf82e34b4f0dff859b020cb4b14cd34524ecd1aba0b7408b78175f51b411392863bdcca801

Download Submit
C:\Windows\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe

Filesize
204KB

MD5
d168fd7a657ac0188160287167575d68

SHA1
72d00ba810b4d7103ed82e63293c3fd929f2dfff

SHA256
50ac626068aa5f1645bb6ace75030686a9fb7f66532e36f0aff9e5c0d62135e5

SHA512
d682c0fa5c5afe8ea0a41c1b7c993a26e6db9ecad63b4f1c099bb6c85c09470f14d15bb36a50cb342df0449eda4d16cb3ac17ba199f15fe2525883c95ea9ae24

Download Submit
C:\Windows\{AF568BFC-CD1A-4ea5-8EF4-D3EF22441E09}.exe

Filesize
204KB

MD5
d168fd7a657ac0188160287167575d68

SHA1
72d00ba810b4d7103ed82e63293c3fd929f2dfff

SHA256
50ac626068aa5f1645bb6ace75030686a9fb7f66532e36f0aff9e5c0d62135e5

SHA512
d682c0fa5c5afe8ea0a41c1b7c993a26e6db9ecad63b4f1c099bb6c85c09470f14d15bb36a50cb342df0449eda4d16cb3ac17ba199f15fe2525883c95ea9ae24

Download Submit
C:\Windows\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe

Filesize
204KB

MD5
655dbd13b044392005ad73a0dae5a8de

SHA1
f8d91611aaab12e10f48e4fe79c6c814399e7270

SHA256
0f9eb497ea93447214aa844dac715c57c932a441a5a72612e48d6bf2e0d21512

SHA512
b1b9326e76f255b0154c252b28a4e55f3598ebeac82e6495e111d1fed5b895c43417e5d987fac398f49d095bfe4faedacd7f1729139e7fb52937d9202d045183

Download Submit
C:\Windows\{B0A77C67-99CA-43d9-8FC2-0C10868F5535}.exe

Filesize
204KB

MD5
655dbd13b044392005ad73a0dae5a8de

SHA1
f8d91611aaab12e10f48e4fe79c6c814399e7270

SHA256
0f9eb497ea93447214aa844dac715c57c932a441a5a72612e48d6bf2e0d21512

SHA512
b1b9326e76f255b0154c252b28a4e55f3598ebeac82e6495e111d1fed5b895c43417e5d987fac398f49d095bfe4faedacd7f1729139e7fb52937d9202d045183

Download Submit
C:\Windows\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe

Filesize
204KB

MD5
04768d4016230df046ae8309ccd10ca1

SHA1
a4e92cefaadbcc0888f31af26e65aa378e4c5dfc

SHA256
21c2350467b27e8862a660b1be2482511629eadeb0f259e990f8434911482c5c

SHA512
619c3d4ee4fafa2b0eb74bacad346790d37ddc1d7b4e52672c7eb1605c3c238a4da42288767036ed8b099e5a3e6fc101fc22efb081c05de8fde4f42a7efd02b8

Download Submit
C:\Windows\{B37F5B09-AD38-4547-AD25-BAE8BEF8AA33}.exe

Filesize
204KB

MD5
04768d4016230df046ae8309ccd10ca1

SHA1
a4e92cefaadbcc0888f31af26e65aa378e4c5dfc

SHA256
21c2350467b27e8862a660b1be2482511629eadeb0f259e990f8434911482c5c

SHA512
619c3d4ee4fafa2b0eb74bacad346790d37ddc1d7b4e52672c7eb1605c3c238a4da42288767036ed8b099e5a3e6fc101fc22efb081c05de8fde4f42a7efd02b8

Download Submit
C:\Windows\{CFA76BA1-E035-4969-9828-652DD267E655}.exe

Filesize
204KB

MD5
a618ba2d86b30143b5cd834c9151973f

SHA1
7b7f18e2bfb2799aeca420903935da54412b15cf

SHA256
7c84285ffc3fbc368f94955229b4a7057bd1a9c86e0037df23c0856933db90a5

SHA512
6a5681c132eef478eb1682502d6d23dc61756b76391f97248f821e2ffc0fbaacbe11c992a04383f2152ef8fb8a7806fda64a72451240765599272039f2d74ed6

Download Submit
C:\Windows\{CFA76BA1-E035-4969-9828-652DD267E655}.exe

Filesize
204KB

MD5
a618ba2d86b30143b5cd834c9151973f

SHA1
7b7f18e2bfb2799aeca420903935da54412b15cf

SHA256
7c84285ffc3fbc368f94955229b4a7057bd1a9c86e0037df23c0856933db90a5

SHA512
6a5681c132eef478eb1682502d6d23dc61756b76391f97248f821e2ffc0fbaacbe11c992a04383f2152ef8fb8a7806fda64a72451240765599272039f2d74ed6

Download Submit
C:\Windows\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe

Filesize
204KB

MD5
138da2b2f14d632630e7a5d6df64f711

SHA1
bb551c10527de7328a7bcddc0c450e900212ec99

SHA256
f2931b2e4110edef2a34825498916f2fdf1c7006818458c6345d1378d6d96c09

SHA512
ce9dca362ea55f8cd686b6681942e27f8c40a4c745c961bbcd12045fef519d27d548d9401d2809616214fbbf0735e967c9be8d90b8ac305ebc89880d9963dbf5

Download Submit
C:\Windows\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe

Filesize
204KB

MD5
138da2b2f14d632630e7a5d6df64f711

SHA1
bb551c10527de7328a7bcddc0c450e900212ec99

SHA256
f2931b2e4110edef2a34825498916f2fdf1c7006818458c6345d1378d6d96c09

SHA512
ce9dca362ea55f8cd686b6681942e27f8c40a4c745c961bbcd12045fef519d27d548d9401d2809616214fbbf0735e967c9be8d90b8ac305ebc89880d9963dbf5

Download Submit
C:\Windows\{DF4DAF9F-F2B2-458e-B068-FDD432C548AD}.exe

Filesize
204KB

MD5
138da2b2f14d632630e7a5d6df64f711

SHA1
bb551c10527de7328a7bcddc0c450e900212ec99

SHA256
f2931b2e4110edef2a34825498916f2fdf1c7006818458c6345d1378d6d96c09

SHA512
ce9dca362ea55f8cd686b6681942e27f8c40a4c745c961bbcd12045fef519d27d548d9401d2809616214fbbf0735e967c9be8d90b8ac305ebc89880d9963dbf5

Download Submit