4004871d42c681ae88a2ea2c4407905476fdceae4058703cf2640bc0bcf2ae9b

Analysis

max time kernel
144s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337f075f6d785aexeexeexeex.exe
Size

408KB
MD5

337f075f6d785a27edead596bdc36cbf
SHA1

e5124aea62a2ffcb22b68ebc8f33c34770b9ecff
SHA256

4004871d42c681ae88a2ea2c4407905476fdceae4058703cf2640bc0bcf2ae9b
SHA512

1bf67547c7bcacfa773f12acff64df9b454cbe0ae41d8eae43849d5d04304a9f7f488872901b6a23681594ca0fd85f82c68aed302c1c8c2b5db070058d899bce
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGxldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}	337f075f6d785aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F88392B-EC67-4601-838B-17CC6A62A3F6}\stubpath = "C:\\Windows\\{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe"	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}\stubpath = "C:\\Windows\\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe"	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}\stubpath = "C:\\Windows\\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe"	337f075f6d785aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F88392B-EC67-4601-838B-17CC6A62A3F6}	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}\stubpath = "C:\\Windows\\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe"	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}\stubpath = "C:\\Windows\\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe"	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DE89308-1765-4521-8CC7-64B7C30AF42F}	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}\stubpath = "C:\\Windows\\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe"	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}\stubpath = "C:\\Windows\\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe"	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DE89308-1765-4521-8CC7-64B7C30AF42F}\stubpath = "C:\\Windows\\{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe"	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}\stubpath = "C:\\Windows\\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe"	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}\stubpath = "C:\\Windows\\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe"	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}\stubpath = "C:\\Windows\\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe"	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe
3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
4408	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe
2572	{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	337f075f6d785aexeexeexeex.exe
File created	C:\Windows\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
File created	C:\Windows\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
File created	C:\Windows\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
File created	C:\Windows\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
File created	C:\Windows\{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe
File created	C:\Windows\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
File created	C:\Windows\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
File created	C:\Windows\{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
File created	C:\Windows\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
File created	C:\Windows\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	704	337f075f6d785aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
Token: SeIncBasePriorityPrivilege	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
Token: SeIncBasePriorityPrivilege	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
Token: SeIncBasePriorityPrivilege	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
Token: SeIncBasePriorityPrivilege	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
Token: SeIncBasePriorityPrivilege	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
Token: SeIncBasePriorityPrivilege	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
Token: SeIncBasePriorityPrivilege	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe
Token: SeIncBasePriorityPrivilege	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
Token: SeIncBasePriorityPrivilege	4408	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 2212	704	337f075f6d785aexeexeexeex.exe	83
PID 704 wrote to memory of 2212	704	337f075f6d785aexeexeexeex.exe	83
PID 704 wrote to memory of 2212	704	337f075f6d785aexeexeexeex.exe	83
PID 704 wrote to memory of 2624	704	337f075f6d785aexeexeexeex.exe	84
PID 704 wrote to memory of 2624	704	337f075f6d785aexeexeexeex.exe	84
PID 704 wrote to memory of 2624	704	337f075f6d785aexeexeexeex.exe	84
PID 2212 wrote to memory of 1908	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	85
PID 2212 wrote to memory of 1908	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	85
PID 2212 wrote to memory of 1908	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	85
PID 2212 wrote to memory of 3428	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	86
PID 2212 wrote to memory of 3428	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	86
PID 2212 wrote to memory of 3428	2212	{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe	86
PID 1908 wrote to memory of 3024	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	89
PID 1908 wrote to memory of 3024	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	89
PID 1908 wrote to memory of 3024	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	89
PID 1908 wrote to memory of 2896	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	88
PID 1908 wrote to memory of 2896	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	88
PID 1908 wrote to memory of 2896	1908	{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe	88
PID 3024 wrote to memory of 1688	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	90
PID 3024 wrote to memory of 1688	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	90
PID 3024 wrote to memory of 1688	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	90
PID 3024 wrote to memory of 3404	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	91
PID 3024 wrote to memory of 3404	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	91
PID 3024 wrote to memory of 3404	3024	{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe	91
PID 1688 wrote to memory of 2236	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	92
PID 1688 wrote to memory of 2236	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	92
PID 1688 wrote to memory of 2236	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	92
PID 1688 wrote to memory of 2976	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	93
PID 1688 wrote to memory of 2976	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	93
PID 1688 wrote to memory of 2976	1688	{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe	93
PID 2236 wrote to memory of 3992	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	94
PID 2236 wrote to memory of 3992	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	94
PID 2236 wrote to memory of 3992	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	94
PID 2236 wrote to memory of 224	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	95
PID 2236 wrote to memory of 224	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	95
PID 2236 wrote to memory of 224	2236	{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe	95
PID 3992 wrote to memory of 2204	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	96
PID 3992 wrote to memory of 2204	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	96
PID 3992 wrote to memory of 2204	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	96
PID 3992 wrote to memory of 1992	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	97
PID 3992 wrote to memory of 1992	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	97
PID 3992 wrote to memory of 1992	3992	{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe	97
PID 2204 wrote to memory of 2832	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	98
PID 2204 wrote to memory of 2832	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	98
PID 2204 wrote to memory of 2832	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	98
PID 2204 wrote to memory of 712	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	99
PID 2204 wrote to memory of 712	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	99
PID 2204 wrote to memory of 712	2204	{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe	99
PID 2832 wrote to memory of 3356	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	100
PID 2832 wrote to memory of 3356	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	100
PID 2832 wrote to memory of 3356	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	100
PID 2832 wrote to memory of 388	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	101
PID 2832 wrote to memory of 388	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	101
PID 2832 wrote to memory of 388	2832	{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe	101
PID 3356 wrote to memory of 4408	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	102
PID 3356 wrote to memory of 4408	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	102
PID 3356 wrote to memory of 4408	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	102
PID 3356 wrote to memory of 2620	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	103
PID 3356 wrote to memory of 2620	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	103
PID 3356 wrote to memory of 2620	3356	{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe	103
PID 4408 wrote to memory of 2572	4408	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe	104
PID 4408 wrote to memory of 2572	4408	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe	104
PID 4408 wrote to memory of 2572	4408	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe	104
PID 4408 wrote to memory of 900	4408	{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe	105

C:\Users\Admin\AppData\Local\Temp\337f075f6d785aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\337f075f6d785aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704
- C:\Windows\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
  C:\Windows\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
    C:\Windows\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B821~1.EXE > nul
      4⤵
      PID:2896
  - - C:\Windows\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
      C:\Windows\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
        
        C:\Windows\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
        
        C:\Windows\{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
        
        C:\Windows\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
        
        C:\Windows\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe
        
        C:\Windows\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
        
        C:\Windows\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe
        
        C:\Windows\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe
        
        C:\Windows\{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB637~1.EXE > nul
        12⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB99E~1.EXE > nul
        11⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EEC3~1.EXE > nul
        10⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D5E~1.EXE > nul
        9⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01A02~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F883~1.EXE > nul
        7⤵
        
        PID:224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F028D~1.EXE > nul
        6⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB4AC~1.EXE > nul
        5⤵
        
        PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2FC9~1.EXE > nul
    3⤵
    PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\337F07~1.EXE > nul
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe

Filesize
408KB

MD5
c15a4e2bccf4e9a8e19c7c77689fadc2

SHA1
d5f889883fe64d0ef70b5c85c1e00af33b27b212

SHA256
70a4ad0bd77f02deb51bb2220946e792f2c7917fe3828d3fb022128a172761b3

SHA512
cb4c0a234eac44b82610acecc237191014913961bb8cd04341d09ab57445c055362495ba9d64f3a2c11abfc7c4d1ae445df3cd1abc121e5854db1b6f57bb0c4a

Download Submit
C:\Windows\{01A021BC-C2FB-4cf4-BAFC-9938423942E6}.exe

Filesize
408KB

MD5
c15a4e2bccf4e9a8e19c7c77689fadc2

SHA1
d5f889883fe64d0ef70b5c85c1e00af33b27b212

SHA256
70a4ad0bd77f02deb51bb2220946e792f2c7917fe3828d3fb022128a172761b3

SHA512
cb4c0a234eac44b82610acecc237191014913961bb8cd04341d09ab57445c055362495ba9d64f3a2c11abfc7c4d1ae445df3cd1abc121e5854db1b6f57bb0c4a

Download Submit
C:\Windows\{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe

Filesize
408KB

MD5
ea46bf12ed29c982d507ac43bf6097a4

SHA1
27ebabe147e98f4430f28bd945bd419b782baf7e

SHA256
d8f89d4065f43379d960a3aae3da1943cfe1c83ec7ab487b4ff7643e2bb59b66

SHA512
e581e6195ebef6c7a5f6ed65fa4d5c8136b44266322dc280fdc078edbd6f21bfac7cd4e28a34a67de3b73f9e798e1be75b5ccb3c9d0de449860817679d00fe27

Download Submit
C:\Windows\{1DE89308-1765-4521-8CC7-64B7C30AF42F}.exe

Filesize
408KB

MD5
ea46bf12ed29c982d507ac43bf6097a4

SHA1
27ebabe147e98f4430f28bd945bd419b782baf7e

SHA256
d8f89d4065f43379d960a3aae3da1943cfe1c83ec7ab487b4ff7643e2bb59b66

SHA512
e581e6195ebef6c7a5f6ed65fa4d5c8136b44266322dc280fdc078edbd6f21bfac7cd4e28a34a67de3b73f9e798e1be75b5ccb3c9d0de449860817679d00fe27

Download Submit
C:\Windows\{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe

Filesize
408KB

MD5
642499d401c18384b3212a4fd1bd12c0

SHA1
25602ff2ccce77646e87d454d9bf29a99b6b9d40

SHA256
f391fc90973889ef7ebb88ed18beb5fe381631ea18d15d5fe24b9cb774c179e3

SHA512
0c39d4028db82f6827306dacb0e0baa1a87c4bc407cdee0140ebf24aa039cdb9c3e354f381f0b88ff26b6cbd5b288cc9c4aa023da6f6b7eb838d29499054c787

Download Submit
C:\Windows\{2F88392B-EC67-4601-838B-17CC6A62A3F6}.exe

Filesize
408KB

MD5
642499d401c18384b3212a4fd1bd12c0

SHA1
25602ff2ccce77646e87d454d9bf29a99b6b9d40

SHA256
f391fc90973889ef7ebb88ed18beb5fe381631ea18d15d5fe24b9cb774c179e3

SHA512
0c39d4028db82f6827306dacb0e0baa1a87c4bc407cdee0140ebf24aa039cdb9c3e354f381f0b88ff26b6cbd5b288cc9c4aa023da6f6b7eb838d29499054c787

Download Submit
C:\Windows\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe

Filesize
408KB

MD5
f27d3153d3fed358ba958824f1522e3e

SHA1
4f6c13d30e7029014efe0492ffcb92e4e27b06ad

SHA256
ce64975cca44a57dc9aaab85cc6327e5b2dd6ee91c76f207b005800054562405

SHA512
4bdebf86e635d2ad2d4b4adb3dff265c39f899359d86fbd6cbc9d959b7d8250bcc66c1ef0e19beb59fa40bd8c00ccb94125f474401f6528ceba9813e7683aed8

Download Submit
C:\Windows\{4B821A4A-8A2F-4aa8-84B1-165DFD3DECE5}.exe

Filesize
408KB

MD5
f27d3153d3fed358ba958824f1522e3e

SHA1
4f6c13d30e7029014efe0492ffcb92e4e27b06ad

SHA256
ce64975cca44a57dc9aaab85cc6327e5b2dd6ee91c76f207b005800054562405

SHA512
4bdebf86e635d2ad2d4b4adb3dff265c39f899359d86fbd6cbc9d959b7d8250bcc66c1ef0e19beb59fa40bd8c00ccb94125f474401f6528ceba9813e7683aed8

Download Submit
C:\Windows\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe

Filesize
408KB

MD5
98c1f710ac8e92d5f98bf0fc18d84473

SHA1
8ff22b88e8bf37ce2a47b89848ce1ef4afeb2fb9

SHA256
fd8380b65ed515ca6fb798970dbba6e1267a23a9f33438189b862cd5018ea6a2

SHA512
f15b47bf14ec75584641d355847f8eb2b170323e2020f8b7291bef59cecc4e95cdf9a83c266c262af713dd2b69f318da4b0cdcb46df085f5a45b2162c2f9dcb3

Download Submit
C:\Windows\{5EEC3FB5-B9D2-4847-9FC7-1782DAE06F98}.exe

Filesize
408KB

MD5
98c1f710ac8e92d5f98bf0fc18d84473

SHA1
8ff22b88e8bf37ce2a47b89848ce1ef4afeb2fb9

SHA256
fd8380b65ed515ca6fb798970dbba6e1267a23a9f33438189b862cd5018ea6a2

SHA512
f15b47bf14ec75584641d355847f8eb2b170323e2020f8b7291bef59cecc4e95cdf9a83c266c262af713dd2b69f318da4b0cdcb46df085f5a45b2162c2f9dcb3

Download Submit
C:\Windows\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe

Filesize
408KB

MD5
1e0fad2d8b0c51aa1d1da4d442a6dfb7

SHA1
970ffab950c532fe02e6ac6191d4bd82ac85c82e

SHA256
65e6abf98005e75a4c2c557af99cd5f6f31663bb450ae3b67bdc364266bfcca5

SHA512
f88018cb0e2d1e35aad4c6a0dec85eb7d31b04ed52b169d18d56107125000b0daf6325a4086fc6487579b1f06cf0f3bc4270054ff2d8bebf5b60d44149639b9c

Download Submit
C:\Windows\{A0D5E6FA-2C92-4875-98EB-6FF32FA1D751}.exe

Filesize
408KB

MD5
1e0fad2d8b0c51aa1d1da4d442a6dfb7

SHA1
970ffab950c532fe02e6ac6191d4bd82ac85c82e

SHA256
65e6abf98005e75a4c2c557af99cd5f6f31663bb450ae3b67bdc364266bfcca5

SHA512
f88018cb0e2d1e35aad4c6a0dec85eb7d31b04ed52b169d18d56107125000b0daf6325a4086fc6487579b1f06cf0f3bc4270054ff2d8bebf5b60d44149639b9c

Download Submit
C:\Windows\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe

Filesize
408KB

MD5
6fa22075b94ab8cd7bba0f02fd294f76

SHA1
1577877b9d7ee482e1befd2ba6ae4f5013d1e967

SHA256
daab776607731b17c549e36d5685aa7a4c3668ed27647dc08b70d6b8d4186017

SHA512
fd92f8fb8fbbe94c78c15eded43bb54bda390955ed4af6433b0d6cedd77c79843929db2e555fb8319b0cafcd3b202b16b4c4bde961af985460bf21e68f33c1bb

Download Submit
C:\Windows\{B2FC92F1-6E0F-4a96-B09A-FDF9EAB557C0}.exe

Filesize
408KB

MD5
6fa22075b94ab8cd7bba0f02fd294f76

SHA1
1577877b9d7ee482e1befd2ba6ae4f5013d1e967

SHA256
daab776607731b17c549e36d5685aa7a4c3668ed27647dc08b70d6b8d4186017

SHA512
fd92f8fb8fbbe94c78c15eded43bb54bda390955ed4af6433b0d6cedd77c79843929db2e555fb8319b0cafcd3b202b16b4c4bde961af985460bf21e68f33c1bb

Download Submit
C:\Windows\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe

Filesize
408KB

MD5
dcbc1d3778eec0146f3949007affe3e0

SHA1
b13d3f4bdff57002b05e747d1a82b2a935309b47

SHA256
6e22e52ee66de7732950220eba31798387c9c5573436f86de6153118371adecc

SHA512
2ffd1a2cd2d172f8ebbfcd5c8274338619b44680806c381e9f929d8bf37365ae112f5d5c72cfdad99b0ff1be0008941722af9ea9ac236a9a8f4358357a73453b

Download Submit
C:\Windows\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe

Filesize
408KB

MD5
dcbc1d3778eec0146f3949007affe3e0

SHA1
b13d3f4bdff57002b05e747d1a82b2a935309b47

SHA256
6e22e52ee66de7732950220eba31798387c9c5573436f86de6153118371adecc

SHA512
2ffd1a2cd2d172f8ebbfcd5c8274338619b44680806c381e9f929d8bf37365ae112f5d5c72cfdad99b0ff1be0008941722af9ea9ac236a9a8f4358357a73453b

Download Submit
C:\Windows\{BB4AC0B5-71F9-4446-91ED-BB3B859C0A4E}.exe

Filesize
408KB

MD5
dcbc1d3778eec0146f3949007affe3e0

SHA1
b13d3f4bdff57002b05e747d1a82b2a935309b47

SHA256
6e22e52ee66de7732950220eba31798387c9c5573436f86de6153118371adecc

SHA512
2ffd1a2cd2d172f8ebbfcd5c8274338619b44680806c381e9f929d8bf37365ae112f5d5c72cfdad99b0ff1be0008941722af9ea9ac236a9a8f4358357a73453b

Download Submit
C:\Windows\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe

Filesize
408KB

MD5
55cc5076a2c6b5999fabf8f84d2f26e2

SHA1
5db540940393de728f190e520c5852612d0cbe09

SHA256
108336a5dbc1e43d63abfe6a0ded5b3a0a8603a2b4995446ae18ecd9d0130b88

SHA512
7d99ffcd066cfd41a088066c0c8257f65411d26c86cc23bd37ed90f037aa5638a4831bbc8fc91299f738fbadcddae0006bc4a48a4474cf4408f31daefab6e0a8

Download Submit
C:\Windows\{DB637761-1E26-49bb-91C3-E3C0CF4E1FA0}.exe

Filesize
408KB

MD5
55cc5076a2c6b5999fabf8f84d2f26e2

SHA1
5db540940393de728f190e520c5852612d0cbe09

SHA256
108336a5dbc1e43d63abfe6a0ded5b3a0a8603a2b4995446ae18ecd9d0130b88

SHA512
7d99ffcd066cfd41a088066c0c8257f65411d26c86cc23bd37ed90f037aa5638a4831bbc8fc91299f738fbadcddae0006bc4a48a4474cf4408f31daefab6e0a8

Download Submit
C:\Windows\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe

Filesize
408KB

MD5
2e99fa9f84f911a37dfd2b02c07721e7

SHA1
a0ece292808f859838fc082e42980f4703908bd2

SHA256
52ef4ffcef4931a0b30f600ee12a216f0991ea26db57ec7d84a0dc38d6beb9c0

SHA512
ce16d5263462c6cd5796cccdf587c273de21798c3a4bd0b9bd302f28924274b452177201cb03804fe10e0d49c509c7f0dea74f86c454799174779910c06b6691

Download Submit
C:\Windows\{DB99EFA5-F2E6-4d7f-BED1-CF26A3710E6E}.exe

Filesize
408KB

MD5
2e99fa9f84f911a37dfd2b02c07721e7

SHA1
a0ece292808f859838fc082e42980f4703908bd2

SHA256
52ef4ffcef4931a0b30f600ee12a216f0991ea26db57ec7d84a0dc38d6beb9c0

SHA512
ce16d5263462c6cd5796cccdf587c273de21798c3a4bd0b9bd302f28924274b452177201cb03804fe10e0d49c509c7f0dea74f86c454799174779910c06b6691

Download Submit
C:\Windows\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe

Filesize
408KB

MD5
92592dd86596d72d01b52eb18bcabbd7

SHA1
faf1537a650703037946c694fe47bf9a813e9b45

SHA256
7db2e0e19c45496d24d2b09f0cca486faa3455958608000d0ac67646e8e3ac2c

SHA512
552746b13d9cbacbf1dfafc8ac5437437a1d1816ae869c2bdc92ac3d3b6894cfb217b097392e3034d3976fde6b036d0797bff2fa43e8d45a418d63237ba463c9

Download Submit
C:\Windows\{F028DEA6-41D4-425e-9CC4-8D53F5F073CC}.exe

Filesize
408KB

MD5
92592dd86596d72d01b52eb18bcabbd7

SHA1
faf1537a650703037946c694fe47bf9a813e9b45

SHA256
7db2e0e19c45496d24d2b09f0cca486faa3455958608000d0ac67646e8e3ac2c

SHA512
552746b13d9cbacbf1dfafc8ac5437437a1d1816ae869c2bdc92ac3d3b6894cfb217b097392e3034d3976fde6b036d0797bff2fa43e8d45a418d63237ba463c9

Download Submit