de5c5ecad6a001aabddc85163b35925db1a7221d79c897e874c3f36fc5f7d25d

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

768b36364ea2f5exeexeexeex.exe
Size

204KB
MD5

768b36364ea2f5a1b8c089329b53d6dd
SHA1

50288aa2cd6e0a7c4ecccaea70e451ecb3013e2a
SHA256

de5c5ecad6a001aabddc85163b35925db1a7221d79c897e874c3f36fc5f7d25d
SHA512

35f91a6d13f5126ed74ccb7d53ec0255864bad31259562a5e43f0c9ef085b8031cb6b50d350371d52c409128b48cb6108ef89d9ae6335d1ffa54d2091f4679d2
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}\stubpath = "C:\\Windows\\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe"	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C63AAB-58DB-455e-889F-246AFC821EBB}	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A0ED152-9367-466a-A423-2FF26AF209EC}	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C63AAB-58DB-455e-889F-246AFC821EBB}\stubpath = "C:\\Windows\\{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe"	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}\stubpath = "C:\\Windows\\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe"	{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2890FF78-E416-4236-9C6E-9FDEA4991944}\stubpath = "C:\\Windows\\{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe"	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}\stubpath = "C:\\Windows\\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe"	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD714C73-B6DA-48b2-9A16-07346186459F}	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26EEB816-7201-4321-B2CF-BA4A4C93761E}	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}\stubpath = "C:\\Windows\\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe"	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}	{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}	768b36364ea2f5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}\stubpath = "C:\\Windows\\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe"	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD714C73-B6DA-48b2-9A16-07346186459F}\stubpath = "C:\\Windows\\{DD714C73-B6DA-48b2-9A16-07346186459F}.exe"	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26EEB816-7201-4321-B2CF-BA4A4C93761E}\stubpath = "C:\\Windows\\{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe"	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2890FF78-E416-4236-9C6E-9FDEA4991944}	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19713E14-BB2A-4479-99F6-5A5D0542D592}	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}\stubpath = "C:\\Windows\\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe"	768b36364ea2f5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A0ED152-9367-466a-A423-2FF26AF209EC}\stubpath = "C:\\Windows\\{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe"	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19713E14-BB2A-4479-99F6-5A5D0542D592}\stubpath = "C:\\Windows\\{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe"	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe

Executes dropped EXE 12 IoCs

pid	Process
5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe
1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
5116	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe
912	{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe
3232	{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
File created	C:\Windows\{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
File created	C:\Windows\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	768b36364ea2f5exeexeexeex.exe
File created	C:\Windows\{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
File created	C:\Windows\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
File created	C:\Windows\{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
File created	C:\Windows\{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe
File created	C:\Windows\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe	{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe
File created	C:\Windows\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
File created	C:\Windows\{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
File created	C:\Windows\{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
File created	C:\Windows\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5052	768b36364ea2f5exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
Token: SeIncBasePriorityPrivilege	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
Token: SeIncBasePriorityPrivilege	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
Token: SeIncBasePriorityPrivilege	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
Token: SeIncBasePriorityPrivilege	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
Token: SeIncBasePriorityPrivilege	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
Token: SeIncBasePriorityPrivilege	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
Token: SeIncBasePriorityPrivilege	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe
Token: SeIncBasePriorityPrivilege	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
Token: SeIncBasePriorityPrivilege	5116	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe
Token: SeIncBasePriorityPrivilege	912	{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 5032	5052	768b36364ea2f5exeexeexeex.exe	84
PID 5052 wrote to memory of 5032	5052	768b36364ea2f5exeexeexeex.exe	84
PID 5052 wrote to memory of 5032	5052	768b36364ea2f5exeexeexeex.exe	84
PID 5052 wrote to memory of 4024	5052	768b36364ea2f5exeexeexeex.exe	85
PID 5052 wrote to memory of 4024	5052	768b36364ea2f5exeexeexeex.exe	85
PID 5052 wrote to memory of 4024	5052	768b36364ea2f5exeexeexeex.exe	85
PID 5032 wrote to memory of 1044	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	86
PID 5032 wrote to memory of 1044	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	86
PID 5032 wrote to memory of 1044	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	86
PID 5032 wrote to memory of 4680	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	87
PID 5032 wrote to memory of 4680	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	87
PID 5032 wrote to memory of 4680	5032	{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe	87
PID 1044 wrote to memory of 4604	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	91
PID 1044 wrote to memory of 4604	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	91
PID 1044 wrote to memory of 4604	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	91
PID 1044 wrote to memory of 1532	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	92
PID 1044 wrote to memory of 1532	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	92
PID 1044 wrote to memory of 1532	1044	{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe	92
PID 4604 wrote to memory of 1212	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	93
PID 4604 wrote to memory of 1212	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	93
PID 4604 wrote to memory of 1212	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	93
PID 4604 wrote to memory of 1784	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	94
PID 4604 wrote to memory of 1784	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	94
PID 4604 wrote to memory of 1784	4604	{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe	94
PID 1212 wrote to memory of 2328	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	95
PID 1212 wrote to memory of 2328	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	95
PID 1212 wrote to memory of 2328	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	95
PID 1212 wrote to memory of 4048	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	96
PID 1212 wrote to memory of 4048	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	96
PID 1212 wrote to memory of 4048	1212	{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe	96
PID 2328 wrote to memory of 2732	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	97
PID 2328 wrote to memory of 2732	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	97
PID 2328 wrote to memory of 2732	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	97
PID 2328 wrote to memory of 3700	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	98
PID 2328 wrote to memory of 3700	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	98
PID 2328 wrote to memory of 3700	2328	{DD714C73-B6DA-48b2-9A16-07346186459F}.exe	98
PID 2732 wrote to memory of 728	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	99
PID 2732 wrote to memory of 728	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	99
PID 2732 wrote to memory of 728	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	99
PID 2732 wrote to memory of 3876	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	100
PID 2732 wrote to memory of 3876	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	100
PID 2732 wrote to memory of 3876	2732	{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe	100
PID 728 wrote to memory of 1752	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	101
PID 728 wrote to memory of 1752	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	101
PID 728 wrote to memory of 1752	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	101
PID 728 wrote to memory of 3492	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	102
PID 728 wrote to memory of 3492	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	102
PID 728 wrote to memory of 3492	728	{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe	102
PID 1752 wrote to memory of 1444	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	103
PID 1752 wrote to memory of 1444	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	103
PID 1752 wrote to memory of 1444	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	103
PID 1752 wrote to memory of 1880	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	104
PID 1752 wrote to memory of 1880	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	104
PID 1752 wrote to memory of 1880	1752	{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe	104
PID 1444 wrote to memory of 5116	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	105
PID 1444 wrote to memory of 5116	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	105
PID 1444 wrote to memory of 5116	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	105
PID 1444 wrote to memory of 2880	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	106
PID 1444 wrote to memory of 2880	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	106
PID 1444 wrote to memory of 2880	1444	{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe	106
PID 5116 wrote to memory of 912	5116	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe	107
PID 5116 wrote to memory of 912	5116	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe	107
PID 5116 wrote to memory of 912	5116	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe	107
PID 5116 wrote to memory of 3796	5116	{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe	108

C:\Users\Admin\AppData\Local\Temp\768b36364ea2f5exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\768b36364ea2f5exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
  C:\Windows\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
    C:\Windows\{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
      C:\Windows\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
        
        C:\Windows\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
        
        C:\Windows\{DD714C73-B6DA-48b2-9A16-07346186459F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
        
        C:\Windows\{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
        
        C:\Windows\{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe
        
        C:\Windows\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
        
        C:\Windows\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe
        
        C:\Windows\{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe
        
        C:\Windows\{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe
        
        C:\Windows\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe
        13⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19713~1.EXE > nul
        13⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06C63~1.EXE > nul
        12⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD4A~1.EXE > nul
        11⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A8AB~1.EXE > nul
        10⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2890F~1.EXE > nul
        9⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26EEB~1.EXE > nul
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD714~1.EXE > nul
        7⤵
        
        PID:3700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F628~1.EXE > nul
        6⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55EE2~1.EXE > nul
        5⤵
        
        PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A0ED~1.EXE > nul
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03227~1.EXE > nul
    3⤵
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\768B36~1.EXE > nul
  2⤵
  PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe

Filesize
204KB

MD5
0abce3e5654bedf9180a3b0db4467049

SHA1
d1ff033459dae7f1cdea29f0ae291fecbfbebb9a

SHA256
bde9d701644abc26d981eeef2940e9f929e754625655403d73f024b73ebd0e2f

SHA512
8dd687661ff12f91c741a35a60a4b81e424b7a66cf2296c1800cf9476d72e0d076f1a8245d718c9b5dd06362bf0cc51bea050f76a1782314ff283bf98aee7442

Download Submit
C:\Windows\{03227DC1-5C0D-4929-B946-BBA54AA7AFCF}.exe

Filesize
204KB

MD5
0abce3e5654bedf9180a3b0db4467049

SHA1
d1ff033459dae7f1cdea29f0ae291fecbfbebb9a

SHA256
bde9d701644abc26d981eeef2940e9f929e754625655403d73f024b73ebd0e2f

SHA512
8dd687661ff12f91c741a35a60a4b81e424b7a66cf2296c1800cf9476d72e0d076f1a8245d718c9b5dd06362bf0cc51bea050f76a1782314ff283bf98aee7442

Download Submit
C:\Windows\{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe

Filesize
204KB

MD5
73dd313a1b277a91f48aa80f16c88df9

SHA1
9c8d1fb1232ce93db8a2f123603bc1a29b0ad4ec

SHA256
9d8e43435b8803d4f3d5361c84fb09c80bc97bbc95af9b11197680bcc8a54aff

SHA512
777442f46d64a5906827c4d03b3d29067f904d4fc3bc9207e2b13c33501c4626e8068becac1b85d5b496bfeac482abcf7d174bfc22d8674c2ab939ceebab9d51

Download Submit
C:\Windows\{06C63AAB-58DB-455e-889F-246AFC821EBB}.exe

Filesize
204KB

MD5
73dd313a1b277a91f48aa80f16c88df9

SHA1
9c8d1fb1232ce93db8a2f123603bc1a29b0ad4ec

SHA256
9d8e43435b8803d4f3d5361c84fb09c80bc97bbc95af9b11197680bcc8a54aff

SHA512
777442f46d64a5906827c4d03b3d29067f904d4fc3bc9207e2b13c33501c4626e8068becac1b85d5b496bfeac482abcf7d174bfc22d8674c2ab939ceebab9d51

Download Submit
C:\Windows\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe

Filesize
204KB

MD5
85adfc4661905a1165bf8285b2983813

SHA1
fb2eba6dd8096178cecc092323174986dbd1a8f9

SHA256
a917bafc4dccdde5a1124b7cad71248486822a025ff0fe38f67d0e9fd9ba32d1

SHA512
d8765273e79712de50b9755f3fa137cf9dceabdc29a1ae8e79543ab2df9af72c9b45c027415a68ce5e15e94955b62fd8ec978c3b4a20bd20574972e2caaad999

Download Submit
C:\Windows\{0A8AB7F7-D8EC-4d0a-BAA5-A417322C3333}.exe

Filesize
204KB

MD5
85adfc4661905a1165bf8285b2983813

SHA1
fb2eba6dd8096178cecc092323174986dbd1a8f9

SHA256
a917bafc4dccdde5a1124b7cad71248486822a025ff0fe38f67d0e9fd9ba32d1

SHA512
d8765273e79712de50b9755f3fa137cf9dceabdc29a1ae8e79543ab2df9af72c9b45c027415a68ce5e15e94955b62fd8ec978c3b4a20bd20574972e2caaad999

Download Submit
C:\Windows\{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe

Filesize
204KB

MD5
e1aaf98c1a9c20f1cbf0037fcae6763e

SHA1
38f357fe4d86946a0fd6caf556b2f28dfd468178

SHA256
760074dbcc7ece8a2dd23c92f428e5c5e2d8247c1e2a8a89b747e5051a91d425

SHA512
3e1a60305586f6a2a0ac4be5ec084c1fa7cc8ebf982a550e7d2328b85060fcab06c9e1b4c65a02a430117dec5348d3be5c91459e9e4d8261b2b2701d114346ce

Download Submit
C:\Windows\{19713E14-BB2A-4479-99F6-5A5D0542D592}.exe

Filesize
204KB

MD5
e1aaf98c1a9c20f1cbf0037fcae6763e

SHA1
38f357fe4d86946a0fd6caf556b2f28dfd468178

SHA256
760074dbcc7ece8a2dd23c92f428e5c5e2d8247c1e2a8a89b747e5051a91d425

SHA512
3e1a60305586f6a2a0ac4be5ec084c1fa7cc8ebf982a550e7d2328b85060fcab06c9e1b4c65a02a430117dec5348d3be5c91459e9e4d8261b2b2701d114346ce

Download Submit
C:\Windows\{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe

Filesize
204KB

MD5
1b359962d151843f2253eb7d7e1124f3

SHA1
c3fb2f4e3e379956183e1935d7f64ac439aafdff

SHA256
a730f0b02269703716faafde30b833acf0883f6696c2879f8a234e76996459ff

SHA512
fef8bdf3197abf90750afa086bdeed38d261f0dc68cf255241c3fbdd9a00bf0ef4ac8154625b1e85d942081d3caae7fb7311f66b02abc291e98b68cf03d47659

Download Submit
C:\Windows\{26EEB816-7201-4321-B2CF-BA4A4C93761E}.exe

Filesize
204KB

MD5
1b359962d151843f2253eb7d7e1124f3

SHA1
c3fb2f4e3e379956183e1935d7f64ac439aafdff

SHA256
a730f0b02269703716faafde30b833acf0883f6696c2879f8a234e76996459ff

SHA512
fef8bdf3197abf90750afa086bdeed38d261f0dc68cf255241c3fbdd9a00bf0ef4ac8154625b1e85d942081d3caae7fb7311f66b02abc291e98b68cf03d47659

Download Submit
C:\Windows\{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe

Filesize
204KB

MD5
28d7031c9e3dba09984c0434bc83b3ab

SHA1
554846133b394a46064ff16445035d79fbe230c2

SHA256
c13b87ca78afb90c8f13dd5ed40b47ec4163a02a66d2a26c02e0e6845d67ee91

SHA512
ae1434f824165d1fce19218b4a1d874bfcac07b99537738a6e02e9c7ed6be61db7ad6dbd0efda5413528c2a0f6a690584471b0884729bb682bd2af5fd5dd3dbd

Download Submit
C:\Windows\{2890FF78-E416-4236-9C6E-9FDEA4991944}.exe

Filesize
204KB

MD5
28d7031c9e3dba09984c0434bc83b3ab

SHA1
554846133b394a46064ff16445035d79fbe230c2

SHA256
c13b87ca78afb90c8f13dd5ed40b47ec4163a02a66d2a26c02e0e6845d67ee91

SHA512
ae1434f824165d1fce19218b4a1d874bfcac07b99537738a6e02e9c7ed6be61db7ad6dbd0efda5413528c2a0f6a690584471b0884729bb682bd2af5fd5dd3dbd

Download Submit
C:\Windows\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe

Filesize
204KB

MD5
2b9a7b3c7d14f77d797fefc5274d50c5

SHA1
eca7ff80a91a326ac4662391ff62f8fc3fd0a7c4

SHA256
d756b7a122083be6ced99b77bf168448216ba744cc7220472c4edac3bcce25b5

SHA512
90b9c14153a5eea896623ee06777fa41b81a61e100d44f75ccddc1ebe3fe871b9adbde51e4604fe61199b943d878d4752028ce0b917c5e7d9f270fd1493d4ffa

Download Submit
C:\Windows\{3F6281C8-7CC5-4925-95D6-977AEFD37B01}.exe

Filesize
204KB

MD5
2b9a7b3c7d14f77d797fefc5274d50c5

SHA1
eca7ff80a91a326ac4662391ff62f8fc3fd0a7c4

SHA256
d756b7a122083be6ced99b77bf168448216ba744cc7220472c4edac3bcce25b5

SHA512
90b9c14153a5eea896623ee06777fa41b81a61e100d44f75ccddc1ebe3fe871b9adbde51e4604fe61199b943d878d4752028ce0b917c5e7d9f270fd1493d4ffa

Download Submit
C:\Windows\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe

Filesize
204KB

MD5
3ee609cc4edbad94f664417ace78279a

SHA1
0bf3fdc2f97b1d2e03cb54850fced3f1db4c08a4

SHA256
4e499c58f74651a755281922f84b0b079cddb3895ed244028fc1a3d0177fbe72

SHA512
624cc8fa41cd7e7cb526f08884c53c6abc36ba5f487358eed3d0aaf32ee730e19c4e537d139bc76b70c6966579bdf88eca6f0b377b413ee9d3b0b67bf7fd5202

Download Submit
C:\Windows\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe

Filesize
204KB

MD5
3ee609cc4edbad94f664417ace78279a

SHA1
0bf3fdc2f97b1d2e03cb54850fced3f1db4c08a4

SHA256
4e499c58f74651a755281922f84b0b079cddb3895ed244028fc1a3d0177fbe72

SHA512
624cc8fa41cd7e7cb526f08884c53c6abc36ba5f487358eed3d0aaf32ee730e19c4e537d139bc76b70c6966579bdf88eca6f0b377b413ee9d3b0b67bf7fd5202

Download Submit
C:\Windows\{55EE2A16-9453-46e5-9D19-C7C42BEB08CE}.exe

Filesize
204KB

MD5
3ee609cc4edbad94f664417ace78279a

SHA1
0bf3fdc2f97b1d2e03cb54850fced3f1db4c08a4

SHA256
4e499c58f74651a755281922f84b0b079cddb3895ed244028fc1a3d0177fbe72

SHA512
624cc8fa41cd7e7cb526f08884c53c6abc36ba5f487358eed3d0aaf32ee730e19c4e537d139bc76b70c6966579bdf88eca6f0b377b413ee9d3b0b67bf7fd5202

Download Submit
C:\Windows\{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe

Filesize
204KB

MD5
b355b315b84a1956813a16a6b797a288

SHA1
722668d2e86f682e9f2eb1670afb9c1ba139d712

SHA256
be816fcd734ed5a3028851b90d30d7927db02baf4a6cb654cb66f9dae1d53a93

SHA512
59a35c4c01504071d0bae2b9462b8fe0c534a9d579f8daa3a123505ed9ad07d95214ad9ea5698059039f6aba7cd4a508efb8b3727d0c7ef42821f873331cb11c

Download Submit
C:\Windows\{8A0ED152-9367-466a-A423-2FF26AF209EC}.exe

Filesize
204KB

MD5
b355b315b84a1956813a16a6b797a288

SHA1
722668d2e86f682e9f2eb1670afb9c1ba139d712

SHA256
be816fcd734ed5a3028851b90d30d7927db02baf4a6cb654cb66f9dae1d53a93

SHA512
59a35c4c01504071d0bae2b9462b8fe0c534a9d579f8daa3a123505ed9ad07d95214ad9ea5698059039f6aba7cd4a508efb8b3727d0c7ef42821f873331cb11c

Download Submit
C:\Windows\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe

Filesize
204KB

MD5
ebf6c7753081d53d61f0926c2f0a911a

SHA1
52192e21dee78cbc2263413b12ccc899171f70bf

SHA256
e7efb424d1235ec544213a775ccdab8b87b360cc958a2b53085fc86104808071

SHA512
72e6a3e17822c823ca8d52c64cbf6f1a8391d8675767ff35032745592b3ceb98b637844eaa05570a32b3e320cfd17288e462a86c214097cbd2286f7033804e63

Download Submit
C:\Windows\{8CD4AC35-22BE-419c-A987-CC4F9E3A35B1}.exe

Filesize
204KB

MD5
ebf6c7753081d53d61f0926c2f0a911a

SHA1
52192e21dee78cbc2263413b12ccc899171f70bf

SHA256
e7efb424d1235ec544213a775ccdab8b87b360cc958a2b53085fc86104808071

SHA512
72e6a3e17822c823ca8d52c64cbf6f1a8391d8675767ff35032745592b3ceb98b637844eaa05570a32b3e320cfd17288e462a86c214097cbd2286f7033804e63

Download Submit
C:\Windows\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe

Filesize
204KB

MD5
26f438e675552bba35ce386c631b7369

SHA1
837d246c193a9f1a0403e8cd8e461a3f299da63f

SHA256
93f38cad6cfc8c2fa337f5b72c79a7d964227a780716dc7e05034af65a814d09

SHA512
9c64985ee4ca816c3819d43706d60f623d0c06657f088264ad8540addab45280a5de59bbc2359d5d4ba7fcbd85781cbd06e1418279214497bf358fa794a86e0b

Download Submit
C:\Windows\{A2C1F105-DAAF-45e1-961F-9AA2D1F9BFA9}.exe

Filesize
204KB

MD5
26f438e675552bba35ce386c631b7369

SHA1
837d246c193a9f1a0403e8cd8e461a3f299da63f

SHA256
93f38cad6cfc8c2fa337f5b72c79a7d964227a780716dc7e05034af65a814d09

SHA512
9c64985ee4ca816c3819d43706d60f623d0c06657f088264ad8540addab45280a5de59bbc2359d5d4ba7fcbd85781cbd06e1418279214497bf358fa794a86e0b

Download Submit
C:\Windows\{DD714C73-B6DA-48b2-9A16-07346186459F}.exe

Filesize
204KB

MD5
12f45894fad9cc460ba4ca63dde3f072

SHA1
29fb77d068292a609433b2193f2fc42dc0651f02

SHA256
8b0fcaa92103dda898037529ded9a914124130dae9b81f9b90b28abe62a0081f

SHA512
07d3642bab0b0f1874c17f869773ee2a62fa7f2fef745b8a7940b258814e19deb095e11d5f7ee50af4e7e9a05ec6937cbf01ea7fe6f27448408464c6cd5afc6d

Download Submit
C:\Windows\{DD714C73-B6DA-48b2-9A16-07346186459F}.exe

Filesize
204KB

MD5
12f45894fad9cc460ba4ca63dde3f072

SHA1
29fb77d068292a609433b2193f2fc42dc0651f02

SHA256
8b0fcaa92103dda898037529ded9a914124130dae9b81f9b90b28abe62a0081f

SHA512
07d3642bab0b0f1874c17f869773ee2a62fa7f2fef745b8a7940b258814e19deb095e11d5f7ee50af4e7e9a05ec6937cbf01ea7fe6f27448408464c6cd5afc6d

Download Submit