2ec2cea651e28516040919a8e7f5655126e8fffd9f795b1501ff1eaed26c79ab

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d07c00c3248d4exeexeexeex.exe
Size

204KB
MD5

7d07c00c3248d40565ea7aa4523842c8
SHA1

a235474bb30be9040841390be46ba560cd876625
SHA256

2ec2cea651e28516040919a8e7f5655126e8fffd9f795b1501ff1eaed26c79ab
SHA512

748dcf0b6d213f8c5fc17ddd73af054fe6a6880e9b5d5cecb2f443d0fa4e8837dc335890ff6b0b0766a4f127ae558894cf2734af8fa8ea9144e1672754939d81
SSDEEP

1536:1EGh0oil15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oil1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}\stubpath = "C:\\Windows\\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe"	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D3F10A6-4C07-4176-867E-56055DA3BF01}\stubpath = "C:\\Windows\\{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe"	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897E9B53-3217-48bf-B374-7A60C98FF447}\stubpath = "C:\\Windows\\{897E9B53-3217-48bf-B374-7A60C98FF447}.exe"	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93462D02-E5A9-4caa-B8FB-AC058B553940}	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}	{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}\stubpath = "C:\\Windows\\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe"	7d07c00c3248d4exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9683104-149C-4a09-9DF6-D384281A7F7A}	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}\stubpath = "C:\\Windows\\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe"	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26B5B920-D332-437a-AC53-4559AFA13A19}	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12040DA3-AA8F-4d53-ACE7-9459A759D978}	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9683104-149C-4a09-9DF6-D384281A7F7A}\stubpath = "C:\\Windows\\{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe"	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}\stubpath = "C:\\Windows\\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe"	{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}\stubpath = "C:\\Windows\\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe"	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D3F10A6-4C07-4176-867E-56055DA3BF01}	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}\stubpath = "C:\\Windows\\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe"	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12040DA3-AA8F-4d53-ACE7-9459A759D978}\stubpath = "C:\\Windows\\{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe"	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93462D02-E5A9-4caa-B8FB-AC058B553940}\stubpath = "C:\\Windows\\{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe"	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}	7d07c00c3248d4exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26B5B920-D332-437a-AC53-4559AFA13A19}\stubpath = "C:\\Windows\\{26B5B920-D332-437a-AC53-4559AFA13A19}.exe"	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897E9B53-3217-48bf-B374-7A60C98FF447}	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe

Executes dropped EXE 12 IoCs

pid	Process
5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe
680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
5088	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
3148	{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe
1204	{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	7d07c00c3248d4exeexeexeex.exe
File created	C:\Windows\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
File created	C:\Windows\{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
File created	C:\Windows\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
File created	C:\Windows\{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
File created	C:\Windows\{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
File created	C:\Windows\{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
File created	C:\Windows\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
File created	C:\Windows\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
File created	C:\Windows\{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
File created	C:\Windows\{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe
File created	C:\Windows\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe	{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2528	7d07c00c3248d4exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
Token: SeIncBasePriorityPrivilege	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
Token: SeIncBasePriorityPrivilege	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
Token: SeIncBasePriorityPrivilege	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
Token: SeIncBasePriorityPrivilege	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
Token: SeIncBasePriorityPrivilege	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe
Token: SeIncBasePriorityPrivilege	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
Token: SeIncBasePriorityPrivilege	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
Token: SeIncBasePriorityPrivilege	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
Token: SeIncBasePriorityPrivilege	5088	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
Token: SeIncBasePriorityPrivilege	3148	{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 5112	2528	7d07c00c3248d4exeexeexeex.exe	84
PID 2528 wrote to memory of 5112	2528	7d07c00c3248d4exeexeexeex.exe	84
PID 2528 wrote to memory of 5112	2528	7d07c00c3248d4exeexeexeex.exe	84
PID 2528 wrote to memory of 2112	2528	7d07c00c3248d4exeexeexeex.exe	85
PID 2528 wrote to memory of 2112	2528	7d07c00c3248d4exeexeexeex.exe	85
PID 2528 wrote to memory of 2112	2528	7d07c00c3248d4exeexeexeex.exe	85
PID 5112 wrote to memory of 3140	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	86
PID 5112 wrote to memory of 3140	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	86
PID 5112 wrote to memory of 3140	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	86
PID 5112 wrote to memory of 2260	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	87
PID 5112 wrote to memory of 2260	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	87
PID 5112 wrote to memory of 2260	5112	{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe	87
PID 3140 wrote to memory of 1788	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	91
PID 3140 wrote to memory of 1788	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	91
PID 3140 wrote to memory of 1788	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	91
PID 3140 wrote to memory of 4292	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	92
PID 3140 wrote to memory of 4292	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	92
PID 3140 wrote to memory of 4292	3140	{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe	92
PID 1788 wrote to memory of 1808	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	93
PID 1788 wrote to memory of 1808	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	93
PID 1788 wrote to memory of 1808	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	93
PID 1788 wrote to memory of 1620	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	94
PID 1788 wrote to memory of 1620	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	94
PID 1788 wrote to memory of 1620	1788	{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe	94
PID 1808 wrote to memory of 2872	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	95
PID 1808 wrote to memory of 2872	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	95
PID 1808 wrote to memory of 2872	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	95
PID 1808 wrote to memory of 4124	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	96
PID 1808 wrote to memory of 4124	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	96
PID 1808 wrote to memory of 4124	1808	{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe	96
PID 2872 wrote to memory of 3084	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	97
PID 2872 wrote to memory of 3084	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	97
PID 2872 wrote to memory of 3084	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	97
PID 2872 wrote to memory of 4844	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	98
PID 2872 wrote to memory of 4844	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	98
PID 2872 wrote to memory of 4844	2872	{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe	98
PID 3084 wrote to memory of 680	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	99
PID 3084 wrote to memory of 680	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	99
PID 3084 wrote to memory of 680	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	99
PID 3084 wrote to memory of 2716	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	100
PID 3084 wrote to memory of 2716	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	100
PID 3084 wrote to memory of 2716	3084	{26B5B920-D332-437a-AC53-4559AFA13A19}.exe	100
PID 680 wrote to memory of 3780	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	101
PID 680 wrote to memory of 3780	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	101
PID 680 wrote to memory of 3780	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	101
PID 680 wrote to memory of 2476	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	102
PID 680 wrote to memory of 2476	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	102
PID 680 wrote to memory of 2476	680	{897E9B53-3217-48bf-B374-7A60C98FF447}.exe	102
PID 3780 wrote to memory of 5024	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	103
PID 3780 wrote to memory of 5024	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	103
PID 3780 wrote to memory of 5024	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	103
PID 3780 wrote to memory of 3392	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	104
PID 3780 wrote to memory of 3392	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	104
PID 3780 wrote to memory of 3392	3780	{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe	104
PID 5024 wrote to memory of 5088	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	105
PID 5024 wrote to memory of 5088	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	105
PID 5024 wrote to memory of 5088	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	105
PID 5024 wrote to memory of 4468	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	106
PID 5024 wrote to memory of 4468	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	106
PID 5024 wrote to memory of 4468	5024	{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe	106
PID 5088 wrote to memory of 3148	5088	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe	107
PID 5088 wrote to memory of 3148	5088	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe	107
PID 5088 wrote to memory of 3148	5088	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe	107
PID 5088 wrote to memory of 4240	5088	{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe	108

C:\Users\Admin\AppData\Local\Temp\7d07c00c3248d4exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\7d07c00c3248d4exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
  C:\Windows\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
    C:\Windows\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
      C:\Windows\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
        
        C:\Windows\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
        
        C:\Windows\{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{26B5B920-D332-437a-AC53-4559AFA13A19}.exe
        
        C:\Windows\{26B5B920-D332-437a-AC53-4559AFA13A19}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
        
        C:\Windows\{897E9B53-3217-48bf-B374-7A60C98FF447}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
        
        C:\Windows\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
        
        C:\Windows\{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
        
        C:\Windows\{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe
        
        C:\Windows\{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe
        
        C:\Windows\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9683~1.EXE > nul
        13⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93462~1.EXE > nul
        12⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12040~1.EXE > nul
        11⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BE8C~1.EXE > nul
        10⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{897E9~1.EXE > nul
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26B5B~1.EXE > nul
        8⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D3F1~1.EXE > nul
        7⤵
        
        PID:4844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45EF4~1.EXE > nul
        6⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B3F5~1.EXE > nul
        5⤵
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE5F5~1.EXE > nul
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D5DE~1.EXE > nul
    3⤵
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7D07C0~1.EXE > nul
  2⤵
  PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe

Filesize
204KB

MD5
061594e9f9fda15946a1220a4fee0605

SHA1
a2d9bb72d926b903689f1d153d6735be3fec8611

SHA256
7a5765e09cda7b4ca00d749673b3f2713fd49ad47609338aea3c2739e423ced3

SHA512
7e07fb59335c5ff17ec89aeb1498a19cb0d081e79441ba29ce5bdb6d4c8e89ddaba18575536fd3df0ad7414882c47550b051f889d6f0bbe6ca2eb0f432115a45

Download Submit
C:\Windows\{12040DA3-AA8F-4d53-ACE7-9459A759D978}.exe

Filesize
204KB

MD5
061594e9f9fda15946a1220a4fee0605

SHA1
a2d9bb72d926b903689f1d153d6735be3fec8611

SHA256
7a5765e09cda7b4ca00d749673b3f2713fd49ad47609338aea3c2739e423ced3

SHA512
7e07fb59335c5ff17ec89aeb1498a19cb0d081e79441ba29ce5bdb6d4c8e89ddaba18575536fd3df0ad7414882c47550b051f889d6f0bbe6ca2eb0f432115a45

Download Submit
C:\Windows\{26B5B920-D332-437a-AC53-4559AFA13A19}.exe

Filesize
204KB

MD5
9897b5a8fa6fde9828a5072384accadf

SHA1
2022ae7e335ff60a33fe07b161c74062a8cd80da

SHA256
74ca276178e7b7582fd3e4a79de2f76fcd3e50c6c0b34b47f198dd38129c1a0c

SHA512
180cc6aec89cd6a9a26cc9135bb3796143f055a15e4e148016a72ffdfca6ad78afa9eb642a55f649169c7046962c24616b0a844f8c11ca607ae95838a3e58962

Download Submit
C:\Windows\{26B5B920-D332-437a-AC53-4559AFA13A19}.exe

Filesize
204KB

MD5
9897b5a8fa6fde9828a5072384accadf

SHA1
2022ae7e335ff60a33fe07b161c74062a8cd80da

SHA256
74ca276178e7b7582fd3e4a79de2f76fcd3e50c6c0b34b47f198dd38129c1a0c

SHA512
180cc6aec89cd6a9a26cc9135bb3796143f055a15e4e148016a72ffdfca6ad78afa9eb642a55f649169c7046962c24616b0a844f8c11ca607ae95838a3e58962

Download Submit
C:\Windows\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe

Filesize
204KB

MD5
52e1374e5cfe40b0a939f91a35f18b35

SHA1
86f9ff0e68e6b5077ceb6c0f5c30aacb7aa10861

SHA256
2591fdce0c5646651c06cca3c59c805d9da8cf0db235df70d5b3b8f009c6518e

SHA512
a80c3f423161aee953c8c42f55e2be128eb72f9c062230737216314f3a7d0018742434255f776dc98a272ff64f3a730e82308990180daff7198d42b57756b38d

Download Submit
C:\Windows\{3BE8CB23-C417-4a10-B312-D8AAB962BDC3}.exe

Filesize
204KB

MD5
52e1374e5cfe40b0a939f91a35f18b35

SHA1
86f9ff0e68e6b5077ceb6c0f5c30aacb7aa10861

SHA256
2591fdce0c5646651c06cca3c59c805d9da8cf0db235df70d5b3b8f009c6518e

SHA512
a80c3f423161aee953c8c42f55e2be128eb72f9c062230737216314f3a7d0018742434255f776dc98a272ff64f3a730e82308990180daff7198d42b57756b38d

Download Submit
C:\Windows\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe

Filesize
204KB

MD5
f82508d37d512a5cb24bb32d138cd52a

SHA1
5dc2e25c3e6811b0ac867fac87f8e75f06f98299

SHA256
bc5c1cfdb60b05d5ecb9949e3b4d0af60ca3bc3ac0baffa840ded8fe809279a7

SHA512
2faf2bff69961eec1667372c95985034dbc1618ce56e568801dfe8304c4ed1653ca6688389db43a117851605ffe402273d719c90d76acde767cdb2f6be90b183

Download Submit
C:\Windows\{45EF4097-91CB-4c83-8AB6-CCDAA45467C4}.exe

Filesize
204KB

MD5
f82508d37d512a5cb24bb32d138cd52a

SHA1
5dc2e25c3e6811b0ac867fac87f8e75f06f98299

SHA256
bc5c1cfdb60b05d5ecb9949e3b4d0af60ca3bc3ac0baffa840ded8fe809279a7

SHA512
2faf2bff69961eec1667372c95985034dbc1618ce56e568801dfe8304c4ed1653ca6688389db43a117851605ffe402273d719c90d76acde767cdb2f6be90b183

Download Submit
C:\Windows\{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe

Filesize
204KB

MD5
1027e5b51d40c1bcce6c76fd753a6058

SHA1
a9ed54a8b4ccba4c7ba4e632fcb25373dcc10c87

SHA256
e167e58745be175f746e92fbf1484bbbfce28540fce799b505c1c9c862d14a8e

SHA512
c1a63ddc159c916dc4ee0f2cbfd924446e792cdb0c693765344625d7f36594332cf292246d12fad7a9defc8713a0995b61e26f71998ac7c3fcd4229146cde917

Download Submit
C:\Windows\{5D3F10A6-4C07-4176-867E-56055DA3BF01}.exe

Filesize
204KB

MD5
1027e5b51d40c1bcce6c76fd753a6058

SHA1
a9ed54a8b4ccba4c7ba4e632fcb25373dcc10c87

SHA256
e167e58745be175f746e92fbf1484bbbfce28540fce799b505c1c9c862d14a8e

SHA512
c1a63ddc159c916dc4ee0f2cbfd924446e792cdb0c693765344625d7f36594332cf292246d12fad7a9defc8713a0995b61e26f71998ac7c3fcd4229146cde917

Download Submit
C:\Windows\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe

Filesize
204KB

MD5
6c826b570ba4abcb374cda9599cfc63b

SHA1
4d2f469a86c072eb0bbbc180045a11ae91a08645

SHA256
750a0886a01939ce2bad8cf1346959d149a026ff2be1a49dcf8ae9f044e7b331

SHA512
a80d2ede932b52ce59f0d5d69ef877bb88f4843ec17a7ead0a3996099f787e1b1f0e43a1ac15388901fe65d880935280f329e848a685014a41792411b5d45150

Download Submit
C:\Windows\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe

Filesize
204KB

MD5
6c826b570ba4abcb374cda9599cfc63b

SHA1
4d2f469a86c072eb0bbbc180045a11ae91a08645

SHA256
750a0886a01939ce2bad8cf1346959d149a026ff2be1a49dcf8ae9f044e7b331

SHA512
a80d2ede932b52ce59f0d5d69ef877bb88f4843ec17a7ead0a3996099f787e1b1f0e43a1ac15388901fe65d880935280f329e848a685014a41792411b5d45150

Download Submit
C:\Windows\{6B3F57D9-AE07-4af0-AE68-34CAA7522F16}.exe

Filesize
204KB

MD5
6c826b570ba4abcb374cda9599cfc63b

SHA1
4d2f469a86c072eb0bbbc180045a11ae91a08645

SHA256
750a0886a01939ce2bad8cf1346959d149a026ff2be1a49dcf8ae9f044e7b331

SHA512
a80d2ede932b52ce59f0d5d69ef877bb88f4843ec17a7ead0a3996099f787e1b1f0e43a1ac15388901fe65d880935280f329e848a685014a41792411b5d45150

Download Submit
C:\Windows\{897E9B53-3217-48bf-B374-7A60C98FF447}.exe

Filesize
204KB

MD5
36c91b60dec2292333691a069a72acfc

SHA1
77c9f52f176c39c14bab9b55f77d4cb4e8990541

SHA256
1d04322e39209299914f7c2a277e615f75ea85ec867b2208c0b06f73613160c2

SHA512
30a4ecb23c40bd56c04614a80d9feb5f3b0622a8fd205575977a869a02e6bb39ee09fba885a2fd878e9f8916d59d3166baff9a3983317dd2f547e7b86aadee2c

Download Submit
C:\Windows\{897E9B53-3217-48bf-B374-7A60C98FF447}.exe

Filesize
204KB

MD5
36c91b60dec2292333691a069a72acfc

SHA1
77c9f52f176c39c14bab9b55f77d4cb4e8990541

SHA256
1d04322e39209299914f7c2a277e615f75ea85ec867b2208c0b06f73613160c2

SHA512
30a4ecb23c40bd56c04614a80d9feb5f3b0622a8fd205575977a869a02e6bb39ee09fba885a2fd878e9f8916d59d3166baff9a3983317dd2f547e7b86aadee2c

Download Submit
C:\Windows\{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe

Filesize
204KB

MD5
44483819d8827284152ce5b5327fea09

SHA1
61d600a07bc51bed96269c1ae7224c0efd4e34d3

SHA256
e119f98a38f387b3fbe04be34c200a15da4776ba4a78ebca074f73e74f968161

SHA512
fafeff5df5f048f94d5991b55202451d42205167279c0a3562a757437e036b9e04380f6bf5e4145a82fb679f11657012fb3e5738bf3159c5207c88887fd673dc

Download Submit
C:\Windows\{93462D02-E5A9-4caa-B8FB-AC058B553940}.exe

Filesize
204KB

MD5
44483819d8827284152ce5b5327fea09

SHA1
61d600a07bc51bed96269c1ae7224c0efd4e34d3

SHA256
e119f98a38f387b3fbe04be34c200a15da4776ba4a78ebca074f73e74f968161

SHA512
fafeff5df5f048f94d5991b55202451d42205167279c0a3562a757437e036b9e04380f6bf5e4145a82fb679f11657012fb3e5738bf3159c5207c88887fd673dc

Download Submit
C:\Windows\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe

Filesize
204KB

MD5
1f4f3064bc360cdd4b40d919eb1c21db

SHA1
3dd41a5d16d1e6c90b047e3017943d4a87b73c96

SHA256
bd1c4864895fffd94a1be82bce78e1b0579e400ed6d5c7c2aaa3f25cf8a2be6e

SHA512
7bd753ecd2238e455bbfd452e61db241a100b7378e75013d09f73dad1650daa897fbeda541fbaeb65e7e82755a02e82791818f98bb926f87b0fcf564580cbe98

Download Submit
C:\Windows\{9D5DE193-4DD7-4f96-91DA-FFC81DA19670}.exe

Filesize
204KB

MD5
1f4f3064bc360cdd4b40d919eb1c21db

SHA1
3dd41a5d16d1e6c90b047e3017943d4a87b73c96

SHA256
bd1c4864895fffd94a1be82bce78e1b0579e400ed6d5c7c2aaa3f25cf8a2be6e

SHA512
7bd753ecd2238e455bbfd452e61db241a100b7378e75013d09f73dad1650daa897fbeda541fbaeb65e7e82755a02e82791818f98bb926f87b0fcf564580cbe98

Download Submit
C:\Windows\{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe

Filesize
204KB

MD5
e4e66ff3eb0a2e952e2327875fa1ec04

SHA1
b48fb2b0a689447ebe30711ac7e9783a76c10a20

SHA256
944187cec2a57a8f3fc1818217650b87749025e05577d58bd1b644d3c980a3d2

SHA512
84b06b79532b9d0c3d3ae9641ff1c3ab5c18d559819046e6561f80269718181b5dd852a8035d5b73c8080d8d9ede9979f5e08c0ab3cd11e53a43a005eba8adc1

Download Submit
C:\Windows\{F9683104-149C-4a09-9DF6-D384281A7F7A}.exe

Filesize
204KB

MD5
e4e66ff3eb0a2e952e2327875fa1ec04

SHA1
b48fb2b0a689447ebe30711ac7e9783a76c10a20

SHA256
944187cec2a57a8f3fc1818217650b87749025e05577d58bd1b644d3c980a3d2

SHA512
84b06b79532b9d0c3d3ae9641ff1c3ab5c18d559819046e6561f80269718181b5dd852a8035d5b73c8080d8d9ede9979f5e08c0ab3cd11e53a43a005eba8adc1

Download Submit
C:\Windows\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe

Filesize
204KB

MD5
6270e9f6b068345f81e48a9ed9492997

SHA1
8fbe7768eff15ba99b76d0ed4038914719ad8f45

SHA256
cd9e121357df64676f1eb9ad581323299166a41f0d47311876c7e9259c90199a

SHA512
7de20a43e07babe9ad5ef0814c8ee5a4b1a755fe126b7cee729e410dfbb4dbe47ee4b0fe60e8e6585ac65b171a28c1d0b00a5417e0c5a56b8f07b7b79a2a2b80

Download Submit
C:\Windows\{FE5F5217-EB35-4161-8E21-CB474DC5D3ED}.exe

Filesize
204KB

MD5
6270e9f6b068345f81e48a9ed9492997

SHA1
8fbe7768eff15ba99b76d0ed4038914719ad8f45

SHA256
cd9e121357df64676f1eb9ad581323299166a41f0d47311876c7e9259c90199a

SHA512
7de20a43e07babe9ad5ef0814c8ee5a4b1a755fe126b7cee729e410dfbb4dbe47ee4b0fe60e8e6585ac65b171a28c1d0b00a5417e0c5a56b8f07b7b79a2a2b80

Download Submit
C:\Windows\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe

Filesize
204KB

MD5
acccc95b40d200f819f9a4e31435b2d5

SHA1
c8ad0d25f128ab2c070f221703b8466cd8553920

SHA256
a3cffaf83c8323458213c6499895654e1d6a0bcec6eceb52dc1127f2058e53c5

SHA512
1ce33ce7d515512bf7b2fd96067a5f84d34de10f2bca8fe9c24ec03de8d08a1ea5162578a5fe42b7d0329f0de9f8308ddecd467ef270afeb67b46f83cad12b98

Download Submit
C:\Windows\{FE83D1C3-9D3D-4216-98B4-1AA45A2A1F4E}.exe

Filesize
204KB

MD5
acccc95b40d200f819f9a4e31435b2d5

SHA1
c8ad0d25f128ab2c070f221703b8466cd8553920

SHA256
a3cffaf83c8323458213c6499895654e1d6a0bcec6eceb52dc1127f2058e53c5

SHA512
1ce33ce7d515512bf7b2fd96067a5f84d34de10f2bca8fe9c24ec03de8d08a1ea5162578a5fe42b7d0329f0de9f8308ddecd467ef270afeb67b46f83cad12b98

Download Submit