94dc52f922371dab02ca88d1c218582a6316bfece2d734a5c07b16b8db4a160f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ca1d4bf2211ccexeexeexeex.exe
Size

168KB
MD5

8ca1d4bf2211ccc99ea26dbb1400e942
SHA1

e014845276894a438697c89b14f87e30afa2d73d
SHA256

94dc52f922371dab02ca88d1c218582a6316bfece2d734a5c07b16b8db4a160f
SHA512

e651f1656c902168d932e57bd2a12b45a81b11704dfc849582e23e2f94727332547ae67e03047a6a729c0041793a2390bcd0de6213d3a8f4bc330ae84ff6191a
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBD74AD-0A54-435b-863E-55D3EFED1070}\stubpath = "C:\\Windows\\{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe"	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}\stubpath = "C:\\Windows\\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe"	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}\stubpath = "C:\\Windows\\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe"	{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44868018-5469-4244-BB07-75E134905250}	{E6F462D5-0380-4880-82AE-998675026C58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBD74AD-0A54-435b-863E-55D3EFED1070}	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF1879C-C411-4d77-BAF7-A095465A98BC}	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF1879C-C411-4d77-BAF7-A095465A98BC}\stubpath = "C:\\Windows\\{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe"	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDEFB759-49E2-4e30-B404-0AC50F526A32}\stubpath = "C:\\Windows\\{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe"	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6F462D5-0380-4880-82AE-998675026C58}\stubpath = "C:\\Windows\\{E6F462D5-0380-4880-82AE-998675026C58}.exe"	8ca1d4bf2211ccexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}	{44868018-5469-4244-BB07-75E134905250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}	{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}\stubpath = "C:\\Windows\\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe"	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}\stubpath = "C:\\Windows\\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe"	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}\stubpath = "C:\\Windows\\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe"	{44868018-5469-4244-BB07-75E134905250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDEFB759-49E2-4e30-B404-0AC50F526A32}	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D979E285-A4A8-4390-ACF9-6A3A65680792}	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D979E285-A4A8-4390-ACF9-6A3A65680792}\stubpath = "C:\\Windows\\{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe"	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}\stubpath = "C:\\Windows\\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe"	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6F462D5-0380-4880-82AE-998675026C58}	8ca1d4bf2211ccexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44868018-5469-4244-BB07-75E134905250}\stubpath = "C:\\Windows\\{44868018-5469-4244-BB07-75E134905250}.exe"	{E6F462D5-0380-4880-82AE-998675026C58}.exe

Executes dropped EXE 12 IoCs

pid	Process
3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe
4108	{44868018-5469-4244-BB07-75E134905250}.exe
2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
3224	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe
4456	{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe
1836	{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
File created	C:\Windows\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe	{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe
File created	C:\Windows\{E6F462D5-0380-4880-82AE-998675026C58}.exe	8ca1d4bf2211ccexeexeexeex.exe
File created	C:\Windows\{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
File created	C:\Windows\{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
File created	C:\Windows\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
File created	C:\Windows\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
File created	C:\Windows\{44868018-5469-4244-BB07-75E134905250}.exe	{E6F462D5-0380-4880-82AE-998675026C58}.exe
File created	C:\Windows\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	{44868018-5469-4244-BB07-75E134905250}.exe
File created	C:\Windows\{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
File created	C:\Windows\{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
File created	C:\Windows\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3508	8ca1d4bf2211ccexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe
Token: SeIncBasePriorityPrivilege	4108	{44868018-5469-4244-BB07-75E134905250}.exe
Token: SeIncBasePriorityPrivilege	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
Token: SeIncBasePriorityPrivilege	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
Token: SeIncBasePriorityPrivilege	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
Token: SeIncBasePriorityPrivilege	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
Token: SeIncBasePriorityPrivilege	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
Token: SeIncBasePriorityPrivilege	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
Token: SeIncBasePriorityPrivilege	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
Token: SeIncBasePriorityPrivilege	3224	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe
Token: SeIncBasePriorityPrivilege	4456	{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3640	3508	8ca1d4bf2211ccexeexeexeex.exe	84
PID 3508 wrote to memory of 3640	3508	8ca1d4bf2211ccexeexeexeex.exe	84
PID 3508 wrote to memory of 3640	3508	8ca1d4bf2211ccexeexeexeex.exe	84
PID 3508 wrote to memory of 2164	3508	8ca1d4bf2211ccexeexeexeex.exe	85
PID 3508 wrote to memory of 2164	3508	8ca1d4bf2211ccexeexeexeex.exe	85
PID 3508 wrote to memory of 2164	3508	8ca1d4bf2211ccexeexeexeex.exe	85
PID 3640 wrote to memory of 4108	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe	86
PID 3640 wrote to memory of 4108	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe	86
PID 3640 wrote to memory of 4108	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe	86
PID 3640 wrote to memory of 1412	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe	87
PID 3640 wrote to memory of 1412	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe	87
PID 3640 wrote to memory of 1412	3640	{E6F462D5-0380-4880-82AE-998675026C58}.exe	87
PID 4108 wrote to memory of 2104	4108	{44868018-5469-4244-BB07-75E134905250}.exe	92
PID 4108 wrote to memory of 2104	4108	{44868018-5469-4244-BB07-75E134905250}.exe	92
PID 4108 wrote to memory of 2104	4108	{44868018-5469-4244-BB07-75E134905250}.exe	92
PID 4108 wrote to memory of 5092	4108	{44868018-5469-4244-BB07-75E134905250}.exe	91
PID 4108 wrote to memory of 5092	4108	{44868018-5469-4244-BB07-75E134905250}.exe	91
PID 4108 wrote to memory of 5092	4108	{44868018-5469-4244-BB07-75E134905250}.exe	91
PID 2104 wrote to memory of 4916	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	93
PID 2104 wrote to memory of 4916	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	93
PID 2104 wrote to memory of 4916	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	93
PID 2104 wrote to memory of 3832	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	94
PID 2104 wrote to memory of 3832	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	94
PID 2104 wrote to memory of 3832	2104	{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe	94
PID 4916 wrote to memory of 3584	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	95
PID 4916 wrote to memory of 3584	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	95
PID 4916 wrote to memory of 3584	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	95
PID 4916 wrote to memory of 704	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	96
PID 4916 wrote to memory of 704	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	96
PID 4916 wrote to memory of 704	4916	{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe	96
PID 3584 wrote to memory of 2228	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	97
PID 3584 wrote to memory of 2228	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	97
PID 3584 wrote to memory of 2228	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	97
PID 3584 wrote to memory of 1756	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	98
PID 3584 wrote to memory of 1756	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	98
PID 3584 wrote to memory of 1756	3584	{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe	98
PID 2228 wrote to memory of 4912	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	99
PID 2228 wrote to memory of 4912	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	99
PID 2228 wrote to memory of 4912	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	99
PID 2228 wrote to memory of 1456	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	100
PID 2228 wrote to memory of 1456	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	100
PID 2228 wrote to memory of 1456	2228	{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe	100
PID 4912 wrote to memory of 4956	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	101
PID 4912 wrote to memory of 4956	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	101
PID 4912 wrote to memory of 4956	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	101
PID 4912 wrote to memory of 1800	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	102
PID 4912 wrote to memory of 1800	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	102
PID 4912 wrote to memory of 1800	4912	{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe	102
PID 4956 wrote to memory of 2928	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	103
PID 4956 wrote to memory of 2928	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	103
PID 4956 wrote to memory of 2928	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	103
PID 4956 wrote to memory of 1272	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	104
PID 4956 wrote to memory of 1272	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	104
PID 4956 wrote to memory of 1272	4956	{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe	104
PID 2928 wrote to memory of 3224	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	105
PID 2928 wrote to memory of 3224	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	105
PID 2928 wrote to memory of 3224	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	105
PID 2928 wrote to memory of 3768	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	106
PID 2928 wrote to memory of 3768	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	106
PID 2928 wrote to memory of 3768	2928	{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe	106
PID 3224 wrote to memory of 4456	3224	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe	107
PID 3224 wrote to memory of 4456	3224	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe	107
PID 3224 wrote to memory of 4456	3224	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe	107
PID 3224 wrote to memory of 4968	3224	{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe	108

C:\Users\Admin\AppData\Local\Temp\8ca1d4bf2211ccexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\8ca1d4bf2211ccexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\{E6F462D5-0380-4880-82AE-998675026C58}.exe
  C:\Windows\{E6F462D5-0380-4880-82AE-998675026C58}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\{44868018-5469-4244-BB07-75E134905250}.exe
    C:\Windows\{44868018-5469-4244-BB07-75E134905250}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44868~1.EXE > nul
      4⤵
      PID:5092
  - - C:\Windows\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
      C:\Windows\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
        
        C:\Windows\{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
        
        C:\Windows\{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
        
        C:\Windows\{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
        
        C:\Windows\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
        
        C:\Windows\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
        
        C:\Windows\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe
        
        C:\Windows\{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe
        
        C:\Windows\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe
        
        C:\Windows\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe
        13⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C6F~1.EXE > nul
        13⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D979E~1.EXE > nul
        12⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B9DF~1.EXE > nul
        11⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{152BA~1.EXE > nul
        10⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F6B~1.EXE > nul
        9⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDEFB~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF18~1.EXE > nul
        7⤵
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DBD7~1.EXE > nul
        6⤵
        
        PID:704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B861~1.EXE > nul
        5⤵
        
        PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F46~1.EXE > nul
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8CA1D4~1.EXE > nul
  2⤵
  PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe

Filesize
168KB

MD5
e00dfaf57f452ec29c647ad3496ac181

SHA1
36bb51500cba0da24a594d8b18ccfb0c4a98dbae

SHA256
8978dade711bbec2e54d8f661ff17a9e788d627775afb0b717724f9201192a09

SHA512
af43148d46d7fd19406e09bd9848ac7f5ba792529448df091d09753cbfe1d176a639618236acd63040f2c415ba09d6bd443e38e2f5bf18bc465a2d8ce2cb9dab

Download Submit
C:\Windows\{152BAFC3-0AF8-4f9b-8784-762DBF24F91F}.exe

Filesize
168KB

MD5
e00dfaf57f452ec29c647ad3496ac181

SHA1
36bb51500cba0da24a594d8b18ccfb0c4a98dbae

SHA256
8978dade711bbec2e54d8f661ff17a9e788d627775afb0b717724f9201192a09

SHA512
af43148d46d7fd19406e09bd9848ac7f5ba792529448df091d09753cbfe1d176a639618236acd63040f2c415ba09d6bd443e38e2f5bf18bc465a2d8ce2cb9dab

Download Submit
C:\Windows\{44868018-5469-4244-BB07-75E134905250}.exe

Filesize
168KB

MD5
a6c3d6722ac6c6dcb3f923d1f6df0a5e

SHA1
ba2168c5c4b1716c337e78739799fb571fb665bf

SHA256
98ffd94130b5cf718fb39837c42b4bd2db0e63e6f50efbf497056d320ee74b4a

SHA512
a3f7c9714d60fb45025af5e4d3ca24a0e31707c1f50f135021665ae5a9456b8622470e4cdfc46d6d0514690728b63830ac18e5221d9a9e2bed0d995864a4c2d2

Download Submit
C:\Windows\{44868018-5469-4244-BB07-75E134905250}.exe

Filesize
168KB

MD5
a6c3d6722ac6c6dcb3f923d1f6df0a5e

SHA1
ba2168c5c4b1716c337e78739799fb571fb665bf

SHA256
98ffd94130b5cf718fb39837c42b4bd2db0e63e6f50efbf497056d320ee74b4a

SHA512
a3f7c9714d60fb45025af5e4d3ca24a0e31707c1f50f135021665ae5a9456b8622470e4cdfc46d6d0514690728b63830ac18e5221d9a9e2bed0d995864a4c2d2

Download Submit
C:\Windows\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe

Filesize
168KB

MD5
4a54aac38747d7c1dd0ffd0b0ee7d2a3

SHA1
c57902cc6a67e34c187dc3cb4d32dc2b4be82e54

SHA256
e9b7457b4109d5602829c1134dece6d6f4d2172f0966d71ca07333d4e6fdb380

SHA512
fd48daadf9642bbeac031bb4ed04ab786d69441571af9f5d38450361000de443275c0048dc0d864e5c72fddb1e111b1a9ca3bc5820be47fefd64fa82606085b2

Download Submit
C:\Windows\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe

Filesize
168KB

MD5
4a54aac38747d7c1dd0ffd0b0ee7d2a3

SHA1
c57902cc6a67e34c187dc3cb4d32dc2b4be82e54

SHA256
e9b7457b4109d5602829c1134dece6d6f4d2172f0966d71ca07333d4e6fdb380

SHA512
fd48daadf9642bbeac031bb4ed04ab786d69441571af9f5d38450361000de443275c0048dc0d864e5c72fddb1e111b1a9ca3bc5820be47fefd64fa82606085b2

Download Submit
C:\Windows\{5B861EF2-1EFB-4b47-99E5-4433CCDE842F}.exe

Filesize
168KB

MD5
4a54aac38747d7c1dd0ffd0b0ee7d2a3

SHA1
c57902cc6a67e34c187dc3cb4d32dc2b4be82e54

SHA256
e9b7457b4109d5602829c1134dece6d6f4d2172f0966d71ca07333d4e6fdb380

SHA512
fd48daadf9642bbeac031bb4ed04ab786d69441571af9f5d38450361000de443275c0048dc0d864e5c72fddb1e111b1a9ca3bc5820be47fefd64fa82606085b2

Download Submit
C:\Windows\{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe

Filesize
168KB

MD5
b6b4bf528681b8042bc10bd377c842cc

SHA1
91a42fea638e64a9bc5f0c87c5bcde3dc9578865

SHA256
4fcf084efea545fec1006c458eeefa3abc5cd5197a2d26930e434b1399f64451

SHA512
dda071730bc8935965a31ea07381946a7a574bfe140c96d0a4cadddc3e9cd9d6e16d32b5257a27b5decab77c8aa9b2390da5b87b3280e57230a0fb9480970d75

Download Submit
C:\Windows\{5DBD74AD-0A54-435b-863E-55D3EFED1070}.exe

Filesize
168KB

MD5
b6b4bf528681b8042bc10bd377c842cc

SHA1
91a42fea638e64a9bc5f0c87c5bcde3dc9578865

SHA256
4fcf084efea545fec1006c458eeefa3abc5cd5197a2d26930e434b1399f64451

SHA512
dda071730bc8935965a31ea07381946a7a574bfe140c96d0a4cadddc3e9cd9d6e16d32b5257a27b5decab77c8aa9b2390da5b87b3280e57230a0fb9480970d75

Download Submit
C:\Windows\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe

Filesize
168KB

MD5
c077b4e6ca7d1e7d318fcd8764420d4d

SHA1
b9c9455582ce3b2427c3fb89a7ddffcfed522bac

SHA256
7afb9b1ee508b0c0eda6bcbb4094f36368dfd43f548b4500f1a08e0eb0dc785e

SHA512
a4ed66bb222ab960eec9a776b235876e74eeb8da8c5eb6de672a7721495e08ae11a1359a4ab98e55fcfaf8a21c7591fc508db5535c98f3dd9a176a3c9cb2f380

Download Submit
C:\Windows\{6B9DFE75-FD3D-4210-9BBB-1F9AFD02F45C}.exe

Filesize
168KB

MD5
c077b4e6ca7d1e7d318fcd8764420d4d

SHA1
b9c9455582ce3b2427c3fb89a7ddffcfed522bac

SHA256
7afb9b1ee508b0c0eda6bcbb4094f36368dfd43f548b4500f1a08e0eb0dc785e

SHA512
a4ed66bb222ab960eec9a776b235876e74eeb8da8c5eb6de672a7721495e08ae11a1359a4ab98e55fcfaf8a21c7591fc508db5535c98f3dd9a176a3c9cb2f380

Download Submit
C:\Windows\{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe

Filesize
168KB

MD5
fc91678f10d04eac10d23f90a37c1e13

SHA1
6f4adf1ba6577178af7611f15a1242c7bbc82238

SHA256
06a1fe92fb12e87119e5e6b8f29941e161b2dbcd0991ad26b5145bde32ddb7b0

SHA512
f8682a77acf7bbf49e9c8d6bc3ef7e4a3cf7d0d42819c65044f42a9b24c482f9308da49c3bd589dfa379942dc11f5f15e1b35e700e2611403937b5bea57681dd

Download Submit
C:\Windows\{7FF1879C-C411-4d77-BAF7-A095465A98BC}.exe

Filesize
168KB

MD5
fc91678f10d04eac10d23f90a37c1e13

SHA1
6f4adf1ba6577178af7611f15a1242c7bbc82238

SHA256
06a1fe92fb12e87119e5e6b8f29941e161b2dbcd0991ad26b5145bde32ddb7b0

SHA512
f8682a77acf7bbf49e9c8d6bc3ef7e4a3cf7d0d42819c65044f42a9b24c482f9308da49c3bd589dfa379942dc11f5f15e1b35e700e2611403937b5bea57681dd

Download Submit
C:\Windows\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe

Filesize
168KB

MD5
c82a3722c1b0444105f4de88c9620f0d

SHA1
827f6ba53d336b294c955f643f8369a770b21ef1

SHA256
c1b3941701e680db8045e71ae8cbd8c16f732b9cc20abd7fe3e3c1ffec62bae8

SHA512
084010fdb3f7ee524cff2f435edfdefdbe64988ff872355689ede8401562ca93847991ed42f2aafaeb062493e073e150a47f3e677c24be159c8c1a03a406bdb6

Download Submit
C:\Windows\{83F6BAE1-89F3-4bdb-83AC-AE1C40311433}.exe

Filesize
168KB

MD5
c82a3722c1b0444105f4de88c9620f0d

SHA1
827f6ba53d336b294c955f643f8369a770b21ef1

SHA256
c1b3941701e680db8045e71ae8cbd8c16f732b9cc20abd7fe3e3c1ffec62bae8

SHA512
084010fdb3f7ee524cff2f435edfdefdbe64988ff872355689ede8401562ca93847991ed42f2aafaeb062493e073e150a47f3e677c24be159c8c1a03a406bdb6

Download Submit
C:\Windows\{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe

Filesize
168KB

MD5
139c2eaa411e5ea18778118bb890102f

SHA1
a8a7087b2d4c8f3d4c191eaf5fe8a933517797ae

SHA256
6f72574d6b7ffb21b1942177c8c111ed4f3a28d5ddd807cf7ac8c574747d0962

SHA512
baa20040c196d3f07270a3b798241b61d13625c0aa662d2ccad0a69261275be0aa868d4b4d966c2978d7bcc2c9abdac837a783a8d1f39a0d2183fc218e26dd7b

Download Submit
C:\Windows\{D979E285-A4A8-4390-ACF9-6A3A65680792}.exe

Filesize
168KB

MD5
139c2eaa411e5ea18778118bb890102f

SHA1
a8a7087b2d4c8f3d4c191eaf5fe8a933517797ae

SHA256
6f72574d6b7ffb21b1942177c8c111ed4f3a28d5ddd807cf7ac8c574747d0962

SHA512
baa20040c196d3f07270a3b798241b61d13625c0aa662d2ccad0a69261275be0aa868d4b4d966c2978d7bcc2c9abdac837a783a8d1f39a0d2183fc218e26dd7b

Download Submit
C:\Windows\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe

Filesize
168KB

MD5
3b13d6f1f02b2d58bc986f7531c9929a

SHA1
7d927bd56f9a7efcc3892b4af52b858edf9d4d96

SHA256
6151c48e1bf8aa086464dbe8d6d964a4ddcfc79557d91896976c1ff4f850579a

SHA512
6ba8750b5a575e6c811c221d6b51cdcc44e9322e63bbb000ee5debddb3128036cfd4ad70bb05b24822fe11f8f25b309b981727697245421c454f29c9c8637854

Download Submit
C:\Windows\{E3C6F0F0-C990-4233-8652-CB9C211B70CF}.exe

Filesize
168KB

MD5
3b13d6f1f02b2d58bc986f7531c9929a

SHA1
7d927bd56f9a7efcc3892b4af52b858edf9d4d96

SHA256
6151c48e1bf8aa086464dbe8d6d964a4ddcfc79557d91896976c1ff4f850579a

SHA512
6ba8750b5a575e6c811c221d6b51cdcc44e9322e63bbb000ee5debddb3128036cfd4ad70bb05b24822fe11f8f25b309b981727697245421c454f29c9c8637854

Download Submit
C:\Windows\{E6F462D5-0380-4880-82AE-998675026C58}.exe

Filesize
168KB

MD5
8cb8c655ac261ce28843318c378ea24b

SHA1
9c03310d360a6a5857c2b05c8719f1e3f22f1775

SHA256
5ff99a6c01930ba1b4388d93ecdd2a26f10590b4b787a03293ecfa97c3d2ad00

SHA512
e20fd02d3cdae2eb79759efcf779f8c8340ca49c047912e1fa546d416e612eb50143ea556ee45d17cff499ffab0b4aee55943b5905fa61d5fec1e6eeb909e445

Download Submit
C:\Windows\{E6F462D5-0380-4880-82AE-998675026C58}.exe

Filesize
168KB

MD5
8cb8c655ac261ce28843318c378ea24b

SHA1
9c03310d360a6a5857c2b05c8719f1e3f22f1775

SHA256
5ff99a6c01930ba1b4388d93ecdd2a26f10590b4b787a03293ecfa97c3d2ad00

SHA512
e20fd02d3cdae2eb79759efcf779f8c8340ca49c047912e1fa546d416e612eb50143ea556ee45d17cff499ffab0b4aee55943b5905fa61d5fec1e6eeb909e445

Download Submit
C:\Windows\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe

Filesize
168KB

MD5
47d2ae81e41001a424b8cd49d8e4d268

SHA1
dde3b9242a898e1d767936b038e6111cca0b1c1d

SHA256
13c8eca5cfbf89cb923c7dfc5bd9c88ee7956225c4e854330f3d6943a43c4281

SHA512
2ea4d8043729d848940dbd0bb27bc8207bafe5624ca4d692215018943ba6a465d5ca8d1aabd8ca938bdee76788850e13cf69111860fcb473bc9b2ec2ff6b14db

Download Submit
C:\Windows\{E7797AF2-8DDC-4009-9F3B-4B380B2E1F63}.exe

Filesize
168KB

MD5
47d2ae81e41001a424b8cd49d8e4d268

SHA1
dde3b9242a898e1d767936b038e6111cca0b1c1d

SHA256
13c8eca5cfbf89cb923c7dfc5bd9c88ee7956225c4e854330f3d6943a43c4281

SHA512
2ea4d8043729d848940dbd0bb27bc8207bafe5624ca4d692215018943ba6a465d5ca8d1aabd8ca938bdee76788850e13cf69111860fcb473bc9b2ec2ff6b14db

Download Submit
C:\Windows\{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe

Filesize
168KB

MD5
27fd9350f27c343c4a87135ac63f11db

SHA1
b64b4baaceffbfbab5d17ece8e5a0038e305be53

SHA256
4d3bf4533b5e473318e385f6e1e087b962ae3f992720ecab5d07101ae347a301

SHA512
a4e14dbfa3e079a7d96e320a3f3ca06e26ffd0119fa0fac23fa63a2e2814f9db1845b820ff64df3aba61d93d7373c83bc017ce454816c109137768f0103454b8

Download Submit
C:\Windows\{EDEFB759-49E2-4e30-B404-0AC50F526A32}.exe

Filesize
168KB

MD5
27fd9350f27c343c4a87135ac63f11db

SHA1
b64b4baaceffbfbab5d17ece8e5a0038e305be53

SHA256
4d3bf4533b5e473318e385f6e1e087b962ae3f992720ecab5d07101ae347a301

SHA512
a4e14dbfa3e079a7d96e320a3f3ca06e26ffd0119fa0fac23fa63a2e2814f9db1845b820ff64df3aba61d93d7373c83bc017ce454816c109137768f0103454b8

Download Submit