2fc78fefdf5992b54b40b9b6b01fac55ada2701b37d19b5a0e2845ca6f9ae37e

Analysis

max time kernel
174s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e070f83083882exeexeexeex.exe
Size

204KB
MD5

8e070f8308388270db2540c52627e0bd
SHA1

1c8b770ee07bc215a9199be4317f18e32afd4013
SHA256

2fc78fefdf5992b54b40b9b6b01fac55ada2701b37d19b5a0e2845ca6f9ae37e
SHA512

7ca39662e13615982779b5f4e800fbf9a5089797c7959b7822b08e6714d7dbfdbbd04464832ace8da9277b26c71f765cdd5767510f837b03e97ef06565f06315
SSDEEP

1536:1EGh0oQl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oQl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C774E47-2847-4b69-88C7-B4CD2348880A}\stubpath = "C:\\Windows\\{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe"	8e070f83083882exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7E95084-4C84-4600-BA93-25F97A575D51}\stubpath = "C:\\Windows\\{C7E95084-4C84-4600-BA93-25F97A575D51}.exe"	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{723B1B27-DD2C-4759-9622-688132AE7061}	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}	{723B1B27-DD2C-4759-9622-688132AE7061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}\stubpath = "C:\\Windows\\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe"	{723B1B27-DD2C-4759-9622-688132AE7061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E52DA4BD-198F-4175-8DD6-192A1D97247A}\stubpath = "C:\\Windows\\{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe"	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18446FF3-2D9B-410a-81B4-32A252795BB2}	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC1E2A33-5C87-4709-8264-005B83072EE3}	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}\stubpath = "C:\\Windows\\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe"	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}\stubpath = "C:\\Windows\\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe"	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}\stubpath = "C:\\Windows\\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe"	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18446FF3-2D9B-410a-81B4-32A252795BB2}\stubpath = "C:\\Windows\\{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe"	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00513C2E-7019-40fe-A5BC-6A63A308091B}	{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C774E47-2847-4b69-88C7-B4CD2348880A}	8e070f83083882exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC1E2A33-5C87-4709-8264-005B83072EE3}\stubpath = "C:\\Windows\\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe"	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E52DA4BD-198F-4175-8DD6-192A1D97247A}	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7E95084-4C84-4600-BA93-25F97A575D51}	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{723B1B27-DD2C-4759-9622-688132AE7061}\stubpath = "C:\\Windows\\{723B1B27-DD2C-4759-9622-688132AE7061}.exe"	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}\stubpath = "C:\\Windows\\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe"	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00513C2E-7019-40fe-A5BC-6A63A308091B}\stubpath = "C:\\Windows\\{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe"	{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe

Executes dropped EXE 12 IoCs

pid	Process
4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe
3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe
3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
4348	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
2972	{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe
2836	{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	{723B1B27-DD2C-4759-9622-688132AE7061}.exe
File created	C:\Windows\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
File created	C:\Windows\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
File created	C:\Windows\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
File created	C:\Windows\{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	8e070f83083882exeexeexeex.exe
File created	C:\Windows\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
File created	C:\Windows\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
File created	C:\Windows\{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
File created	C:\Windows\{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe	{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe
File created	C:\Windows\{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
File created	C:\Windows\{723B1B27-DD2C-4759-9622-688132AE7061}.exe	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
File created	C:\Windows\{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3248	8e070f83083882exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
Token: SeIncBasePriorityPrivilege	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
Token: SeIncBasePriorityPrivilege	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
Token: SeIncBasePriorityPrivilege	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
Token: SeIncBasePriorityPrivilege	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe
Token: SeIncBasePriorityPrivilege	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
Token: SeIncBasePriorityPrivilege	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
Token: SeIncBasePriorityPrivilege	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe
Token: SeIncBasePriorityPrivilege	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
Token: SeIncBasePriorityPrivilege	4348	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
Token: SeIncBasePriorityPrivilege	2972	{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 4568	3248	8e070f83083882exeexeexeex.exe	86
PID 3248 wrote to memory of 4568	3248	8e070f83083882exeexeexeex.exe	86
PID 3248 wrote to memory of 4568	3248	8e070f83083882exeexeexeex.exe	86
PID 3248 wrote to memory of 4560	3248	8e070f83083882exeexeexeex.exe	87
PID 3248 wrote to memory of 4560	3248	8e070f83083882exeexeexeex.exe	87
PID 3248 wrote to memory of 4560	3248	8e070f83083882exeexeexeex.exe	87
PID 4568 wrote to memory of 376	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	88
PID 4568 wrote to memory of 376	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	88
PID 4568 wrote to memory of 376	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	88
PID 4568 wrote to memory of 924	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	89
PID 4568 wrote to memory of 924	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	89
PID 4568 wrote to memory of 924	4568	{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe	89
PID 376 wrote to memory of 852	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	91
PID 376 wrote to memory of 852	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	91
PID 376 wrote to memory of 852	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	91
PID 376 wrote to memory of 4800	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	90
PID 376 wrote to memory of 4800	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	90
PID 376 wrote to memory of 4800	376	{C7E95084-4C84-4600-BA93-25F97A575D51}.exe	90
PID 852 wrote to memory of 5056	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	93
PID 852 wrote to memory of 5056	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	93
PID 852 wrote to memory of 5056	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	93
PID 852 wrote to memory of 3276	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	94
PID 852 wrote to memory of 3276	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	94
PID 852 wrote to memory of 3276	852	{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe	94
PID 5056 wrote to memory of 5036	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	95
PID 5056 wrote to memory of 5036	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	95
PID 5056 wrote to memory of 5036	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	95
PID 5056 wrote to memory of 5084	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	96
PID 5056 wrote to memory of 5084	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	96
PID 5056 wrote to memory of 5084	5056	{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe	96
PID 5036 wrote to memory of 3448	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe	97
PID 5036 wrote to memory of 3448	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe	97
PID 5036 wrote to memory of 3448	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe	97
PID 5036 wrote to memory of 2428	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe	98
PID 5036 wrote to memory of 2428	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe	98
PID 5036 wrote to memory of 2428	5036	{723B1B27-DD2C-4759-9622-688132AE7061}.exe	98
PID 3448 wrote to memory of 4964	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	99
PID 3448 wrote to memory of 4964	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	99
PID 3448 wrote to memory of 4964	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	99
PID 3448 wrote to memory of 3784	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	100
PID 3448 wrote to memory of 3784	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	100
PID 3448 wrote to memory of 3784	3448	{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe	100
PID 4964 wrote to memory of 1372	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	101
PID 4964 wrote to memory of 1372	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	101
PID 4964 wrote to memory of 1372	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	101
PID 4964 wrote to memory of 776	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	102
PID 4964 wrote to memory of 776	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	102
PID 4964 wrote to memory of 776	4964	{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe	102
PID 1372 wrote to memory of 3200	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	103
PID 1372 wrote to memory of 3200	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	103
PID 1372 wrote to memory of 3200	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	103
PID 1372 wrote to memory of 4196	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	104
PID 1372 wrote to memory of 4196	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	104
PID 1372 wrote to memory of 4196	1372	{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe	104
PID 3200 wrote to memory of 4348	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	105
PID 3200 wrote to memory of 4348	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	105
PID 3200 wrote to memory of 4348	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	105
PID 3200 wrote to memory of 3348	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	106
PID 3200 wrote to memory of 3348	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	106
PID 3200 wrote to memory of 3348	3200	{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe	106
PID 4348 wrote to memory of 2972	4348	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe	107
PID 4348 wrote to memory of 2972	4348	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe	107
PID 4348 wrote to memory of 2972	4348	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe	107
PID 4348 wrote to memory of 2560	4348	{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe	108

C:\Users\Admin\AppData\Local\Temp\8e070f83083882exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\8e070f83083882exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
  C:\Windows\{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
    C:\Windows\{C7E95084-4C84-4600-BA93-25F97A575D51}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E95~1.EXE > nul
      4⤵
      PID:4800
  - - C:\Windows\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
      C:\Windows\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
        
        C:\Windows\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
      - C:\Windows\{723B1B27-DD2C-4759-9622-688132AE7061}.exe
        
        C:\Windows\{723B1B27-DD2C-4759-9622-688132AE7061}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
        
        C:\Windows\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
        
        C:\Windows\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe
        
        C:\Windows\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
        
        C:\Windows\{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
        
        C:\Windows\{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe
        
        C:\Windows\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe
        
        C:\Windows\{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62CD0~1.EXE > nul
        13⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18446~1.EXE > nul
        12⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E52DA~1.EXE > nul
        11⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11141~1.EXE > nul
        10⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D7BD~1.EXE > nul
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99A15~1.EXE > nul
        8⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{723B1~1.EXE > nul
        7⤵
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4E4D~1.EXE > nul
        6⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1E2~1.EXE > nul
        5⤵
        
        PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C774~1.EXE > nul
    3⤵
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E070F~1.EXE > nul
  2⤵
  PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe

Filesize
204KB

MD5
b3cd2d942d74d219d517cab4711c84e9

SHA1
54bc7cf3cd7eabe49d0005806786b9844d13dd18

SHA256
7d95530ee519c82f3692595cac756e27373f1d432e82b8be9b383423779df430

SHA512
d0d5351991c0fd3180dfd45358ffd785ee713724bbde0809b2bdea17ee2880ebe541d2940ddc0a5747cde74145245ddfa934c6f3136cac4bef890af8eb2933ae

Download Submit
C:\Windows\{00513C2E-7019-40fe-A5BC-6A63A308091B}.exe

Filesize
204KB

MD5
b3cd2d942d74d219d517cab4711c84e9

SHA1
54bc7cf3cd7eabe49d0005806786b9844d13dd18

SHA256
7d95530ee519c82f3692595cac756e27373f1d432e82b8be9b383423779df430

SHA512
d0d5351991c0fd3180dfd45358ffd785ee713724bbde0809b2bdea17ee2880ebe541d2940ddc0a5747cde74145245ddfa934c6f3136cac4bef890af8eb2933ae

Download Submit
C:\Windows\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe

Filesize
204KB

MD5
748ab461eaa4e00a8ffce672b6a5efd5

SHA1
beee75fc05ecd2abad528df9ddd64abed203ad8f

SHA256
6c47a8690f119d3e22f228a9e3c2014f392c693ac684ac4ad1d928c7ccd7cea7

SHA512
379a7401dcf4303fde30248c9f510bac1e4673aefd33c62900b231a73fa7c2b185388d4d6defa756b2d70f65bc41698dd1db8d17879e9b221a39bc111862def1

Download Submit
C:\Windows\{11141FF5-AE53-49e4-82E9-4B5E6B1B0E89}.exe

Filesize
204KB

MD5
748ab461eaa4e00a8ffce672b6a5efd5

SHA1
beee75fc05ecd2abad528df9ddd64abed203ad8f

SHA256
6c47a8690f119d3e22f228a9e3c2014f392c693ac684ac4ad1d928c7ccd7cea7

SHA512
379a7401dcf4303fde30248c9f510bac1e4673aefd33c62900b231a73fa7c2b185388d4d6defa756b2d70f65bc41698dd1db8d17879e9b221a39bc111862def1

Download Submit
C:\Windows\{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe

Filesize
204KB

MD5
c565f8592d04605be963b3f5c9961b3e

SHA1
55a1051f98977b43342029c7ecb039111c21306f

SHA256
1112477b9e4ae9c69b51b494637dae3814dd8e9a03ac7d7aeec95e264f11df23

SHA512
d24563de190906f18fb820dfff4941d21ba66742bcbdda671f3fd26f531bf9a78d6bbd1400df007fc505012c6ff51426a35fa48652ec9d72c77eab728e97c014

Download Submit
C:\Windows\{18446FF3-2D9B-410a-81B4-32A252795BB2}.exe

Filesize
204KB

MD5
c565f8592d04605be963b3f5c9961b3e

SHA1
55a1051f98977b43342029c7ecb039111c21306f

SHA256
1112477b9e4ae9c69b51b494637dae3814dd8e9a03ac7d7aeec95e264f11df23

SHA512
d24563de190906f18fb820dfff4941d21ba66742bcbdda671f3fd26f531bf9a78d6bbd1400df007fc505012c6ff51426a35fa48652ec9d72c77eab728e97c014

Download Submit
C:\Windows\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe

Filesize
204KB

MD5
0a5c736b335a5466273b9a9c62b9e7fd

SHA1
0613435c1d999bc78ffc883456ce1dcbf3cdbc03

SHA256
6813851f49c5d6234c13f82b82b2ef58723007e6a61e3ffeb2129b80115e9617

SHA512
e57e195c234af574e9a34b567aabace9b295609b941f445d9b21d53232e6c1842fae99814134719f26172ba6c62b3528095ce56e760d9c6cb560682c40532b99

Download Submit
C:\Windows\{62CD0F9C-8070-494d-9BBE-69A3A68520B9}.exe

Filesize
204KB

MD5
0a5c736b335a5466273b9a9c62b9e7fd

SHA1
0613435c1d999bc78ffc883456ce1dcbf3cdbc03

SHA256
6813851f49c5d6234c13f82b82b2ef58723007e6a61e3ffeb2129b80115e9617

SHA512
e57e195c234af574e9a34b567aabace9b295609b941f445d9b21d53232e6c1842fae99814134719f26172ba6c62b3528095ce56e760d9c6cb560682c40532b99

Download Submit
C:\Windows\{723B1B27-DD2C-4759-9622-688132AE7061}.exe

Filesize
204KB

MD5
53399c317246bb9245863f0eb7685dda

SHA1
339e8db5fcd155912182c7cea3bac6afd4db1046

SHA256
e3d869cd93658e7ccf4402de63ff0741faec7d8a52e2ed4bba2e2a1eaf510ebe

SHA512
95d31060e74fbe29576f54658e900ecac770416d4b5443052524c13179f68d844e00549d654a9e422a2f3fd1c62f343aa58f76b2154391bf2e81d509176df42a

Download Submit
C:\Windows\{723B1B27-DD2C-4759-9622-688132AE7061}.exe

Filesize
204KB

MD5
53399c317246bb9245863f0eb7685dda

SHA1
339e8db5fcd155912182c7cea3bac6afd4db1046

SHA256
e3d869cd93658e7ccf4402de63ff0741faec7d8a52e2ed4bba2e2a1eaf510ebe

SHA512
95d31060e74fbe29576f54658e900ecac770416d4b5443052524c13179f68d844e00549d654a9e422a2f3fd1c62f343aa58f76b2154391bf2e81d509176df42a

Download Submit
C:\Windows\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe

Filesize
204KB

MD5
64de70b191ab5bad96707369819994ba

SHA1
54efa5b60a8df93a25512aa2bb2eb0ef2fc81aa7

SHA256
b66705ad36cefb6765743a79efa878d5787c8ac1a144ae9e08bbeddb4bf6cb48

SHA512
00cf7051a1598f1f15e49c08a899d71292207871ed1cb81719bba7f61d7abf7908c9f3aa5b26b8e42165a03494bce89f5785e045d2af533ae0c1d0487d13a0e6

Download Submit
C:\Windows\{7D7BD19B-1475-4adc-BBBC-AC947D07F9D1}.exe

Filesize
204KB

MD5
64de70b191ab5bad96707369819994ba

SHA1
54efa5b60a8df93a25512aa2bb2eb0ef2fc81aa7

SHA256
b66705ad36cefb6765743a79efa878d5787c8ac1a144ae9e08bbeddb4bf6cb48

SHA512
00cf7051a1598f1f15e49c08a899d71292207871ed1cb81719bba7f61d7abf7908c9f3aa5b26b8e42165a03494bce89f5785e045d2af533ae0c1d0487d13a0e6

Download Submit
C:\Windows\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe

Filesize
204KB

MD5
021422aa5e46af17b1b7c493f33e6f70

SHA1
583544057cb79c311a1a12700317853dec7b3eb4

SHA256
c308da182db1f665838e4428ef307005be93296d7b05f26a5cac2abc7df6110d

SHA512
84af0a1e664aefabccc3e239270166a2cc018992e4c7ab4700c75da5a77f0a6cb36b869cce2284a84971d846d9b4ac4a62bb2751cc628134e4b4e387372f3f22

Download Submit
C:\Windows\{99A15057-1EA7-4f8a-9C03-45123ECDCF01}.exe

Filesize
204KB

MD5
021422aa5e46af17b1b7c493f33e6f70

SHA1
583544057cb79c311a1a12700317853dec7b3eb4

SHA256
c308da182db1f665838e4428ef307005be93296d7b05f26a5cac2abc7df6110d

SHA512
84af0a1e664aefabccc3e239270166a2cc018992e4c7ab4700c75da5a77f0a6cb36b869cce2284a84971d846d9b4ac4a62bb2751cc628134e4b4e387372f3f22

Download Submit
C:\Windows\{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe

Filesize
204KB

MD5
0dc89920fe69eb32da00cac377df72c2

SHA1
9f79890100d64d461e896b89c607429c38d58198

SHA256
91a9d36df4040eb432616eb550282d78ab70fa26b47c1d6c62dac2079d61f509

SHA512
802db06e3d396c0e022f1a3ef92f23f9145729a5859df0553d8f5261f369c733a40b9f1c34dabb2a234398374684eedfc7415f85f0be54b9c60a4df2ca3d4195

Download Submit
C:\Windows\{9C774E47-2847-4b69-88C7-B4CD2348880A}.exe

Filesize
204KB

MD5
0dc89920fe69eb32da00cac377df72c2

SHA1
9f79890100d64d461e896b89c607429c38d58198

SHA256
91a9d36df4040eb432616eb550282d78ab70fa26b47c1d6c62dac2079d61f509

SHA512
802db06e3d396c0e022f1a3ef92f23f9145729a5859df0553d8f5261f369c733a40b9f1c34dabb2a234398374684eedfc7415f85f0be54b9c60a4df2ca3d4195

Download Submit
C:\Windows\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe

Filesize
204KB

MD5
82f6420fbedbcf94a1a5f54ab71ae42f

SHA1
b5ab34dbb4c3e8345fd702a0d6da2f1cc6c5e2af

SHA256
0406443730c748273f27ea9f4236e3b5219636f4e276171155e5b22b4ba8cb79

SHA512
86d529042a808b2426de61d8c8cf73eebd40af936631ae96b37d8e37f523f1ebd16087d295666a666603664439b817ec62f9585b2831aa88b7970284bef891d9

Download Submit
C:\Windows\{A4E4DC6F-FFE7-4114-9B60-C916B6BEEC06}.exe

Filesize
204KB

MD5
82f6420fbedbcf94a1a5f54ab71ae42f

SHA1
b5ab34dbb4c3e8345fd702a0d6da2f1cc6c5e2af

SHA256
0406443730c748273f27ea9f4236e3b5219636f4e276171155e5b22b4ba8cb79

SHA512
86d529042a808b2426de61d8c8cf73eebd40af936631ae96b37d8e37f523f1ebd16087d295666a666603664439b817ec62f9585b2831aa88b7970284bef891d9

Download Submit
C:\Windows\{C7E95084-4C84-4600-BA93-25F97A575D51}.exe

Filesize
204KB

MD5
9fbb62eac1eab840a1a1a30fe702174f

SHA1
ecf135fe5eadd6e767773cf2e430f32b4a8104c6

SHA256
6fac008c3cea9d2e7fb24296627ea53c22c6a1b3258f21d838c2df878e6659ff

SHA512
d873dd14fb4fa5eb64f985ba9a63924b6658b24800be72244d7918800c645334496d0967846b4efb6089e301c7049f90b22bdaa017b4a84707ef0332be5a28be

Download Submit
C:\Windows\{C7E95084-4C84-4600-BA93-25F97A575D51}.exe

Filesize
204KB

MD5
9fbb62eac1eab840a1a1a30fe702174f

SHA1
ecf135fe5eadd6e767773cf2e430f32b4a8104c6

SHA256
6fac008c3cea9d2e7fb24296627ea53c22c6a1b3258f21d838c2df878e6659ff

SHA512
d873dd14fb4fa5eb64f985ba9a63924b6658b24800be72244d7918800c645334496d0967846b4efb6089e301c7049f90b22bdaa017b4a84707ef0332be5a28be

Download Submit
C:\Windows\{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe

Filesize
204KB

MD5
2dea6612d0851ef0d60eb3e608ae9fcd

SHA1
f95300cdd0ce7742ff7dbffa06397e69b9bb0ec5

SHA256
959ef2365af89309552fde4931ce53a91065645d34039930ede8c41549109ce0

SHA512
46f7aad1976586be30aa3d728ebd1a78772de0147707bc1238dcaf1d19bdcb6d3c54a6f21190d6cdc86527b11d4251efec3e780320bf7666ca1ec04bd83cad33

Download Submit
C:\Windows\{E52DA4BD-198F-4175-8DD6-192A1D97247A}.exe

Filesize
204KB

MD5
2dea6612d0851ef0d60eb3e608ae9fcd

SHA1
f95300cdd0ce7742ff7dbffa06397e69b9bb0ec5

SHA256
959ef2365af89309552fde4931ce53a91065645d34039930ede8c41549109ce0

SHA512
46f7aad1976586be30aa3d728ebd1a78772de0147707bc1238dcaf1d19bdcb6d3c54a6f21190d6cdc86527b11d4251efec3e780320bf7666ca1ec04bd83cad33

Download Submit
C:\Windows\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe

Filesize
204KB

MD5
32df8bd10d5e374a13a576c5ce002c0f

SHA1
cab8615214b4b2171b590cca1e315225543dded7

SHA256
fb0536971b838cd30885df35bf818aaa9e9fac6294f3216598c19861856a8960

SHA512
bd62ae336c76ada7ee53e5c1a9d539d4a8042244a1c0a4e982fbc56e460096767fcc593af6b6114c39153b9953c0edaad6510f236493c125598ab7e50fb139fb

Download Submit
C:\Windows\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe

Filesize
204KB

MD5
32df8bd10d5e374a13a576c5ce002c0f

SHA1
cab8615214b4b2171b590cca1e315225543dded7

SHA256
fb0536971b838cd30885df35bf818aaa9e9fac6294f3216598c19861856a8960

SHA512
bd62ae336c76ada7ee53e5c1a9d539d4a8042244a1c0a4e982fbc56e460096767fcc593af6b6114c39153b9953c0edaad6510f236493c125598ab7e50fb139fb

Download Submit
C:\Windows\{EC1E2A33-5C87-4709-8264-005B83072EE3}.exe

Filesize
204KB

MD5
32df8bd10d5e374a13a576c5ce002c0f

SHA1
cab8615214b4b2171b590cca1e315225543dded7

SHA256
fb0536971b838cd30885df35bf818aaa9e9fac6294f3216598c19861856a8960

SHA512
bd62ae336c76ada7ee53e5c1a9d539d4a8042244a1c0a4e982fbc56e460096767fcc593af6b6114c39153b9953c0edaad6510f236493c125598ab7e50fb139fb

Download Submit