1b402a42738b6fef10126c116c7870c138d876ed43d878bb47b31ec40add691f

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd793c66e1a45aexeexeexeex.exe
Size

372KB
MD5

bd793c66e1a45ad813696e928e72cf1c
SHA1

84823c6c138871de5bc265a52c2a8a3ad75e98ca
SHA256

1b402a42738b6fef10126c116c7870c138d876ed43d878bb47b31ec40add691f
SHA512

f0b93b33e980d1ec91f14ddf2d60ab54f6c0d3e4ba897a673e1d68e8c16e81686dfe6f156e662b9b8d1f3a4dd17d279f8dbb976b5317f5b165f0c667542d2e86
SSDEEP

3072:CEGh0oVmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGOl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}\stubpath = "C:\\Windows\\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe"	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C519A240-A1AC-4faa-9D50-A8379F6944A5}\stubpath = "C:\\Windows\\{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe"	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}\stubpath = "C:\\Windows\\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe"	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}\stubpath = "C:\\Windows\\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe"	bd793c66e1a45aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225ACCBB-2582-4f3c-B339-0D216BFF3804}	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}\stubpath = "C:\\Windows\\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe"	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}\stubpath = "C:\\Windows\\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe"	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C519A240-A1AC-4faa-9D50-A8379F6944A5}	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}\stubpath = "C:\\Windows\\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe"	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}\stubpath = "C:\\Windows\\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe"	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}\stubpath = "C:\\Windows\\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe"	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}	bd793c66e1a45aexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225ACCBB-2582-4f3c-B339-0D216BFF3804}\stubpath = "C:\\Windows\\{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe"	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}\stubpath = "C:\\Windows\\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe"	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe

Executes dropped EXE 11 IoCs

pid	Process
4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe
5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
5028	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe
112	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	bd793c66e1a45aexeexeexeex.exe
File created	C:\Windows\{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
File created	C:\Windows\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
File created	C:\Windows\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
File created	C:\Windows\{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
File created	C:\Windows\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
File created	C:\Windows\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
File created	C:\Windows\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
File created	C:\Windows\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe
File created	C:\Windows\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
File created	C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2844	bd793c66e1a45aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
Token: SeIncBasePriorityPrivilege	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
Token: SeIncBasePriorityPrivilege	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
Token: SeIncBasePriorityPrivilege	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
Token: SeIncBasePriorityPrivilege	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
Token: SeIncBasePriorityPrivilege	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
Token: SeIncBasePriorityPrivilege	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
Token: SeIncBasePriorityPrivilege	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe
Token: SeIncBasePriorityPrivilege	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
Token: SeIncBasePriorityPrivilege	5028	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4112	2844	bd793c66e1a45aexeexeexeex.exe	84
PID 2844 wrote to memory of 4112	2844	bd793c66e1a45aexeexeexeex.exe	84
PID 2844 wrote to memory of 4112	2844	bd793c66e1a45aexeexeexeex.exe	84
PID 2844 wrote to memory of 5044	2844	bd793c66e1a45aexeexeexeex.exe	85
PID 2844 wrote to memory of 5044	2844	bd793c66e1a45aexeexeexeex.exe	85
PID 2844 wrote to memory of 5044	2844	bd793c66e1a45aexeexeexeex.exe	85
PID 4112 wrote to memory of 3444	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	86
PID 4112 wrote to memory of 3444	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	86
PID 4112 wrote to memory of 3444	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	86
PID 4112 wrote to memory of 2012	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	87
PID 4112 wrote to memory of 2012	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	87
PID 4112 wrote to memory of 2012	4112	{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe	87
PID 3444 wrote to memory of 3600	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	91
PID 3444 wrote to memory of 3600	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	91
PID 3444 wrote to memory of 3600	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	91
PID 3444 wrote to memory of 100	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	92
PID 3444 wrote to memory of 100	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	92
PID 3444 wrote to memory of 100	3444	{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe	92
PID 3600 wrote to memory of 3488	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	93
PID 3600 wrote to memory of 3488	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	93
PID 3600 wrote to memory of 3488	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	93
PID 3600 wrote to memory of 2200	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	94
PID 3600 wrote to memory of 2200	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	94
PID 3600 wrote to memory of 2200	3600	{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe	94
PID 3488 wrote to memory of 3744	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	95
PID 3488 wrote to memory of 3744	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	95
PID 3488 wrote to memory of 3744	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	95
PID 3488 wrote to memory of 116	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	96
PID 3488 wrote to memory of 116	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	96
PID 3488 wrote to memory of 116	3488	{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe	96
PID 3744 wrote to memory of 2188	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	97
PID 3744 wrote to memory of 2188	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	97
PID 3744 wrote to memory of 2188	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	97
PID 3744 wrote to memory of 2152	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	98
PID 3744 wrote to memory of 2152	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	98
PID 3744 wrote to memory of 2152	3744	{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe	98
PID 2188 wrote to memory of 1404	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	99
PID 2188 wrote to memory of 1404	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	99
PID 2188 wrote to memory of 1404	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	99
PID 2188 wrote to memory of 4820	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	100
PID 2188 wrote to memory of 4820	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	100
PID 2188 wrote to memory of 4820	2188	{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe	100
PID 1404 wrote to memory of 1872	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	101
PID 1404 wrote to memory of 1872	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	101
PID 1404 wrote to memory of 1872	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	101
PID 1404 wrote to memory of 5108	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	102
PID 1404 wrote to memory of 5108	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	102
PID 1404 wrote to memory of 5108	1404	{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe	102
PID 1872 wrote to memory of 5104	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	103
PID 1872 wrote to memory of 5104	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	103
PID 1872 wrote to memory of 5104	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	103
PID 1872 wrote to memory of 3148	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	104
PID 1872 wrote to memory of 3148	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	104
PID 1872 wrote to memory of 3148	1872	{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe	104
PID 5104 wrote to memory of 5028	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	105
PID 5104 wrote to memory of 5028	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	105
PID 5104 wrote to memory of 5028	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	105
PID 5104 wrote to memory of 1776	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	106
PID 5104 wrote to memory of 1776	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	106
PID 5104 wrote to memory of 1776	5104	{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe	106
PID 5028 wrote to memory of 112	5028	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe	107
PID 5028 wrote to memory of 112	5028	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe	107
PID 5028 wrote to memory of 112	5028	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe	107
PID 5028 wrote to memory of 4740	5028	{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe	108

C:\Users\Admin\AppData\Local\Temp\bd793c66e1a45aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\bd793c66e1a45aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
  C:\Windows\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
    C:\Windows\{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
      C:\Windows\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
        
        C:\Windows\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
        
        C:\Windows\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
        
        C:\Windows\{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
        
        C:\Windows\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe
        
        C:\Windows\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
        
        C:\Windows\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe
        
        C:\Windows\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
        
        C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
        12⤵
        Executes dropped EXE
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C5B3~1.EXE > nul
        12⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F96F~1.EXE > nul
        11⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AF95~1.EXE > nul
        10⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C119~1.EXE > nul
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C519A~1.EXE > nul
        8⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B24A5~1.EXE > nul
        7⤵
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA23C~1.EXE > nul
        6⤵
        
        PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D78F~1.EXE > nul
        5⤵
        
        PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{225AC~1.EXE > nul
      4⤵
      PID:100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A4B26~1.EXE > nul
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BD793C~1.EXE > nul
  2⤵
  PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe

Filesize
372KB

MD5
c581780297643bf922d1b78a01f0d036

SHA1
86938a4096de0fc7c3713b97d8f2cd33ad2bfe15

SHA256
9327fbe992531e6426757e92aef94bf699c7a5254739576f967e274480fd84ce

SHA512
d9f93783823b80f72b0c34ce675f55b1913d1f8928e1f9ff7990138d9aca56753908438add07c459b27e15cb6c34310f5e8070d3ae8c233dcb1f9e02144c5c6e

Download Submit
C:\Windows\{0C119DCB-9754-4f0e-876D-B28D78CDDCB3}.exe

Filesize
372KB

MD5
c581780297643bf922d1b78a01f0d036

SHA1
86938a4096de0fc7c3713b97d8f2cd33ad2bfe15

SHA256
9327fbe992531e6426757e92aef94bf699c7a5254739576f967e274480fd84ce

SHA512
d9f93783823b80f72b0c34ce675f55b1913d1f8928e1f9ff7990138d9aca56753908438add07c459b27e15cb6c34310f5e8070d3ae8c233dcb1f9e02144c5c6e

Download Submit
C:\Windows\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe

Filesize
372KB

MD5
130e16b68e60597700849b73c99e97da

SHA1
7d73b77435b73434a3593a479f1cf19aedc92123

SHA256
85304ac497be5200de26f2fd40e04993ca25d59edeca392aab66bfa234e938d6

SHA512
098a9f7727b01205374460e67fc89284d3415881ee9dd12f373dd9e39f5de8683a1846ae5e7839398cee8759ecf53efd296a0b1c51c07d3e6b6f0b79f324da6a

Download Submit
C:\Windows\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe

Filesize
372KB

MD5
130e16b68e60597700849b73c99e97da

SHA1
7d73b77435b73434a3593a479f1cf19aedc92123

SHA256
85304ac497be5200de26f2fd40e04993ca25d59edeca392aab66bfa234e938d6

SHA512
098a9f7727b01205374460e67fc89284d3415881ee9dd12f373dd9e39f5de8683a1846ae5e7839398cee8759ecf53efd296a0b1c51c07d3e6b6f0b79f324da6a

Download Submit
C:\Windows\{0D78FA41-5690-4ab0-9A53-AB282D3ABDA9}.exe

Filesize
372KB

MD5
130e16b68e60597700849b73c99e97da

SHA1
7d73b77435b73434a3593a479f1cf19aedc92123

SHA256
85304ac497be5200de26f2fd40e04993ca25d59edeca392aab66bfa234e938d6

SHA512
098a9f7727b01205374460e67fc89284d3415881ee9dd12f373dd9e39f5de8683a1846ae5e7839398cee8759ecf53efd296a0b1c51c07d3e6b6f0b79f324da6a

Download Submit
C:\Windows\{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe

Filesize
372KB

MD5
2c80a2cefc2440487b61862fb070b8a7

SHA1
e26573a8aa17f9999c99f316b81229fb5acd30b5

SHA256
3af3e1bc339500813110a59eac7d6afa6eaa940463e2b7473cb7820f22fded64

SHA512
f0300813abb68142f43dcf503ec6872b76c1546e9b6ec5924d806a96033f501c4055fa1768fbc37eb140a53fb56f014a40b1dab185230c196217782cde199404

Download Submit
C:\Windows\{225ACCBB-2582-4f3c-B339-0D216BFF3804}.exe

Filesize
372KB

MD5
2c80a2cefc2440487b61862fb070b8a7

SHA1
e26573a8aa17f9999c99f316b81229fb5acd30b5

SHA256
3af3e1bc339500813110a59eac7d6afa6eaa940463e2b7473cb7820f22fded64

SHA512
f0300813abb68142f43dcf503ec6872b76c1546e9b6ec5924d806a96033f501c4055fa1768fbc37eb140a53fb56f014a40b1dab185230c196217782cde199404

Download Submit
C:\Windows\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe

Filesize
372KB

MD5
de16a500f24acdd17344cbf592791e9c

SHA1
7e7a46880597b55e58b759bd3506807b3239072d

SHA256
c586f1c298ba426b283c5754a881c04579b056178f8a0417ea53c506193c395c

SHA512
2927bd695b873edb9e3f1ef91018e0ad79e7e43963386cc27a3af2de0767a8bfe2ea4e52e5048578616b224bcb829860fe3173c1a66c03d1d52e4b03b5f43803

Download Submit
C:\Windows\{6AF959C3-F1DB-4c90-B3A9-12B4F2B67EA2}.exe

Filesize
372KB

MD5
de16a500f24acdd17344cbf592791e9c

SHA1
7e7a46880597b55e58b759bd3506807b3239072d

SHA256
c586f1c298ba426b283c5754a881c04579b056178f8a0417ea53c506193c395c

SHA512
2927bd695b873edb9e3f1ef91018e0ad79e7e43963386cc27a3af2de0767a8bfe2ea4e52e5048578616b224bcb829860fe3173c1a66c03d1d52e4b03b5f43803

Download Submit
C:\Windows\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe

Filesize
372KB

MD5
a476b69ba56cb05b9be28b684acaaa55

SHA1
0ebb909c2861ad36651371b0d5774a9a7dda4f24

SHA256
55e69641ff7d32e420bed4b0d96177da887b94a6f4f327e0853b0f4ca8d67348

SHA512
e816c10d72cab914e9277bd783e5425fc9a547960fdaaaa501425959ad91bb2bc82ecf77025c3f1941e1cc9ef687eab0b4466c7ebe9690c5ef4354de647fa545

Download Submit
C:\Windows\{7F96FCB7-8982-4160-B96B-1E0ED8E936E8}.exe

Filesize
372KB

MD5
a476b69ba56cb05b9be28b684acaaa55

SHA1
0ebb909c2861ad36651371b0d5774a9a7dda4f24

SHA256
55e69641ff7d32e420bed4b0d96177da887b94a6f4f327e0853b0f4ca8d67348

SHA512
e816c10d72cab914e9277bd783e5425fc9a547960fdaaaa501425959ad91bb2bc82ecf77025c3f1941e1cc9ef687eab0b4466c7ebe9690c5ef4354de647fa545

Download Submit
C:\Windows\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe

Filesize
372KB

MD5
eaa8446482baf5d9e84f44b8ff5bce3a

SHA1
e970bf96f603635432eb47acabdec9fb95aae018

SHA256
5bd1bcd58acc1c768c83df68d6828cdd2e8fa9ccbf7c97cd71fde831948e1be6

SHA512
23151089da91f002bddfb9ae94905afe7cb19a32ec5651858b0d87031971f25cd37a6aedefbe89fc4e22a390d81b441116ab89c53796ca950c1c5ba6680f657a

Download Submit
C:\Windows\{9C5B3505-27EC-4d54-A359-5EECBC1F86D2}.exe

Filesize
372KB

MD5
eaa8446482baf5d9e84f44b8ff5bce3a

SHA1
e970bf96f603635432eb47acabdec9fb95aae018

SHA256
5bd1bcd58acc1c768c83df68d6828cdd2e8fa9ccbf7c97cd71fde831948e1be6

SHA512
23151089da91f002bddfb9ae94905afe7cb19a32ec5651858b0d87031971f25cd37a6aedefbe89fc4e22a390d81b441116ab89c53796ca950c1c5ba6680f657a

Download Submit
C:\Windows\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe

Filesize
372KB

MD5
0aba103ec3c372c6d830b03b6f252e9a

SHA1
037d79b07de13162d07259d323363eaa0c38b21c

SHA256
1d070e99da7d1e7ba88f24ccf7c4c9700ba940ac2d8e5df89a49bd163e6e9cf9

SHA512
4b51e8eca179a9c4efb4944a9d3a611bdf3553e7877c99e25786524114b560ae627a5ebef41632ff40d9a6ed2bb7e7477aed02498f99bc63bdd62fbc1dc2dc80

Download Submit
C:\Windows\{A4B2657E-95E2-4b2d-AB56-94FEB1308B78}.exe

Filesize
372KB

MD5
0aba103ec3c372c6d830b03b6f252e9a

SHA1
037d79b07de13162d07259d323363eaa0c38b21c

SHA256
1d070e99da7d1e7ba88f24ccf7c4c9700ba940ac2d8e5df89a49bd163e6e9cf9

SHA512
4b51e8eca179a9c4efb4944a9d3a611bdf3553e7877c99e25786524114b560ae627a5ebef41632ff40d9a6ed2bb7e7477aed02498f99bc63bdd62fbc1dc2dc80

Download Submit
C:\Windows\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe

Filesize
372KB

MD5
5cc4994f591b07004326f117871a2ca6

SHA1
5d45b59e0ebe030f8f0b59f7c537478d13e8c853

SHA256
e5e194cde756ecc4d5ddebcbe088717efdc9c9349a255d511be52dd68eb65532

SHA512
a739de16609ab8d8dd5130efb30e5fd1283c7e569f585018019f31365f8ed77e646157aabd367b8ba8646026a945889f629ecb0aa477c2a9bbacf68f4355260e

Download Submit
C:\Windows\{B24A5325-B1E3-42cd-B43E-C6CF09D25A14}.exe

Filesize
372KB

MD5
5cc4994f591b07004326f117871a2ca6

SHA1
5d45b59e0ebe030f8f0b59f7c537478d13e8c853

SHA256
e5e194cde756ecc4d5ddebcbe088717efdc9c9349a255d511be52dd68eb65532

SHA512
a739de16609ab8d8dd5130efb30e5fd1283c7e569f585018019f31365f8ed77e646157aabd367b8ba8646026a945889f629ecb0aa477c2a9bbacf68f4355260e

Download Submit
C:\Windows\{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe

Filesize
372KB

MD5
6490a86a9ba8e14dcf8d472f6e5e0444

SHA1
3301a31a035055247e988352f649aa91f0b657e0

SHA256
8cdcf4a8d9f8e9064d6ddef6dcb567341337be01a61d945dd677fdaa4108c9ac

SHA512
61a46ed37bf2922bbac612f5d460b41df8f278887adc705e9a72948a41cfeceb339f5692d0a94dbafb09fc19e1a0486b56ae604ad4e44839402ac8428b458541

Download Submit
C:\Windows\{C519A240-A1AC-4faa-9D50-A8379F6944A5}.exe

Filesize
372KB

MD5
6490a86a9ba8e14dcf8d472f6e5e0444

SHA1
3301a31a035055247e988352f649aa91f0b657e0

SHA256
8cdcf4a8d9f8e9064d6ddef6dcb567341337be01a61d945dd677fdaa4108c9ac

SHA512
61a46ed37bf2922bbac612f5d460b41df8f278887adc705e9a72948a41cfeceb339f5692d0a94dbafb09fc19e1a0486b56ae604ad4e44839402ac8428b458541

Download Submit
C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe

Filesize
372KB

MD5
d80a901203e6874ec53c8da203cbf39d

SHA1
368393f07b66258226e4cda458156f598c75079c

SHA256
9741ed946f6372a8657c817bdd2a16719f1566852011cb823c126ce4e6dc8ca0

SHA512
6e329a0a81d1ded85995afb0a3dc0c242ed321c09a1be7557c1519b30f426dcdf4bf6457aedaf4699219085ef55f0c59272b3b6c556402acdee107fa2f5de4fc

Download Submit
C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe

Filesize
372KB

MD5
d80a901203e6874ec53c8da203cbf39d

SHA1
368393f07b66258226e4cda458156f598c75079c

SHA256
9741ed946f6372a8657c817bdd2a16719f1566852011cb823c126ce4e6dc8ca0

SHA512
6e329a0a81d1ded85995afb0a3dc0c242ed321c09a1be7557c1519b30f426dcdf4bf6457aedaf4699219085ef55f0c59272b3b6c556402acdee107fa2f5de4fc

Download Submit
C:\Windows\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe

Filesize
372KB

MD5
36374fa3d48aa32c9da5771d445c7fa8

SHA1
b08ac7e0acca3db00367df9b5fada9014a7f603b

SHA256
c7dc01e4e73b116116aeda9f45903ef96a066c1790cbd70edb3f16026f9b5db7

SHA512
af0cfe0c01ca1166247c34ad22a0903bb218be509ef03c57c0f79f8b3df9f550dba3092555eaf025a7c83495995ad85261c5dc5d31a8f5e47620cd9a9e56339f

Download Submit
C:\Windows\{DA23CFE9-0DFD-41ca-B809-FF7E0F622205}.exe

Filesize
372KB

MD5
36374fa3d48aa32c9da5771d445c7fa8

SHA1
b08ac7e0acca3db00367df9b5fada9014a7f603b

SHA256
c7dc01e4e73b116116aeda9f45903ef96a066c1790cbd70edb3f16026f9b5db7

SHA512
af0cfe0c01ca1166247c34ad22a0903bb218be509ef03c57c0f79f8b3df9f550dba3092555eaf025a7c83495995ad85261c5dc5d31a8f5e47620cd9a9e56339f

Download Submit