a7ceba7f1aec52a4fecd4376b7a502f001a565eb392581e26a0a7a62688a153f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 13:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2d2219f83bc1eexeexeexeex.exe
Size

408KB
MD5

c2d2219f83bc1e00574b4a02ac14031d
SHA1

9098e59789f2548f8a3fdd139318eeb8a1584d8d
SHA256

a7ceba7f1aec52a4fecd4376b7a502f001a565eb392581e26a0a7a62688a153f
SHA512

d9c02193b94cd8e3510c9c0f12e7670299a38af9465b541cc01608bb6b1794a744ae1c379f7793bc068bb47178d50b9bde8ffc048fcd32cc8cf6facc2dc30255
SSDEEP

3072:CEGh0o8l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGOldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}\stubpath = "C:\\Windows\\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe"	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}\stubpath = "C:\\Windows\\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe"	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F247671-A663-4b7e-9BFF-954F5E36064B}	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{884D92AE-0135-4336-AAF3-109F7827E97D}\stubpath = "C:\\Windows\\{884D92AE-0135-4336-AAF3-109F7827E97D}.exe"	c2d2219f83bc1eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7199DC20-9067-4f09-BFDE-A494680F61B9}\stubpath = "C:\\Windows\\{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe"	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8198BA50-6077-4eda-8A3B-385764E083D4}	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8198BA50-6077-4eda-8A3B-385764E083D4}\stubpath = "C:\\Windows\\{8198BA50-6077-4eda-8A3B-385764E083D4}.exe"	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71E1135-8C56-4c72-A236-D561CBF3BE40}\stubpath = "C:\\Windows\\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe"	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}\stubpath = "C:\\Windows\\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe"	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}\stubpath = "C:\\Windows\\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe"	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}\stubpath = "C:\\Windows\\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe"	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7199DC20-9067-4f09-BFDE-A494680F61B9}	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71E1135-8C56-4c72-A236-D561CBF3BE40}	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21629D61-EC12-41dd-A306-6510077E4CDE}	{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F247671-A663-4b7e-9BFF-954F5E36064B}\stubpath = "C:\\Windows\\{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe"	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}\stubpath = "C:\\Windows\\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe"	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21629D61-EC12-41dd-A306-6510077E4CDE}\stubpath = "C:\\Windows\\{21629D61-EC12-41dd-A306-6510077E4CDE}.exe"	{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{884D92AE-0135-4336-AAF3-109F7827E97D}	c2d2219f83bc1eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe

Executes dropped EXE 12 IoCs

pid	Process
4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe
4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe
2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
3936	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
4200	{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe
3828	{21629D61-EC12-41dd-A306-6510077E4CDE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
File created	C:\Windows\{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
File created	C:\Windows\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe
File created	C:\Windows\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
File created	C:\Windows\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
File created	C:\Windows\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
File created	C:\Windows\{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
File created	C:\Windows\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
File created	C:\Windows\{21629D61-EC12-41dd-A306-6510077E4CDE}.exe	{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe
File created	C:\Windows\{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	c2d2219f83bc1eexeexeexeex.exe
File created	C:\Windows\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
File created	C:\Windows\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5088	c2d2219f83bc1eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
Token: SeIncBasePriorityPrivilege	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
Token: SeIncBasePriorityPrivilege	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe
Token: SeIncBasePriorityPrivilege	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe
Token: SeIncBasePriorityPrivilege	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
Token: SeIncBasePriorityPrivilege	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
Token: SeIncBasePriorityPrivilege	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
Token: SeIncBasePriorityPrivilege	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
Token: SeIncBasePriorityPrivilege	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
Token: SeIncBasePriorityPrivilege	3936	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
Token: SeIncBasePriorityPrivilege	4200	{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4268	5088	c2d2219f83bc1eexeexeexeex.exe	84
PID 5088 wrote to memory of 4268	5088	c2d2219f83bc1eexeexeexeex.exe	84
PID 5088 wrote to memory of 4268	5088	c2d2219f83bc1eexeexeexeex.exe	84
PID 5088 wrote to memory of 1756	5088	c2d2219f83bc1eexeexeexeex.exe	85
PID 5088 wrote to memory of 1756	5088	c2d2219f83bc1eexeexeexeex.exe	85
PID 5088 wrote to memory of 1756	5088	c2d2219f83bc1eexeexeexeex.exe	85
PID 4268 wrote to memory of 3440	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	86
PID 4268 wrote to memory of 3440	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	86
PID 4268 wrote to memory of 3440	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	86
PID 4268 wrote to memory of 708	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	87
PID 4268 wrote to memory of 708	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	87
PID 4268 wrote to memory of 708	4268	{884D92AE-0135-4336-AAF3-109F7827E97D}.exe	87
PID 3440 wrote to memory of 2696	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	91
PID 3440 wrote to memory of 2696	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	91
PID 3440 wrote to memory of 2696	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	91
PID 3440 wrote to memory of 4744	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	92
PID 3440 wrote to memory of 4744	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	92
PID 3440 wrote to memory of 4744	3440	{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe	92
PID 2696 wrote to memory of 4208	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	93
PID 2696 wrote to memory of 4208	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	93
PID 2696 wrote to memory of 4208	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	93
PID 2696 wrote to memory of 680	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	94
PID 2696 wrote to memory of 680	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	94
PID 2696 wrote to memory of 680	2696	{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe	94
PID 4208 wrote to memory of 2112	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	95
PID 4208 wrote to memory of 2112	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	95
PID 4208 wrote to memory of 2112	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	95
PID 4208 wrote to memory of 5008	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	96
PID 4208 wrote to memory of 5008	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	96
PID 4208 wrote to memory of 5008	4208	{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe	96
PID 2112 wrote to memory of 2508	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	98
PID 2112 wrote to memory of 2508	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	98
PID 2112 wrote to memory of 2508	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	98
PID 2112 wrote to memory of 4376	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	99
PID 2112 wrote to memory of 4376	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	99
PID 2112 wrote to memory of 4376	2112	{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe	99
PID 2508 wrote to memory of 1560	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	100
PID 2508 wrote to memory of 1560	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	100
PID 2508 wrote to memory of 1560	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	100
PID 2508 wrote to memory of 3608	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	101
PID 2508 wrote to memory of 3608	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	101
PID 2508 wrote to memory of 3608	2508	{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe	101
PID 1560 wrote to memory of 4780	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	102
PID 1560 wrote to memory of 4780	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	102
PID 1560 wrote to memory of 4780	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	102
PID 1560 wrote to memory of 2784	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	103
PID 1560 wrote to memory of 2784	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	103
PID 1560 wrote to memory of 2784	1560	{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe	103
PID 4780 wrote to memory of 2928	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	111
PID 4780 wrote to memory of 2928	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	111
PID 4780 wrote to memory of 2928	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	111
PID 4780 wrote to memory of 2936	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	112
PID 4780 wrote to memory of 2936	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	112
PID 4780 wrote to memory of 2936	4780	{8198BA50-6077-4eda-8A3B-385764E083D4}.exe	112
PID 2928 wrote to memory of 3936	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	113
PID 2928 wrote to memory of 3936	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	113
PID 2928 wrote to memory of 3936	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	113
PID 2928 wrote to memory of 2240	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	114
PID 2928 wrote to memory of 2240	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	114
PID 2928 wrote to memory of 2240	2928	{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe	114
PID 3936 wrote to memory of 4200	3936	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe	115
PID 3936 wrote to memory of 4200	3936	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe	115
PID 3936 wrote to memory of 4200	3936	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe	115
PID 3936 wrote to memory of 4908	3936	{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe	116

C:\Users\Admin\AppData\Local\Temp\c2d2219f83bc1eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2219f83bc1eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
  C:\Windows\{884D92AE-0135-4336-AAF3-109F7827E97D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
    C:\Windows\{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe
      C:\Windows\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe
        
        C:\Windows\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
        
        C:\Windows\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
        
        C:\Windows\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
        
        C:\Windows\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
        
        C:\Windows\{8198BA50-6077-4eda-8A3B-385764E083D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
        
        C:\Windows\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
        
        C:\Windows\{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe
        
        C:\Windows\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\{21629D61-EC12-41dd-A306-6510077E4CDE}.exe
        
        C:\Windows\{21629D61-EC12-41dd-A306-6510077E4CDE}.exe
        13⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B71B9~1.EXE > nul
        13⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F247~1.EXE > nul
        12⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D167~1.EXE > nul
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8198B~1.EXE > nul
        10⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD0FE~1.EXE > nul
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{860C0~1.EXE > nul
        8⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D84~1.EXE > nul
        7⤵
        
        PID:4376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7ED8~1.EXE > nul
        6⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B71E1~1.EXE > nul
        5⤵
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7199D~1.EXE > nul
      4⤵
      PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{884D9~1.EXE > nul
    3⤵
    PID:708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C2D221~1.EXE > nul
  2⤵
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe

Filesize
408KB

MD5
10402338780f6397c2c75607826de1aa

SHA1
b514404767cbe09257ad18413d360b38dfdc98d1

SHA256
0c69abe817d3a29e3454ace4810fb6fa8c6ab2eecfad16e8c269e9bfa5c01da7

SHA512
e1db9c22f9b3a1c27d64883d1544b91dfd1ebf1e0b6bce53e0b5d2f9f3dc160a13bd4f7a84da8f5ae6162d4bb425f6d51ced3c78d9f6931ad9a704b905aae683

Download Submit
C:\Windows\{1F247671-A663-4b7e-9BFF-954F5E36064B}.exe

Filesize
408KB

MD5
10402338780f6397c2c75607826de1aa

SHA1
b514404767cbe09257ad18413d360b38dfdc98d1

SHA256
0c69abe817d3a29e3454ace4810fb6fa8c6ab2eecfad16e8c269e9bfa5c01da7

SHA512
e1db9c22f9b3a1c27d64883d1544b91dfd1ebf1e0b6bce53e0b5d2f9f3dc160a13bd4f7a84da8f5ae6162d4bb425f6d51ced3c78d9f6931ad9a704b905aae683

Download Submit
C:\Windows\{21629D61-EC12-41dd-A306-6510077E4CDE}.exe

Filesize
408KB

MD5
58e19967b8f11ccba580c5ea3a914385

SHA1
f41b0d0d71115d7814ff24fd849a0179ba994528

SHA256
645ab2ba67e1cf70954ab02d757413043fc078610e83062f47cf7240ca6f4163

SHA512
33fd515294349b7ff69d7aedf393c222d5c706056fc0864e18a2d9be46868744a496b390fe34de49e4cd4e66c0e47f5a5d721364962e5654bf2fc00cac75c714

Download Submit
C:\Windows\{21629D61-EC12-41dd-A306-6510077E4CDE}.exe

Filesize
408KB

MD5
58e19967b8f11ccba580c5ea3a914385

SHA1
f41b0d0d71115d7814ff24fd849a0179ba994528

SHA256
645ab2ba67e1cf70954ab02d757413043fc078610e83062f47cf7240ca6f4163

SHA512
33fd515294349b7ff69d7aedf393c222d5c706056fc0864e18a2d9be46868744a496b390fe34de49e4cd4e66c0e47f5a5d721364962e5654bf2fc00cac75c714

Download Submit
C:\Windows\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe

Filesize
408KB

MD5
4762bc0e0a5905e05a4388d3421d1f86

SHA1
b0fcc2533f27ccf2928f74b9d4488291ecf8a12a

SHA256
7f8437bb1b20f3b5d1d31c4cc8d98654c540611601bf5287b87441237b7a8799

SHA512
e9c04e85b63a39e959c39f785d9eb2b8f65915aa1f5bdcd26db450f1404760fd169daa33ac40aac912fce16367e6121b69a6e1788738f9a3611b99a1b99310ca

Download Submit
C:\Windows\{3D167F94-3F1D-4b85-B5C8-3C9FE27D102E}.exe

Filesize
408KB

MD5
4762bc0e0a5905e05a4388d3421d1f86

SHA1
b0fcc2533f27ccf2928f74b9d4488291ecf8a12a

SHA256
7f8437bb1b20f3b5d1d31c4cc8d98654c540611601bf5287b87441237b7a8799

SHA512
e9c04e85b63a39e959c39f785d9eb2b8f65915aa1f5bdcd26db450f1404760fd169daa33ac40aac912fce16367e6121b69a6e1788738f9a3611b99a1b99310ca

Download Submit
C:\Windows\{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe

Filesize
408KB

MD5
bbe0f301ac2462cc8f6c5d58f325bf26

SHA1
4f20b7996e81dc88ac45fbc5d26417fa772daa7a

SHA256
34033dd6ecb2ff3d22df310012be741c9a9900db9432f2b2c069983e9072f90e

SHA512
82e9e1ffaeba3e8402af2500d2cf8dd4186c642c2daa8ea83a40c0be967fa5c39ec6928be5ea36eea1ff08e5f1ce3da61aea03934c1ac784dd16cad591ae4706

Download Submit
C:\Windows\{7199DC20-9067-4f09-BFDE-A494680F61B9}.exe

Filesize
408KB

MD5
bbe0f301ac2462cc8f6c5d58f325bf26

SHA1
4f20b7996e81dc88ac45fbc5d26417fa772daa7a

SHA256
34033dd6ecb2ff3d22df310012be741c9a9900db9432f2b2c069983e9072f90e

SHA512
82e9e1ffaeba3e8402af2500d2cf8dd4186c642c2daa8ea83a40c0be967fa5c39ec6928be5ea36eea1ff08e5f1ce3da61aea03934c1ac784dd16cad591ae4706

Download Submit
C:\Windows\{8198BA50-6077-4eda-8A3B-385764E083D4}.exe

Filesize
408KB

MD5
e6a67c60b4e52ff80a214c8659b60b43

SHA1
65d87da290a05e0246d915f2a0bb5fb78715b9d2

SHA256
3b70c24c001106fc9113cb30cf5e877ec12b2d9582cbb0b19c551d0f8f65e425

SHA512
e6184d4453de54040b681795e3d3930acdb70095ca6d3e449c95977baeb52abd286a5a8992211d31f41df5a300bc85e1f1b84e7d6a08cad67cc820b8a67239e1

Download Submit
C:\Windows\{8198BA50-6077-4eda-8A3B-385764E083D4}.exe

Filesize
408KB

MD5
e6a67c60b4e52ff80a214c8659b60b43

SHA1
65d87da290a05e0246d915f2a0bb5fb78715b9d2

SHA256
3b70c24c001106fc9113cb30cf5e877ec12b2d9582cbb0b19c551d0f8f65e425

SHA512
e6184d4453de54040b681795e3d3930acdb70095ca6d3e449c95977baeb52abd286a5a8992211d31f41df5a300bc85e1f1b84e7d6a08cad67cc820b8a67239e1

Download Submit
C:\Windows\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe

Filesize
408KB

MD5
02e80896dfd6efd4a8c026d3f07bf8f4

SHA1
bbc4e6d58a4edc39e541a8f862fd26cb118e2716

SHA256
1e8d0a1e6bad66dfa168b974de49fdd081dabee450b7ee7b200a3a54338eaf4d

SHA512
08a8c13633557c301c76c8d4a3c34a66c3eb5d02dff534db45b374e957f0d39162d32eb18ceacaba535515b0e11c0fd31cc8f1f7de466a64ac627eb113d01d50

Download Submit
C:\Windows\{860C037D-0F92-4aa5-907C-4BAD88D5F36F}.exe

Filesize
408KB

MD5
02e80896dfd6efd4a8c026d3f07bf8f4

SHA1
bbc4e6d58a4edc39e541a8f862fd26cb118e2716

SHA256
1e8d0a1e6bad66dfa168b974de49fdd081dabee450b7ee7b200a3a54338eaf4d

SHA512
08a8c13633557c301c76c8d4a3c34a66c3eb5d02dff534db45b374e957f0d39162d32eb18ceacaba535515b0e11c0fd31cc8f1f7de466a64ac627eb113d01d50

Download Submit
C:\Windows\{884D92AE-0135-4336-AAF3-109F7827E97D}.exe

Filesize
408KB

MD5
de723681ef696dd0da7b6232dc041c05

SHA1
83046590bcdcf7de2dd6909c96ad1968735b2c05

SHA256
2d81d8fa06cd809d1b8da4f4331f7f1222278b57715bf8f4378adae0092227df

SHA512
58843511d4b373f2fef38fc2ebe55801f01897f8f8e3e3d7be466afb8656f6a8e9edeb24c26bc9317fce59e8b44eab4f33265cc23d8564df1bb66e61dd690c1d

Download Submit
C:\Windows\{884D92AE-0135-4336-AAF3-109F7827E97D}.exe

Filesize
408KB

MD5
de723681ef696dd0da7b6232dc041c05

SHA1
83046590bcdcf7de2dd6909c96ad1968735b2c05

SHA256
2d81d8fa06cd809d1b8da4f4331f7f1222278b57715bf8f4378adae0092227df

SHA512
58843511d4b373f2fef38fc2ebe55801f01897f8f8e3e3d7be466afb8656f6a8e9edeb24c26bc9317fce59e8b44eab4f33265cc23d8564df1bb66e61dd690c1d

Download Submit
C:\Windows\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe

Filesize
408KB

MD5
898709eae45ddd5bc849b63aefd2324a

SHA1
19f50f4f5b59051cf041011affd22494c724ca35

SHA256
2226e324da65dfae35e18436cb7ab36b48629367b0b11da90b70a7e37e06b895

SHA512
2fee916d0ac16a5d658cead37d017847525caa2bc7847efd4ca9117408c1217e36828f22e40b07f4096b3491781657f5eef99b11d4822a83074da3b386f584fc

Download Submit
C:\Windows\{AD0FEF8A-8E87-4719-ADE5-3469DED06D8C}.exe

Filesize
408KB

MD5
898709eae45ddd5bc849b63aefd2324a

SHA1
19f50f4f5b59051cf041011affd22494c724ca35

SHA256
2226e324da65dfae35e18436cb7ab36b48629367b0b11da90b70a7e37e06b895

SHA512
2fee916d0ac16a5d658cead37d017847525caa2bc7847efd4ca9117408c1217e36828f22e40b07f4096b3491781657f5eef99b11d4822a83074da3b386f584fc

Download Submit
C:\Windows\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe

Filesize
408KB

MD5
0526638d0098d9b742215e850fc85a2a

SHA1
19ffaba980a3100749c85860d0cce5753d21557d

SHA256
0a2743d776ab26f44cdb0031af2c8d0acd46052608a4d11a6b73bf42e96ed7ed

SHA512
6fa909f8a984852a57c71c3f53a54429a6e519eec758bd7fc5387ed70825edf8c96200b5071349d920a685eff6bf007b525882ffb7516335ae0223be51ec4089

Download Submit
C:\Windows\{B2D84E85-78B3-4188-9BCF-C2DA37A9994D}.exe

Filesize
408KB

MD5
0526638d0098d9b742215e850fc85a2a

SHA1
19ffaba980a3100749c85860d0cce5753d21557d

SHA256
0a2743d776ab26f44cdb0031af2c8d0acd46052608a4d11a6b73bf42e96ed7ed

SHA512
6fa909f8a984852a57c71c3f53a54429a6e519eec758bd7fc5387ed70825edf8c96200b5071349d920a685eff6bf007b525882ffb7516335ae0223be51ec4089

Download Submit
C:\Windows\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe

Filesize
408KB

MD5
b3354fd52c53382d5770f8b5db8373c1

SHA1
a6ff28a0157c6e2dbb2ec5463da296526a7e2b8e

SHA256
7d3044ab2e5a04ed32d7f1c87f86c802d13b1097641f33c48c74ba1ec800b9b9

SHA512
2da584debc76d717ea04480d90f4fec8300bb5a902ba954e4a1bde46952210d59a3516562d89c5fe8562ca891b048159fef766382b958e08ba39e150d87dde44

Download Submit
C:\Windows\{B71B93AF-03B1-4d39-AF13-EB336C5E63E3}.exe

Filesize
408KB

MD5
b3354fd52c53382d5770f8b5db8373c1

SHA1
a6ff28a0157c6e2dbb2ec5463da296526a7e2b8e

SHA256
7d3044ab2e5a04ed32d7f1c87f86c802d13b1097641f33c48c74ba1ec800b9b9

SHA512
2da584debc76d717ea04480d90f4fec8300bb5a902ba954e4a1bde46952210d59a3516562d89c5fe8562ca891b048159fef766382b958e08ba39e150d87dde44

Download Submit
C:\Windows\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe

Filesize
408KB

MD5
399a0f7f550825d402c30725918d9681

SHA1
416b13584e51fb1821a0a1841502d2e1f5abd582

SHA256
b8b16d7808a8c38ccfeb95a160c397f9561b6273023d3123099490a3086a7695

SHA512
2221f2fff48b1bc167d800c023dd074e4614921af2b44765c001e06becac2e69aa6404bbba6413563189091287b89a9cf1845cda20fd4dcd12bb0d67097c690c

Download Submit
C:\Windows\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe

Filesize
408KB

MD5
399a0f7f550825d402c30725918d9681

SHA1
416b13584e51fb1821a0a1841502d2e1f5abd582

SHA256
b8b16d7808a8c38ccfeb95a160c397f9561b6273023d3123099490a3086a7695

SHA512
2221f2fff48b1bc167d800c023dd074e4614921af2b44765c001e06becac2e69aa6404bbba6413563189091287b89a9cf1845cda20fd4dcd12bb0d67097c690c

Download Submit
C:\Windows\{B71E1135-8C56-4c72-A236-D561CBF3BE40}.exe

Filesize
408KB

MD5
399a0f7f550825d402c30725918d9681

SHA1
416b13584e51fb1821a0a1841502d2e1f5abd582

SHA256
b8b16d7808a8c38ccfeb95a160c397f9561b6273023d3123099490a3086a7695

SHA512
2221f2fff48b1bc167d800c023dd074e4614921af2b44765c001e06becac2e69aa6404bbba6413563189091287b89a9cf1845cda20fd4dcd12bb0d67097c690c

Download Submit
C:\Windows\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe

Filesize
408KB

MD5
38bffc495fe1dfa7595b3b985e954e1c

SHA1
9abf2c32bb745b7d6807b5d577248523499f8c93

SHA256
9b703a29479218f95e80097a48c23f9859804b4f0e3d7a4436e974234000bac3

SHA512
35cb2f088fcf999e16967291dcc93bd7b07c880c1be057c303382bcbff050482cb828ae84fcf88e08ac68c3fa9b28ab967b34c3fd03ad19d57ac676ff92e1017

Download Submit
C:\Windows\{E7ED84C8-CBE3-47d3-877F-EF6086FDF757}.exe

Filesize
408KB

MD5
38bffc495fe1dfa7595b3b985e954e1c

SHA1
9abf2c32bb745b7d6807b5d577248523499f8c93

SHA256
9b703a29479218f95e80097a48c23f9859804b4f0e3d7a4436e974234000bac3

SHA512
35cb2f088fcf999e16967291dcc93bd7b07c880c1be057c303382bcbff050482cb828ae84fcf88e08ac68c3fa9b28ab967b34c3fd03ad19d57ac676ff92e1017

Download Submit