32070e944fe02ec9e2b6940f027ec4453863fc61a18bb1ec226ca4ea7600990c

Analysis

max time kernel
145s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c54e0a072e85c1exeexeexeex.exe
Size

168KB
MD5

c54e0a072e85c1a65aa68e6abe11c1d4
SHA1

182c014180f5786f768e38b7f4fe294b9569ff81
SHA256

32070e944fe02ec9e2b6940f027ec4453863fc61a18bb1ec226ca4ea7600990c
SHA512

6fdbc621916d3a4b44a07922dfc835e142735b02d35d3acb29a47afa70744908ab29b54f6db62c3b73a61b38528763c677b31bae0dbad8530f293aca338800e0
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E37BC74B-8297-4d90-BF80-06B9055094BC}	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}\stubpath = "C:\\Windows\\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe"	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}\stubpath = "C:\\Windows\\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe"	{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}\stubpath = "C:\\Windows\\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe"	{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{984EB291-1E74-45d8-B654-C87CB35C73CB}	{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96583580-D884-49e7-89CE-22B3C26B349E}\stubpath = "C:\\Windows\\{96583580-D884-49e7-89CE-22B3C26B349E}.exe"	{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}\stubpath = "C:\\Windows\\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe"	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78223301-0669-44c9-BEA7-7D14E94E76A6}	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80483B42-8D94-454d-B5AA-E90315132F52}\stubpath = "C:\\Windows\\{80483B42-8D94-454d-B5AA-E90315132F52}.exe"	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}	{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{984EB291-1E74-45d8-B654-C87CB35C73CB}\stubpath = "C:\\Windows\\{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe"	{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96583580-D884-49e7-89CE-22B3C26B349E}	{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78223301-0669-44c9-BEA7-7D14E94E76A6}\stubpath = "C:\\Windows\\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe"	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80483B42-8D94-454d-B5AA-E90315132F52}	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}\stubpath = "C:\\Windows\\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe"	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}\stubpath = "C:\\Windows\\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe"	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}\stubpath = "C:\\Windows\\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe"	{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831DC236-DD0C-419d-8496-F1A969830BBA}	c54e0a072e85c1exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831DC236-DD0C-419d-8496-F1A969830BBA}\stubpath = "C:\\Windows\\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe"	c54e0a072e85c1exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E37BC74B-8297-4d90-BF80-06B9055094BC}\stubpath = "C:\\Windows\\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe"	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}	{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}	{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
3052	{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe
2776	{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
2188	{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe
2620	{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
2900	{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe
1904	{96583580-D884-49e7-89CE-22B3C26B349E}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe	{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
File created	C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	c54e0a072e85c1exeexeexeex.exe
File created	C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
File created	C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
File created	C:\Windows\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
File created	C:\Windows\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe	{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe
File created	C:\Windows\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe	{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
File created	C:\Windows\{96583580-D884-49e7-89CE-22B3C26B349E}.exe	{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe
File created	C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
File created	C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
File created	C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
File created	C:\Windows\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
File created	C:\Windows\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe	{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	740	c54e0a072e85c1exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
Token: SeIncBasePriorityPrivilege	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
Token: SeIncBasePriorityPrivilege	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
Token: SeIncBasePriorityPrivilege	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
Token: SeIncBasePriorityPrivilege	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
Token: SeIncBasePriorityPrivilege	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
Token: SeIncBasePriorityPrivilege	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
Token: SeIncBasePriorityPrivilege	3052	{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe
Token: SeIncBasePriorityPrivilege	2776	{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
Token: SeIncBasePriorityPrivilege	2188	{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe
Token: SeIncBasePriorityPrivilege	2620	{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
Token: SeIncBasePriorityPrivilege	2900	{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2060	740	c54e0a072e85c1exeexeexeex.exe	29
PID 740 wrote to memory of 2060	740	c54e0a072e85c1exeexeexeex.exe	29
PID 740 wrote to memory of 2060	740	c54e0a072e85c1exeexeexeex.exe	29
PID 740 wrote to memory of 2060	740	c54e0a072e85c1exeexeexeex.exe	29
PID 740 wrote to memory of 1628	740	c54e0a072e85c1exeexeexeex.exe	30
PID 740 wrote to memory of 1628	740	c54e0a072e85c1exeexeexeex.exe	30
PID 740 wrote to memory of 1628	740	c54e0a072e85c1exeexeexeex.exe	30
PID 740 wrote to memory of 1628	740	c54e0a072e85c1exeexeexeex.exe	30
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 1224 wrote to memory of 2792	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 2792	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 2792	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 2792	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 1416	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 1224 wrote to memory of 1416	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 1224 wrote to memory of 1416	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 1224 wrote to memory of 1416	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 2792 wrote to memory of 1624	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 2792 wrote to memory of 1624	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 2792 wrote to memory of 1624	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 2792 wrote to memory of 1624	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 2792 wrote to memory of 2224	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 2792 wrote to memory of 2224	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 2792 wrote to memory of 2224	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 2792 wrote to memory of 2224	2792	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 1624 wrote to memory of 2348	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1624 wrote to memory of 2348	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1624 wrote to memory of 2348	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1624 wrote to memory of 2348	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1624 wrote to memory of 2288	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1624 wrote to memory of 2288	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1624 wrote to memory of 2288	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1624 wrote to memory of 2288	1624	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 2348 wrote to memory of 1552	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2348 wrote to memory of 1552	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2348 wrote to memory of 1552	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2348 wrote to memory of 1552	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2348 wrote to memory of 2140	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2348 wrote to memory of 2140	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2348 wrote to memory of 2140	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2348 wrote to memory of 2140	2348	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 2212 wrote to memory of 3052	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	43
PID 2212 wrote to memory of 3052	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	43
PID 2212 wrote to memory of 3052	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	43
PID 2212 wrote to memory of 3052	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	43
PID 2212 wrote to memory of 2096	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	44
PID 2212 wrote to memory of 2096	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	44
PID 2212 wrote to memory of 2096	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	44
PID 2212 wrote to memory of 2096	2212	{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe	44

C:\Users\Admin\AppData\Local\Temp\c54e0a072e85c1exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c54e0a072e85c1exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
  C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
    C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
      C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78223~1.EXE > nul
        5⤵
        
        PID:2224
    - - C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe
        
        C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
        
        C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
        
        C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
        
        C:\Windows\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe
        
        C:\Windows\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
        
        C:\Windows\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe
        
        C:\Windows\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8DC~1.EXE > nul
        12⤵
        
        PID:2604
        
        C:\Windows\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
        
        C:\Windows\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61EAD~1.EXE > nul
        13⤵
        
        PID:2624
        
        C:\Windows\{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe
        
        C:\Windows\{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{96583580-D884-49e7-89CE-22B3C26B349E}.exe
        
        C:\Windows\{96583580-D884-49e7-89CE-22B3C26B349E}.exe
        14⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{984EB~1.EXE > nul
        14⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A97C7~1.EXE > nul
        11⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6908~1.EXE > nul
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83344~1.EXE > nul
        9⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42D5C~1.EXE > nul
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E37BC~1.EXE > nul
        7⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80483~1.EXE > nul
        6⤵
        
        PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE830~1.EXE > nul
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{831DC~1.EXE > nul
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C54E0A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe

Filesize
168KB

MD5
4ce7284459f695f25bef7999ef30f1b5

SHA1
c6ce2bc2b4a10ac5c0cca27ef19039c8556e8554

SHA256
1dfbf6e5ad77c1a3220d842e28cca52094d81f67ba7a247ad0f39a91162900ca

SHA512
9712d8520467891d50b68bb180c6f6f822785d681e41226ae604cc9ca669ce5f61e5b2747a0ea82f8949834064ba6638f0126ab710ae8a92bf37c7cae06f2a7a

Download Submit
C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe

Filesize
168KB

MD5
4ce7284459f695f25bef7999ef30f1b5

SHA1
c6ce2bc2b4a10ac5c0cca27ef19039c8556e8554

SHA256
1dfbf6e5ad77c1a3220d842e28cca52094d81f67ba7a247ad0f39a91162900ca

SHA512
9712d8520467891d50b68bb180c6f6f822785d681e41226ae604cc9ca669ce5f61e5b2747a0ea82f8949834064ba6638f0126ab710ae8a92bf37c7cae06f2a7a

Download Submit
C:\Windows\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe

Filesize
168KB

MD5
7876396f3307baebc46db70ac2d21c49

SHA1
57431d9559f2abaf3cde86811dbdfc70e0a3853d

SHA256
adf16d4f78e2592799670587beb2d0c43b600f95a24f776180023903d56526eb

SHA512
3e09e4bab481a97f5638c3b685c34253c1e73b13f4c9a51a7110abcf4ee57adfd5165285b52168ccc01d3d492f04440fbc5fb61e5daf02e1bfc5f10662f2bb35

Download Submit
C:\Windows\{61EAD917-BDD0-48f2-A5C7-C1A682BEC65B}.exe

Filesize
168KB

MD5
7876396f3307baebc46db70ac2d21c49

SHA1
57431d9559f2abaf3cde86811dbdfc70e0a3853d

SHA256
adf16d4f78e2592799670587beb2d0c43b600f95a24f776180023903d56526eb

SHA512
3e09e4bab481a97f5638c3b685c34253c1e73b13f4c9a51a7110abcf4ee57adfd5165285b52168ccc01d3d492f04440fbc5fb61e5daf02e1bfc5f10662f2bb35

Download Submit
C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe

Filesize
168KB

MD5
08a22a31505177645034cfb1668b3bdd

SHA1
2586b26d2c5d0fd481a8573eb7446578cda24fda

SHA256
0723d1de9ba3d837a8ec3d37fe913635062953fd81b880fbe20def8c00e71d3f

SHA512
b6de2c33ad082345a00477534b6d2365d1a13a07306f3c2803515f94c5a742efd68a69ca6d7fd1a299f5e27e0ce261543d5ce8c894673285cb24849b813701e7

Download Submit
C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe

Filesize
168KB

MD5
08a22a31505177645034cfb1668b3bdd

SHA1
2586b26d2c5d0fd481a8573eb7446578cda24fda

SHA256
0723d1de9ba3d837a8ec3d37fe913635062953fd81b880fbe20def8c00e71d3f

SHA512
b6de2c33ad082345a00477534b6d2365d1a13a07306f3c2803515f94c5a742efd68a69ca6d7fd1a299f5e27e0ce261543d5ce8c894673285cb24849b813701e7

Download Submit
C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe

Filesize
168KB

MD5
481ea3b3c2ea62e0138a82e4dbc6e028

SHA1
f2d8d50ff09be18f78639cb86521dd9f4308cbb5

SHA256
83cce0528194a2e07637dc5c8d8ef286cce85299d1edd32f3fcb14de9f0fc086

SHA512
43e34922fec071c48ddacd1f2942533f30886979b661e364e8f43c500bd5b4e82781b9b379be6178151e8771ac30063239cadfd36fc58562d07a9b7187c45674

Download Submit
C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe

Filesize
168KB

MD5
481ea3b3c2ea62e0138a82e4dbc6e028

SHA1
f2d8d50ff09be18f78639cb86521dd9f4308cbb5

SHA256
83cce0528194a2e07637dc5c8d8ef286cce85299d1edd32f3fcb14de9f0fc086

SHA512
43e34922fec071c48ddacd1f2942533f30886979b661e364e8f43c500bd5b4e82781b9b379be6178151e8771ac30063239cadfd36fc58562d07a9b7187c45674

Download Submit
C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe

Filesize
168KB

MD5
0858d0ebf5a91bbee9392ab22b1e676b

SHA1
245e5a0f3f5fdbda985f4d4fb8b4313f7acdc490

SHA256
e0b8e6330b11719b9afffab66c703ad86bc02b4e9a24bbf94a2b93f5cc7efb45

SHA512
67c33c807f3d0e6f791bde03d04a18a8e8016acd6294f67b4e198f24a007b0e91c00cd2b7566207b36307ccd793d144d2dba60674bd3cf67f20997c72bd3706a

Download Submit
C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe

Filesize
168KB

MD5
0858d0ebf5a91bbee9392ab22b1e676b

SHA1
245e5a0f3f5fdbda985f4d4fb8b4313f7acdc490

SHA256
e0b8e6330b11719b9afffab66c703ad86bc02b4e9a24bbf94a2b93f5cc7efb45

SHA512
67c33c807f3d0e6f791bde03d04a18a8e8016acd6294f67b4e198f24a007b0e91c00cd2b7566207b36307ccd793d144d2dba60674bd3cf67f20997c72bd3706a

Download Submit
C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe

Filesize
168KB

MD5
0858d0ebf5a91bbee9392ab22b1e676b

SHA1
245e5a0f3f5fdbda985f4d4fb8b4313f7acdc490

SHA256
e0b8e6330b11719b9afffab66c703ad86bc02b4e9a24bbf94a2b93f5cc7efb45

SHA512
67c33c807f3d0e6f791bde03d04a18a8e8016acd6294f67b4e198f24a007b0e91c00cd2b7566207b36307ccd793d144d2dba60674bd3cf67f20997c72bd3706a

Download Submit
C:\Windows\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe

Filesize
168KB

MD5
75df0be27a68f741b3ebe331e177fbb3

SHA1
e4e526b344be742386bcb6eceea7339b72029c01

SHA256
225b782f78ab032da26c697f19749a236d1754e53dd3a57574f71f7e0df2b048

SHA512
1253858faae4da16eb89bc77b3915f14f1d1e04cd42f548324dccdd598d0d884bda3eb69e04804463062592978acf66ab3534d79af0982b29c02e4d42f3eff74

Download Submit
C:\Windows\{83344DE6-B1CA-42f9-A06A-7588D20F1F2E}.exe

Filesize
168KB

MD5
75df0be27a68f741b3ebe331e177fbb3

SHA1
e4e526b344be742386bcb6eceea7339b72029c01

SHA256
225b782f78ab032da26c697f19749a236d1754e53dd3a57574f71f7e0df2b048

SHA512
1253858faae4da16eb89bc77b3915f14f1d1e04cd42f548324dccdd598d0d884bda3eb69e04804463062592978acf66ab3534d79af0982b29c02e4d42f3eff74

Download Submit
C:\Windows\{96583580-D884-49e7-89CE-22B3C26B349E}.exe

Filesize
168KB

MD5
29ffb563a78590f9e3dae9ea208f99f4

SHA1
01af53a29a8cd16cb8c2c12efa7430f77fbc0ec9

SHA256
ccd951ed5661644f36082bf3d49f932e5863a2467e945fccc10b5931815a602b

SHA512
64054f99d34c5d89aecd06bb8d34bef3d0360f5cff87cc23defe458496529a0fc371b8ace8c3aebf2a3cf5e0e01e01a8d0bc919980d1595bb9832ce1c9712761

Download Submit
C:\Windows\{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe

Filesize
168KB

MD5
bcc4df20c20ad0b1c21b6e326945fef4

SHA1
e8cde6d5f46acdb7032bfa04828a92bfcc34f8c6

SHA256
c63c0a580d96628b745ae05f20add675cf88c766d6818c03f83e3add385538c4

SHA512
422077c7c18e724e17a682e9f5e875179783157c830e4ce5d0542bfccecc92388be8c85544c4b28b49f4996f400bf03e6da9454a47294d4bc82e063c55c2ab01

Download Submit
C:\Windows\{984EB291-1E74-45d8-B654-C87CB35C73CB}.exe

Filesize
168KB

MD5
bcc4df20c20ad0b1c21b6e326945fef4

SHA1
e8cde6d5f46acdb7032bfa04828a92bfcc34f8c6

SHA256
c63c0a580d96628b745ae05f20add675cf88c766d6818c03f83e3add385538c4

SHA512
422077c7c18e724e17a682e9f5e875179783157c830e4ce5d0542bfccecc92388be8c85544c4b28b49f4996f400bf03e6da9454a47294d4bc82e063c55c2ab01

Download Submit
C:\Windows\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe

Filesize
168KB

MD5
0fa8854cf29b9d7621990a8ab22237c0

SHA1
9829a74623034ed98ea25049c4b4e3f46f467c24

SHA256
6ea8bd2e11a989898d17ca65f81f1fd906ca76936d4430e080b7fe41bc5db4d7

SHA512
b2a4e918186b364160d6528793b55cd0edc326d90c7a2e378d103f2921761769fa944e8a8f9db052af7866fd71034d92d9bbcf7a32dd065684f75c6ef01a451f

Download Submit
C:\Windows\{A97C7453-B8E3-4505-9B00-355BDBBDFAD3}.exe

Filesize
168KB

MD5
0fa8854cf29b9d7621990a8ab22237c0

SHA1
9829a74623034ed98ea25049c4b4e3f46f467c24

SHA256
6ea8bd2e11a989898d17ca65f81f1fd906ca76936d4430e080b7fe41bc5db4d7

SHA512
b2a4e918186b364160d6528793b55cd0edc326d90c7a2e378d103f2921761769fa944e8a8f9db052af7866fd71034d92d9bbcf7a32dd065684f75c6ef01a451f

Download Submit
C:\Windows\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe

Filesize
168KB

MD5
de56516cb39253700dcb433ee825a6f2

SHA1
cd5725f8ea862f0b9e0ead17f9b5f5b9bf381f56

SHA256
c91614ccded1a23b9b7715c9125905bfb89dadd583242fca1331a504a1e4ec7f

SHA512
de37076c8c85d9910a562ab837918bb9c851460ed4dde134feff2ade98f38817e8038078b2dfc849ae847e52d7b949422e18fb33796c2605ab9335dc89eb881b

Download Submit
C:\Windows\{C6908D74-29FB-43a9-9D8A-E9C10CB120ED}.exe

Filesize
168KB

MD5
de56516cb39253700dcb433ee825a6f2

SHA1
cd5725f8ea862f0b9e0ead17f9b5f5b9bf381f56

SHA256
c91614ccded1a23b9b7715c9125905bfb89dadd583242fca1331a504a1e4ec7f

SHA512
de37076c8c85d9910a562ab837918bb9c851460ed4dde134feff2ade98f38817e8038078b2dfc849ae847e52d7b949422e18fb33796c2605ab9335dc89eb881b

Download Submit
C:\Windows\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe

Filesize
168KB

MD5
9e2423a368d5aad4eebf2caa30887985

SHA1
8064bdfdc655f5ed6d824e50461015bbde429070

SHA256
b69b471cfccd74d6d979de7a9c13d279c0ef250fd976b71b79bced069268908a

SHA512
32e322504b64c860a0dd5445ed3ecf181e04275b398140ee92cacc3ad698e7a5485ab1138eb96886643f4c1ce9d25cc6fe863cc2c3c0290792f4fab32ad58123

Download Submit
C:\Windows\{DB8DC4FD-6A6C-4f21-9189-B2F4D8B1ADE4}.exe

Filesize
168KB

MD5
9e2423a368d5aad4eebf2caa30887985

SHA1
8064bdfdc655f5ed6d824e50461015bbde429070

SHA256
b69b471cfccd74d6d979de7a9c13d279c0ef250fd976b71b79bced069268908a

SHA512
32e322504b64c860a0dd5445ed3ecf181e04275b398140ee92cacc3ad698e7a5485ab1138eb96886643f4c1ce9d25cc6fe863cc2c3c0290792f4fab32ad58123

Download Submit
C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe

Filesize
168KB

MD5
5a8b44b220a34d2af1e7573cb46c8a1d

SHA1
0e8cd8e65c3ac96d5aba692b026d422e24e2fb3b

SHA256
d80801dc7c09eac5c24937b1c8402ef0e8537d852822cce24028fd304f64e269

SHA512
182aae7afba2d0de7dc68265b561f5ecafe99b0113b68d7a683774f3f769f5da05abe3daa49793090b515ee4bd5c212013bb2bd96c073d68006eaa21530f0e98

Download Submit
C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe

Filesize
168KB

MD5
5a8b44b220a34d2af1e7573cb46c8a1d

SHA1
0e8cd8e65c3ac96d5aba692b026d422e24e2fb3b

SHA256
d80801dc7c09eac5c24937b1c8402ef0e8537d852822cce24028fd304f64e269

SHA512
182aae7afba2d0de7dc68265b561f5ecafe99b0113b68d7a683774f3f769f5da05abe3daa49793090b515ee4bd5c212013bb2bd96c073d68006eaa21530f0e98

Download Submit
C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe

Filesize
168KB

MD5
b65cd0b4bbefd402a2dff10bddbad1f1

SHA1
50e32d44efa104e5d79e88a5ff7f6e8fbc923cd3

SHA256
2ff04e1e63986ad03477f8aacda9cd0ce329d71181b6af0f4a1b0490bcdf2a44

SHA512
0cc1edb5551fdfd8a9f8cac01fade21ae877927d409e1b717a23e3adf3060afa4cfd3c1fdc5f979964a5540316a5ba17acab1ce7496b6fe943e3201cce6cb0ef

Download Submit
C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe

Filesize
168KB

MD5
b65cd0b4bbefd402a2dff10bddbad1f1

SHA1
50e32d44efa104e5d79e88a5ff7f6e8fbc923cd3

SHA256
2ff04e1e63986ad03477f8aacda9cd0ce329d71181b6af0f4a1b0490bcdf2a44

SHA512
0cc1edb5551fdfd8a9f8cac01fade21ae877927d409e1b717a23e3adf3060afa4cfd3c1fdc5f979964a5540316a5ba17acab1ce7496b6fe943e3201cce6cb0ef

Download Submit