ef886fa223d0e78ebd975b2b5d5d69df199e8bac0b984195e6e45b7c5f28a132

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d92e5dc6c1cb1eexeexeexeex.exe
Size

204KB
MD5

d92e5dc6c1cb1ef8a11d53fb1c3d0a2b
SHA1

2bc22c238b7dfb25be673547e2ad42d76e98265c
SHA256

ef886fa223d0e78ebd975b2b5d5d69df199e8bac0b984195e6e45b7c5f28a132
SHA512

61768d57f7ccc66bd97d3fffa477bf0f50de90f5c29529a3040082a33c3154bbde09d5e43983e2789c861ca88b4544d7f2c002840016328e89917909acb322f7
SSDEEP

1536:1EGh0otl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0otl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B92D1B1-C152-4974-BE22-781E1334B04E}	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B92D1B1-C152-4974-BE22-781E1334B04E}\stubpath = "C:\\Windows\\{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe"	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}	{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79918884-FEC3-40c7-A3AA-366B35D2CB72}	d92e5dc6c1cb1eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9255C2-C628-47a4-9D08-1BE34422809E}\stubpath = "C:\\Windows\\{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe"	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}\stubpath = "C:\\Windows\\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe"	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}\stubpath = "C:\\Windows\\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe"	{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FEFE62F-2755-49c4-BCCE-DED867638808}	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE7C7F9-1333-4200-83D6-D251B80969D9}	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE7C7F9-1333-4200-83D6-D251B80969D9}\stubpath = "C:\\Windows\\{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe"	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79918884-FEC3-40c7-A3AA-366B35D2CB72}\stubpath = "C:\\Windows\\{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe"	d92e5dc6c1cb1eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3861C257-365B-4dac-83CB-B6860E5EC621}\stubpath = "C:\\Windows\\{3861C257-365B-4dac-83CB-B6860E5EC621}.exe"	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89324513-050D-42aa-AEA8-A20A68ABD357}	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{143C3EC2-0370-4733-A96E-8028D72706EE}\stubpath = "C:\\Windows\\{143C3EC2-0370-4733-A96E-8028D72706EE}.exe"	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9255C2-C628-47a4-9D08-1BE34422809E}	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{143C3EC2-0370-4733-A96E-8028D72706EE}	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}\stubpath = "C:\\Windows\\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe"	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FEFE62F-2755-49c4-BCCE-DED867638808}\stubpath = "C:\\Windows\\{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe"	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3861C257-365B-4dac-83CB-B6860E5EC621}	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89324513-050D-42aa-AEA8-A20A68ABD357}\stubpath = "C:\\Windows\\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe"	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E98181-294B-465b-B583-C8E4DB0E71BB}	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E98181-294B-465b-B583-C8E4DB0E71BB}\stubpath = "C:\\Windows\\{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe"	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe

Executes dropped EXE 12 IoCs

pid	Process
2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe
3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe
4288	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
4764	{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe
1508	{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
File created	C:\Windows\{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
File created	C:\Windows\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
File created	C:\Windows\{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
File created	C:\Windows\{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe
File created	C:\Windows\{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	d92e5dc6c1cb1eexeexeexeex.exe
File created	C:\Windows\{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
File created	C:\Windows\{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
File created	C:\Windows\{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
File created	C:\Windows\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe	{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe
File created	C:\Windows\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
File created	C:\Windows\{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3812	d92e5dc6c1cb1eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
Token: SeIncBasePriorityPrivilege	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
Token: SeIncBasePriorityPrivilege	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
Token: SeIncBasePriorityPrivilege	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
Token: SeIncBasePriorityPrivilege	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
Token: SeIncBasePriorityPrivilege	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
Token: SeIncBasePriorityPrivilege	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe
Token: SeIncBasePriorityPrivilege	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
Token: SeIncBasePriorityPrivilege	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe
Token: SeIncBasePriorityPrivilege	4288	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
Token: SeIncBasePriorityPrivilege	4764	{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2016	3812	d92e5dc6c1cb1eexeexeexeex.exe	84
PID 3812 wrote to memory of 2016	3812	d92e5dc6c1cb1eexeexeexeex.exe	84
PID 3812 wrote to memory of 2016	3812	d92e5dc6c1cb1eexeexeexeex.exe	84
PID 3812 wrote to memory of 2896	3812	d92e5dc6c1cb1eexeexeexeex.exe	85
PID 3812 wrote to memory of 2896	3812	d92e5dc6c1cb1eexeexeexeex.exe	85
PID 3812 wrote to memory of 2896	3812	d92e5dc6c1cb1eexeexeexeex.exe	85
PID 2016 wrote to memory of 3116	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	86
PID 2016 wrote to memory of 3116	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	86
PID 2016 wrote to memory of 3116	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	86
PID 2016 wrote to memory of 1596	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	87
PID 2016 wrote to memory of 1596	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	87
PID 2016 wrote to memory of 1596	2016	{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe	87
PID 3116 wrote to memory of 4480	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	92
PID 3116 wrote to memory of 4480	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	92
PID 3116 wrote to memory of 4480	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	92
PID 3116 wrote to memory of 5108	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	91
PID 3116 wrote to memory of 5108	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	91
PID 3116 wrote to memory of 5108	3116	{3861C257-365B-4dac-83CB-B6860E5EC621}.exe	91
PID 4480 wrote to memory of 4872	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	93
PID 4480 wrote to memory of 4872	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	93
PID 4480 wrote to memory of 4872	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	93
PID 4480 wrote to memory of 1504	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	94
PID 4480 wrote to memory of 1504	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	94
PID 4480 wrote to memory of 1504	4480	{89324513-050D-42aa-AEA8-A20A68ABD357}.exe	94
PID 4872 wrote to memory of 4700	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	95
PID 4872 wrote to memory of 4700	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	95
PID 4872 wrote to memory of 4700	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	95
PID 4872 wrote to memory of 4020	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	96
PID 4872 wrote to memory of 4020	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	96
PID 4872 wrote to memory of 4020	4872	{143C3EC2-0370-4733-A96E-8028D72706EE}.exe	96
PID 4700 wrote to memory of 3188	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	98
PID 4700 wrote to memory of 3188	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	98
PID 4700 wrote to memory of 3188	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	98
PID 4700 wrote to memory of 2264	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	99
PID 4700 wrote to memory of 2264	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	99
PID 4700 wrote to memory of 2264	4700	{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe	99
PID 3188 wrote to memory of 1316	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	100
PID 3188 wrote to memory of 1316	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	100
PID 3188 wrote to memory of 1316	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	100
PID 3188 wrote to memory of 3600	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	101
PID 3188 wrote to memory of 3600	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	101
PID 3188 wrote to memory of 3600	3188	{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe	101
PID 1316 wrote to memory of 3628	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	102
PID 1316 wrote to memory of 3628	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	102
PID 1316 wrote to memory of 3628	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	102
PID 1316 wrote to memory of 4084	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	103
PID 1316 wrote to memory of 4084	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	103
PID 1316 wrote to memory of 4084	1316	{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe	103
PID 3628 wrote to memory of 2772	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	110
PID 3628 wrote to memory of 2772	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	110
PID 3628 wrote to memory of 2772	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	110
PID 3628 wrote to memory of 5064	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	111
PID 3628 wrote to memory of 5064	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	111
PID 3628 wrote to memory of 5064	3628	{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe	111
PID 2772 wrote to memory of 4288	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	112
PID 2772 wrote to memory of 4288	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	112
PID 2772 wrote to memory of 4288	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	112
PID 2772 wrote to memory of 3560	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	113
PID 2772 wrote to memory of 3560	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	113
PID 2772 wrote to memory of 3560	2772	{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe	113
PID 4288 wrote to memory of 4764	4288	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe	114
PID 4288 wrote to memory of 4764	4288	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe	114
PID 4288 wrote to memory of 4764	4288	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe	114
PID 4288 wrote to memory of 4440	4288	{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe	115

C:\Users\Admin\AppData\Local\Temp\d92e5dc6c1cb1eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d92e5dc6c1cb1eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
  C:\Windows\{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
    C:\Windows\{3861C257-365B-4dac-83CB-B6860E5EC621}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3861C~1.EXE > nul
      4⤵
      PID:5108
  - - C:\Windows\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
      C:\Windows\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
        
        C:\Windows\{143C3EC2-0370-4733-A96E-8028D72706EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Windows\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
        
        C:\Windows\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
        
        C:\Windows\{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe
        
        C:\Windows\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
        
        C:\Windows\{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe
        
        C:\Windows\{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
        
        C:\Windows\{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe
        
        C:\Windows\{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe
        
        C:\Windows\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe
        13⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE7C~1.EXE > nul
        13⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E98~1.EXE > nul
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B92D~1.EXE > nul
        11⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FEFE~1.EXE > nul
        10⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A20DA~1.EXE > nul
        9⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC925~1.EXE > nul
        8⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB42A~1.EXE > nul
        7⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{143C3~1.EXE > nul
        6⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89324~1.EXE > nul
        5⤵
        
        PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{79918~1.EXE > nul
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D92E5D~1.EXE > nul
  2⤵
  PID:2896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{143C3EC2-0370-4733-A96E-8028D72706EE}.exe

Filesize
204KB

MD5
f07cbd9c93a7040d2a3990a0c80f3420

SHA1
188aa755ece647a53ade70199c70409ac4d9b19c

SHA256
2d8b6e12e712057c9aea97538344a197e029a4648b95ae2a3a0638cf09f7d1a1

SHA512
a4f7d5d62ab8b5c27efa43393dac92e2ac1dd2bfef3a11391c12ab8b63465d99f6e09fba54d050ac3809e66328ff41a85500095116cda9e4e91d74df5f8d1b62

Download Submit
C:\Windows\{143C3EC2-0370-4733-A96E-8028D72706EE}.exe

Filesize
204KB

MD5
f07cbd9c93a7040d2a3990a0c80f3420

SHA1
188aa755ece647a53ade70199c70409ac4d9b19c

SHA256
2d8b6e12e712057c9aea97538344a197e029a4648b95ae2a3a0638cf09f7d1a1

SHA512
a4f7d5d62ab8b5c27efa43393dac92e2ac1dd2bfef3a11391c12ab8b63465d99f6e09fba54d050ac3809e66328ff41a85500095116cda9e4e91d74df5f8d1b62

Download Submit
C:\Windows\{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe

Filesize
204KB

MD5
258c4c7a4d7f5a70581ded5159a9383f

SHA1
9727b0bea7b4ea3a5253823414905f1bf48d3050

SHA256
932d5cd676554c0a532760986bbd6f685be1084b8efeb15ba0f579dea2dacaf6

SHA512
50549266d210140bfc0da2cda87ad8a1dae89a2f2b53d59a832e943a03291bc498a1e5cf7f7e40fd5aff523e59e81e0a5212ae3e6f722f80fc29212abca9129e

Download Submit
C:\Windows\{14E98181-294B-465b-B583-C8E4DB0E71BB}.exe

Filesize
204KB

MD5
258c4c7a4d7f5a70581ded5159a9383f

SHA1
9727b0bea7b4ea3a5253823414905f1bf48d3050

SHA256
932d5cd676554c0a532760986bbd6f685be1084b8efeb15ba0f579dea2dacaf6

SHA512
50549266d210140bfc0da2cda87ad8a1dae89a2f2b53d59a832e943a03291bc498a1e5cf7f7e40fd5aff523e59e81e0a5212ae3e6f722f80fc29212abca9129e

Download Submit
C:\Windows\{3861C257-365B-4dac-83CB-B6860E5EC621}.exe

Filesize
204KB

MD5
fc947c7473923981336cb703ce6f6ad1

SHA1
fec5572941bb2b9e83cc2f240deb876e793d9424

SHA256
6b1a7850d4582b2c14bfeda69edf8129b9cee5129320a2d0b39e0252cf0a19fb

SHA512
4f1b2a9ecf99b3089a038d6a920638642e2d8d6a18f13a5538d803944888990b9cdaf8dd76b73cd87a4908318ab963be5b8f12078f1f2b6f84f128a68a82be96

Download Submit
C:\Windows\{3861C257-365B-4dac-83CB-B6860E5EC621}.exe

Filesize
204KB

MD5
fc947c7473923981336cb703ce6f6ad1

SHA1
fec5572941bb2b9e83cc2f240deb876e793d9424

SHA256
6b1a7850d4582b2c14bfeda69edf8129b9cee5129320a2d0b39e0252cf0a19fb

SHA512
4f1b2a9ecf99b3089a038d6a920638642e2d8d6a18f13a5538d803944888990b9cdaf8dd76b73cd87a4908318ab963be5b8f12078f1f2b6f84f128a68a82be96

Download Submit
C:\Windows\{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe

Filesize
204KB

MD5
60a80a36bd0e8cc598ecaf2223fecbaf

SHA1
8d78857afa86d2fe7947910cb3fcf78872decfe7

SHA256
d4514cf771c32bd8ba803988a9c7b6d43f3cb048112569d470bfc36b77a0de2d

SHA512
cd201115b88d6f3777412ddd70f42fa0924bc6c3e5b383827d8140442a85905a607376135199b3f42cb9de288410c42e52c3b09092478b95d4119bb1fffcdca9

Download Submit
C:\Windows\{5B92D1B1-C152-4974-BE22-781E1334B04E}.exe

Filesize
204KB

MD5
60a80a36bd0e8cc598ecaf2223fecbaf

SHA1
8d78857afa86d2fe7947910cb3fcf78872decfe7

SHA256
d4514cf771c32bd8ba803988a9c7b6d43f3cb048112569d470bfc36b77a0de2d

SHA512
cd201115b88d6f3777412ddd70f42fa0924bc6c3e5b383827d8140442a85905a607376135199b3f42cb9de288410c42e52c3b09092478b95d4119bb1fffcdca9

Download Submit
C:\Windows\{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe

Filesize
204KB

MD5
f8a5b61c8432aa4795fd4d7e962b21e9

SHA1
5fcce456269591138ab1d2ba59dac275ad134333

SHA256
e8347715f889be944a062931a116b3e19c501c099ae1db953e54da11088e3d7f

SHA512
d4ac012eecea31d7f69dc71b2774567978ec5484a45c1dea32498659a66ac36afad8ba3b29b1f8d711ff96aea320787dc74bb857a91af1ad660ce1c36cb2a043

Download Submit
C:\Windows\{6FEFE62F-2755-49c4-BCCE-DED867638808}.exe

Filesize
204KB

MD5
f8a5b61c8432aa4795fd4d7e962b21e9

SHA1
5fcce456269591138ab1d2ba59dac275ad134333

SHA256
e8347715f889be944a062931a116b3e19c501c099ae1db953e54da11088e3d7f

SHA512
d4ac012eecea31d7f69dc71b2774567978ec5484a45c1dea32498659a66ac36afad8ba3b29b1f8d711ff96aea320787dc74bb857a91af1ad660ce1c36cb2a043

Download Submit
C:\Windows\{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe

Filesize
204KB

MD5
a5a200df378877f9a3c7a8890faac1d7

SHA1
ca7d7be8b9c373a7a924bc753519154a241b525a

SHA256
370aa5c7accb04d945c783f71025500d32da11a9fd393ef86cd4df2cbb81c0bf

SHA512
7113ff19d5d73c5ecc82e9d11294898c54e0d1181ce89acc2b3b5ec7190a0553ca5f8d35c3174b656f559e8d43cc403469edd4548b18cc6c33c4e9d0fa6e04ae

Download Submit
C:\Windows\{79918884-FEC3-40c7-A3AA-366B35D2CB72}.exe

Filesize
204KB

MD5
a5a200df378877f9a3c7a8890faac1d7

SHA1
ca7d7be8b9c373a7a924bc753519154a241b525a

SHA256
370aa5c7accb04d945c783f71025500d32da11a9fd393ef86cd4df2cbb81c0bf

SHA512
7113ff19d5d73c5ecc82e9d11294898c54e0d1181ce89acc2b3b5ec7190a0553ca5f8d35c3174b656f559e8d43cc403469edd4548b18cc6c33c4e9d0fa6e04ae

Download Submit
C:\Windows\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe

Filesize
204KB

MD5
2c2fcc50606bd826711ebb22ee60e14b

SHA1
3a3b33f78bb1b776e70db9dd39f953a6d32034c8

SHA256
ae067d114edd9a561b96b5c3190497a7b6c6bc170f1d0882e953dddd66650266

SHA512
727c0f991cf2637a40f9bbf409d2c4708f6f4794ac9fef5bd1480140eb501d33d7da5dc249cb22f4dfd49eb562574a0cba2f38cbc80aedf7c32cc134483260eb

Download Submit
C:\Windows\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe

Filesize
204KB

MD5
2c2fcc50606bd826711ebb22ee60e14b

SHA1
3a3b33f78bb1b776e70db9dd39f953a6d32034c8

SHA256
ae067d114edd9a561b96b5c3190497a7b6c6bc170f1d0882e953dddd66650266

SHA512
727c0f991cf2637a40f9bbf409d2c4708f6f4794ac9fef5bd1480140eb501d33d7da5dc249cb22f4dfd49eb562574a0cba2f38cbc80aedf7c32cc134483260eb

Download Submit
C:\Windows\{89324513-050D-42aa-AEA8-A20A68ABD357}.exe

Filesize
204KB

MD5
2c2fcc50606bd826711ebb22ee60e14b

SHA1
3a3b33f78bb1b776e70db9dd39f953a6d32034c8

SHA256
ae067d114edd9a561b96b5c3190497a7b6c6bc170f1d0882e953dddd66650266

SHA512
727c0f991cf2637a40f9bbf409d2c4708f6f4794ac9fef5bd1480140eb501d33d7da5dc249cb22f4dfd49eb562574a0cba2f38cbc80aedf7c32cc134483260eb

Download Submit
C:\Windows\{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe

Filesize
204KB

MD5
f58b362abc8a525445503505f88b0fad

SHA1
721cb75d04dbe795608a80c92818f607ffe78f1d

SHA256
24e67beb4dc3a9190a91ff22b723fb418474d10e0e56de7d9a76ae255d208c54

SHA512
0ee6964dbdf07039e56080e843d3e8b9e348ee5dec25695de4c277d32bda9b5be5093653b00fdb9b98735fce3b12a19c93942db8cd73de6bd78f6676bfa9d50d

Download Submit
C:\Windows\{9BE7C7F9-1333-4200-83D6-D251B80969D9}.exe

Filesize
204KB

MD5
f58b362abc8a525445503505f88b0fad

SHA1
721cb75d04dbe795608a80c92818f607ffe78f1d

SHA256
24e67beb4dc3a9190a91ff22b723fb418474d10e0e56de7d9a76ae255d208c54

SHA512
0ee6964dbdf07039e56080e843d3e8b9e348ee5dec25695de4c277d32bda9b5be5093653b00fdb9b98735fce3b12a19c93942db8cd73de6bd78f6676bfa9d50d

Download Submit
C:\Windows\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe

Filesize
204KB

MD5
c94a75d2e4cdf9740b88751246884a03

SHA1
8047c8ca953e3b0e264342e6765620e988844cf7

SHA256
85854de144fb09f1159c8889f5ae5b66a42fa91a612beadd8564ab63771b5f2d

SHA512
fb9c22b54a72154598bd5d1c47bf38ff249a52dfd4feec601ca230a1ced4e36c6d0465384d8f8d35975dcd9fa5275be3b94dcd2e21f62d343cf43f70e36040af

Download Submit
C:\Windows\{A20DA9AA-B2A8-4cb5-A5F5-864C9F599E64}.exe

Filesize
204KB

MD5
c94a75d2e4cdf9740b88751246884a03

SHA1
8047c8ca953e3b0e264342e6765620e988844cf7

SHA256
85854de144fb09f1159c8889f5ae5b66a42fa91a612beadd8564ab63771b5f2d

SHA512
fb9c22b54a72154598bd5d1c47bf38ff249a52dfd4feec601ca230a1ced4e36c6d0465384d8f8d35975dcd9fa5275be3b94dcd2e21f62d343cf43f70e36040af

Download Submit
C:\Windows\{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe

Filesize
204KB

MD5
3bb8f0d7024870860689b6cfed8aab74

SHA1
d1d16f8c1d0624fa80ae376c372779e5e8cacb40

SHA256
3eb4eadf578837e2c480e239b47e7af1823601d0a0de775240c928d7a9136bfb

SHA512
61b45b3b198b79c398d242f648353b5f294827c91fa22cd3ed01952ab60f06829661085bd3151a58120adbfb4f5addf15b0f47201ab5e5ede1c462424b4207f5

Download Submit
C:\Windows\{AC9255C2-C628-47a4-9D08-1BE34422809E}.exe

Filesize
204KB

MD5
3bb8f0d7024870860689b6cfed8aab74

SHA1
d1d16f8c1d0624fa80ae376c372779e5e8cacb40

SHA256
3eb4eadf578837e2c480e239b47e7af1823601d0a0de775240c928d7a9136bfb

SHA512
61b45b3b198b79c398d242f648353b5f294827c91fa22cd3ed01952ab60f06829661085bd3151a58120adbfb4f5addf15b0f47201ab5e5ede1c462424b4207f5

Download Submit
C:\Windows\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe

Filesize
204KB

MD5
7b0ef0524305f23ac3d73969a84fc7ab

SHA1
7cdece29cf32bbf98e7fc4da8c2073edc1e637dd

SHA256
3fde4114598e5347c247921975ab9cddcc0baf77bb3fa7dbecfef359f42fc411

SHA512
e76349187411617e8a5313ecf2ad4ee03116b6e04ed2661cd27baeb2acace4ab044b37324d3b09b3c599e17248e313b1b6f2fbfe0f1e3089b738150a7d81d6e8

Download Submit
C:\Windows\{B89CA550-5D5F-4b9f-A14A-2816AFF97844}.exe

Filesize
204KB

MD5
7b0ef0524305f23ac3d73969a84fc7ab

SHA1
7cdece29cf32bbf98e7fc4da8c2073edc1e637dd

SHA256
3fde4114598e5347c247921975ab9cddcc0baf77bb3fa7dbecfef359f42fc411

SHA512
e76349187411617e8a5313ecf2ad4ee03116b6e04ed2661cd27baeb2acace4ab044b37324d3b09b3c599e17248e313b1b6f2fbfe0f1e3089b738150a7d81d6e8

Download Submit
C:\Windows\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe

Filesize
204KB

MD5
b282782aadb287215c2416f3ddd61644

SHA1
747b8331a2569a5a44a8c44918887eb699ebc589

SHA256
718839ac278649dc8f3ec5283580b0d6f4685c650b093ba4ff24e58d77103ecd

SHA512
4c2f512ee9714479be8a5c596cdbd8a3b244df22ef1e688fcc5dbdd5ff1c6dba3ec80886d0fb571d507a56d223992307f03768523f86334fc736f507aba2ca41

Download Submit
C:\Windows\{CB42ACD1-0C6C-45f6-8A20-07AC519A6F02}.exe

Filesize
204KB

MD5
b282782aadb287215c2416f3ddd61644

SHA1
747b8331a2569a5a44a8c44918887eb699ebc589

SHA256
718839ac278649dc8f3ec5283580b0d6f4685c650b093ba4ff24e58d77103ecd

SHA512
4c2f512ee9714479be8a5c596cdbd8a3b244df22ef1e688fcc5dbdd5ff1c6dba3ec80886d0fb571d507a56d223992307f03768523f86334fc736f507aba2ca41

Download Submit