96fff1de0aa73c2cf852b51f3357363c6af786f3424a94c4d776c9413e0455de

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e071d2962b5035exeexeexeex.exe
Size

168KB
MD5

e071d2962b50352a2dc1218df47fcf7f
SHA1

a3982cac9af0b7bca95e0bddca2f4b77007eb4e2
SHA256

96fff1de0aa73c2cf852b51f3357363c6af786f3424a94c4d776c9413e0455de
SHA512

62bb34961d00424c58457a6999409d4bd0096c6ce54bb7d687ec146a03ed567f320480864fc393ff69e5560af979a22ef7cf7b0d77e34b606bbc794e6b104371
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}\stubpath = "C:\\Windows\\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe"	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179D2C77-022A-4fab-9A7C-53213B4D46C8}	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E245D64C-0508-4c9c-B9B6-46077278B8E6}\stubpath = "C:\\Windows\\{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe"	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}\stubpath = "C:\\Windows\\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe"	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}	{FC804BDF-B917-4e70-8959-CC33B9573402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F250EA4-D43D-4194-9CBE-234FFC52495A}	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}\stubpath = "C:\\Windows\\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe"	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179D2C77-022A-4fab-9A7C-53213B4D46C8}\stubpath = "C:\\Windows\\{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe"	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}\stubpath = "C:\\Windows\\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe"	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC804BDF-B917-4e70-8959-CC33B9573402}	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}\stubpath = "C:\\Windows\\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe"	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}\stubpath = "C:\\Windows\\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe"	{FC804BDF-B917-4e70-8959-CC33B9573402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E245D64C-0508-4c9c-B9B6-46077278B8E6}	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}\stubpath = "C:\\Windows\\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe"	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F250EA4-D43D-4194-9CBE-234FFC52495A}\stubpath = "C:\\Windows\\{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe"	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC804BDF-B917-4e70-8959-CC33B9573402}\stubpath = "C:\\Windows\\{FC804BDF-B917-4e70-8959-CC33B9573402}.exe"	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785B3FA6-C5D6-4c21-B018-F701BDF29977}	e071d2962b5035exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785B3FA6-C5D6-4c21-B018-F701BDF29977}\stubpath = "C:\\Windows\\{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe"	e071d2962b5035exeexeexeex.exe

Executes dropped EXE 12 IoCs

pid	Process
4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
4880	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
3392	{FC804BDF-B917-4e70-8959-CC33B9573402}.exe
3696	{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	e071d2962b5035exeexeexeex.exe
File created	C:\Windows\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
File created	C:\Windows\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
File created	C:\Windows\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
File created	C:\Windows\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
File created	C:\Windows\{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
File created	C:\Windows\{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
File created	C:\Windows\{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
File created	C:\Windows\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
File created	C:\Windows\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
File created	C:\Windows\{FC804BDF-B917-4e70-8959-CC33B9573402}.exe	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
File created	C:\Windows\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe	{FC804BDF-B917-4e70-8959-CC33B9573402}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1076	e071d2962b5035exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
Token: SeIncBasePriorityPrivilege	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
Token: SeIncBasePriorityPrivilege	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
Token: SeIncBasePriorityPrivilege	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
Token: SeIncBasePriorityPrivilege	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
Token: SeIncBasePriorityPrivilege	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
Token: SeIncBasePriorityPrivilege	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
Token: SeIncBasePriorityPrivilege	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
Token: SeIncBasePriorityPrivilege	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
Token: SeIncBasePriorityPrivilege	4880	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
Token: SeIncBasePriorityPrivilege	3392	{FC804BDF-B917-4e70-8959-CC33B9573402}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4440	1076	e071d2962b5035exeexeexeex.exe	92
PID 1076 wrote to memory of 4440	1076	e071d2962b5035exeexeexeex.exe	92
PID 1076 wrote to memory of 4440	1076	e071d2962b5035exeexeexeex.exe	92
PID 1076 wrote to memory of 4328	1076	e071d2962b5035exeexeexeex.exe	93
PID 1076 wrote to memory of 4328	1076	e071d2962b5035exeexeexeex.exe	93
PID 1076 wrote to memory of 4328	1076	e071d2962b5035exeexeexeex.exe	93
PID 4440 wrote to memory of 324	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	95
PID 4440 wrote to memory of 324	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	95
PID 4440 wrote to memory of 324	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	95
PID 4440 wrote to memory of 2844	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	96
PID 4440 wrote to memory of 2844	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	96
PID 4440 wrote to memory of 2844	4440	{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe	96
PID 324 wrote to memory of 1148	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	101
PID 324 wrote to memory of 1148	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	101
PID 324 wrote to memory of 1148	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	101
PID 324 wrote to memory of 4920	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	100
PID 324 wrote to memory of 4920	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	100
PID 324 wrote to memory of 4920	324	{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe	100
PID 1148 wrote to memory of 3228	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	107
PID 1148 wrote to memory of 3228	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	107
PID 1148 wrote to memory of 3228	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	107
PID 1148 wrote to memory of 400	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	108
PID 1148 wrote to memory of 400	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	108
PID 1148 wrote to memory of 400	1148	{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe	108
PID 3228 wrote to memory of 1772	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	109
PID 3228 wrote to memory of 1772	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	109
PID 3228 wrote to memory of 1772	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	109
PID 3228 wrote to memory of 2668	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	110
PID 3228 wrote to memory of 2668	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	110
PID 3228 wrote to memory of 2668	3228	{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe	110
PID 1772 wrote to memory of 872	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	111
PID 1772 wrote to memory of 872	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	111
PID 1772 wrote to memory of 872	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	111
PID 1772 wrote to memory of 2844	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	112
PID 1772 wrote to memory of 2844	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	112
PID 1772 wrote to memory of 2844	1772	{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe	112
PID 872 wrote to memory of 4056	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	114
PID 872 wrote to memory of 4056	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	114
PID 872 wrote to memory of 4056	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	114
PID 872 wrote to memory of 4028	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	115
PID 872 wrote to memory of 4028	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	115
PID 872 wrote to memory of 4028	872	{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe	115
PID 4056 wrote to memory of 1512	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	116
PID 4056 wrote to memory of 1512	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	116
PID 4056 wrote to memory of 1512	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	116
PID 4056 wrote to memory of 3936	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	117
PID 4056 wrote to memory of 3936	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	117
PID 4056 wrote to memory of 3936	4056	{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe	117
PID 1512 wrote to memory of 1068	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	118
PID 1512 wrote to memory of 1068	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	118
PID 1512 wrote to memory of 1068	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	118
PID 1512 wrote to memory of 880	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	119
PID 1512 wrote to memory of 880	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	119
PID 1512 wrote to memory of 880	1512	{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe	119
PID 1068 wrote to memory of 4880	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	120
PID 1068 wrote to memory of 4880	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	120
PID 1068 wrote to memory of 4880	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	120
PID 1068 wrote to memory of 2604	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	121
PID 1068 wrote to memory of 2604	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	121
PID 1068 wrote to memory of 2604	1068	{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe	121
PID 4880 wrote to memory of 3392	4880	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe	122
PID 4880 wrote to memory of 3392	4880	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe	122
PID 4880 wrote to memory of 3392	4880	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe	122
PID 4880 wrote to memory of 4272	4880	{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe	123

C:\Users\Admin\AppData\Local\Temp\e071d2962b5035exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e071d2962b5035exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
  C:\Windows\{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
    C:\Windows\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{93E68~1.EXE > nul
      4⤵
      PID:4920
  - - C:\Windows\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
      C:\Windows\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
        
        C:\Windows\{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
        
        C:\Windows\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
        
        C:\Windows\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
        
        C:\Windows\{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
        
        C:\Windows\{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
        
        C:\Windows\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
        
        C:\Windows\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{FC804BDF-B917-4e70-8959-CC33B9573402}.exe
        
        C:\Windows\{FC804BDF-B917-4e70-8959-CC33B9573402}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe
        
        C:\Windows\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe
        13⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC804~1.EXE > nul
        13⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69563~1.EXE > nul
        12⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B78D~1.EXE > nul
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E245D~1.EXE > nul
        10⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{179D2~1.EXE > nul
        9⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D632E~1.EXE > nul
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{887F0~1.EXE > nul
        7⤵
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F250~1.EXE > nul
        6⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4CF7~1.EXE > nul
        5⤵
        
        PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{785B3~1.EXE > nul
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E071D2~1.EXE > nul
  2⤵
  PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe

Filesize
168KB

MD5
25cfa398a75f6309ef3ccd3611fd351b

SHA1
c0e04961dbb4e8dc339d98df3f325b9dadbe3c7f

SHA256
10b9e59d83f5e90fc791cb9510ff0e02e1f599ec128e840155c186c886e46c01

SHA512
e0983fcb684065ac3af9f0eb3adb5af490d75e355c4aae43fb5ede072216517ec0903a886108e6e0a163ae38d86b0d358dd07266a1113bfc4ab647eaee0e88d5

Download Submit
C:\Windows\{08EB3A2F-70B7-471f-A0E8-4DF55CD3D710}.exe

Filesize
168KB

MD5
25cfa398a75f6309ef3ccd3611fd351b

SHA1
c0e04961dbb4e8dc339d98df3f325b9dadbe3c7f

SHA256
10b9e59d83f5e90fc791cb9510ff0e02e1f599ec128e840155c186c886e46c01

SHA512
e0983fcb684065ac3af9f0eb3adb5af490d75e355c4aae43fb5ede072216517ec0903a886108e6e0a163ae38d86b0d358dd07266a1113bfc4ab647eaee0e88d5

Download Submit
C:\Windows\{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe

Filesize
168KB

MD5
215a143cfb8ad7d59d6304ba145624c8

SHA1
d0b3ce9ba57b4a8ce4eab41adb0d5063230256f1

SHA256
c318a351ff5b920d1c81dd006f917b5329650f865b1e03fa7608132ea63ba851

SHA512
c32f4718c05b3259798b0e55bcd539449f9db11cd61870f7f1525d95f988fae9ceec9e2ba7faa24fd6f67f9b5edae67db301342bfc5eb904c5195c225b3cf11f

Download Submit
C:\Windows\{179D2C77-022A-4fab-9A7C-53213B4D46C8}.exe

Filesize
168KB

MD5
215a143cfb8ad7d59d6304ba145624c8

SHA1
d0b3ce9ba57b4a8ce4eab41adb0d5063230256f1

SHA256
c318a351ff5b920d1c81dd006f917b5329650f865b1e03fa7608132ea63ba851

SHA512
c32f4718c05b3259798b0e55bcd539449f9db11cd61870f7f1525d95f988fae9ceec9e2ba7faa24fd6f67f9b5edae67db301342bfc5eb904c5195c225b3cf11f

Download Submit
C:\Windows\{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe

Filesize
168KB

MD5
bd06b614c8926ad97a0cb5648f855203

SHA1
c76ebac7d8a5bb0f1190c72b9944d14418a5d8c3

SHA256
ef4b647d8bee6f3f51847bf345746e794e65048d7cab8ea9aba40fcb08c674df

SHA512
fff98b0414d8a58f8ff06b58bebf54dae44f7f1dac1d01c1c91e0d07bbea3852a3c69210ec6b3a596b6c641a088db1185b9786f544102f6de766cc3956436d2e

Download Submit
C:\Windows\{4F250EA4-D43D-4194-9CBE-234FFC52495A}.exe

Filesize
168KB

MD5
bd06b614c8926ad97a0cb5648f855203

SHA1
c76ebac7d8a5bb0f1190c72b9944d14418a5d8c3

SHA256
ef4b647d8bee6f3f51847bf345746e794e65048d7cab8ea9aba40fcb08c674df

SHA512
fff98b0414d8a58f8ff06b58bebf54dae44f7f1dac1d01c1c91e0d07bbea3852a3c69210ec6b3a596b6c641a088db1185b9786f544102f6de766cc3956436d2e

Download Submit
C:\Windows\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe

Filesize
168KB

MD5
d22b71e12c23205918326f065acad1b8

SHA1
3c132b884b5741bb78bb2f327ff5ec2b28caa4cb

SHA256
e780995a48f35083157206e7316341287f4324963eb97de01dde857953b2cc53

SHA512
9b24ee642bf4dffaba55e20351f8c4ecaed91be65b96134d99effc52b081a3898d360f59aaa00d5ace0cab336a4d3f2e33c842365077ab604bff602cb0788974

Download Submit
C:\Windows\{69563388-ECDB-4956-9FD6-2B7FC2B7A952}.exe

Filesize
168KB

MD5
d22b71e12c23205918326f065acad1b8

SHA1
3c132b884b5741bb78bb2f327ff5ec2b28caa4cb

SHA256
e780995a48f35083157206e7316341287f4324963eb97de01dde857953b2cc53

SHA512
9b24ee642bf4dffaba55e20351f8c4ecaed91be65b96134d99effc52b081a3898d360f59aaa00d5ace0cab336a4d3f2e33c842365077ab604bff602cb0788974

Download Submit
C:\Windows\{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe

Filesize
168KB

MD5
b0e3e3de10c72e819d9f7ee4585358c9

SHA1
cdcf4a4a4394ee97513b7666a00f41ce91b15e7a

SHA256
44a1e7503f1c94e23f6d4a128195376c7c4de33743f6f06e63811aeb8865f0be

SHA512
a13d3ec52e9f7e6f376387c6905b66052b821cf2495f0beefd0c20e67ce411a361d131d350ef54b3fdf4da5dfe65cf93cfa92066f91edb50cc709af0d55ea31f

Download Submit
C:\Windows\{785B3FA6-C5D6-4c21-B018-F701BDF29977}.exe

Filesize
168KB

MD5
b0e3e3de10c72e819d9f7ee4585358c9

SHA1
cdcf4a4a4394ee97513b7666a00f41ce91b15e7a

SHA256
44a1e7503f1c94e23f6d4a128195376c7c4de33743f6f06e63811aeb8865f0be

SHA512
a13d3ec52e9f7e6f376387c6905b66052b821cf2495f0beefd0c20e67ce411a361d131d350ef54b3fdf4da5dfe65cf93cfa92066f91edb50cc709af0d55ea31f

Download Submit
C:\Windows\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe

Filesize
168KB

MD5
1a21720b4b0037ee31da07cde8ce859e

SHA1
f55a40fa92cddba615d3b1fec1a79609bfa3be6f

SHA256
748866548458746d4442b51d834ed4dcb2f6440179818aa1c4358314506ef914

SHA512
04c3ce7cf5a52a15844214d67800bb51bb643d44ef5e6d2659ccc8d1d0d88f212d280ca977499877b59dc0aa7a42f131b27b2396942a519edc15a6c4ce479b1e

Download Submit
C:\Windows\{887F06A9-94EA-4d0d-84D5-5EA1EB7B3EB2}.exe

Filesize
168KB

MD5
1a21720b4b0037ee31da07cde8ce859e

SHA1
f55a40fa92cddba615d3b1fec1a79609bfa3be6f

SHA256
748866548458746d4442b51d834ed4dcb2f6440179818aa1c4358314506ef914

SHA512
04c3ce7cf5a52a15844214d67800bb51bb643d44ef5e6d2659ccc8d1d0d88f212d280ca977499877b59dc0aa7a42f131b27b2396942a519edc15a6c4ce479b1e

Download Submit
C:\Windows\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe

Filesize
168KB

MD5
8a9827c1502919cc5573908f7b610927

SHA1
6a34252482b78c0e5e4c311f8ac6e380ced24aea

SHA256
e37488448a6f693e58f6d3ff0d503bce85ad4dc1c291e3da3a4c656bd909f35c

SHA512
967db5719aa6d10aa0c50e314fcec06112a4d9e7a6b78b3094b3f4d3888701a6ffc7d84228b0e09c7a894a066be43ef0d512450b88f88f1675d3ca691b999d97

Download Submit
C:\Windows\{93E689E1-AF45-47b0-A5FC-0B4D9C4AA57D}.exe

Filesize
168KB

MD5
8a9827c1502919cc5573908f7b610927

SHA1
6a34252482b78c0e5e4c311f8ac6e380ced24aea

SHA256
e37488448a6f693e58f6d3ff0d503bce85ad4dc1c291e3da3a4c656bd909f35c

SHA512
967db5719aa6d10aa0c50e314fcec06112a4d9e7a6b78b3094b3f4d3888701a6ffc7d84228b0e09c7a894a066be43ef0d512450b88f88f1675d3ca691b999d97

Download Submit
C:\Windows\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe

Filesize
168KB

MD5
c6849f90b92447aa8cba3882483296cf

SHA1
25531bd9788e77037d387c43e4cda1b462575472

SHA256
e86be57c7e5877ee0b630c61f66a7624722db567599ed56f52e5f337646cd09c

SHA512
231347bcce7863e8ac0bb8384a166d3683cc81cf7c7b1a4164b56d2daed7d35a65b539b2ea32ba99e2a0007d4d477a355c75e43d0f17ecd5457f6cb966ca5425

Download Submit
C:\Windows\{9B78D1BF-229E-4ba6-866E-91AF8E2ABB31}.exe

Filesize
168KB

MD5
c6849f90b92447aa8cba3882483296cf

SHA1
25531bd9788e77037d387c43e4cda1b462575472

SHA256
e86be57c7e5877ee0b630c61f66a7624722db567599ed56f52e5f337646cd09c

SHA512
231347bcce7863e8ac0bb8384a166d3683cc81cf7c7b1a4164b56d2daed7d35a65b539b2ea32ba99e2a0007d4d477a355c75e43d0f17ecd5457f6cb966ca5425

Download Submit
C:\Windows\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe

Filesize
168KB

MD5
bf67815bb0664e64eb0cbf515c799d84

SHA1
bfe6652ae9dddb46d41e15d7a2f79fb68f662921

SHA256
9e8c6aa53ffe8f3f41ef143053f8b4afd93425d56b372dbd00909f597b83bfa8

SHA512
9841cb786a59b464f177683311a90c70e19238cc6ff353d000d443ef6a2bd14b363a5b88675e73bc23f0f11e396e08bd9719251d19dcc8e6ade56ac0fb82819e

Download Submit
C:\Windows\{D632EA4A-0665-40af-ACAC-3B2CA9C9521D}.exe

Filesize
168KB

MD5
bf67815bb0664e64eb0cbf515c799d84

SHA1
bfe6652ae9dddb46d41e15d7a2f79fb68f662921

SHA256
9e8c6aa53ffe8f3f41ef143053f8b4afd93425d56b372dbd00909f597b83bfa8

SHA512
9841cb786a59b464f177683311a90c70e19238cc6ff353d000d443ef6a2bd14b363a5b88675e73bc23f0f11e396e08bd9719251d19dcc8e6ade56ac0fb82819e

Download Submit
C:\Windows\{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe

Filesize
168KB

MD5
0837f9275c7a2d3ebbd57a7539bddcff

SHA1
5063b4876f6416f76ff9005958a7b2188d28326e

SHA256
9457c97a9530df4a5e928decbb67301748ff9d5a76d4446204968ff18149cd52

SHA512
13640d60cc57ca0d1f4580c3840526d8e9a1001ea6b5452b3ce469ee0b1437811c89da565f86223ddb018d625f7875603aaa1b22b5e1ae605a0a0d36b362f4ac

Download Submit
C:\Windows\{E245D64C-0508-4c9c-B9B6-46077278B8E6}.exe

Filesize
168KB

MD5
0837f9275c7a2d3ebbd57a7539bddcff

SHA1
5063b4876f6416f76ff9005958a7b2188d28326e

SHA256
9457c97a9530df4a5e928decbb67301748ff9d5a76d4446204968ff18149cd52

SHA512
13640d60cc57ca0d1f4580c3840526d8e9a1001ea6b5452b3ce469ee0b1437811c89da565f86223ddb018d625f7875603aaa1b22b5e1ae605a0a0d36b362f4ac

Download Submit
C:\Windows\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe

Filesize
168KB

MD5
c529e5ad72cf7e1975d2948dc21ae17c

SHA1
179ea2d964318b086eb103db69ac80f45589e953

SHA256
64f54b402e90998e58d6970294de200158838a732daa4d3294b26e797fa0fcb8

SHA512
300a84dc9c1aaa82e38f935332c67c5a5214cc7f0f23026215d41067a39e28d802a4d71ba3acd905848ac4cbca8fee929cb97ba2593e00969cdf3bb5255a8c3a

Download Submit
C:\Windows\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe

Filesize
168KB

MD5
c529e5ad72cf7e1975d2948dc21ae17c

SHA1
179ea2d964318b086eb103db69ac80f45589e953

SHA256
64f54b402e90998e58d6970294de200158838a732daa4d3294b26e797fa0fcb8

SHA512
300a84dc9c1aaa82e38f935332c67c5a5214cc7f0f23026215d41067a39e28d802a4d71ba3acd905848ac4cbca8fee929cb97ba2593e00969cdf3bb5255a8c3a

Download Submit
C:\Windows\{F4CF71DD-CEBD-4225-B289-6B832CDFCDB0}.exe

Filesize
168KB

MD5
c529e5ad72cf7e1975d2948dc21ae17c

SHA1
179ea2d964318b086eb103db69ac80f45589e953

SHA256
64f54b402e90998e58d6970294de200158838a732daa4d3294b26e797fa0fcb8

SHA512
300a84dc9c1aaa82e38f935332c67c5a5214cc7f0f23026215d41067a39e28d802a4d71ba3acd905848ac4cbca8fee929cb97ba2593e00969cdf3bb5255a8c3a

Download Submit
C:\Windows\{FC804BDF-B917-4e70-8959-CC33B9573402}.exe

Filesize
168KB

MD5
83b18a15d2640100528048c845ba73b1

SHA1
b4607632fdb7669eba627980043b7488063503df

SHA256
3204ec4b6f26faa63cb58b44f0df6afe760e5824ff5000c5897b1f8847aef9f3

SHA512
8a4d1736d7e1613e0aa833d4eb747e1fb1728ef67cd32e7b953d31c8f076df2984de747155bfa0598c9d7aabad49a1ed96cd296edc09b04624dd6b52f3cad4c0

Download Submit
C:\Windows\{FC804BDF-B917-4e70-8959-CC33B9573402}.exe

Filesize
168KB

MD5
83b18a15d2640100528048c845ba73b1

SHA1
b4607632fdb7669eba627980043b7488063503df

SHA256
3204ec4b6f26faa63cb58b44f0df6afe760e5824ff5000c5897b1f8847aef9f3

SHA512
8a4d1736d7e1613e0aa833d4eb747e1fb1728ef67cd32e7b953d31c8f076df2984de747155bfa0598c9d7aabad49a1ed96cd296edc09b04624dd6b52f3cad4c0

Download Submit