70f2aada5de7ce94d699f9d3d5a0d466de36198ff43d2b39af80d4caf1d7a41a

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8678ccfb25fccexeexeexeex.exe
Size

408KB
MD5

e8678ccfb25fcc88baa0f58f47d25445
SHA1

4ac0c965f6aa8ee82b43a420ab91671de25e49f5
SHA256

70f2aada5de7ce94d699f9d3d5a0d466de36198ff43d2b39af80d4caf1d7a41a
SHA512

2e32cda23ff3b8bdb17b1efe59ee705ec54d781f69784921b40565a75717dea15e04e427c693e876bc3e0e19dc2a3a1811eec05e451c6b3b07c74bac362b5a2a
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}\stubpath = "C:\\Windows\\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe"	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9568716A-3276-4492-A0C7-78E54DD2ECF1}\stubpath = "C:\\Windows\\{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe"	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68CAA216-10A1-4fa1-8780-0A948261A9F1}\stubpath = "C:\\Windows\\{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe"	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}\stubpath = "C:\\Windows\\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe"	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C371E60-F8F3-42df-8B01-484E4CF82A78}\stubpath = "C:\\Windows\\{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe"	e8678ccfb25fccexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}\stubpath = "C:\\Windows\\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe"	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9568716A-3276-4492-A0C7-78E54DD2ECF1}	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{348C78B1-EA93-477f-B70D-D99CE92B9031}	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{348C78B1-EA93-477f-B70D-D99CE92B9031}\stubpath = "C:\\Windows\\{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe"	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}\stubpath = "C:\\Windows\\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe"	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A7891A6-9D5F-4513-BF14-69E28A177291}	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A7891A6-9D5F-4513-BF14-69E28A177291}\stubpath = "C:\\Windows\\{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe"	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C371E60-F8F3-42df-8B01-484E4CF82A78}	e8678ccfb25fccexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59BBD419-4C71-4282-978E-D5A9095F8D33}\stubpath = "C:\\Windows\\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe"	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}\stubpath = "C:\\Windows\\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe"	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68CAA216-10A1-4fa1-8780-0A948261A9F1}	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}	{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}\stubpath = "C:\\Windows\\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe"	{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59BBD419-4C71-4282-978E-D5A9095F8D33}	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe

Executes dropped EXE 12 IoCs

pid	Process
216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe
5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe
4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
656	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
4876	{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe
4648	{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
File created	C:\Windows\{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	e8678ccfb25fccexeexeexeex.exe
File created	C:\Windows\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
File created	C:\Windows\{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
File created	C:\Windows\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
File created	C:\Windows\{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
File created	C:\Windows\{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
File created	C:\Windows\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
File created	C:\Windows\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe	{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe
File created	C:\Windows\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
File created	C:\Windows\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe
File created	C:\Windows\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3836	e8678ccfb25fccexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
Token: SeIncBasePriorityPrivilege	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe
Token: SeIncBasePriorityPrivilege	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
Token: SeIncBasePriorityPrivilege	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
Token: SeIncBasePriorityPrivilege	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
Token: SeIncBasePriorityPrivilege	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
Token: SeIncBasePriorityPrivilege	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
Token: SeIncBasePriorityPrivilege	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe
Token: SeIncBasePriorityPrivilege	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
Token: SeIncBasePriorityPrivilege	656	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
Token: SeIncBasePriorityPrivilege	4876	{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 216	3836	e8678ccfb25fccexeexeexeex.exe	93
PID 3836 wrote to memory of 216	3836	e8678ccfb25fccexeexeexeex.exe	93
PID 3836 wrote to memory of 216	3836	e8678ccfb25fccexeexeexeex.exe	93
PID 3836 wrote to memory of 3292	3836	e8678ccfb25fccexeexeexeex.exe	94
PID 3836 wrote to memory of 3292	3836	e8678ccfb25fccexeexeexeex.exe	94
PID 3836 wrote to memory of 3292	3836	e8678ccfb25fccexeexeexeex.exe	94
PID 216 wrote to memory of 4412	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	95
PID 216 wrote to memory of 4412	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	95
PID 216 wrote to memory of 4412	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	95
PID 216 wrote to memory of 4592	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	96
PID 216 wrote to memory of 4592	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	96
PID 216 wrote to memory of 4592	216	{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe	96
PID 4412 wrote to memory of 5004	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	104
PID 4412 wrote to memory of 5004	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	104
PID 4412 wrote to memory of 5004	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	104
PID 4412 wrote to memory of 3796	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	103
PID 4412 wrote to memory of 3796	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	103
PID 4412 wrote to memory of 3796	4412	{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe	103
PID 5004 wrote to memory of 212	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	106
PID 5004 wrote to memory of 212	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	106
PID 5004 wrote to memory of 212	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	106
PID 5004 wrote to memory of 228	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	107
PID 5004 wrote to memory of 228	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	107
PID 5004 wrote to memory of 228	5004	{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe	107
PID 212 wrote to memory of 5028	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	108
PID 212 wrote to memory of 5028	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	108
PID 212 wrote to memory of 5028	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	108
PID 212 wrote to memory of 1896	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	109
PID 212 wrote to memory of 1896	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	109
PID 212 wrote to memory of 1896	212	{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe	109
PID 5028 wrote to memory of 3336	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	110
PID 5028 wrote to memory of 3336	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	110
PID 5028 wrote to memory of 3336	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	110
PID 5028 wrote to memory of 3400	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	111
PID 5028 wrote to memory of 3400	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	111
PID 5028 wrote to memory of 3400	5028	{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe	111
PID 3336 wrote to memory of 2200	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	113
PID 3336 wrote to memory of 2200	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	113
PID 3336 wrote to memory of 2200	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	113
PID 3336 wrote to memory of 3352	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	114
PID 3336 wrote to memory of 3352	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	114
PID 3336 wrote to memory of 3352	3336	{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe	114
PID 2200 wrote to memory of 4416	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	115
PID 2200 wrote to memory of 4416	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	115
PID 2200 wrote to memory of 4416	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	115
PID 2200 wrote to memory of 1620	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	116
PID 2200 wrote to memory of 1620	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	116
PID 2200 wrote to memory of 1620	2200	{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe	116
PID 4416 wrote to memory of 4304	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	117
PID 4416 wrote to memory of 4304	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	117
PID 4416 wrote to memory of 4304	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	117
PID 4416 wrote to memory of 216	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	118
PID 4416 wrote to memory of 216	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	118
PID 4416 wrote to memory of 216	4416	{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe	118
PID 4304 wrote to memory of 656	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	119
PID 4304 wrote to memory of 656	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	119
PID 4304 wrote to memory of 656	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	119
PID 4304 wrote to memory of 4656	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	120
PID 4304 wrote to memory of 4656	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	120
PID 4304 wrote to memory of 4656	4304	{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe	120
PID 656 wrote to memory of 4876	656	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe	121
PID 656 wrote to memory of 4876	656	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe	121
PID 656 wrote to memory of 4876	656	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe	121
PID 656 wrote to memory of 3540	656	{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe	122

C:\Users\Admin\AppData\Local\Temp\e8678ccfb25fccexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e8678ccfb25fccexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
  C:\Windows\{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe
    C:\Windows\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3408C~1.EXE > nul
      4⤵
      PID:3796
  - - C:\Windows\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
      C:\Windows\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
        
        C:\Windows\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Windows\{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
        
        C:\Windows\{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
        
        C:\Windows\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
        
        C:\Windows\{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe
        
        C:\Windows\{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
        
        C:\Windows\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
        
        C:\Windows\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe
        
        C:\Windows\{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe
        
        C:\Windows\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A789~1.EXE > nul
        13⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20F51~1.EXE > nul
        12⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B76~1.EXE > nul
        11⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68CAA~1.EXE > nul
        10⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{348C7~1.EXE > nul
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7909~1.EXE > nul
        8⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95687~1.EXE > nul
        7⤵
        
        PID:3400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABDFF~1.EXE > nul
        6⤵
        
        PID:1896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59BBD~1.EXE > nul
        5⤵
        
        PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C371~1.EXE > nul
    3⤵
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E8678C~1.EXE > nul
  2⤵
  PID:3292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe

Filesize
408KB

MD5
467bec9511ec8d3fee0e29192a747ba4

SHA1
a3b33d1900ccae00dda53911e137a4e02eab8138

SHA256
5414ab2009df25198caf9be9bbb8c35d4a7316af709a25024f2070cec1b0f0b5

SHA512
c7766fa94d315e6304edebf27f5e197ef627b04701c04c51f17a9921a791a5af316be93d9c4dd265c04397ffbc88ce4e8e3afa6a5a1028f28911a5eb5c111b5d

Download Submit
C:\Windows\{0A7891A6-9D5F-4513-BF14-69E28A177291}.exe

Filesize
408KB

MD5
467bec9511ec8d3fee0e29192a747ba4

SHA1
a3b33d1900ccae00dda53911e137a4e02eab8138

SHA256
5414ab2009df25198caf9be9bbb8c35d4a7316af709a25024f2070cec1b0f0b5

SHA512
c7766fa94d315e6304edebf27f5e197ef627b04701c04c51f17a9921a791a5af316be93d9c4dd265c04397ffbc88ce4e8e3afa6a5a1028f28911a5eb5c111b5d

Download Submit
C:\Windows\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe

Filesize
408KB

MD5
9912523f71c53aaa0153dde0f1076693

SHA1
6e711c0f87c440649ce1967c562fb3d5bb389baf

SHA256
b199849deb62a147038f5e48cd9b14952e099937b92c44cb358b8bacfeac2e53

SHA512
eff2d604cfb20095b050fbd70cad43231b7ceebc43a3d7dec1a8dd4acc4de09766d58af927420fde4186ed97356b70fc440740738843d7f521a57467293d8231

Download Submit
C:\Windows\{20F5191C-25D8-48fa-A740-A2B37DF4C2E9}.exe

Filesize
408KB

MD5
9912523f71c53aaa0153dde0f1076693

SHA1
6e711c0f87c440649ce1967c562fb3d5bb389baf

SHA256
b199849deb62a147038f5e48cd9b14952e099937b92c44cb358b8bacfeac2e53

SHA512
eff2d604cfb20095b050fbd70cad43231b7ceebc43a3d7dec1a8dd4acc4de09766d58af927420fde4186ed97356b70fc440740738843d7f521a57467293d8231

Download Submit
C:\Windows\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe

Filesize
408KB

MD5
ba9f0fe78438927a87ec8d440e559a68

SHA1
950bba4532285be059ac912a49d6a79d089f8951

SHA256
ff3ecf778d77a430143a9191aca1b80646b846af73e3ed4e5be4977e95570474

SHA512
cb2eb0d7a50c9836fb7503c2128b6b680d1322ccb4c1fff559b84b5627fe3232ced7e589c6a05edf2968a9649f95ce75656a4630fb9cd4018b73824250f514d8

Download Submit
C:\Windows\{3408CDF5-C40B-44c8-AF2F-F0216D93FB6A}.exe

Filesize
408KB

MD5
ba9f0fe78438927a87ec8d440e559a68

SHA1
950bba4532285be059ac912a49d6a79d089f8951

SHA256
ff3ecf778d77a430143a9191aca1b80646b846af73e3ed4e5be4977e95570474

SHA512
cb2eb0d7a50c9836fb7503c2128b6b680d1322ccb4c1fff559b84b5627fe3232ced7e589c6a05edf2968a9649f95ce75656a4630fb9cd4018b73824250f514d8

Download Submit
C:\Windows\{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe

Filesize
408KB

MD5
2939b3e62be38b194c8de7c531136001

SHA1
890fb3dd3d684f34f8c9dd65aef341a53e400eb1

SHA256
519282927ea17464e90e3899f51fa354cac7a159f28a0c656cf767738f640733

SHA512
fb3e15d45524ba3b1f02f31d80daf2355c786364328ef0b23eadc1c39b510ac51fc6cce8ad19e840897122370ad1d9a36dc0313a50d1b08cc05f7307587a6ff8

Download Submit
C:\Windows\{348C78B1-EA93-477f-B70D-D99CE92B9031}.exe

Filesize
408KB

MD5
2939b3e62be38b194c8de7c531136001

SHA1
890fb3dd3d684f34f8c9dd65aef341a53e400eb1

SHA256
519282927ea17464e90e3899f51fa354cac7a159f28a0c656cf767738f640733

SHA512
fb3e15d45524ba3b1f02f31d80daf2355c786364328ef0b23eadc1c39b510ac51fc6cce8ad19e840897122370ad1d9a36dc0313a50d1b08cc05f7307587a6ff8

Download Submit
C:\Windows\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe

Filesize
408KB

MD5
48e7eebdd579ab488468b1867c97342b

SHA1
4d37346dfdd9721d92278cfebf748e5777578929

SHA256
35f359e62b8abfb10e479c5936fe79ff26e6327ca0066a91f772cb207d48f461

SHA512
a19bb795d98fa250f46ddc358c17cb70c0447c90df673832f7dbd8f873c6b663ef709a959b1f78968cdeff291e9cff08390c6f0a6d24a0d347aab8c6a0cfae47

Download Submit
C:\Windows\{471B9F21-9BFB-4e45-A27B-8ADDB47A04AC}.exe

Filesize
408KB

MD5
48e7eebdd579ab488468b1867c97342b

SHA1
4d37346dfdd9721d92278cfebf748e5777578929

SHA256
35f359e62b8abfb10e479c5936fe79ff26e6327ca0066a91f772cb207d48f461

SHA512
a19bb795d98fa250f46ddc358c17cb70c0447c90df673832f7dbd8f873c6b663ef709a959b1f78968cdeff291e9cff08390c6f0a6d24a0d347aab8c6a0cfae47

Download Submit
C:\Windows\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe

Filesize
408KB

MD5
e1944fd1f7631fab96729ee46ceec1eb

SHA1
6cfea3091e5777c2479cb1e69d068a9dcb70d2b2

SHA256
5170fad93d5fa6f066d111f5e338dd7cb74774b45642e0d291c5d3fa516260ba

SHA512
a06a1c2d0d3fe62afb4f16fc16f68da21abdded634e9cf4e0e1ce4033fc404d918f465e9cd5bca27a2cfa0af7728f62d24da656fdc8cfacec7d39222cf7fa4f3

Download Submit
C:\Windows\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe

Filesize
408KB

MD5
e1944fd1f7631fab96729ee46ceec1eb

SHA1
6cfea3091e5777c2479cb1e69d068a9dcb70d2b2

SHA256
5170fad93d5fa6f066d111f5e338dd7cb74774b45642e0d291c5d3fa516260ba

SHA512
a06a1c2d0d3fe62afb4f16fc16f68da21abdded634e9cf4e0e1ce4033fc404d918f465e9cd5bca27a2cfa0af7728f62d24da656fdc8cfacec7d39222cf7fa4f3

Download Submit
C:\Windows\{59BBD419-4C71-4282-978E-D5A9095F8D33}.exe

Filesize
408KB

MD5
e1944fd1f7631fab96729ee46ceec1eb

SHA1
6cfea3091e5777c2479cb1e69d068a9dcb70d2b2

SHA256
5170fad93d5fa6f066d111f5e338dd7cb74774b45642e0d291c5d3fa516260ba

SHA512
a06a1c2d0d3fe62afb4f16fc16f68da21abdded634e9cf4e0e1ce4033fc404d918f465e9cd5bca27a2cfa0af7728f62d24da656fdc8cfacec7d39222cf7fa4f3

Download Submit
C:\Windows\{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe

Filesize
408KB

MD5
93a19d1673351dcefb7888c76ccc4789

SHA1
dcaa9641ae5303458a255495356475be944301e2

SHA256
8769ddaf9b45664e5c9514c619196d31b9085346c48abecc7237921884db7baa

SHA512
29d8315bfee0b005f4db77000e92b67d07ff18d24e9175590c304be51e0b57e511af3ce03f7231d8e4a63e731b53c74b57b4a2c101e1a5cedbc77ef1050d2ecc

Download Submit
C:\Windows\{68CAA216-10A1-4fa1-8780-0A948261A9F1}.exe

Filesize
408KB

MD5
93a19d1673351dcefb7888c76ccc4789

SHA1
dcaa9641ae5303458a255495356475be944301e2

SHA256
8769ddaf9b45664e5c9514c619196d31b9085346c48abecc7237921884db7baa

SHA512
29d8315bfee0b005f4db77000e92b67d07ff18d24e9175590c304be51e0b57e511af3ce03f7231d8e4a63e731b53c74b57b4a2c101e1a5cedbc77ef1050d2ecc

Download Submit
C:\Windows\{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe

Filesize
408KB

MD5
16f72427f7a91668e51cbc56a424ec49

SHA1
218211176ab03858fe00623bf7db0ccdd6e8f429

SHA256
77f110579a72b737bd6380bcd4c05bef3d96204c2432025eb809591c5776fc92

SHA512
f499e074cf0386cb3fcf490f5453ae93b619405ddda2442836547a8ed4a7500eeebb11ee03b2cc46d870b2f63d3e159265f45fe79cea86e4640dacda0a2522ef

Download Submit
C:\Windows\{9568716A-3276-4492-A0C7-78E54DD2ECF1}.exe

Filesize
408KB

MD5
16f72427f7a91668e51cbc56a424ec49

SHA1
218211176ab03858fe00623bf7db0ccdd6e8f429

SHA256
77f110579a72b737bd6380bcd4c05bef3d96204c2432025eb809591c5776fc92

SHA512
f499e074cf0386cb3fcf490f5453ae93b619405ddda2442836547a8ed4a7500eeebb11ee03b2cc46d870b2f63d3e159265f45fe79cea86e4640dacda0a2522ef

Download Submit
C:\Windows\{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe

Filesize
408KB

MD5
260b0801a59d0fa254836cb4c3d849d0

SHA1
ad1822e70d2894311c2dd2d88586d26e3398ad56

SHA256
7fb6fbf0f2cd01c077f31cbe8082a4ba28a61985b656c187bbf81b3f457054c4

SHA512
303962cf7f3bf627e9dca9bfd6ba36beb737930a5f59dd837abc019245e9215dc9d552b38f3679db1a01edf26b399c7b12ada069ac6ecc2c61bd8897c55c78d2

Download Submit
C:\Windows\{9C371E60-F8F3-42df-8B01-484E4CF82A78}.exe

Filesize
408KB

MD5
260b0801a59d0fa254836cb4c3d849d0

SHA1
ad1822e70d2894311c2dd2d88586d26e3398ad56

SHA256
7fb6fbf0f2cd01c077f31cbe8082a4ba28a61985b656c187bbf81b3f457054c4

SHA512
303962cf7f3bf627e9dca9bfd6ba36beb737930a5f59dd837abc019245e9215dc9d552b38f3679db1a01edf26b399c7b12ada069ac6ecc2c61bd8897c55c78d2

Download Submit
C:\Windows\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe

Filesize
408KB

MD5
748857edd2e006915d74ba6394762c76

SHA1
6f0c0807ab1b91163a692fdc31f70ff3a06756ab

SHA256
8cb82b803aa53bc8e9074a7954bd1d16a8a1ed3a8af717759aa689ae32e21bac

SHA512
46581dabd3d095f24c9c8b0305ceb0de785295b72c79a7cceb786dc4ff445f719cc4154ab8f595311fc49a07a71215cc5a1c30c97de7def210bf83eb0213ecdf

Download Submit
C:\Windows\{ABDFF52C-ABB2-4e2b-8BCE-8710F7CC15BA}.exe

Filesize
408KB

MD5
748857edd2e006915d74ba6394762c76

SHA1
6f0c0807ab1b91163a692fdc31f70ff3a06756ab

SHA256
8cb82b803aa53bc8e9074a7954bd1d16a8a1ed3a8af717759aa689ae32e21bac

SHA512
46581dabd3d095f24c9c8b0305ceb0de785295b72c79a7cceb786dc4ff445f719cc4154ab8f595311fc49a07a71215cc5a1c30c97de7def210bf83eb0213ecdf

Download Submit
C:\Windows\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe

Filesize
408KB

MD5
7227845b791f10ce5b638c6303ecec8d

SHA1
c01cb2604d0fe80c532b6e454d1cdb85271e332a

SHA256
34b1dbdb4e4188d7591c23be18fe7e76862b53070882f1bdba114c9cfb4d12d6

SHA512
77c311131fc67dccf295459186308bced556ede021cb0094a00d48669c159c69050ac5ebd510790285491e05a847b2f3839cd2d060e3a58ef55575df32892459

Download Submit
C:\Windows\{B1B760E1-0EB2-4c26-AAD5-D234DF11450B}.exe

Filesize
408KB

MD5
7227845b791f10ce5b638c6303ecec8d

SHA1
c01cb2604d0fe80c532b6e454d1cdb85271e332a

SHA256
34b1dbdb4e4188d7591c23be18fe7e76862b53070882f1bdba114c9cfb4d12d6

SHA512
77c311131fc67dccf295459186308bced556ede021cb0094a00d48669c159c69050ac5ebd510790285491e05a847b2f3839cd2d060e3a58ef55575df32892459

Download Submit
C:\Windows\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe

Filesize
408KB

MD5
d03cf62deb9eafd4a527442a7111162d

SHA1
17fc2d106a34e155b20d1ec4f0e5b0deeda148fd

SHA256
af87bef19a75c319872536847f7c2369fdabdcffce3f694f13480e8cbb5b9eb4

SHA512
04ae1cb897ece7452f38fade54c2894d92683fd989fff2094bfa818f3a77cf379e8303a21eab2d2fe59f54afaafcc4c125e376d1926be2516958d499c3f32e57

Download Submit
C:\Windows\{E7909BEB-A3E7-4f8c-A4CB-4F109D632E93}.exe

Filesize
408KB

MD5
d03cf62deb9eafd4a527442a7111162d

SHA1
17fc2d106a34e155b20d1ec4f0e5b0deeda148fd

SHA256
af87bef19a75c319872536847f7c2369fdabdcffce3f694f13480e8cbb5b9eb4

SHA512
04ae1cb897ece7452f38fade54c2894d92683fd989fff2094bfa818f3a77cf379e8303a21eab2d2fe59f54afaafcc4c125e376d1926be2516958d499c3f32e57

Download Submit