1aa1e8b2bda49c4c27d5c2c1f9d32ef17e2774ae69aef3ef1948abc7eb5bfd68

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e0841835450c6exeexeexeex.exe
Size

204KB
MD5

2e0841835450c6fce465ce1497bc8080
SHA1

28d5b0c5f7e147f294ed5eee5ba34c950bcd7c68
SHA256

1aa1e8b2bda49c4c27d5c2c1f9d32ef17e2774ae69aef3ef1948abc7eb5bfd68
SHA512

a2dadc642533f54856880e08c01749dbe14b209d91fabf3805a23b65c871e2670d8b6b0702fea2e7bc4f7038cb0cd0e6d4d377840feb8d135e0293f5f04ebeb1
SSDEEP

1536:1EGh0oHLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0orl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}\stubpath = "C:\\Windows\\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe"	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}\stubpath = "C:\\Windows\\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe"	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEC92F7F-5E38-486c-8792-75FF03EF7841}\stubpath = "C:\\Windows\\{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe"	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D47239-6234-4808-BD6F-3B7FE36B43CA}\stubpath = "C:\\Windows\\{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe"	{3103B234-C633-46f6-A978-961CD8BAE836}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}\stubpath = "C:\\Windows\\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe"	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}\stubpath = "C:\\Windows\\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe"	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}\stubpath = "C:\\Windows\\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe"	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48A0D824-276F-4878-8F65-939CF0922D29}	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}	{48A0D824-276F-4878-8F65-939CF0922D29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3103B234-C633-46f6-A978-961CD8BAE836}	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}	2e0841835450c6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3103B234-C633-46f6-A978-961CD8BAE836}\stubpath = "C:\\Windows\\{3103B234-C633-46f6-A978-961CD8BAE836}.exe"	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEC92F7F-5E38-486c-8792-75FF03EF7841}	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D47239-6234-4808-BD6F-3B7FE36B43CA}	{3103B234-C633-46f6-A978-961CD8BAE836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}\stubpath = "C:\\Windows\\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe"	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48A0D824-276F-4878-8F65-939CF0922D29}\stubpath = "C:\\Windows\\{48A0D824-276F-4878-8F65-939CF0922D29}.exe"	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}\stubpath = "C:\\Windows\\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe"	{48A0D824-276F-4878-8F65-939CF0922D29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}\stubpath = "C:\\Windows\\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe"	2e0841835450c6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe
928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe
4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe
2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
1120	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
3616	{3103B234-C633-46f6-A978-961CD8BAE836}.exe
896	{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
File created	C:\Windows\{3103B234-C633-46f6-A978-961CD8BAE836}.exe	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
File created	C:\Windows\{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe	{3103B234-C633-46f6-A978-961CD8BAE836}.exe
File created	C:\Windows\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
File created	C:\Windows\{48A0D824-276F-4878-8F65-939CF0922D29}.exe	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
File created	C:\Windows\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	{48A0D824-276F-4878-8F65-939CF0922D29}.exe
File created	C:\Windows\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe
File created	C:\Windows\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
File created	C:\Windows\{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
File created	C:\Windows\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	2e0841835450c6exeexeexeex.exe
File created	C:\Windows\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
File created	C:\Windows\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4696	2e0841835450c6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
Token: SeIncBasePriorityPrivilege	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe
Token: SeIncBasePriorityPrivilege	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe
Token: SeIncBasePriorityPrivilege	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
Token: SeIncBasePriorityPrivilege	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
Token: SeIncBasePriorityPrivilege	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
Token: SeIncBasePriorityPrivilege	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe
Token: SeIncBasePriorityPrivilege	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
Token: SeIncBasePriorityPrivilege	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
Token: SeIncBasePriorityPrivilege	1120	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
Token: SeIncBasePriorityPrivilege	3616	{3103B234-C633-46f6-A978-961CD8BAE836}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4832	4696	2e0841835450c6exeexeexeex.exe	83
PID 4696 wrote to memory of 4832	4696	2e0841835450c6exeexeexeex.exe	83
PID 4696 wrote to memory of 4832	4696	2e0841835450c6exeexeexeex.exe	83
PID 4696 wrote to memory of 5072	4696	2e0841835450c6exeexeexeex.exe	84
PID 4696 wrote to memory of 5072	4696	2e0841835450c6exeexeexeex.exe	84
PID 4696 wrote to memory of 5072	4696	2e0841835450c6exeexeexeex.exe	84
PID 4832 wrote to memory of 1948	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	85
PID 4832 wrote to memory of 1948	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	85
PID 4832 wrote to memory of 1948	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	85
PID 4832 wrote to memory of 3100	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	86
PID 4832 wrote to memory of 3100	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	86
PID 4832 wrote to memory of 3100	4832	{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe	86
PID 1948 wrote to memory of 928	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	89
PID 1948 wrote to memory of 928	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	89
PID 1948 wrote to memory of 928	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	89
PID 1948 wrote to memory of 3880	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	88
PID 1948 wrote to memory of 3880	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	88
PID 1948 wrote to memory of 3880	1948	{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe	88
PID 928 wrote to memory of 4716	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	90
PID 928 wrote to memory of 4716	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	90
PID 928 wrote to memory of 4716	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	90
PID 928 wrote to memory of 5064	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	91
PID 928 wrote to memory of 5064	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	91
PID 928 wrote to memory of 5064	928	{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe	91
PID 4716 wrote to memory of 3456	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	92
PID 4716 wrote to memory of 3456	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	92
PID 4716 wrote to memory of 3456	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	92
PID 4716 wrote to memory of 4852	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	93
PID 4716 wrote to memory of 4852	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	93
PID 4716 wrote to memory of 4852	4716	{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe	93
PID 3456 wrote to memory of 1712	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	94
PID 3456 wrote to memory of 1712	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	94
PID 3456 wrote to memory of 1712	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	94
PID 3456 wrote to memory of 2952	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	95
PID 3456 wrote to memory of 2952	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	95
PID 3456 wrote to memory of 2952	3456	{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe	95
PID 1712 wrote to memory of 3464	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	96
PID 1712 wrote to memory of 3464	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	96
PID 1712 wrote to memory of 3464	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	96
PID 1712 wrote to memory of 3500	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	97
PID 1712 wrote to memory of 3500	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	97
PID 1712 wrote to memory of 3500	1712	{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe	97
PID 3464 wrote to memory of 2512	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe	98
PID 3464 wrote to memory of 2512	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe	98
PID 3464 wrote to memory of 2512	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe	98
PID 3464 wrote to memory of 4640	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe	99
PID 3464 wrote to memory of 4640	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe	99
PID 3464 wrote to memory of 4640	3464	{48A0D824-276F-4878-8F65-939CF0922D29}.exe	99
PID 2512 wrote to memory of 2156	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	100
PID 2512 wrote to memory of 2156	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	100
PID 2512 wrote to memory of 2156	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	100
PID 2512 wrote to memory of 3820	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	101
PID 2512 wrote to memory of 3820	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	101
PID 2512 wrote to memory of 3820	2512	{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe	101
PID 2156 wrote to memory of 1120	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	102
PID 2156 wrote to memory of 1120	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	102
PID 2156 wrote to memory of 1120	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	102
PID 2156 wrote to memory of 632	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	103
PID 2156 wrote to memory of 632	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	103
PID 2156 wrote to memory of 632	2156	{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe	103
PID 1120 wrote to memory of 3616	1120	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe	104
PID 1120 wrote to memory of 3616	1120	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe	104
PID 1120 wrote to memory of 3616	1120	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe	104
PID 1120 wrote to memory of 4632	1120	{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe	105

C:\Users\Admin\AppData\Local\Temp\2e0841835450c6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2e0841835450c6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
  C:\Windows\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe
    C:\Windows\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5D578~1.EXE > nul
      4⤵
      PID:3880
  - - C:\Windows\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe
      C:\Windows\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
        
        C:\Windows\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Windows\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
        
        C:\Windows\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
        
        C:\Windows\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{48A0D824-276F-4878-8F65-939CF0922D29}.exe
        
        C:\Windows\{48A0D824-276F-4878-8F65-939CF0922D29}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
        
        C:\Windows\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
        
        C:\Windows\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
        
        C:\Windows\{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{3103B234-C633-46f6-A978-961CD8BAE836}.exe
        
        C:\Windows\{3103B234-C633-46f6-A978-961CD8BAE836}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Windows\{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe
        
        C:\Windows\{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe
        13⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3103B~1.EXE > nul
        13⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEC92~1.EXE > nul
        12⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2603~1.EXE > nul
        11⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{148F2~1.EXE > nul
        10⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A0D~1.EXE > nul
        9⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC7A~1.EXE > nul
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6FC~1.EXE > nul
        7⤵
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F20BC~1.EXE > nul
        6⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC82~1.EXE > nul
        5⤵
        
        PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65BDC~1.EXE > nul
    3⤵
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E0841~1.EXE > nul
  2⤵
  PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe

Filesize
204KB

MD5
217afdd8bbd889c495b063df703f426b

SHA1
33d3b38b189537dad9e2ef53bdb8c08581197f91

SHA256
7a11e8a87b9a0f8b741fa2341a780e380c18e1098c2c799ff9c32f548c49f5df

SHA512
373d7265b5820cd3d3a5fbeb04ba4f586ae21ab5aac8e572b47d2356f479c685cd2f1be206858791ede72840651c80fe1d685ab087c060b1f94e4b9dba30f0fc

Download Submit
C:\Windows\{148F2ABB-8CC9-4a3d-BC8E-98D4D7F711DC}.exe

Filesize
204KB

MD5
217afdd8bbd889c495b063df703f426b

SHA1
33d3b38b189537dad9e2ef53bdb8c08581197f91

SHA256
7a11e8a87b9a0f8b741fa2341a780e380c18e1098c2c799ff9c32f548c49f5df

SHA512
373d7265b5820cd3d3a5fbeb04ba4f586ae21ab5aac8e572b47d2356f479c685cd2f1be206858791ede72840651c80fe1d685ab087c060b1f94e4b9dba30f0fc

Download Submit
C:\Windows\{3103B234-C633-46f6-A978-961CD8BAE836}.exe

Filesize
204KB

MD5
534ef684fa717533e9faee71af770231

SHA1
987c9b37536033d68623eb73217c97d9326a6bfd

SHA256
3756a2debfd47aa57e488af5d3d8d5e16b1b6a836ccc919e360288676afd7c53

SHA512
d11f0255dc6dd3ca9307eb23a9ce12392ca7abc8d4c33fb7242d8a568e740e689e13b190f8aa2b39e5792079f3a0c0a00285ab32b2ed45630090e2c12ef96c53

Download Submit
C:\Windows\{3103B234-C633-46f6-A978-961CD8BAE836}.exe

Filesize
204KB

MD5
534ef684fa717533e9faee71af770231

SHA1
987c9b37536033d68623eb73217c97d9326a6bfd

SHA256
3756a2debfd47aa57e488af5d3d8d5e16b1b6a836ccc919e360288676afd7c53

SHA512
d11f0255dc6dd3ca9307eb23a9ce12392ca7abc8d4c33fb7242d8a568e740e689e13b190f8aa2b39e5792079f3a0c0a00285ab32b2ed45630090e2c12ef96c53

Download Submit
C:\Windows\{48A0D824-276F-4878-8F65-939CF0922D29}.exe

Filesize
204KB

MD5
55698908719818fbe940a9ef3d28de94

SHA1
ca6d1f9b1a38750f6c0f826f927b21f216a04883

SHA256
2c7e536cefc8e721ba06142acb98bbbae84a72b3146f16d65ced8d16e08f2c47

SHA512
30a0753126f8239a2eb9d8dfc0ae17a7493e1a698c83521bb67c5296a4ca19c612ad99c1fb00d3ec2c86206caca0ece7e9b47b5689bb0b1c82072e85698644a3

Download Submit
C:\Windows\{48A0D824-276F-4878-8F65-939CF0922D29}.exe

Filesize
204KB

MD5
55698908719818fbe940a9ef3d28de94

SHA1
ca6d1f9b1a38750f6c0f826f927b21f216a04883

SHA256
2c7e536cefc8e721ba06142acb98bbbae84a72b3146f16d65ced8d16e08f2c47

SHA512
30a0753126f8239a2eb9d8dfc0ae17a7493e1a698c83521bb67c5296a4ca19c612ad99c1fb00d3ec2c86206caca0ece7e9b47b5689bb0b1c82072e85698644a3

Download Submit
C:\Windows\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe

Filesize
204KB

MD5
da2d39c12e69aad85b132654ace78a36

SHA1
dc9c59ba9bf6cafbdf72ae9dad19874e374afe8b

SHA256
a5834724d19ab3df873cf2966e9549b16cd6f1a52e8e0187418c9ea03d0b92c5

SHA512
0623ecc8f5c7ccbeaf97f299612f86631a54504115add9b16e63e6183061cbf7163ae1f3707e5cfefd249af9fd35b50a8cd1cb5d049b88f15abf0718b9348fd7

Download Submit
C:\Windows\{5D578BBE-77F6-4e1d-BD75-39FFB94F3CA8}.exe

Filesize
204KB

MD5
da2d39c12e69aad85b132654ace78a36

SHA1
dc9c59ba9bf6cafbdf72ae9dad19874e374afe8b

SHA256
a5834724d19ab3df873cf2966e9549b16cd6f1a52e8e0187418c9ea03d0b92c5

SHA512
0623ecc8f5c7ccbeaf97f299612f86631a54504115add9b16e63e6183061cbf7163ae1f3707e5cfefd249af9fd35b50a8cd1cb5d049b88f15abf0718b9348fd7

Download Submit
C:\Windows\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe

Filesize
204KB

MD5
137ff29a184e8c22d06d972cb1877dc9

SHA1
43385d406c491544d05c755d2e48a2b1176f4f9b

SHA256
8b9b9f51b60f3555bbff5e89f359700f6bdba0863f9acf07ebe6e464da653920

SHA512
51fcfc53136df24a1f2654a49a6d310369887d3815da85eae87ff34a814e7e1dc18d9bba69ad79e495d74d8991f4243ac0d7fc2045e5a2ff4105a802aa47a251

Download Submit
C:\Windows\{65BDC26B-73C4-4bdc-B026-3CA07831D09B}.exe

Filesize
204KB

MD5
137ff29a184e8c22d06d972cb1877dc9

SHA1
43385d406c491544d05c755d2e48a2b1176f4f9b

SHA256
8b9b9f51b60f3555bbff5e89f359700f6bdba0863f9acf07ebe6e464da653920

SHA512
51fcfc53136df24a1f2654a49a6d310369887d3815da85eae87ff34a814e7e1dc18d9bba69ad79e495d74d8991f4243ac0d7fc2045e5a2ff4105a802aa47a251

Download Submit
C:\Windows\{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe

Filesize
204KB

MD5
7a6a10e7ce773f46b286ede57d9dad2f

SHA1
7816f2c5d0ee3905b51036dd6a5426a5312bba6f

SHA256
d88a0c69c954c3cbab48b3b72624a6333ab2de31eb0f6805b7fb654c7987c6a2

SHA512
525cdd978710aaf58be83ff23177e198edd79bea2f6ec10a2288465936e5144b9b00770d2f8ce0b5756f9ab03ad0f04f2efe55f08dfe7c5219777e76b06c52eb

Download Submit
C:\Windows\{69D47239-6234-4808-BD6F-3B7FE36B43CA}.exe

Filesize
204KB

MD5
7a6a10e7ce773f46b286ede57d9dad2f

SHA1
7816f2c5d0ee3905b51036dd6a5426a5312bba6f

SHA256
d88a0c69c954c3cbab48b3b72624a6333ab2de31eb0f6805b7fb654c7987c6a2

SHA512
525cdd978710aaf58be83ff23177e198edd79bea2f6ec10a2288465936e5144b9b00770d2f8ce0b5756f9ab03ad0f04f2efe55f08dfe7c5219777e76b06c52eb

Download Submit
C:\Windows\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe

Filesize
204KB

MD5
428dedc1d4778c7c60af7c8c2e09691c

SHA1
00fc36e85a4df971839911e3153efdc766fbf74c

SHA256
e60b4258453bdfc7056b5461af3523543364443ea41bb638d68889c9cdcd9cef

SHA512
122e8855163847a5acb970df6a1cbd2c5889d0fa236688d6eda6d7cfb87e19b89bf2f0355ae7b76839e42dc02e872e36ac05be769bd05ae4f7c805a1a1296bb6

Download Submit
C:\Windows\{BD6FC944-0A38-4c4a-8441-13F8250AFF7A}.exe

Filesize
204KB

MD5
428dedc1d4778c7c60af7c8c2e09691c

SHA1
00fc36e85a4df971839911e3153efdc766fbf74c

SHA256
e60b4258453bdfc7056b5461af3523543364443ea41bb638d68889c9cdcd9cef

SHA512
122e8855163847a5acb970df6a1cbd2c5889d0fa236688d6eda6d7cfb87e19b89bf2f0355ae7b76839e42dc02e872e36ac05be769bd05ae4f7c805a1a1296bb6

Download Submit
C:\Windows\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe

Filesize
204KB

MD5
5db951e7815d82fb5b9423e2612ad250

SHA1
25f4cd5075985d260c2931f8c7b0cb6cd1d7103e

SHA256
5e7d6ea151fbb290410ee210cad77cc1cbe8176ce34691e87575a33f793b6929

SHA512
9bd8cc6ac2699931781ad952a3526504ccbf3839521651f44a3654a3193be435348700ffbb6f36b6f2a685c4770f27e974d87a6f275d54a250dfa7e290a707ca

Download Submit
C:\Windows\{CBC7AF0D-5D8A-4e92-95D2-5C0FB450D4CF}.exe

Filesize
204KB

MD5
5db951e7815d82fb5b9423e2612ad250

SHA1
25f4cd5075985d260c2931f8c7b0cb6cd1d7103e

SHA256
5e7d6ea151fbb290410ee210cad77cc1cbe8176ce34691e87575a33f793b6929

SHA512
9bd8cc6ac2699931781ad952a3526504ccbf3839521651f44a3654a3193be435348700ffbb6f36b6f2a685c4770f27e974d87a6f275d54a250dfa7e290a707ca

Download Submit
C:\Windows\{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe

Filesize
204KB

MD5
33e97c81b13f08e4a1dd932d7b6f8e57

SHA1
8b05bee4dd3704cf790c6de5d95c068195d20939

SHA256
bf05012e1d11e709fe02f6aef19b641cc741ea2383438cd28c62c82ecd4cb740

SHA512
ce89d5f3ec068ac70326c9b961b94d9014cd162007f83a9e79430767a3ff5d42f436c89f8f25ebfe47d6537624660c06d31a72f5ddd85cbb3409e04e45ae1124

Download Submit
C:\Windows\{CEC92F7F-5E38-486c-8792-75FF03EF7841}.exe

Filesize
204KB

MD5
33e97c81b13f08e4a1dd932d7b6f8e57

SHA1
8b05bee4dd3704cf790c6de5d95c068195d20939

SHA256
bf05012e1d11e709fe02f6aef19b641cc741ea2383438cd28c62c82ecd4cb740

SHA512
ce89d5f3ec068ac70326c9b961b94d9014cd162007f83a9e79430767a3ff5d42f436c89f8f25ebfe47d6537624660c06d31a72f5ddd85cbb3409e04e45ae1124

Download Submit
C:\Windows\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe

Filesize
204KB

MD5
c1e99b1be9334c37d2d009c99e55c91e

SHA1
11ab7393be9f9b7d0c0cc4acfa46fe747e929f73

SHA256
8034f5802b792db2d0a1f0f9287f2c4ce54e489e17fa1ab59998401cbfc63375

SHA512
79dccf41ad60d9103dfcb0ca6975305ae5a9632ea39d1f317959d314881dc84caf172202dca5169fcf2b0e3cc01960be423a3d433e606d960da054f2bc044b36

Download Submit
C:\Windows\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe

Filesize
204KB

MD5
c1e99b1be9334c37d2d009c99e55c91e

SHA1
11ab7393be9f9b7d0c0cc4acfa46fe747e929f73

SHA256
8034f5802b792db2d0a1f0f9287f2c4ce54e489e17fa1ab59998401cbfc63375

SHA512
79dccf41ad60d9103dfcb0ca6975305ae5a9632ea39d1f317959d314881dc84caf172202dca5169fcf2b0e3cc01960be423a3d433e606d960da054f2bc044b36

Download Submit
C:\Windows\{ECC82444-A7EA-47d0-B943-2EB1E4FAD52F}.exe

Filesize
204KB

MD5
c1e99b1be9334c37d2d009c99e55c91e

SHA1
11ab7393be9f9b7d0c0cc4acfa46fe747e929f73

SHA256
8034f5802b792db2d0a1f0f9287f2c4ce54e489e17fa1ab59998401cbfc63375

SHA512
79dccf41ad60d9103dfcb0ca6975305ae5a9632ea39d1f317959d314881dc84caf172202dca5169fcf2b0e3cc01960be423a3d433e606d960da054f2bc044b36

Download Submit
C:\Windows\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe

Filesize
204KB

MD5
a14926579bb90a99c74e7a39fb2e3b95

SHA1
b14f349e87476ee8beef6f62be9a4255b6523f47

SHA256
46c9815888b6b80e5e6a8cbb846cd9cc3ef4d5f05f1470964a279c14388be90f

SHA512
7af79f90223a7eceb1aecc5c65212abdc8d8e313da1849ef0f0b4e17ef07ff706d4687f3ba88042859a70495c7dd7db6fa52f165dc16350dce2bcf9867776815

Download Submit
C:\Windows\{F20BCF23-BFA7-4926-BC9D-6BFEE48A5219}.exe

Filesize
204KB

MD5
a14926579bb90a99c74e7a39fb2e3b95

SHA1
b14f349e87476ee8beef6f62be9a4255b6523f47

SHA256
46c9815888b6b80e5e6a8cbb846cd9cc3ef4d5f05f1470964a279c14388be90f

SHA512
7af79f90223a7eceb1aecc5c65212abdc8d8e313da1849ef0f0b4e17ef07ff706d4687f3ba88042859a70495c7dd7db6fa52f165dc16350dce2bcf9867776815

Download Submit
C:\Windows\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe

Filesize
204KB

MD5
eda562077f765b4e5cca189bf90deaaa

SHA1
51915c1955f75970266ea90ec806586342ae64cf

SHA256
ccde26e65910a17f229de71e9eaf1dec710aeed52a383e0d8261dbb142be6595

SHA512
bf7ecd7070bdf0815d12ca6da6958ac402260b7505e0cb2e2a0036d062fec9000317a17643144c76bd3fab7c202d87ec8abc6c21e01ce9322cec3292aeb45179

Download Submit
C:\Windows\{F2603C14-F2A2-4f90-98C7-AE0EBDEF2FAF}.exe

Filesize
204KB

MD5
eda562077f765b4e5cca189bf90deaaa

SHA1
51915c1955f75970266ea90ec806586342ae64cf

SHA256
ccde26e65910a17f229de71e9eaf1dec710aeed52a383e0d8261dbb142be6595

SHA512
bf7ecd7070bdf0815d12ca6da6958ac402260b7505e0cb2e2a0036d062fec9000317a17643144c76bd3fab7c202d87ec8abc6c21e01ce9322cec3292aeb45179

Download Submit