e8e3b66977c05a5f1ecd407846ad7a5c149a80778f55d24fa6cf495d4e475300

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5124a6b4e2ffc7exeexeexeex.exe
Size

168KB
MD5

5124a6b4e2ffc7feb2fb89f0c7c3b84a
SHA1

eb3dc6bb6cf20e8211110c4559898203e850eb36
SHA256

e8e3b66977c05a5f1ecd407846ad7a5c149a80778f55d24fa6cf495d4e475300
SHA512

031c0199c8ffd2fc0e067b8bf52bdd66d66e1ec4a72597b0cf1db9512a758a30590ed7f5c03553163358b4a40e88258507e364a4e65cf5813dc70baba12bfc19
SSDEEP

1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF157602-431F-4316-84A3-98157D30B5E4}\stubpath = "C:\\Windows\\{DF157602-431F-4316-84A3-98157D30B5E4}.exe"	{A323529F-6608-4d3b-8579-37FAB4770322}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68351FC0-B643-42e7-8E30-12913F1F65C9}	{DF157602-431F-4316-84A3-98157D30B5E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6920259-4C85-423a-89E5-DD0E9DF1414E}	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6920259-4C85-423a-89E5-DD0E9DF1414E}\stubpath = "C:\\Windows\\{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe"	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}\stubpath = "C:\\Windows\\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe"	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}	5124a6b4e2ffc7exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A323529F-6608-4d3b-8579-37FAB4770322}\stubpath = "C:\\Windows\\{A323529F-6608-4d3b-8579-37FAB4770322}.exe"	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}\stubpath = "C:\\Windows\\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe"	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68351FC0-B643-42e7-8E30-12913F1F65C9}\stubpath = "C:\\Windows\\{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe"	{DF157602-431F-4316-84A3-98157D30B5E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A023AECA-0609-4f3d-9355-E2C4857A31DD}	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A323529F-6608-4d3b-8579-37FAB4770322}	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF157602-431F-4316-84A3-98157D30B5E4}	{A323529F-6608-4d3b-8579-37FAB4770322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}\stubpath = "C:\\Windows\\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe"	5124a6b4e2ffc7exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}\stubpath = "C:\\Windows\\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe"	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}\stubpath = "C:\\Windows\\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe"	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}\stubpath = "C:\\Windows\\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe"	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A023AECA-0609-4f3d-9355-E2C4857A31DD}\stubpath = "C:\\Windows\\{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe"	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe

Executes dropped EXE 11 IoCs

pid	Process
4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe
2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe
2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe
3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe
656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
2568	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe
3344	{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
File created	C:\Windows\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe
File created	C:\Windows\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
File created	C:\Windows\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe
File created	C:\Windows\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	5124a6b4e2ffc7exeexeexeex.exe
File created	C:\Windows\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
File created	C:\Windows\{A323529F-6608-4d3b-8579-37FAB4770322}.exe	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
File created	C:\Windows\{DF157602-431F-4316-84A3-98157D30B5E4}.exe	{A323529F-6608-4d3b-8579-37FAB4770322}.exe
File created	C:\Windows\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
File created	C:\Windows\{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	{DF157602-431F-4316-84A3-98157D30B5E4}.exe
File created	C:\Windows\{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4472	5124a6b4e2ffc7exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
Token: SeIncBasePriorityPrivilege	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
Token: SeIncBasePriorityPrivilege	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
Token: SeIncBasePriorityPrivilege	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe
Token: SeIncBasePriorityPrivilege	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe
Token: SeIncBasePriorityPrivilege	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
Token: SeIncBasePriorityPrivilege	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe
Token: SeIncBasePriorityPrivilege	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe
Token: SeIncBasePriorityPrivilege	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
Token: SeIncBasePriorityPrivilege	2568	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4168	4472	5124a6b4e2ffc7exeexeexeex.exe	87
PID 4472 wrote to memory of 4168	4472	5124a6b4e2ffc7exeexeexeex.exe	87
PID 4472 wrote to memory of 4168	4472	5124a6b4e2ffc7exeexeexeex.exe	87
PID 4472 wrote to memory of 5096	4472	5124a6b4e2ffc7exeexeexeex.exe	88
PID 4472 wrote to memory of 5096	4472	5124a6b4e2ffc7exeexeexeex.exe	88
PID 4472 wrote to memory of 5096	4472	5124a6b4e2ffc7exeexeexeex.exe	88
PID 4168 wrote to memory of 760	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	89
PID 4168 wrote to memory of 760	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	89
PID 4168 wrote to memory of 760	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	89
PID 4168 wrote to memory of 3552	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	90
PID 4168 wrote to memory of 3552	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	90
PID 4168 wrote to memory of 3552	4168	{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe	90
PID 760 wrote to memory of 1700	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	94
PID 760 wrote to memory of 1700	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	94
PID 760 wrote to memory of 1700	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	94
PID 760 wrote to memory of 3696	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	95
PID 760 wrote to memory of 3696	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	95
PID 760 wrote to memory of 3696	760	{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe	95
PID 1700 wrote to memory of 3672	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	96
PID 1700 wrote to memory of 3672	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	96
PID 1700 wrote to memory of 3672	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	96
PID 1700 wrote to memory of 1400	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	97
PID 1700 wrote to memory of 1400	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	97
PID 1700 wrote to memory of 1400	1700	{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe	97
PID 3672 wrote to memory of 2248	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe	98
PID 3672 wrote to memory of 2248	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe	98
PID 3672 wrote to memory of 2248	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe	98
PID 3672 wrote to memory of 2564	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe	99
PID 3672 wrote to memory of 2564	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe	99
PID 3672 wrote to memory of 2564	3672	{A323529F-6608-4d3b-8579-37FAB4770322}.exe	99
PID 2248 wrote to memory of 2920	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe	100
PID 2248 wrote to memory of 2920	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe	100
PID 2248 wrote to memory of 2920	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe	100
PID 2248 wrote to memory of 1344	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe	101
PID 2248 wrote to memory of 1344	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe	101
PID 2248 wrote to memory of 1344	2248	{DF157602-431F-4316-84A3-98157D30B5E4}.exe	101
PID 2920 wrote to memory of 2780	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	102
PID 2920 wrote to memory of 2780	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	102
PID 2920 wrote to memory of 2780	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	102
PID 2920 wrote to memory of 3752	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	103
PID 2920 wrote to memory of 3752	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	103
PID 2920 wrote to memory of 3752	2920	{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe	103
PID 2780 wrote to memory of 3052	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	104
PID 2780 wrote to memory of 3052	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	104
PID 2780 wrote to memory of 3052	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	104
PID 2780 wrote to memory of 212	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	105
PID 2780 wrote to memory of 212	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	105
PID 2780 wrote to memory of 212	2780	{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe	105
PID 3052 wrote to memory of 656	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	106
PID 3052 wrote to memory of 656	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	106
PID 3052 wrote to memory of 656	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	106
PID 3052 wrote to memory of 1168	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	107
PID 3052 wrote to memory of 1168	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	107
PID 3052 wrote to memory of 1168	3052	{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe	107
PID 656 wrote to memory of 2568	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	108
PID 656 wrote to memory of 2568	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	108
PID 656 wrote to memory of 2568	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	108
PID 656 wrote to memory of 3820	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	109
PID 656 wrote to memory of 3820	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	109
PID 656 wrote to memory of 3820	656	{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe	109
PID 2568 wrote to memory of 3344	2568	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe	110
PID 2568 wrote to memory of 3344	2568	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe	110
PID 2568 wrote to memory of 3344	2568	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe	110
PID 2568 wrote to memory of 4424	2568	{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe	111

C:\Users\Admin\AppData\Local\Temp\5124a6b4e2ffc7exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5124a6b4e2ffc7exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
  C:\Windows\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
    C:\Windows\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
      C:\Windows\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\{A323529F-6608-4d3b-8579-37FAB4770322}.exe
        
        C:\Windows\{A323529F-6608-4d3b-8579-37FAB4770322}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Windows\{DF157602-431F-4316-84A3-98157D30B5E4}.exe
        
        C:\Windows\{DF157602-431F-4316-84A3-98157D30B5E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
        
        C:\Windows\{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe
        
        C:\Windows\{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe
        
        C:\Windows\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
        
        C:\Windows\{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe
        
        C:\Windows\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe
        
        C:\Windows\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe
        12⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FB9F~1.EXE > nul
        12⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6920~1.EXE > nul
        11⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E95DF~1.EXE > nul
        10⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A023A~1.EXE > nul
        9⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68351~1.EXE > nul
        8⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF157~1.EXE > nul
        7⤵
        
        PID:1344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3235~1.EXE > nul
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC870~1.EXE > nul
        5⤵
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C22~1.EXE > nul
      4⤵
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D65E8~1.EXE > nul
    3⤵
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5124A6~1.EXE > nul
  2⤵
  PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe

Filesize
168KB

MD5
1f2cc8221e274841df8b39847b0f2660

SHA1
05a3c68d60455283bbc4dd5d401de3733b4eb884

SHA256
1782c9b47817a3e2ab7c377165eea27df3de762cba696e72526b4c846a5f2586

SHA512
848be9ab97113002153946be674ceb2b375b8ae782d369976d9cb6439e4fc572edc8a76deff77bb91c6f12b088367606fabbfd08b12d29bb9f72710421705ece

Download Submit
C:\Windows\{3FB9FCFC-6868-438d-8488-E01E3F4A2B8D}.exe

Filesize
168KB

MD5
1f2cc8221e274841df8b39847b0f2660

SHA1
05a3c68d60455283bbc4dd5d401de3733b4eb884

SHA256
1782c9b47817a3e2ab7c377165eea27df3de762cba696e72526b4c846a5f2586

SHA512
848be9ab97113002153946be674ceb2b375b8ae782d369976d9cb6439e4fc572edc8a76deff77bb91c6f12b088367606fabbfd08b12d29bb9f72710421705ece

Download Submit
C:\Windows\{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe

Filesize
168KB

MD5
980d1daaeb6e45042c4f3276df4bfb41

SHA1
d46851a7e96c75d824635dab67e3e3b14210dc5f

SHA256
ac425f5d30ed509176c2e5cc931090d65ab833bd4556df13193912f1017ddaeb

SHA512
cc2eca6e6dc448098fd1d8826f009aa1962c67cc703813954d1e882e5f1aeab5a675c3cda90846ae3082ba820d405d908da9f5f1a56bfee40422f0fd814f6783

Download Submit
C:\Windows\{68351FC0-B643-42e7-8E30-12913F1F65C9}.exe

Filesize
168KB

MD5
980d1daaeb6e45042c4f3276df4bfb41

SHA1
d46851a7e96c75d824635dab67e3e3b14210dc5f

SHA256
ac425f5d30ed509176c2e5cc931090d65ab833bd4556df13193912f1017ddaeb

SHA512
cc2eca6e6dc448098fd1d8826f009aa1962c67cc703813954d1e882e5f1aeab5a675c3cda90846ae3082ba820d405d908da9f5f1a56bfee40422f0fd814f6783

Download Submit
C:\Windows\{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe

Filesize
168KB

MD5
960bbca9a72ad187c3eb894e2ca89580

SHA1
1cceb2b5a6bbd9e2f18c06189990fe76599dc387

SHA256
a92dc22e96d58839830e129a1e05f8a96ac1bc051d43446b85cadab3f61f5f5b

SHA512
b0c01f9cef1fa5cf2b7e88ae1d2804039f21c5cf8e3a082e335a1543b4c101223cee7a927aec7e9876978b1be7021faeabcf2591f1b775e63fd70ba9df25831d

Download Submit
C:\Windows\{A023AECA-0609-4f3d-9355-E2C4857A31DD}.exe

Filesize
168KB

MD5
960bbca9a72ad187c3eb894e2ca89580

SHA1
1cceb2b5a6bbd9e2f18c06189990fe76599dc387

SHA256
a92dc22e96d58839830e129a1e05f8a96ac1bc051d43446b85cadab3f61f5f5b

SHA512
b0c01f9cef1fa5cf2b7e88ae1d2804039f21c5cf8e3a082e335a1543b4c101223cee7a927aec7e9876978b1be7021faeabcf2591f1b775e63fd70ba9df25831d

Download Submit
C:\Windows\{A323529F-6608-4d3b-8579-37FAB4770322}.exe

Filesize
168KB

MD5
2c595c944c2963e9e601b04f73b867b9

SHA1
a24b98286a7a32683073883093d0ee612abff3ad

SHA256
4e170c5ea05a356d34447010d37a584596ced9df4066fc358cd59a797d94f035

SHA512
b401bb36aadb59961c9357971b83acb6f915e64e8450db270090bcb9f5db9b902da2cabfa8610ab46c15cf20ed1c323605d301764d4aff0c10c7847f06a97dea

Download Submit
C:\Windows\{A323529F-6608-4d3b-8579-37FAB4770322}.exe

Filesize
168KB

MD5
2c595c944c2963e9e601b04f73b867b9

SHA1
a24b98286a7a32683073883093d0ee612abff3ad

SHA256
4e170c5ea05a356d34447010d37a584596ced9df4066fc358cd59a797d94f035

SHA512
b401bb36aadb59961c9357971b83acb6f915e64e8450db270090bcb9f5db9b902da2cabfa8610ab46c15cf20ed1c323605d301764d4aff0c10c7847f06a97dea

Download Submit
C:\Windows\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe

Filesize
168KB

MD5
335c77e3f095605857599aaa851e59fb

SHA1
7fce69abfb8cdbe75f6e875b76e3adbed82a7964

SHA256
6bb0689cd8567de3f59f199286f5443bf0dce316df994adb44d775c122e56b8d

SHA512
e25f9531573fa4a6d0e709d89c2d0eef5234d902ed10a549db8d9ee30d7d205b7824c9a3879e29e5ce92b5cb2a0d5c28f9dde45435b7b8dec407f895158d66ea

Download Submit
C:\Windows\{D1C228B4-3120-4762-A93E-7E92C9E1BDA8}.exe

Filesize
168KB

MD5
335c77e3f095605857599aaa851e59fb

SHA1
7fce69abfb8cdbe75f6e875b76e3adbed82a7964

SHA256
6bb0689cd8567de3f59f199286f5443bf0dce316df994adb44d775c122e56b8d

SHA512
e25f9531573fa4a6d0e709d89c2d0eef5234d902ed10a549db8d9ee30d7d205b7824c9a3879e29e5ce92b5cb2a0d5c28f9dde45435b7b8dec407f895158d66ea

Download Submit
C:\Windows\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe

Filesize
168KB

MD5
30836797752b39a00d83db8822ff4c2b

SHA1
ef687dd2f40d0d964cc3dfd423f30a19e2c7e865

SHA256
ac99eb07b612a8e66190abbe7e48095995b1749b7a14dd08b2fedf67c9fda9cc

SHA512
1f1466f3a29a1ed3c64ca1451f71aa28dbc44f4b9625186f131d27fd0bc5d70ab7533c4b902997461cce35717721104123956d751e99ce8f87e7cec1d85ec2ea

Download Submit
C:\Windows\{D65E8895-9E63-45e7-88D2-45A60FC15ADA}.exe

Filesize
168KB

MD5
30836797752b39a00d83db8822ff4c2b

SHA1
ef687dd2f40d0d964cc3dfd423f30a19e2c7e865

SHA256
ac99eb07b612a8e66190abbe7e48095995b1749b7a14dd08b2fedf67c9fda9cc

SHA512
1f1466f3a29a1ed3c64ca1451f71aa28dbc44f4b9625186f131d27fd0bc5d70ab7533c4b902997461cce35717721104123956d751e99ce8f87e7cec1d85ec2ea

Download Submit
C:\Windows\{DF157602-431F-4316-84A3-98157D30B5E4}.exe

Filesize
168KB

MD5
0267332172b8f865e61a097f9b89a61a

SHA1
9491ee7f84f6819c05e1b3c54252c61b5f53bb18

SHA256
8237e77123fcaf2f6368d66290e874c525aa84b57d830be3a9d335b10c148b67

SHA512
a57c51ffc759c85e07d685a958b8fb70961edc62c271138fada537340d3a8b41bcb1d2fb259dd4930b79b26e9a3e8d70b4ca00298d0e4d78708ea6014b523083

Download Submit
C:\Windows\{DF157602-431F-4316-84A3-98157D30B5E4}.exe

Filesize
168KB

MD5
0267332172b8f865e61a097f9b89a61a

SHA1
9491ee7f84f6819c05e1b3c54252c61b5f53bb18

SHA256
8237e77123fcaf2f6368d66290e874c525aa84b57d830be3a9d335b10c148b67

SHA512
a57c51ffc759c85e07d685a958b8fb70961edc62c271138fada537340d3a8b41bcb1d2fb259dd4930b79b26e9a3e8d70b4ca00298d0e4d78708ea6014b523083

Download Submit
C:\Windows\{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe

Filesize
168KB

MD5
aebe5e3c3771a48dc923b1455125c256

SHA1
0e2f7c6381d4f4e8b2d6d3d1ea2e858f4df71854

SHA256
dd468faa328d75703ec82cf8a554c58e34d0007d16ea723836147f9cddea2af6

SHA512
dcd197e2fad5e404dcb36b483c18b62d7757a1586df672c0a3dc3edad4737a2ebb272f86eed76074e22e1e875bdd1f9e49d5cca760c89f0fe0b967cb1684c7a7

Download Submit
C:\Windows\{E6920259-4C85-423a-89E5-DD0E9DF1414E}.exe

Filesize
168KB

MD5
aebe5e3c3771a48dc923b1455125c256

SHA1
0e2f7c6381d4f4e8b2d6d3d1ea2e858f4df71854

SHA256
dd468faa328d75703ec82cf8a554c58e34d0007d16ea723836147f9cddea2af6

SHA512
dcd197e2fad5e404dcb36b483c18b62d7757a1586df672c0a3dc3edad4737a2ebb272f86eed76074e22e1e875bdd1f9e49d5cca760c89f0fe0b967cb1684c7a7

Download Submit
C:\Windows\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe

Filesize
168KB

MD5
0f7898a35dd7ab3b8c851402733c4c1e

SHA1
8b45a3bb23208d5ada2f828ad673e93acf16282c

SHA256
ecda8d1371bb756bfc1a12e7da3b51e8aa3fae708385b71396629f5bd5171380

SHA512
c11eeb3592472894560d22fdae27c82483f62bb410735766df542d82663733eaae1379e275805052b792c7d0f32936d9d448788eb6f74f2f867fbea1049fe117

Download Submit
C:\Windows\{E95DF10C-224D-43ee-9C8C-9B958E7DFE43}.exe

Filesize
168KB

MD5
0f7898a35dd7ab3b8c851402733c4c1e

SHA1
8b45a3bb23208d5ada2f828ad673e93acf16282c

SHA256
ecda8d1371bb756bfc1a12e7da3b51e8aa3fae708385b71396629f5bd5171380

SHA512
c11eeb3592472894560d22fdae27c82483f62bb410735766df542d82663733eaae1379e275805052b792c7d0f32936d9d448788eb6f74f2f867fbea1049fe117

Download Submit
C:\Windows\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe

Filesize
168KB

MD5
d1195f64ead0e864f05c6e79f2258946

SHA1
17c7eca9a0e3fcfcaf8ea8a152f552c913d4d689

SHA256
4193db9458c687f2aa6cdd562e6465566ab92750d41fce2e460bd2662538ae19

SHA512
b0ea1033ad547b0d91d457bc86deb6901c934d540b4f97e762875e619e4016ec00619d78222e6b888473bc74421c9377ed13874f17709a6872869298ce6018f3

Download Submit
C:\Windows\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe

Filesize
168KB

MD5
d1195f64ead0e864f05c6e79f2258946

SHA1
17c7eca9a0e3fcfcaf8ea8a152f552c913d4d689

SHA256
4193db9458c687f2aa6cdd562e6465566ab92750d41fce2e460bd2662538ae19

SHA512
b0ea1033ad547b0d91d457bc86deb6901c934d540b4f97e762875e619e4016ec00619d78222e6b888473bc74421c9377ed13874f17709a6872869298ce6018f3

Download Submit
C:\Windows\{EC8702D3-3A4C-4c93-AB49-C13A44F6DA91}.exe

Filesize
168KB

MD5
d1195f64ead0e864f05c6e79f2258946

SHA1
17c7eca9a0e3fcfcaf8ea8a152f552c913d4d689

SHA256
4193db9458c687f2aa6cdd562e6465566ab92750d41fce2e460bd2662538ae19

SHA512
b0ea1033ad547b0d91d457bc86deb6901c934d540b4f97e762875e619e4016ec00619d78222e6b888473bc74421c9377ed13874f17709a6872869298ce6018f3

Download Submit
C:\Windows\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe

Filesize
168KB

MD5
0c8ba524d0ab49d1d0b77573cafd7dc9

SHA1
c8e1457701ad248dca321124743fd67f7804914e

SHA256
c0b8d044e22e25ab26d2f8c6007a84b98ef4784a7df15848b952b2d49ed6229f

SHA512
859f43b7f85bde951ae31a652029d3987d01e5cd5662c13a6300839e35c610efb1c9cfd58baa0d12dd812fe59b5e7768991e081b2c07d79718afca22ae0c2f4a

Download Submit
C:\Windows\{FEEE9F8B-F5E7-4b0d-B88F-C1B6E205A597}.exe

Filesize
168KB

MD5
0c8ba524d0ab49d1d0b77573cafd7dc9

SHA1
c8e1457701ad248dca321124743fd67f7804914e

SHA256
c0b8d044e22e25ab26d2f8c6007a84b98ef4784a7df15848b952b2d49ed6229f

SHA512
859f43b7f85bde951ae31a652029d3987d01e5cd5662c13a6300839e35c610efb1c9cfd58baa0d12dd812fe59b5e7768991e081b2c07d79718afca22ae0c2f4a

Download Submit