b0129e86c879aab0b5aa4419b59ee57099c66b000065e9700494c47399e256ce

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 08:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e96515d1da3e3exeexeexeex.exe
Size

168KB
MD5

5e96515d1da3e3da7e248b4f76db342d
SHA1

eecfaad5fb654a326543e451befac320e5f65baf
SHA256

b0129e86c879aab0b5aa4419b59ee57099c66b000065e9700494c47399e256ce
SHA512

33141b3b4494583926786210821780b36f7e7741126e007acfa3604f59a086f0cff7896fb37cb2b5f5023589437b637f66bbc6e477c619cfd4da57b4b0a6517a
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}\stubpath = "C:\\Windows\\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe"	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}\stubpath = "C:\\Windows\\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe"	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA0693E-77D9-4d00-985B-07F05931ACF2}\stubpath = "C:\\Windows\\{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe"	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}	5e96515d1da3e3exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}\stubpath = "C:\\Windows\\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe"	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}\stubpath = "C:\\Windows\\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe"	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}\stubpath = "C:\\Windows\\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe"	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C84B8158-51DE-4981-9643-8FBA3E708178}	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}\stubpath = "C:\\Windows\\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe"	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}	{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}\stubpath = "C:\\Windows\\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe"	5e96515d1da3e3exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}\stubpath = "C:\\Windows\\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe"	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C84B8158-51DE-4981-9643-8FBA3E708178}\stubpath = "C:\\Windows\\{C84B8158-51DE-4981-9643-8FBA3E708178}.exe"	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}\stubpath = "C:\\Windows\\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe"	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}\stubpath = "C:\\Windows\\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe"	{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA0693E-77D9-4d00-985B-07F05931ACF2}	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe

Executes dropped EXE 12 IoCs

pid	Process
1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
3292	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe
3840	{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe
664	{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	5e96515d1da3e3exeexeexeex.exe
File created	C:\Windows\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
File created	C:\Windows\{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
File created	C:\Windows\{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
File created	C:\Windows\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
File created	C:\Windows\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
File created	C:\Windows\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe
File created	C:\Windows\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
File created	C:\Windows\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
File created	C:\Windows\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
File created	C:\Windows\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
File created	C:\Windows\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe	{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4748	5e96515d1da3e3exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
Token: SeIncBasePriorityPrivilege	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
Token: SeIncBasePriorityPrivilege	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
Token: SeIncBasePriorityPrivilege	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
Token: SeIncBasePriorityPrivilege	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
Token: SeIncBasePriorityPrivilege	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
Token: SeIncBasePriorityPrivilege	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
Token: SeIncBasePriorityPrivilege	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
Token: SeIncBasePriorityPrivilege	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
Token: SeIncBasePriorityPrivilege	3292	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe
Token: SeIncBasePriorityPrivilege	3840	{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1512	4748	5e96515d1da3e3exeexeexeex.exe	84
PID 4748 wrote to memory of 1512	4748	5e96515d1da3e3exeexeexeex.exe	84
PID 4748 wrote to memory of 1512	4748	5e96515d1da3e3exeexeexeex.exe	84
PID 4748 wrote to memory of 1020	4748	5e96515d1da3e3exeexeexeex.exe	85
PID 4748 wrote to memory of 1020	4748	5e96515d1da3e3exeexeexeex.exe	85
PID 4748 wrote to memory of 1020	4748	5e96515d1da3e3exeexeexeex.exe	85
PID 1512 wrote to memory of 4168	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	86
PID 1512 wrote to memory of 4168	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	86
PID 1512 wrote to memory of 4168	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	86
PID 1512 wrote to memory of 2152	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	87
PID 1512 wrote to memory of 2152	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	87
PID 1512 wrote to memory of 2152	1512	{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe	87
PID 4168 wrote to memory of 4720	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	91
PID 4168 wrote to memory of 4720	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	91
PID 4168 wrote to memory of 4720	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	91
PID 4168 wrote to memory of 5056	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	92
PID 4168 wrote to memory of 5056	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	92
PID 4168 wrote to memory of 5056	4168	{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe	92
PID 4720 wrote to memory of 1376	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	93
PID 4720 wrote to memory of 1376	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	93
PID 4720 wrote to memory of 1376	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	93
PID 4720 wrote to memory of 1944	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	94
PID 4720 wrote to memory of 1944	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	94
PID 4720 wrote to memory of 1944	4720	{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe	94
PID 1376 wrote to memory of 1920	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	95
PID 1376 wrote to memory of 1920	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	95
PID 1376 wrote to memory of 1920	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	95
PID 1376 wrote to memory of 1296	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	96
PID 1376 wrote to memory of 1296	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	96
PID 1376 wrote to memory of 1296	1376	{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe	96
PID 1920 wrote to memory of 4376	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	97
PID 1920 wrote to memory of 4376	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	97
PID 1920 wrote to memory of 4376	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	97
PID 1920 wrote to memory of 4804	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	98
PID 1920 wrote to memory of 4804	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	98
PID 1920 wrote to memory of 4804	1920	{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe	98
PID 4376 wrote to memory of 4472	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	99
PID 4376 wrote to memory of 4472	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	99
PID 4376 wrote to memory of 4472	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	99
PID 4376 wrote to memory of 4192	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	100
PID 4376 wrote to memory of 4192	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	100
PID 4376 wrote to memory of 4192	4376	{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe	100
PID 4472 wrote to memory of 1436	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	101
PID 4472 wrote to memory of 1436	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	101
PID 4472 wrote to memory of 1436	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	101
PID 4472 wrote to memory of 2968	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	102
PID 4472 wrote to memory of 2968	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	102
PID 4472 wrote to memory of 2968	4472	{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe	102
PID 1436 wrote to memory of 3420	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	103
PID 1436 wrote to memory of 3420	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	103
PID 1436 wrote to memory of 3420	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	103
PID 1436 wrote to memory of 1172	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	104
PID 1436 wrote to memory of 1172	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	104
PID 1436 wrote to memory of 1172	1436	{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe	104
PID 3420 wrote to memory of 3292	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	105
PID 3420 wrote to memory of 3292	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	105
PID 3420 wrote to memory of 3292	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	105
PID 3420 wrote to memory of 1884	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	106
PID 3420 wrote to memory of 1884	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	106
PID 3420 wrote to memory of 1884	3420	{C84B8158-51DE-4981-9643-8FBA3E708178}.exe	106
PID 3292 wrote to memory of 3840	3292	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe	107
PID 3292 wrote to memory of 3840	3292	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe	107
PID 3292 wrote to memory of 3840	3292	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe	107
PID 3292 wrote to memory of 3768	3292	{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe	108

C:\Users\Admin\AppData\Local\Temp\5e96515d1da3e3exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5e96515d1da3e3exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
  C:\Windows\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
    C:\Windows\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
      C:\Windows\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
        
        C:\Windows\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
        
        C:\Windows\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
        
        C:\Windows\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
        
        C:\Windows\{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
        
        C:\Windows\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
        
        C:\Windows\{C84B8158-51DE-4981-9643-8FBA3E708178}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe
        
        C:\Windows\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe
        
        C:\Windows\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe
        
        C:\Windows\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe
        13⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD95~1.EXE > nul
        13⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71890~1.EXE > nul
        12⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C84B8~1.EXE > nul
        11⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FF7~1.EXE > nul
        10⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA06~1.EXE > nul
        9⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2462E~1.EXE > nul
        8⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF2E7~1.EXE > nul
        7⤵
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEF1~1.EXE > nul
        6⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5DF~1.EXE > nul
        5⤵
        
        PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D40AB~1.EXE > nul
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26D24~1.EXE > nul
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5E9651~1.EXE > nul
  2⤵
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe

Filesize
168KB

MD5
2874e78a3620734733e97516c189bc5b

SHA1
7bdfcd28d293bd1dc21ec4564281c47ed6aa105e

SHA256
bc25835077fcaeb82d196ca16e6126296cfbffc26c63e00e28a3a407a080d23f

SHA512
3f75fa852ca2dc01572b172077ff7aa557801274b3069e3930eec0320631663ee99642dd67dff29717abd46502a71ddf32bb3f69fd722801f93df425f2a7942f

Download Submit
C:\Windows\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe

Filesize
168KB

MD5
2874e78a3620734733e97516c189bc5b

SHA1
7bdfcd28d293bd1dc21ec4564281c47ed6aa105e

SHA256
bc25835077fcaeb82d196ca16e6126296cfbffc26c63e00e28a3a407a080d23f

SHA512
3f75fa852ca2dc01572b172077ff7aa557801274b3069e3930eec0320631663ee99642dd67dff29717abd46502a71ddf32bb3f69fd722801f93df425f2a7942f

Download Submit
C:\Windows\{0C5DF256-3BB9-4af9-A0E1-8BA2E7968BE3}.exe

Filesize
168KB

MD5
2874e78a3620734733e97516c189bc5b

SHA1
7bdfcd28d293bd1dc21ec4564281c47ed6aa105e

SHA256
bc25835077fcaeb82d196ca16e6126296cfbffc26c63e00e28a3a407a080d23f

SHA512
3f75fa852ca2dc01572b172077ff7aa557801274b3069e3930eec0320631663ee99642dd67dff29717abd46502a71ddf32bb3f69fd722801f93df425f2a7942f

Download Submit
C:\Windows\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe

Filesize
168KB

MD5
eb014c64b8c83b80f0b20cc72e04fd97

SHA1
00bd2dd91a21e27b4d8b4ffdd21a52aa60d748ad

SHA256
198302283733608a4af7df936a81bde900678afc75b8766edf82668ae4e7a2de

SHA512
6e4da00ca3697fe57156f81a0dfe81ac74b7e54b4c72e8f14ddfc4f3eef4781b26d41c98399e54962f15c6cd82bb7c699081d1e78cbc0622d27c780b2d20e932

Download Submit
C:\Windows\{1EEF1F87-2536-4853-8BF0-98B7E90BBB8E}.exe

Filesize
168KB

MD5
eb014c64b8c83b80f0b20cc72e04fd97

SHA1
00bd2dd91a21e27b4d8b4ffdd21a52aa60d748ad

SHA256
198302283733608a4af7df936a81bde900678afc75b8766edf82668ae4e7a2de

SHA512
6e4da00ca3697fe57156f81a0dfe81ac74b7e54b4c72e8f14ddfc4f3eef4781b26d41c98399e54962f15c6cd82bb7c699081d1e78cbc0622d27c780b2d20e932

Download Submit
C:\Windows\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe

Filesize
168KB

MD5
b12f3f544f874c6ad99ae6239fae08bc

SHA1
2e0adbf6c1de09454af935de34d102ec4e6076ae

SHA256
c0f9e437d4693349a6e4653179c0e422e3d0d98038b0588ad31352e27ce4d571

SHA512
40ada71561fc2cff83ad717433aefe44ac93069a36afe299669b6db29622e5b2a86b8095a25ef22bfa29092c1b0bc130295f2f662167c8dc3f662003db95058a

Download Submit
C:\Windows\{2462E9DC-4C7D-4781-9308-BF63DB1E25B0}.exe

Filesize
168KB

MD5
b12f3f544f874c6ad99ae6239fae08bc

SHA1
2e0adbf6c1de09454af935de34d102ec4e6076ae

SHA256
c0f9e437d4693349a6e4653179c0e422e3d0d98038b0588ad31352e27ce4d571

SHA512
40ada71561fc2cff83ad717433aefe44ac93069a36afe299669b6db29622e5b2a86b8095a25ef22bfa29092c1b0bc130295f2f662167c8dc3f662003db95058a

Download Submit
C:\Windows\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe

Filesize
168KB

MD5
2498ec134b6a814a1e323f8b0fdafb2f

SHA1
7c1e4c595e00cecfe49093107de3af2d499e3616

SHA256
39672b9fcfc769c87bb9300f15311308025b7d7a73772d52a5c65f97ad69bbd8

SHA512
18310570d699243c7bfc3b5573a997fed7a8c3fab2a4872ea1f58ddab3ebf8bcf79f32f0eba7182ee6995df11b0e6626eec457dfd2a9ccd64e0ff583522cf7fd

Download Submit
C:\Windows\{26D24891-B95C-42f0-9AC3-8F3B45D41E67}.exe

Filesize
168KB

MD5
2498ec134b6a814a1e323f8b0fdafb2f

SHA1
7c1e4c595e00cecfe49093107de3af2d499e3616

SHA256
39672b9fcfc769c87bb9300f15311308025b7d7a73772d52a5c65f97ad69bbd8

SHA512
18310570d699243c7bfc3b5573a997fed7a8c3fab2a4872ea1f58ddab3ebf8bcf79f32f0eba7182ee6995df11b0e6626eec457dfd2a9ccd64e0ff583522cf7fd

Download Submit
C:\Windows\{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe

Filesize
168KB

MD5
c38f179382ebf0b3dcfae3435bb1189e

SHA1
e121d7451e7886c1ebd6c5e149979c24b195a020

SHA256
2001fe5855102afc7287f45de8c4d40e8fe5009cb17e2e5788580530207d0d60

SHA512
ce157a4c5cbe12d977454c9573cfdff90e19890e38a743eec9d5a8a1af9704385811a5f8ff96a84c1f6453e1b9ad66b946c72f39e3fb6b5a87fcdf4e7416cd7c

Download Submit
C:\Windows\{3DA0693E-77D9-4d00-985B-07F05931ACF2}.exe

Filesize
168KB

MD5
c38f179382ebf0b3dcfae3435bb1189e

SHA1
e121d7451e7886c1ebd6c5e149979c24b195a020

SHA256
2001fe5855102afc7287f45de8c4d40e8fe5009cb17e2e5788580530207d0d60

SHA512
ce157a4c5cbe12d977454c9573cfdff90e19890e38a743eec9d5a8a1af9704385811a5f8ff96a84c1f6453e1b9ad66b946c72f39e3fb6b5a87fcdf4e7416cd7c

Download Submit
C:\Windows\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe

Filesize
168KB

MD5
8faefaa88a1003cc76bc44016182c403

SHA1
e657c31588e056d2fe9d42c1f1c32c2b0d585f87

SHA256
619a3ce7ab8cf8b3a841ba0f9bc97fd137aae52d6912a5d2c9d874e3f19abede

SHA512
8410199baecbef361349245818c9db54da54ee509e800cd0efdf14fcb8d658d96f6a7e3a22d634a83ab7aaeb653a0983a68e569a7f218a4d94ff866c079ef676

Download Submit
C:\Windows\{718905F6-8B14-4554-AB26-9DA5CAC64EFA}.exe

Filesize
168KB

MD5
8faefaa88a1003cc76bc44016182c403

SHA1
e657c31588e056d2fe9d42c1f1c32c2b0d585f87

SHA256
619a3ce7ab8cf8b3a841ba0f9bc97fd137aae52d6912a5d2c9d874e3f19abede

SHA512
8410199baecbef361349245818c9db54da54ee509e800cd0efdf14fcb8d658d96f6a7e3a22d634a83ab7aaeb653a0983a68e569a7f218a4d94ff866c079ef676

Download Submit
C:\Windows\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe

Filesize
168KB

MD5
06bb42a9bfd930d4984d3906d202efac

SHA1
7805398780e116ddb998e16376d25945f02effcf

SHA256
72be4b6d5925d1cdbe4135c39fb932009813c0e51518f9f609da379d7d88c4c2

SHA512
2114b68b37b5683724f90fd7457f0796ea2865e9fef73e7aaced3f78d415788555e42b72aecc8e284ea5994ca5159d1566516dfa610736f98b26994e1c5444f5

Download Submit
C:\Windows\{74FF7C34-6676-43a9-A0D1-A14C52E1211C}.exe

Filesize
168KB

MD5
06bb42a9bfd930d4984d3906d202efac

SHA1
7805398780e116ddb998e16376d25945f02effcf

SHA256
72be4b6d5925d1cdbe4135c39fb932009813c0e51518f9f609da379d7d88c4c2

SHA512
2114b68b37b5683724f90fd7457f0796ea2865e9fef73e7aaced3f78d415788555e42b72aecc8e284ea5994ca5159d1566516dfa610736f98b26994e1c5444f5

Download Submit
C:\Windows\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe

Filesize
168KB

MD5
d3215b6f4bfc18a0771084aa816f2130

SHA1
3a37117ba1ede6a46eb80b3eb85d02a917b59ea4

SHA256
761037ff81f19ba0ad7a50d1fa843ebfb8d5dc91ef44baab1addd15f6294c009

SHA512
5666fcdb1d909fa964fe3c30860a6793eecae170d803fa5630a9f0ea8f6c6a6507e3142fab10b01369e9f35c0b363813ae33f48d86a533352815c3cddee28754

Download Submit
C:\Windows\{9DD95558-EC74-4493-B7F0-917F34CE7E8F}.exe

Filesize
168KB

MD5
d3215b6f4bfc18a0771084aa816f2130

SHA1
3a37117ba1ede6a46eb80b3eb85d02a917b59ea4

SHA256
761037ff81f19ba0ad7a50d1fa843ebfb8d5dc91ef44baab1addd15f6294c009

SHA512
5666fcdb1d909fa964fe3c30860a6793eecae170d803fa5630a9f0ea8f6c6a6507e3142fab10b01369e9f35c0b363813ae33f48d86a533352815c3cddee28754

Download Submit
C:\Windows\{C84B8158-51DE-4981-9643-8FBA3E708178}.exe

Filesize
168KB

MD5
a20a1cb22034361cc6545b76e8f4402e

SHA1
8b49f930699c8b23a8d752d4afeb0cdc913cfd1d

SHA256
07fcef5d56f263d0920b1c315a23f5a7979e9ca4237cccedd8f0b582da883610

SHA512
ea8bf396ea350e5a6b57e833f6046adb810c64580f0a4e7bea32dd137bdd48c71502d3e1ab80c3ed92d5840d5dd355669fcd0eb6a669475638ef48b01c6be6a7

Download Submit
C:\Windows\{C84B8158-51DE-4981-9643-8FBA3E708178}.exe

Filesize
168KB

MD5
a20a1cb22034361cc6545b76e8f4402e

SHA1
8b49f930699c8b23a8d752d4afeb0cdc913cfd1d

SHA256
07fcef5d56f263d0920b1c315a23f5a7979e9ca4237cccedd8f0b582da883610

SHA512
ea8bf396ea350e5a6b57e833f6046adb810c64580f0a4e7bea32dd137bdd48c71502d3e1ab80c3ed92d5840d5dd355669fcd0eb6a669475638ef48b01c6be6a7

Download Submit
C:\Windows\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe

Filesize
168KB

MD5
e2bf4b5359af6c2ce01696c34ef92474

SHA1
e5cb62b23deaa1d0ea307519e3c4712d793d558d

SHA256
161b8a1b8f58c2f79a7cf7dce5f3245c1f8f4365373da4c612f0f541c241bc9c

SHA512
38e07a72eaf399901d571e6a81f7dbc2ff648bbbecbc25f38e9a406c6405c0a20bade2bc5d580c14e2894abb593934b23ebfc5bbbaff7001f873aad11bf13e7c

Download Submit
C:\Windows\{CF2E7526-80C1-4d21-8F79-3CFDF119BA65}.exe

Filesize
168KB

MD5
e2bf4b5359af6c2ce01696c34ef92474

SHA1
e5cb62b23deaa1d0ea307519e3c4712d793d558d

SHA256
161b8a1b8f58c2f79a7cf7dce5f3245c1f8f4365373da4c612f0f541c241bc9c

SHA512
38e07a72eaf399901d571e6a81f7dbc2ff648bbbecbc25f38e9a406c6405c0a20bade2bc5d580c14e2894abb593934b23ebfc5bbbaff7001f873aad11bf13e7c

Download Submit
C:\Windows\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe

Filesize
168KB

MD5
e9659c246838e90807d4e0331db27a5d

SHA1
ec055708cd9173e1ff46c888a0a072b3d3402a18

SHA256
374b7c0513b679487cc428a1083d0da5d5d90e731bbb3f055bb8b1c5c8afc921

SHA512
240cb94f66dfd25eccde17158d85a5d131b5dae562d257f059f22707e017692c143e3fcf7f373afc4d65552117ab85bda4ef47b45cd2edf9ebc859c7940d8c1c

Download Submit
C:\Windows\{D40AB4EA-C471-40f1-92F5-1DBB2884A277}.exe

Filesize
168KB

MD5
e9659c246838e90807d4e0331db27a5d

SHA1
ec055708cd9173e1ff46c888a0a072b3d3402a18

SHA256
374b7c0513b679487cc428a1083d0da5d5d90e731bbb3f055bb8b1c5c8afc921

SHA512
240cb94f66dfd25eccde17158d85a5d131b5dae562d257f059f22707e017692c143e3fcf7f373afc4d65552117ab85bda4ef47b45cd2edf9ebc859c7940d8c1c

Download Submit
C:\Windows\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe

Filesize
168KB

MD5
2bb5a6c2a917930f370256715e72fc66

SHA1
8c69a8560b7e9320de5bfdb6ba171ab0bf81e4e2

SHA256
3b87192e02308bbba686022757c01eddd57a2be3a0594d8c6db0014e3e1ac3c4

SHA512
ca6c6c64e69cbc563af97dec70a138afd3f8c1103a365ff63a698dc2c91b69ebe7c0b7c0ae1ffc90585b7022e59e275a3d5807f9d069516859ea96f75cc2c77a

Download Submit
C:\Windows\{E27C8EDC-2CDE-4ec2-85BB-CA1A8434C743}.exe

Filesize
168KB

MD5
2bb5a6c2a917930f370256715e72fc66

SHA1
8c69a8560b7e9320de5bfdb6ba171ab0bf81e4e2

SHA256
3b87192e02308bbba686022757c01eddd57a2be3a0594d8c6db0014e3e1ac3c4

SHA512
ca6c6c64e69cbc563af97dec70a138afd3f8c1103a365ff63a698dc2c91b69ebe7c0b7c0ae1ffc90585b7022e59e275a3d5807f9d069516859ea96f75cc2c77a

Download Submit