ebddbfbab4931129558ff852ab358eecd3cfd86c4513d7c80423a379f401b1f6

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 08:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

61cecde7dd5218exeexeexeex.exe
Size

372KB
MD5

61cecde7dd521865c1c8e6039a26cbb8
SHA1

81cb925f7bffc4b52525acd13e9c6333a36a4a22
SHA256

ebddbfbab4931129558ff852ab358eecd3cfd86c4513d7c80423a379f401b1f6
SHA512

efcca14f9653872c4cdcffa55e54e38d7ca0f2b79fc08a074ce4962022f4157d5da79bbb474498e4bfedc8d88843d9caf3ca6e898f2f4286e2e3625b3eee650c
SSDEEP

3072:CEGh0ofmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGcl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A73B716-88F4-488c-B996-DF174178066E}\stubpath = "C:\\Windows\\{5A73B716-88F4-488c-B996-DF174178066E}.exe"	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F96FA9-522F-44cb-B69F-236684E09493}	{5A73B716-88F4-488c-B996-DF174178066E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}	{EF957A08-B721-4549-8C79-32963C943BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}\stubpath = "C:\\Windows\\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe"	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A5BD77F-527A-46c0-953F-8D753D6549EC}\stubpath = "C:\\Windows\\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe"	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}\stubpath = "C:\\Windows\\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe"	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A73B716-88F4-488c-B996-DF174178066E}	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}\stubpath = "C:\\Windows\\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe"	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B67DEB1-E5E8-487b-A116-63312F94E047}\stubpath = "C:\\Windows\\{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe"	{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}\stubpath = "C:\\Windows\\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe"	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B67DEB1-E5E8-487b-A116-63312F94E047}	{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}	61cecde7dd5218exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}\stubpath = "C:\\Windows\\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe"	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A5BD77F-527A-46c0-953F-8D753D6549EC}	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF957A08-B721-4549-8C79-32963C943BC6}\stubpath = "C:\\Windows\\{EF957A08-B721-4549-8C79-32963C943BC6}.exe"	{84F96FA9-522F-44cb-B69F-236684E09493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}\stubpath = "C:\\Windows\\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe"	{EF957A08-B721-4549-8C79-32963C943BC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}\stubpath = "C:\\Windows\\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe"	61cecde7dd5218exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F96FA9-522F-44cb-B69F-236684E09493}\stubpath = "C:\\Windows\\{84F96FA9-522F-44cb-B69F-236684E09493}.exe"	{5A73B716-88F4-488c-B996-DF174178066E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF957A08-B721-4549-8C79-32963C943BC6}	{84F96FA9-522F-44cb-B69F-236684E09493}.exe

Executes dropped EXE 12 IoCs

pid	Process
408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
628	{5A73B716-88F4-488c-B996-DF174178066E}.exe
3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe
1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe
2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
3472	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe
2924	{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe
212	{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
File created	C:\Windows\{EF957A08-B721-4549-8C79-32963C943BC6}.exe	{84F96FA9-522F-44cb-B69F-236684E09493}.exe
File created	C:\Windows\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	{EF957A08-B721-4549-8C79-32963C943BC6}.exe
File created	C:\Windows\{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe	{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe
File created	C:\Windows\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	61cecde7dd5218exeexeexeex.exe
File created	C:\Windows\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
File created	C:\Windows\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
File created	C:\Windows\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
File created	C:\Windows\{5A73B716-88F4-488c-B996-DF174178066E}.exe	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
File created	C:\Windows\{84F96FA9-522F-44cb-B69F-236684E09493}.exe	{5A73B716-88F4-488c-B996-DF174178066E}.exe
File created	C:\Windows\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
File created	C:\Windows\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4716	61cecde7dd5218exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
Token: SeIncBasePriorityPrivilege	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
Token: SeIncBasePriorityPrivilege	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
Token: SeIncBasePriorityPrivilege	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
Token: SeIncBasePriorityPrivilege	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
Token: SeIncBasePriorityPrivilege	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe
Token: SeIncBasePriorityPrivilege	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe
Token: SeIncBasePriorityPrivilege	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe
Token: SeIncBasePriorityPrivilege	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
Token: SeIncBasePriorityPrivilege	3472	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe
Token: SeIncBasePriorityPrivilege	2924	{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 408	4716	61cecde7dd5218exeexeexeex.exe	84
PID 4716 wrote to memory of 408	4716	61cecde7dd5218exeexeexeex.exe	84
PID 4716 wrote to memory of 408	4716	61cecde7dd5218exeexeexeex.exe	84
PID 4716 wrote to memory of 5048	4716	61cecde7dd5218exeexeexeex.exe	85
PID 4716 wrote to memory of 5048	4716	61cecde7dd5218exeexeexeex.exe	85
PID 4716 wrote to memory of 5048	4716	61cecde7dd5218exeexeexeex.exe	85
PID 408 wrote to memory of 2608	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	86
PID 408 wrote to memory of 2608	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	86
PID 408 wrote to memory of 2608	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	86
PID 408 wrote to memory of 3116	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	87
PID 408 wrote to memory of 3116	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	87
PID 408 wrote to memory of 3116	408	{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe	87
PID 2608 wrote to memory of 5040	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	92
PID 2608 wrote to memory of 5040	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	92
PID 2608 wrote to memory of 5040	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	92
PID 2608 wrote to memory of 3996	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	91
PID 2608 wrote to memory of 3996	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	91
PID 2608 wrote to memory of 3996	2608	{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe	91
PID 5040 wrote to memory of 4152	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	93
PID 5040 wrote to memory of 4152	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	93
PID 5040 wrote to memory of 4152	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	93
PID 5040 wrote to memory of 3708	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	94
PID 5040 wrote to memory of 3708	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	94
PID 5040 wrote to memory of 3708	5040	{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe	94
PID 4152 wrote to memory of 2640	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	95
PID 4152 wrote to memory of 2640	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	95
PID 4152 wrote to memory of 2640	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	95
PID 4152 wrote to memory of 4836	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	96
PID 4152 wrote to memory of 4836	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	96
PID 4152 wrote to memory of 4836	4152	{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe	96
PID 2640 wrote to memory of 628	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	97
PID 2640 wrote to memory of 628	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	97
PID 2640 wrote to memory of 628	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	97
PID 2640 wrote to memory of 1556	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	98
PID 2640 wrote to memory of 1556	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	98
PID 2640 wrote to memory of 1556	2640	{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe	98
PID 628 wrote to memory of 3516	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe	99
PID 628 wrote to memory of 3516	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe	99
PID 628 wrote to memory of 3516	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe	99
PID 628 wrote to memory of 4972	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe	100
PID 628 wrote to memory of 4972	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe	100
PID 628 wrote to memory of 4972	628	{5A73B716-88F4-488c-B996-DF174178066E}.exe	100
PID 3516 wrote to memory of 1796	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe	101
PID 3516 wrote to memory of 1796	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe	101
PID 3516 wrote to memory of 1796	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe	101
PID 3516 wrote to memory of 3160	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe	102
PID 3516 wrote to memory of 3160	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe	102
PID 3516 wrote to memory of 3160	3516	{84F96FA9-522F-44cb-B69F-236684E09493}.exe	102
PID 1796 wrote to memory of 2992	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe	103
PID 1796 wrote to memory of 2992	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe	103
PID 1796 wrote to memory of 2992	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe	103
PID 1796 wrote to memory of 1784	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe	104
PID 1796 wrote to memory of 1784	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe	104
PID 1796 wrote to memory of 1784	1796	{EF957A08-B721-4549-8C79-32963C943BC6}.exe	104
PID 2992 wrote to memory of 3472	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	105
PID 2992 wrote to memory of 3472	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	105
PID 2992 wrote to memory of 3472	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	105
PID 2992 wrote to memory of 3764	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	106
PID 2992 wrote to memory of 3764	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	106
PID 2992 wrote to memory of 3764	2992	{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe	106
PID 3472 wrote to memory of 2924	3472	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe	107
PID 3472 wrote to memory of 2924	3472	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe	107
PID 3472 wrote to memory of 2924	3472	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe	107
PID 3472 wrote to memory of 1904	3472	{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe	108

C:\Users\Admin\AppData\Local\Temp\61cecde7dd5218exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\61cecde7dd5218exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
  C:\Windows\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
    C:\Windows\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F5F9~1.EXE > nul
      4⤵
      PID:3996
  - - C:\Windows\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
      C:\Windows\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
        
        C:\Windows\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
        
        C:\Windows\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{5A73B716-88F4-488c-B996-DF174178066E}.exe
        
        C:\Windows\{5A73B716-88F4-488c-B996-DF174178066E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{84F96FA9-522F-44cb-B69F-236684E09493}.exe
        
        C:\Windows\{84F96FA9-522F-44cb-B69F-236684E09493}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{EF957A08-B721-4549-8C79-32963C943BC6}.exe
        
        C:\Windows\{EF957A08-B721-4549-8C79-32963C943BC6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
        
        C:\Windows\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe
        
        C:\Windows\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe
        
        C:\Windows\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe
        
        C:\Windows\{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe
        13⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF28D~1.EXE > nul
        13⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C3B~1.EXE > nul
        12⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46BE9~1.EXE > nul
        11⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF957~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84F96~1.EXE > nul
        9⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A73B~1.EXE > nul
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F864~1.EXE > nul
        7⤵
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7154F~1.EXE > nul
        6⤵
        
        PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A5BD~1.EXE > nul
        5⤵
        
        PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E388C~1.EXE > nul
    3⤵
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\61CECD~1.EXE > nul
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe

Filesize
372KB

MD5
1eec5e28433fd9d600242210409f1de4

SHA1
21503134e2ea79b1fd2733a4736d50bb477611ce

SHA256
efa06d8be7983863d43e4a800fab0f0946d8e0ead514c0cdcaea7c8aabce96e9

SHA512
21f4497d7ea5bd853fbccc529058a05588cf58630a39345e92ad98103480dc0581ea551864afe1b4aaf8af032b979fcec915db78acbd8233d9e37736aa38d1e9

Download Submit
C:\Windows\{1B67DEB1-E5E8-487b-A116-63312F94E047}.exe

Filesize
372KB

MD5
1eec5e28433fd9d600242210409f1de4

SHA1
21503134e2ea79b1fd2733a4736d50bb477611ce

SHA256
efa06d8be7983863d43e4a800fab0f0946d8e0ead514c0cdcaea7c8aabce96e9

SHA512
21f4497d7ea5bd853fbccc529058a05588cf58630a39345e92ad98103480dc0581ea551864afe1b4aaf8af032b979fcec915db78acbd8233d9e37736aa38d1e9

Download Submit
C:\Windows\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe

Filesize
372KB

MD5
e7121272810802e733d0a8d1fb404274

SHA1
628e56e865271ecd64d5b5c1dbefbed6da070dbd

SHA256
a9337ccb5541fa06d40f28223f0eb14427fc13d75ca1de3330dcd776d2dfe057

SHA512
7d49b1c9f1b6307a5841a86764573b590d77f97e76f944816edea6e3edc6e72f4e4d143e4a51164975846ddc60e05cccd0f3f3b6b5a537433f62b67997e302d0

Download Submit
C:\Windows\{46BE9F24-6A42-4129-AFD0-52C1E1458FB3}.exe

Filesize
372KB

MD5
e7121272810802e733d0a8d1fb404274

SHA1
628e56e865271ecd64d5b5c1dbefbed6da070dbd

SHA256
a9337ccb5541fa06d40f28223f0eb14427fc13d75ca1de3330dcd776d2dfe057

SHA512
7d49b1c9f1b6307a5841a86764573b590d77f97e76f944816edea6e3edc6e72f4e4d143e4a51164975846ddc60e05cccd0f3f3b6b5a537433f62b67997e302d0

Download Submit
C:\Windows\{5A73B716-88F4-488c-B996-DF174178066E}.exe

Filesize
372KB

MD5
9b200dd76900ec13a097816367a86ca6

SHA1
234139c1a9cb369e92b204941722f658e5506de4

SHA256
03258b41519f902a036f05cc32c41fc79943e1a05092b257c6eb86d10ee79439

SHA512
2e1f5b0b784a01da3bda5e71f69d322ad2e480a2bebb9500401262113b2b3cb5df7e89ed7886d621b069edb03ae900e01a02e6e25d79134bae016306456b14c7

Download Submit
C:\Windows\{5A73B716-88F4-488c-B996-DF174178066E}.exe

Filesize
372KB

MD5
9b200dd76900ec13a097816367a86ca6

SHA1
234139c1a9cb369e92b204941722f658e5506de4

SHA256
03258b41519f902a036f05cc32c41fc79943e1a05092b257c6eb86d10ee79439

SHA512
2e1f5b0b784a01da3bda5e71f69d322ad2e480a2bebb9500401262113b2b3cb5df7e89ed7886d621b069edb03ae900e01a02e6e25d79134bae016306456b14c7

Download Submit
C:\Windows\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe

Filesize
372KB

MD5
a90c0bf7cb799ba8d160e2fd8932b0fe

SHA1
b551c854656e23d009612724a45b849261547a73

SHA256
6ebbb73fc37b5df189dec5151f1ab3a6df7ffb38c3a08c42da79fe5b3305824c

SHA512
da20dbf5dfb990d859c936f3116df62f254e953097dbdaac52d0bbd52f69846ebf3d4fe29c1f5446c97cc6ac1dcb182395f92dff47a5aea8472a493c5e2d6c8d

Download Submit
C:\Windows\{6F8640DD-9E76-4c0d-B6EA-07FDD2429EA4}.exe

Filesize
372KB

MD5
a90c0bf7cb799ba8d160e2fd8932b0fe

SHA1
b551c854656e23d009612724a45b849261547a73

SHA256
6ebbb73fc37b5df189dec5151f1ab3a6df7ffb38c3a08c42da79fe5b3305824c

SHA512
da20dbf5dfb990d859c936f3116df62f254e953097dbdaac52d0bbd52f69846ebf3d4fe29c1f5446c97cc6ac1dcb182395f92dff47a5aea8472a493c5e2d6c8d

Download Submit
C:\Windows\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe

Filesize
372KB

MD5
657b295e853f8b92e0b62fe37e2ac6c5

SHA1
762c88e99e8f92eebbcd0f5fd6737f22a79ab337

SHA256
0cc4cd4b82dbc5d171e8c653cad04e9debf9d5ddf0f3e12a4d8f0d19eff9486b

SHA512
da52edea055aab1c6d157d69c7694cb4520296c350655f7c6acf905690a65cd99b788bf90f876c1678e80b66832d2ec80f7614f0bfdacbc4321174424496a194

Download Submit
C:\Windows\{7154F597-EEDE-4a6f-9E39-E265E4B52FF2}.exe

Filesize
372KB

MD5
657b295e853f8b92e0b62fe37e2ac6c5

SHA1
762c88e99e8f92eebbcd0f5fd6737f22a79ab337

SHA256
0cc4cd4b82dbc5d171e8c653cad04e9debf9d5ddf0f3e12a4d8f0d19eff9486b

SHA512
da52edea055aab1c6d157d69c7694cb4520296c350655f7c6acf905690a65cd99b788bf90f876c1678e80b66832d2ec80f7614f0bfdacbc4321174424496a194

Download Submit
C:\Windows\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe

Filesize
372KB

MD5
16bb7f9a9ab297bc550ec6c762efeffe

SHA1
66a89c8cdcc1981fbda2415fb4e3e4a29a1cf598

SHA256
e994cab5bc5090dee1ef5a90965f59802a94aa599894347c416239a954ee86d3

SHA512
59e45d1c243b9ba174f86072bf90592cf6b8a7a77091d5c695ce02a9d4cfc090c1c1bfedd71d3cb0fc4717e03073642ff410a670d8e0643e3a01e0978f6a6829

Download Submit
C:\Windows\{7F5F9D37-5BF9-47fb-A6FA-96F7AF3186E8}.exe

Filesize
372KB

MD5
16bb7f9a9ab297bc550ec6c762efeffe

SHA1
66a89c8cdcc1981fbda2415fb4e3e4a29a1cf598

SHA256
e994cab5bc5090dee1ef5a90965f59802a94aa599894347c416239a954ee86d3

SHA512
59e45d1c243b9ba174f86072bf90592cf6b8a7a77091d5c695ce02a9d4cfc090c1c1bfedd71d3cb0fc4717e03073642ff410a670d8e0643e3a01e0978f6a6829

Download Submit
C:\Windows\{84F96FA9-522F-44cb-B69F-236684E09493}.exe

Filesize
372KB

MD5
f022df50d68f9f72b9b628b4f391ee14

SHA1
7b6db1098eb95612618cfdda2ebb64b0ef7e3573

SHA256
e06ac0af48f601d1098fc8f07619c2917cccbb91d114ae306fc319748d4f3226

SHA512
9617f41d69a8636aa06b7b68d5bd7dee35b6d3ea8f85fa0b9f4d6e4bc74d75eb6d508136d6ba22fd6a383a9246c463934d2c321ce1f70dbc99a38f03da0c0991

Download Submit
C:\Windows\{84F96FA9-522F-44cb-B69F-236684E09493}.exe

Filesize
372KB

MD5
f022df50d68f9f72b9b628b4f391ee14

SHA1
7b6db1098eb95612618cfdda2ebb64b0ef7e3573

SHA256
e06ac0af48f601d1098fc8f07619c2917cccbb91d114ae306fc319748d4f3226

SHA512
9617f41d69a8636aa06b7b68d5bd7dee35b6d3ea8f85fa0b9f4d6e4bc74d75eb6d508136d6ba22fd6a383a9246c463934d2c321ce1f70dbc99a38f03da0c0991

Download Submit
C:\Windows\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe

Filesize
372KB

MD5
2bf40a40d30bcc2fbaef78c13c6a2aae

SHA1
0f7f302631f1ded254aeb572e57eea74602140c1

SHA256
459f36819aba283d515504da1bcf7eac7411557bb6d80b099a928341e778b9ec

SHA512
0d210b5d24518b861fc2b5768517432937bb4ab2e2545da20685b0e0129aa0ae97b706eca2d9f09bd6db330e93d9b0ff57f2082f01dd5e84ca6f75594978afc6

Download Submit
C:\Windows\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe

Filesize
372KB

MD5
2bf40a40d30bcc2fbaef78c13c6a2aae

SHA1
0f7f302631f1ded254aeb572e57eea74602140c1

SHA256
459f36819aba283d515504da1bcf7eac7411557bb6d80b099a928341e778b9ec

SHA512
0d210b5d24518b861fc2b5768517432937bb4ab2e2545da20685b0e0129aa0ae97b706eca2d9f09bd6db330e93d9b0ff57f2082f01dd5e84ca6f75594978afc6

Download Submit
C:\Windows\{9A5BD77F-527A-46c0-953F-8D753D6549EC}.exe

Filesize
372KB

MD5
2bf40a40d30bcc2fbaef78c13c6a2aae

SHA1
0f7f302631f1ded254aeb572e57eea74602140c1

SHA256
459f36819aba283d515504da1bcf7eac7411557bb6d80b099a928341e778b9ec

SHA512
0d210b5d24518b861fc2b5768517432937bb4ab2e2545da20685b0e0129aa0ae97b706eca2d9f09bd6db330e93d9b0ff57f2082f01dd5e84ca6f75594978afc6

Download Submit
C:\Windows\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe

Filesize
372KB

MD5
6743c6de88e5ffcadf4dbf11b3facb53

SHA1
045cdfd2e6b13f5341d16af12999de737367ba99

SHA256
e494c6009558cd50f0af70fe92be12ee85e43533bd9f9f7091b6585ace161569

SHA512
91eb57dd2b53f9d361ab9a88e4c93f3258619cc5a1a996f1cc86bf90cef829be5adbf53450c52a0ed8bed0d3363bbecc4bbf639c438afe2f0fdd37afbc59bab8

Download Submit
C:\Windows\{DF28DA59-E3EB-4a8b-AD98-1EDB899B90DB}.exe

Filesize
372KB

MD5
6743c6de88e5ffcadf4dbf11b3facb53

SHA1
045cdfd2e6b13f5341d16af12999de737367ba99

SHA256
e494c6009558cd50f0af70fe92be12ee85e43533bd9f9f7091b6585ace161569

SHA512
91eb57dd2b53f9d361ab9a88e4c93f3258619cc5a1a996f1cc86bf90cef829be5adbf53450c52a0ed8bed0d3363bbecc4bbf639c438afe2f0fdd37afbc59bab8

Download Submit
C:\Windows\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe

Filesize
372KB

MD5
f3569d17a157f2109094830efcd19a0f

SHA1
64f41f6c9f38ae18c50402a872b3be2ecd8102c4

SHA256
9f8a22b5cc3b56dd16e04701f59d793ed5d522694546ee8a25f317e499e72960

SHA512
76794ef107746bfed7c1fae7ca64b5993b9a38699b48cf794af459d64d6eb3bf194a1d0b93824e9bd45898165395794447d8cdf5110e4d82ea8517fd326960c2

Download Submit
C:\Windows\{E2C3B9D3-22EF-459a-9B2B-206A5E93F40A}.exe

Filesize
372KB

MD5
f3569d17a157f2109094830efcd19a0f

SHA1
64f41f6c9f38ae18c50402a872b3be2ecd8102c4

SHA256
9f8a22b5cc3b56dd16e04701f59d793ed5d522694546ee8a25f317e499e72960

SHA512
76794ef107746bfed7c1fae7ca64b5993b9a38699b48cf794af459d64d6eb3bf194a1d0b93824e9bd45898165395794447d8cdf5110e4d82ea8517fd326960c2

Download Submit
C:\Windows\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe

Filesize
372KB

MD5
7ff754a34bf93cd6055258a8c8a15067

SHA1
e1f8b2459761196a72724118c45d6ef3b3f6f788

SHA256
d09b1d480beec5b4013c8b82d624d1468a764c933e7a3dde56aa7b2e921f605e

SHA512
37a6164deee52e0931cd357974b671174fe6c4770a6a23f0cc5c85adbcbf15e069dbcfc28ce0f1449a70375305db73010820d2e800646738e38ca0a2fc0c2892

Download Submit
C:\Windows\{E388CC40-1EEF-4157-8BD9-8533BD4F3D80}.exe

Filesize
372KB

MD5
7ff754a34bf93cd6055258a8c8a15067

SHA1
e1f8b2459761196a72724118c45d6ef3b3f6f788

SHA256
d09b1d480beec5b4013c8b82d624d1468a764c933e7a3dde56aa7b2e921f605e

SHA512
37a6164deee52e0931cd357974b671174fe6c4770a6a23f0cc5c85adbcbf15e069dbcfc28ce0f1449a70375305db73010820d2e800646738e38ca0a2fc0c2892

Download Submit
C:\Windows\{EF957A08-B721-4549-8C79-32963C943BC6}.exe

Filesize
372KB

MD5
c61d57a294948be26dd21e8bf191d7d2

SHA1
00026cbde8ddcf406d2fbd94d01a1653c0dccaf4

SHA256
3b9332d7a2a3269d5e1b1c344707edc741ef0ab307211a143005d5d1c9868138

SHA512
1dca1a2ebaca747b34b44c7063cfa7dc45b4da3fd680c7e41f87d0112c676176ab69c6875a46f3d513a4b99a0618d6cae039ffbe3fe933a7fd73e9677c83d407

Download Submit
C:\Windows\{EF957A08-B721-4549-8C79-32963C943BC6}.exe

Filesize
372KB

MD5
c61d57a294948be26dd21e8bf191d7d2

SHA1
00026cbde8ddcf406d2fbd94d01a1653c0dccaf4

SHA256
3b9332d7a2a3269d5e1b1c344707edc741ef0ab307211a143005d5d1c9868138

SHA512
1dca1a2ebaca747b34b44c7063cfa7dc45b4da3fd680c7e41f87d0112c676176ab69c6875a46f3d513a4b99a0618d6cae039ffbe3fe933a7fd73e9677c83d407

Download Submit