9f908fbee073181b3acedac592121ebb24fcebf161ac23416ab2ad1534dfe4e1

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 17:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89fbf1157422aaexeexeexeex.exe
Size

204KB
MD5

89fbf1157422aa04475049de927da4d2
SHA1

e01c423ba0853e6df126d7e93d453df1787b723f
SHA256

9f908fbee073181b3acedac592121ebb24fcebf161ac23416ab2ad1534dfe4e1
SHA512

0126c68473725f47f650c6712ff0b554bda5b27a7c087dbd0b01fa3953cda16f22738395502e5ad095bde02ff00f73db59acebeda0c09640e1555e0cfe536e85
SSDEEP

1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oGl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}	{C618A510-4905-4e10-A498-55E2D927AB96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}\stubpath = "C:\\Windows\\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe"	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89C7D518-B6D6-427c-BE1E-254081AD362B}\stubpath = "C:\\Windows\\{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe"	{2276D88D-82EF-43e2-8355-148A4616710E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECA401E3-A2FE-4504-AF09-625F927927F7}	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECA401E3-A2FE-4504-AF09-625F927927F7}\stubpath = "C:\\Windows\\{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe"	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C618A510-4905-4e10-A498-55E2D927AB96}	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}\stubpath = "C:\\Windows\\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe"	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84B2DF7B-6732-471e-B546-56001BDF2CE2}	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89C7D518-B6D6-427c-BE1E-254081AD362B}	{2276D88D-82EF-43e2-8355-148A4616710E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}	{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53341408-ACE4-4e02-86F5-08F563886DC2}\stubpath = "C:\\Windows\\{53341408-ACE4-4e02-86F5-08F563886DC2}.exe"	89fbf1157422aaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2276D88D-82EF-43e2-8355-148A4616710E}\stubpath = "C:\\Windows\\{2276D88D-82EF-43e2-8355-148A4616710E}.exe"	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C618A510-4905-4e10-A498-55E2D927AB96}\stubpath = "C:\\Windows\\{C618A510-4905-4e10-A498-55E2D927AB96}.exe"	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}\stubpath = "C:\\Windows\\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe"	{C618A510-4905-4e10-A498-55E2D927AB96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}\stubpath = "C:\\Windows\\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe"	{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53341408-ACE4-4e02-86F5-08F563886DC2}	89fbf1157422aaexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}\stubpath = "C:\\Windows\\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe"	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84B2DF7B-6732-471e-B546-56001BDF2CE2}\stubpath = "C:\\Windows\\{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe"	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2276D88D-82EF-43e2-8355-148A4616710E}	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}\stubpath = "C:\\Windows\\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe"	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe
4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe
4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
2628	{C618A510-4905-4e10-A498-55E2D927AB96}.exe
3696	{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe
228	{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	89fbf1157422aaexeexeexeex.exe
File created	C:\Windows\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
File created	C:\Windows\{2276D88D-82EF-43e2-8355-148A4616710E}.exe	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
File created	C:\Windows\{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	{2276D88D-82EF-43e2-8355-148A4616710E}.exe
File created	C:\Windows\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe	{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe
File created	C:\Windows\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
File created	C:\Windows\{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
File created	C:\Windows\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
File created	C:\Windows\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe
File created	C:\Windows\{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
File created	C:\Windows\{C618A510-4905-4e10-A498-55E2D927AB96}.exe	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
File created	C:\Windows\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe	{C618A510-4905-4e10-A498-55E2D927AB96}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1300	89fbf1157422aaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
Token: SeIncBasePriorityPrivilege	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
Token: SeIncBasePriorityPrivilege	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
Token: SeIncBasePriorityPrivilege	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
Token: SeIncBasePriorityPrivilege	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
Token: SeIncBasePriorityPrivilege	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe
Token: SeIncBasePriorityPrivilege	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe
Token: SeIncBasePriorityPrivilege	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
Token: SeIncBasePriorityPrivilege	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
Token: SeIncBasePriorityPrivilege	2628	{C618A510-4905-4e10-A498-55E2D927AB96}.exe
Token: SeIncBasePriorityPrivilege	3696	{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4508	1300	89fbf1157422aaexeexeexeex.exe	84
PID 1300 wrote to memory of 4508	1300	89fbf1157422aaexeexeexeex.exe	84
PID 1300 wrote to memory of 4508	1300	89fbf1157422aaexeexeexeex.exe	84
PID 1300 wrote to memory of 1236	1300	89fbf1157422aaexeexeexeex.exe	85
PID 1300 wrote to memory of 1236	1300	89fbf1157422aaexeexeexeex.exe	85
PID 1300 wrote to memory of 1236	1300	89fbf1157422aaexeexeexeex.exe	85
PID 4508 wrote to memory of 1628	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	86
PID 4508 wrote to memory of 1628	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	86
PID 4508 wrote to memory of 1628	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	86
PID 4508 wrote to memory of 1388	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	87
PID 4508 wrote to memory of 1388	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	87
PID 4508 wrote to memory of 1388	4508	{53341408-ACE4-4e02-86F5-08F563886DC2}.exe	87
PID 1628 wrote to memory of 3196	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	92
PID 1628 wrote to memory of 3196	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	92
PID 1628 wrote to memory of 3196	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	92
PID 1628 wrote to memory of 1476	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	91
PID 1628 wrote to memory of 1476	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	91
PID 1628 wrote to memory of 1476	1628	{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe	91
PID 3196 wrote to memory of 1224	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	93
PID 3196 wrote to memory of 1224	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	93
PID 3196 wrote to memory of 1224	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	93
PID 3196 wrote to memory of 4128	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	94
PID 3196 wrote to memory of 4128	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	94
PID 3196 wrote to memory of 4128	3196	{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe	94
PID 1224 wrote to memory of 472	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	95
PID 1224 wrote to memory of 472	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	95
PID 1224 wrote to memory of 472	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	95
PID 1224 wrote to memory of 2968	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	96
PID 1224 wrote to memory of 2968	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	96
PID 1224 wrote to memory of 2968	1224	{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe	96
PID 472 wrote to memory of 1660	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	97
PID 472 wrote to memory of 1660	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	97
PID 472 wrote to memory of 1660	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	97
PID 472 wrote to memory of 4224	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	98
PID 472 wrote to memory of 4224	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	98
PID 472 wrote to memory of 4224	472	{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe	98
PID 1660 wrote to memory of 4460	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe	99
PID 1660 wrote to memory of 4460	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe	99
PID 1660 wrote to memory of 4460	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe	99
PID 1660 wrote to memory of 4316	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe	100
PID 1660 wrote to memory of 4316	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe	100
PID 1660 wrote to memory of 4316	1660	{2276D88D-82EF-43e2-8355-148A4616710E}.exe	100
PID 4460 wrote to memory of 4644	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	101
PID 4460 wrote to memory of 4644	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	101
PID 4460 wrote to memory of 4644	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	101
PID 4460 wrote to memory of 4492	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	102
PID 4460 wrote to memory of 4492	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	102
PID 4460 wrote to memory of 4492	4460	{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe	102
PID 4644 wrote to memory of 5008	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	103
PID 4644 wrote to memory of 5008	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	103
PID 4644 wrote to memory of 5008	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	103
PID 4644 wrote to memory of 2644	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	104
PID 4644 wrote to memory of 2644	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	104
PID 4644 wrote to memory of 2644	4644	{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe	104
PID 5008 wrote to memory of 2628	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	105
PID 5008 wrote to memory of 2628	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	105
PID 5008 wrote to memory of 2628	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	105
PID 5008 wrote to memory of 672	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	106
PID 5008 wrote to memory of 672	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	106
PID 5008 wrote to memory of 672	5008	{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe	106
PID 2628 wrote to memory of 3696	2628	{C618A510-4905-4e10-A498-55E2D927AB96}.exe	107
PID 2628 wrote to memory of 3696	2628	{C618A510-4905-4e10-A498-55E2D927AB96}.exe	107
PID 2628 wrote to memory of 3696	2628	{C618A510-4905-4e10-A498-55E2D927AB96}.exe	107
PID 2628 wrote to memory of 3828	2628	{C618A510-4905-4e10-A498-55E2D927AB96}.exe	108

C:\Users\Admin\AppData\Local\Temp\89fbf1157422aaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\89fbf1157422aaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
  C:\Windows\{53341408-ACE4-4e02-86F5-08F563886DC2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
    C:\Windows\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2304A~1.EXE > nul
      4⤵
      PID:1476
  - - C:\Windows\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
      C:\Windows\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
        
        C:\Windows\{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
        
        C:\Windows\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{2276D88D-82EF-43e2-8355-148A4616710E}.exe
        
        C:\Windows\{2276D88D-82EF-43e2-8355-148A4616710E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe
        
        C:\Windows\{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
        
        C:\Windows\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
        
        C:\Windows\{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{C618A510-4905-4e10-A498-55E2D927AB96}.exe
        
        C:\Windows\{C618A510-4905-4e10-A498-55E2D927AB96}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe
        
        C:\Windows\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Windows\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe
        
        C:\Windows\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe
        13⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A1E~1.EXE > nul
        13⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C618A~1.EXE > nul
        12⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECA40~1.EXE > nul
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{101E3~1.EXE > nul
        10⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89C7D~1.EXE > nul
        9⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2276D~1.EXE > nul
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD907~1.EXE > nul
        7⤵
        
        PID:4224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84B2D~1.EXE > nul
        6⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9058~1.EXE > nul
        5⤵
        
        PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53341~1.EXE > nul
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\89FBF1~1.EXE > nul
  2⤵
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe

Filesize
204KB

MD5
7eca260401ed2420c2a96c429c007408

SHA1
c416cefce558026d7fc987f15313904eaeb713db

SHA256
17c6e32f3a7e08e73f8aa32edc8faa1782940f74a4a6b9d34bf025bd5a5bd359

SHA512
aa1ccdd253d5850e6432291445806a822fdc75933bf3673844316050cebbe79c96ff5599a6a134c5f1bbaa9c906f0ab320e0605f8ee094046267174024594d99

Download Submit
C:\Windows\{101E3760-11E3-4a9a-ABD7-6D4DF3A1F88C}.exe

Filesize
204KB

MD5
7eca260401ed2420c2a96c429c007408

SHA1
c416cefce558026d7fc987f15313904eaeb713db

SHA256
17c6e32f3a7e08e73f8aa32edc8faa1782940f74a4a6b9d34bf025bd5a5bd359

SHA512
aa1ccdd253d5850e6432291445806a822fdc75933bf3673844316050cebbe79c96ff5599a6a134c5f1bbaa9c906f0ab320e0605f8ee094046267174024594d99

Download Submit
C:\Windows\{2276D88D-82EF-43e2-8355-148A4616710E}.exe

Filesize
204KB

MD5
cdd7beaf2dc9869ab9e15a3c2a462c1a

SHA1
1afb4d1afeee673c303d0d4f4f456f54fc54688f

SHA256
c67b9fe4d0573b64cb79349300b40ef019f904332ffae20584258520615a9b91

SHA512
e3d099fcbb1e887dbda81de89e75a6ab9ce6b90313a2bb90f6c090a07c63ff5cf7538f34beddf641c927d98cb25c978ab74ccfb033dbeeae707a4a8caff5cb83

Download Submit
C:\Windows\{2276D88D-82EF-43e2-8355-148A4616710E}.exe

Filesize
204KB

MD5
cdd7beaf2dc9869ab9e15a3c2a462c1a

SHA1
1afb4d1afeee673c303d0d4f4f456f54fc54688f

SHA256
c67b9fe4d0573b64cb79349300b40ef019f904332ffae20584258520615a9b91

SHA512
e3d099fcbb1e887dbda81de89e75a6ab9ce6b90313a2bb90f6c090a07c63ff5cf7538f34beddf641c927d98cb25c978ab74ccfb033dbeeae707a4a8caff5cb83

Download Submit
C:\Windows\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe

Filesize
204KB

MD5
4b18f58b07a30d751997ca8751690487

SHA1
a2f3103c012b1e01a85e1be62c25e75f72340993

SHA256
c2bed8d35fd14fe514b2e8f578cb80ed81c7a02a28b6bb65cd417e0d808498a2

SHA512
7dddc12c8682b7832fceaa01427b432c3f131e16cd3dbcd7c1c38e88b94319218821e39d723dc5a0e5792843511667a51d1e4b862c0af3e5833c768267ab1ed0

Download Submit
C:\Windows\{2304A9A1-82EA-46d8-B9E7-6F76D685317C}.exe

Filesize
204KB

MD5
4b18f58b07a30d751997ca8751690487

SHA1
a2f3103c012b1e01a85e1be62c25e75f72340993

SHA256
c2bed8d35fd14fe514b2e8f578cb80ed81c7a02a28b6bb65cd417e0d808498a2

SHA512
7dddc12c8682b7832fceaa01427b432c3f131e16cd3dbcd7c1c38e88b94319218821e39d723dc5a0e5792843511667a51d1e4b862c0af3e5833c768267ab1ed0

Download Submit
C:\Windows\{53341408-ACE4-4e02-86F5-08F563886DC2}.exe

Filesize
204KB

MD5
4ece0bb77b39512706e4f17016b5785b

SHA1
c5ce32aba5b6f1d10ea92e995eeaba7d972eae6b

SHA256
17f6356194445bf144b0b1cc19deb56941c488e05162c38e03c38582d17c7de9

SHA512
9473ad970c2820080ca80ae6065dea334f46a297067f9f784babc23ea1b876ad7aaa884bf00337464eccc00f1a5680a4d6f75fb6b82170df7b5d4ab7db2f233e

Download Submit
C:\Windows\{53341408-ACE4-4e02-86F5-08F563886DC2}.exe

Filesize
204KB

MD5
4ece0bb77b39512706e4f17016b5785b

SHA1
c5ce32aba5b6f1d10ea92e995eeaba7d972eae6b

SHA256
17f6356194445bf144b0b1cc19deb56941c488e05162c38e03c38582d17c7de9

SHA512
9473ad970c2820080ca80ae6065dea334f46a297067f9f784babc23ea1b876ad7aaa884bf00337464eccc00f1a5680a4d6f75fb6b82170df7b5d4ab7db2f233e

Download Submit
C:\Windows\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe

Filesize
204KB

MD5
ec581d305cb7a6ad56d978b48e49c00c

SHA1
af9b450c7b738ae1be76f96fb35d48a3c837cac2

SHA256
df0e01736f78ca7fbec615e84d1ebb368f54f4412d5db30693789dec41884231

SHA512
e01d02a4f182c27ad8b4679e2b0ebcebf65c714fcc4cda6e2ee44cf4dfdb7cbc15dfb403cb44853188153d5f0874716a05af2a7207ed0bc3c5048c5769f94a44

Download Submit
C:\Windows\{670BEA9B-7358-4d91-BE9E-6B18F40ABC9F}.exe

Filesize
204KB

MD5
ec581d305cb7a6ad56d978b48e49c00c

SHA1
af9b450c7b738ae1be76f96fb35d48a3c837cac2

SHA256
df0e01736f78ca7fbec615e84d1ebb368f54f4412d5db30693789dec41884231

SHA512
e01d02a4f182c27ad8b4679e2b0ebcebf65c714fcc4cda6e2ee44cf4dfdb7cbc15dfb403cb44853188153d5f0874716a05af2a7207ed0bc3c5048c5769f94a44

Download Submit
C:\Windows\{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe

Filesize
204KB

MD5
be732ca5624e9228ba675659afa0d49d

SHA1
e1e2e65d423905483aefbdfa831cb81ceb51e16d

SHA256
47f0e98649e35a20a2278485e6b9d73aac06b3f2509d5c33264f8f6651982cce

SHA512
e82fcfacc9f8e3715982951e2cd7ceb8c2b1f4caf1da934dfcb037c4f65ec99ba9b6e6478eac121527378a6d4bfc62bedcf4a2825913c634e86e795359f1065b

Download Submit
C:\Windows\{84B2DF7B-6732-471e-B546-56001BDF2CE2}.exe

Filesize
204KB

MD5
be732ca5624e9228ba675659afa0d49d

SHA1
e1e2e65d423905483aefbdfa831cb81ceb51e16d

SHA256
47f0e98649e35a20a2278485e6b9d73aac06b3f2509d5c33264f8f6651982cce

SHA512
e82fcfacc9f8e3715982951e2cd7ceb8c2b1f4caf1da934dfcb037c4f65ec99ba9b6e6478eac121527378a6d4bfc62bedcf4a2825913c634e86e795359f1065b

Download Submit
C:\Windows\{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe

Filesize
204KB

MD5
4e7df03a3dc9e5740dcfbd1ba2bcb0e9

SHA1
92099d8b11de283bfd1d4761a54da0e4e282d1ba

SHA256
890df8261c146598d15a5ac74cdd3c5bc88f25348f0a1f89002fb425913a2a24

SHA512
40041870ad0df0ce2709bdb297439af6bf7c86d0d238535261c3330e93747ffd6a5f5941ac1e34160d1fddb3c4c77de3db72c82caf5558e75d11517b75aa8ffa

Download Submit
C:\Windows\{89C7D518-B6D6-427c-BE1E-254081AD362B}.exe

Filesize
204KB

MD5
4e7df03a3dc9e5740dcfbd1ba2bcb0e9

SHA1
92099d8b11de283bfd1d4761a54da0e4e282d1ba

SHA256
890df8261c146598d15a5ac74cdd3c5bc88f25348f0a1f89002fb425913a2a24

SHA512
40041870ad0df0ce2709bdb297439af6bf7c86d0d238535261c3330e93747ffd6a5f5941ac1e34160d1fddb3c4c77de3db72c82caf5558e75d11517b75aa8ffa

Download Submit
C:\Windows\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe

Filesize
204KB

MD5
47898f2010ff26407dd609841615614c

SHA1
66591e1ac376b214611bcfd6f7a2db453c8c9731

SHA256
277574f8981f1e891befb4eed2dfd13d10704468570036ff12cada2c3d9c7a65

SHA512
292111aa2318f959c7ca4dd1fd6eb57b30def2b278fbc20dae888395c44129e95d592e084bbe4bea330e3c469e58a84358d9e1380c03881d4271925c7ac421f5

Download Submit
C:\Windows\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe

Filesize
204KB

MD5
47898f2010ff26407dd609841615614c

SHA1
66591e1ac376b214611bcfd6f7a2db453c8c9731

SHA256
277574f8981f1e891befb4eed2dfd13d10704468570036ff12cada2c3d9c7a65

SHA512
292111aa2318f959c7ca4dd1fd6eb57b30def2b278fbc20dae888395c44129e95d592e084bbe4bea330e3c469e58a84358d9e1380c03881d4271925c7ac421f5

Download Submit
C:\Windows\{B90589C6-3EBC-42fb-A4BB-4D3CE18D9C0C}.exe

Filesize
204KB

MD5
47898f2010ff26407dd609841615614c

SHA1
66591e1ac376b214611bcfd6f7a2db453c8c9731

SHA256
277574f8981f1e891befb4eed2dfd13d10704468570036ff12cada2c3d9c7a65

SHA512
292111aa2318f959c7ca4dd1fd6eb57b30def2b278fbc20dae888395c44129e95d592e084bbe4bea330e3c469e58a84358d9e1380c03881d4271925c7ac421f5

Download Submit
C:\Windows\{C618A510-4905-4e10-A498-55E2D927AB96}.exe

Filesize
204KB

MD5
9c7e77a60d32b241900e539c374fe050

SHA1
b2abfe9c995aaa883cc0dde45c3279e54db5999d

SHA256
1b3ef4e80d26ad08bbff73eed01ff8dca155c170da85a0c0e8b438948a50ae4f

SHA512
e86ae16d1e1bd096004169e21cf17cf1fdc50c5d85d8331d310f72690f11b5478a8841432b76a5481cfbf5a52e441520a823b16dd48b561e1ec54ef60045d012

Download Submit
C:\Windows\{C618A510-4905-4e10-A498-55E2D927AB96}.exe

Filesize
204KB

MD5
9c7e77a60d32b241900e539c374fe050

SHA1
b2abfe9c995aaa883cc0dde45c3279e54db5999d

SHA256
1b3ef4e80d26ad08bbff73eed01ff8dca155c170da85a0c0e8b438948a50ae4f

SHA512
e86ae16d1e1bd096004169e21cf17cf1fdc50c5d85d8331d310f72690f11b5478a8841432b76a5481cfbf5a52e441520a823b16dd48b561e1ec54ef60045d012

Download Submit
C:\Windows\{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe

Filesize
204KB

MD5
8441b65d750225b68bb4af5fcc042abe

SHA1
86079aa4c2b845b7d6762024e30e48c9482614f8

SHA256
d71fab8ec77ec7bff3b4b2ecca93e85f238ce8ae2fae8542dd7fec37c9b4ca9b

SHA512
b08dd9cad038acaeaa4d62f8acf808d536b130a9929bd92329a0a1bc685eaf6dd54d231f52db9237f557ea9711c4f333d7311bd921a6c5a7a658d4cbd2336bb1

Download Submit
C:\Windows\{ECA401E3-A2FE-4504-AF09-625F927927F7}.exe

Filesize
204KB

MD5
8441b65d750225b68bb4af5fcc042abe

SHA1
86079aa4c2b845b7d6762024e30e48c9482614f8

SHA256
d71fab8ec77ec7bff3b4b2ecca93e85f238ce8ae2fae8542dd7fec37c9b4ca9b

SHA512
b08dd9cad038acaeaa4d62f8acf808d536b130a9929bd92329a0a1bc685eaf6dd54d231f52db9237f557ea9711c4f333d7311bd921a6c5a7a658d4cbd2336bb1

Download Submit
C:\Windows\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe

Filesize
204KB

MD5
5a5f39ccf441523751108b723dd0a3d7

SHA1
8759522035c2e3f5fe797bc8fdcbfad454a691fe

SHA256
1da2db75e7cb5e56cda9466db6d6435f00f3a3ceb76f56238da6006d43691c12

SHA512
e8d3dbc419368a7a1ad2a080521cb338cb9bde0fa0e82571be4fffec16779dbb446c6ac7c62e17afdd45c62ac855c424b1ff6a728d2d5d8794b90caeede85f29

Download Submit
C:\Windows\{F1A1EA9A-FB31-4ba5-9774-FEC7F74AA195}.exe

Filesize
204KB

MD5
5a5f39ccf441523751108b723dd0a3d7

SHA1
8759522035c2e3f5fe797bc8fdcbfad454a691fe

SHA256
1da2db75e7cb5e56cda9466db6d6435f00f3a3ceb76f56238da6006d43691c12

SHA512
e8d3dbc419368a7a1ad2a080521cb338cb9bde0fa0e82571be4fffec16779dbb446c6ac7c62e17afdd45c62ac855c424b1ff6a728d2d5d8794b90caeede85f29

Download Submit
C:\Windows\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe

Filesize
204KB

MD5
c7976cb4f4be5a5556e4ec9ab5e0a695

SHA1
17ad6f1a5a6231ec05008684972a57a50b28d4eb

SHA256
dee7c4eb748b289a834c190cf938ed198bbef26376e183fe530f7d6d2f709f20

SHA512
ccf8973a0854a1601529dbd0212d969417c91e6f141c6120e6ee308becbcb71bc58dc66631d2a035add90ffa1582f7f86fccfcd82bcf28a8b69e971e29c46286

Download Submit
C:\Windows\{FD9073C4-1DFB-4b6f-BAA2-8D98EBD9D521}.exe

Filesize
204KB

MD5
c7976cb4f4be5a5556e4ec9ab5e0a695

SHA1
17ad6f1a5a6231ec05008684972a57a50b28d4eb

SHA256
dee7c4eb748b289a834c190cf938ed198bbef26376e183fe530f7d6d2f709f20

SHA512
ccf8973a0854a1601529dbd0212d969417c91e6f141c6120e6ee308becbcb71bc58dc66631d2a035add90ffa1582f7f86fccfcd82bcf28a8b69e971e29c46286

Download Submit