7acd0ce8f99b9bb9aa6adcacddac4f7920af79ef3da197d037f751180b64384b

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 07:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e88ebe93b495fcexeexeexeex.exe
Size

372KB
MD5

e88ebe93b495fc7d6f1992425f43ad80
SHA1

806139245c9bb36584fe66e49dc187ccfe416d92
SHA256

7acd0ce8f99b9bb9aa6adcacddac4f7920af79ef3da197d037f751180b64384b
SHA512

ea302bd06e52d50b955fb2862e022dfb2d8ef83049f6f6f8a6b08fb73f4c50a62484a2479bbcc1b603be581989d2b2253db0d7e796dcb082d04c195fe79ee65e
SSDEEP

3072:CEGh0o+mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG5l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261707CF-7DDB-482d-8B5E-063348396F2E}\stubpath = "C:\\Windows\\{261707CF-7DDB-482d-8B5E-063348396F2E}.exe"	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F8956D-6957-43bb-825F-E4763E352E79}	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20E43AA-4458-4849-81A4-A50064E6ECEE}	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}\stubpath = "C:\\Windows\\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe"	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}\stubpath = "C:\\Windows\\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe"	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261707CF-7DDB-482d-8B5E-063348396F2E}	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129F4379-9A2D-441b-BA58-CB548E933B58}\stubpath = "C:\\Windows\\{129F4379-9A2D-441b-BA58-CB548E933B58}.exe"	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}\stubpath = "C:\\Windows\\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe"	{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}	e88ebe93b495fcexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{618FC8A9-B72F-4973-9125-617F906FA2C4}	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}\stubpath = "C:\\Windows\\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe"	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20E43AA-4458-4849-81A4-A50064E6ECEE}\stubpath = "C:\\Windows\\{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe"	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}	{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}\stubpath = "C:\\Windows\\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe"	e88ebe93b495fcexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}\stubpath = "C:\\Windows\\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe"	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{618FC8A9-B72F-4973-9125-617F906FA2C4}\stubpath = "C:\\Windows\\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe"	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F8956D-6957-43bb-825F-E4763E352E79}\stubpath = "C:\\Windows\\{E0F8956D-6957-43bb-825F-E4763E352E79}.exe"	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}\stubpath = "C:\\Windows\\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe"	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129F4379-9A2D-441b-BA58-CB548E933B58}	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe
3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe
2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
3204	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
460	{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe
1036	{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
File created	C:\Windows\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
File created	C:\Windows\{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe
File created	C:\Windows\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
File created	C:\Windows\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
File created	C:\Windows\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe	{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe
File created	C:\Windows\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	e88ebe93b495fcexeexeexeex.exe
File created	C:\Windows\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
File created	C:\Windows\{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
File created	C:\Windows\{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
File created	C:\Windows\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
File created	C:\Windows\{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	e88ebe93b495fcexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
Token: SeIncBasePriorityPrivilege	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
Token: SeIncBasePriorityPrivilege	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
Token: SeIncBasePriorityPrivilege	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
Token: SeIncBasePriorityPrivilege	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
Token: SeIncBasePriorityPrivilege	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
Token: SeIncBasePriorityPrivilege	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe
Token: SeIncBasePriorityPrivilege	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe
Token: SeIncBasePriorityPrivilege	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
Token: SeIncBasePriorityPrivilege	3204	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
Token: SeIncBasePriorityPrivilege	460	{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3188	2104	e88ebe93b495fcexeexeexeex.exe	102
PID 2104 wrote to memory of 3188	2104	e88ebe93b495fcexeexeexeex.exe	102
PID 2104 wrote to memory of 3188	2104	e88ebe93b495fcexeexeexeex.exe	102
PID 2104 wrote to memory of 3080	2104	e88ebe93b495fcexeexeexeex.exe	103
PID 2104 wrote to memory of 3080	2104	e88ebe93b495fcexeexeexeex.exe	103
PID 2104 wrote to memory of 3080	2104	e88ebe93b495fcexeexeexeex.exe	103
PID 3188 wrote to memory of 4644	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	106
PID 3188 wrote to memory of 4644	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	106
PID 3188 wrote to memory of 4644	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	106
PID 3188 wrote to memory of 4968	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	107
PID 3188 wrote to memory of 4968	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	107
PID 3188 wrote to memory of 4968	3188	{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe	107
PID 4644 wrote to memory of 100	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	110
PID 4644 wrote to memory of 100	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	110
PID 4644 wrote to memory of 100	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	110
PID 4644 wrote to memory of 2064	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	109
PID 4644 wrote to memory of 2064	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	109
PID 4644 wrote to memory of 2064	4644	{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe	109
PID 100 wrote to memory of 3624	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	111
PID 100 wrote to memory of 3624	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	111
PID 100 wrote to memory of 3624	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	111
PID 100 wrote to memory of 4584	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	112
PID 100 wrote to memory of 4584	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	112
PID 100 wrote to memory of 4584	100	{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe	112
PID 3624 wrote to memory of 880	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	113
PID 3624 wrote to memory of 880	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	113
PID 3624 wrote to memory of 880	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	113
PID 3624 wrote to memory of 1544	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	114
PID 3624 wrote to memory of 1544	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	114
PID 3624 wrote to memory of 1544	3624	{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe	114
PID 880 wrote to memory of 4308	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	115
PID 880 wrote to memory of 4308	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	115
PID 880 wrote to memory of 4308	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	115
PID 880 wrote to memory of 3020	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	116
PID 880 wrote to memory of 3020	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	116
PID 880 wrote to memory of 3020	880	{261707CF-7DDB-482d-8B5E-063348396F2E}.exe	116
PID 4308 wrote to memory of 1680	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	117
PID 4308 wrote to memory of 1680	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	117
PID 4308 wrote to memory of 1680	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	117
PID 4308 wrote to memory of 4640	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	118
PID 4308 wrote to memory of 4640	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	118
PID 4308 wrote to memory of 4640	4308	{E0F8956D-6957-43bb-825F-E4763E352E79}.exe	118
PID 1680 wrote to memory of 3512	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	119
PID 1680 wrote to memory of 3512	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	119
PID 1680 wrote to memory of 3512	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	119
PID 1680 wrote to memory of 1516	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	120
PID 1680 wrote to memory of 1516	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	120
PID 1680 wrote to memory of 1516	1680	{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe	120
PID 3512 wrote to memory of 2732	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	121
PID 3512 wrote to memory of 2732	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	121
PID 3512 wrote to memory of 2732	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	121
PID 3512 wrote to memory of 1820	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	122
PID 3512 wrote to memory of 1820	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	122
PID 3512 wrote to memory of 1820	3512	{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe	122
PID 2732 wrote to memory of 3204	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	123
PID 2732 wrote to memory of 3204	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	123
PID 2732 wrote to memory of 3204	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	123
PID 2732 wrote to memory of 1084	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	124
PID 2732 wrote to memory of 1084	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	124
PID 2732 wrote to memory of 1084	2732	{129F4379-9A2D-441b-BA58-CB548E933B58}.exe	124
PID 3204 wrote to memory of 460	3204	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe	125
PID 3204 wrote to memory of 460	3204	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe	125
PID 3204 wrote to memory of 460	3204	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe	125
PID 3204 wrote to memory of 4324	3204	{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe	126

C:\Users\Admin\AppData\Local\Temp\e88ebe93b495fcexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e88ebe93b495fcexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
  C:\Windows\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
    C:\Windows\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6D1F~1.EXE > nul
      4⤵
      PID:2064
  - - C:\Windows\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
      C:\Windows\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:100
    - - C:\Windows\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
        
        C:\Windows\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
        
        C:\Windows\{261707CF-7DDB-482d-8B5E-063348396F2E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
        
        C:\Windows\{E0F8956D-6957-43bb-825F-E4763E352E79}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe
        
        C:\Windows\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe
        
        C:\Windows\{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
        
        C:\Windows\{129F4379-9A2D-441b-BA58-CB548E933B58}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
        
        C:\Windows\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe
        
        C:\Windows\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
        
        C:\Windows\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe
        
        C:\Windows\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe
        13⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ABBF~1.EXE > nul
        13⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{287B1~1.EXE > nul
        12⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{129F4~1.EXE > nul
        11⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A20E4~1.EXE > nul
        10⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB102~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F89~1.EXE > nul
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26170~1.EXE > nul
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A439~1.EXE > nul
        6⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{618FC~1.EXE > nul
        5⤵
        
        PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF13B~1.EXE > nul
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E88EBE~1.EXE > nul
  2⤵
  PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{129F4379-9A2D-441b-BA58-CB548E933B58}.exe

Filesize
372KB

MD5
cc31d6e1d4ee75a492195aaec9d7aee0

SHA1
f9fb6cd97fa3108fa6b45ec65d6e53d56889eb90

SHA256
51256d923b2359aedecafc2689af443325c9730cdc74c8c972b8c5ee3943185d

SHA512
6a7742cec8644a910d4656ead0c8c235b142fd822793c52e8b61fa815ae7728167e2fa9b55e1cb499c97e99b66be0ab1d6be9caa681d17918f1fff3d43931880

Download Submit
C:\Windows\{129F4379-9A2D-441b-BA58-CB548E933B58}.exe

Filesize
372KB

MD5
cc31d6e1d4ee75a492195aaec9d7aee0

SHA1
f9fb6cd97fa3108fa6b45ec65d6e53d56889eb90

SHA256
51256d923b2359aedecafc2689af443325c9730cdc74c8c972b8c5ee3943185d

SHA512
6a7742cec8644a910d4656ead0c8c235b142fd822793c52e8b61fa815ae7728167e2fa9b55e1cb499c97e99b66be0ab1d6be9caa681d17918f1fff3d43931880

Download Submit
C:\Windows\{261707CF-7DDB-482d-8B5E-063348396F2E}.exe

Filesize
372KB

MD5
2b449056cd2a628717ac8cbc4f6c0469

SHA1
d4b8a57accd89d5e638ad2a671e1c69db7b9c62f

SHA256
62dc4fe0651465d3735ac2d00f261e04e084b2ad4076f8ff54f2d127afed0fc4

SHA512
8b23fa0a77eb3e4e2e8a865997dacb2f9fa23e999e25ff7a8db57482812d9fe4fc25ad0334106a2e94d9eeb5b58ec5af885ee85ce3e16c95af18874f09e331ca

Download Submit
C:\Windows\{261707CF-7DDB-482d-8B5E-063348396F2E}.exe

Filesize
372KB

MD5
2b449056cd2a628717ac8cbc4f6c0469

SHA1
d4b8a57accd89d5e638ad2a671e1c69db7b9c62f

SHA256
62dc4fe0651465d3735ac2d00f261e04e084b2ad4076f8ff54f2d127afed0fc4

SHA512
8b23fa0a77eb3e4e2e8a865997dacb2f9fa23e999e25ff7a8db57482812d9fe4fc25ad0334106a2e94d9eeb5b58ec5af885ee85ce3e16c95af18874f09e331ca

Download Submit
C:\Windows\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe

Filesize
372KB

MD5
1aac91d8e82369d01b750a415ef3da02

SHA1
a4ea0f129e0494e307ffa51f4759cb7efe5b64d2

SHA256
30decba88db5e7f7992e8f5997b21be3dc33dddba223ec08fba8b2b95f58bba8

SHA512
2b616ef1b2d9d0e4c5ec8428fa5c36ca43e4a1b7c6e50efeb30e65072a7e7d041e43bd9f12325f3445c199a676661f3632b4a94d5d73bb4c1682825e88fb48e7

Download Submit
C:\Windows\{287B1E68-D437-47d9-BDBA-2DBFA9C62BBA}.exe

Filesize
372KB

MD5
1aac91d8e82369d01b750a415ef3da02

SHA1
a4ea0f129e0494e307ffa51f4759cb7efe5b64d2

SHA256
30decba88db5e7f7992e8f5997b21be3dc33dddba223ec08fba8b2b95f58bba8

SHA512
2b616ef1b2d9d0e4c5ec8428fa5c36ca43e4a1b7c6e50efeb30e65072a7e7d041e43bd9f12325f3445c199a676661f3632b4a94d5d73bb4c1682825e88fb48e7

Download Submit
C:\Windows\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe

Filesize
372KB

MD5
b7136b05b802bd9b7a8563a7b76975ce

SHA1
5aaa0a0f1955bf0b71c7e1aca175ee838203e532

SHA256
02efac17bb2142329b82d00119d1ef27896fab9c6de8f0c13be4d830d71c356b

SHA512
046b8b94efe84dcc2af3d3af20bfcfeae6d8059c821df8e302a3071cd5db2186897c16a3b474d614760070b561aa9a87d4dd0fa3879ba48e5174e60ee6b64f0d

Download Submit
C:\Windows\{2A439CFE-F392-491c-ADB6-8C3A21FB70E1}.exe

Filesize
372KB

MD5
b7136b05b802bd9b7a8563a7b76975ce

SHA1
5aaa0a0f1955bf0b71c7e1aca175ee838203e532

SHA256
02efac17bb2142329b82d00119d1ef27896fab9c6de8f0c13be4d830d71c356b

SHA512
046b8b94efe84dcc2af3d3af20bfcfeae6d8059c821df8e302a3071cd5db2186897c16a3b474d614760070b561aa9a87d4dd0fa3879ba48e5174e60ee6b64f0d

Download Submit
C:\Windows\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe

Filesize
372KB

MD5
130ae37698af7ea944204dd0ed20f430

SHA1
eee8416baccd9489d4c44fd51ca828e72aa3c1a0

SHA256
e0f9e8fe6e7518c20e85a3877d6f4412d691eb5847d952b770056f0bde5ab767

SHA512
ce0eaaf27f7a713eceaa68684560960be4608333249c6d394170ea018997d2a9b919031bfec66ec12b01266be5443b6330f60c4d3042495d4cc2c01625205a80

Download Submit
C:\Windows\{3ABBF492-240B-40f9-BF76-AC7799A3A80E}.exe

Filesize
372KB

MD5
130ae37698af7ea944204dd0ed20f430

SHA1
eee8416baccd9489d4c44fd51ca828e72aa3c1a0

SHA256
e0f9e8fe6e7518c20e85a3877d6f4412d691eb5847d952b770056f0bde5ab767

SHA512
ce0eaaf27f7a713eceaa68684560960be4608333249c6d394170ea018997d2a9b919031bfec66ec12b01266be5443b6330f60c4d3042495d4cc2c01625205a80

Download Submit
C:\Windows\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe

Filesize
372KB

MD5
b0c095aa81540a9a5be78d22288caa7a

SHA1
6c47ba72660e78b434498f91e5283fd4c7b1885e

SHA256
725c7094945f044c33bd610089be9e4e5ea2c00ba6562acb3818aa59ab4f1d41

SHA512
8a1f7acf41716ba2d7908e193f503e4ed80c28f58b18d9509b926254d65445bbda4f0651b6013a57dcbd2dbacb796159eb549794a2c45e6e81b7cddf3bc64920

Download Submit
C:\Windows\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe

Filesize
372KB

MD5
b0c095aa81540a9a5be78d22288caa7a

SHA1
6c47ba72660e78b434498f91e5283fd4c7b1885e

SHA256
725c7094945f044c33bd610089be9e4e5ea2c00ba6562acb3818aa59ab4f1d41

SHA512
8a1f7acf41716ba2d7908e193f503e4ed80c28f58b18d9509b926254d65445bbda4f0651b6013a57dcbd2dbacb796159eb549794a2c45e6e81b7cddf3bc64920

Download Submit
C:\Windows\{618FC8A9-B72F-4973-9125-617F906FA2C4}.exe

Filesize
372KB

MD5
b0c095aa81540a9a5be78d22288caa7a

SHA1
6c47ba72660e78b434498f91e5283fd4c7b1885e

SHA256
725c7094945f044c33bd610089be9e4e5ea2c00ba6562acb3818aa59ab4f1d41

SHA512
8a1f7acf41716ba2d7908e193f503e4ed80c28f58b18d9509b926254d65445bbda4f0651b6013a57dcbd2dbacb796159eb549794a2c45e6e81b7cddf3bc64920

Download Submit
C:\Windows\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe

Filesize
372KB

MD5
e73da14581c6126cdc1a50ef00675d32

SHA1
977e827d9d39422f05c0409b77378e064fe10166

SHA256
ed24d6000b1c580fab2ea7dbdb249e93ce6f3429006ca0fc19981ab40955fc52

SHA512
d4d8bd9f11adc0d92234b739cbc1902de5decdb93bf2d45267df34ec25511ad5d5223badd11a8d53e6a03c6da1b5a3f8fb8120204ddeeac9d38155d6591257d3

Download Submit
C:\Windows\{8D37BCA0-7691-4959-9974-C6FABBAE2E41}.exe

Filesize
372KB

MD5
e73da14581c6126cdc1a50ef00675d32

SHA1
977e827d9d39422f05c0409b77378e064fe10166

SHA256
ed24d6000b1c580fab2ea7dbdb249e93ce6f3429006ca0fc19981ab40955fc52

SHA512
d4d8bd9f11adc0d92234b739cbc1902de5decdb93bf2d45267df34ec25511ad5d5223badd11a8d53e6a03c6da1b5a3f8fb8120204ddeeac9d38155d6591257d3

Download Submit
C:\Windows\{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe

Filesize
372KB

MD5
28067b73472fd17eeabc9034b661494e

SHA1
c91416e5ca4d8d6ab2af85fa6fa99707022ac8f1

SHA256
4667536c95f3080766d2710f3e8e08b2ed991a6163840c6778bc35cb5f46fdb9

SHA512
423f44d829ce4fc79ef198c8c3fe24371f6c59bf626dd85db5d3169b62c3a6c0486003e84eb6f10a64a7a2ae9894251aef17f27e8f04ba5c736c4562feafd57f

Download Submit
C:\Windows\{A20E43AA-4458-4849-81A4-A50064E6ECEE}.exe

Filesize
372KB

MD5
28067b73472fd17eeabc9034b661494e

SHA1
c91416e5ca4d8d6ab2af85fa6fa99707022ac8f1

SHA256
4667536c95f3080766d2710f3e8e08b2ed991a6163840c6778bc35cb5f46fdb9

SHA512
423f44d829ce4fc79ef198c8c3fe24371f6c59bf626dd85db5d3169b62c3a6c0486003e84eb6f10a64a7a2ae9894251aef17f27e8f04ba5c736c4562feafd57f

Download Submit
C:\Windows\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe

Filesize
372KB

MD5
81d73ee8e9ea8ac56d4b83cc164cb33b

SHA1
8928b36e66770ea9df77c8a550d3af4360a9fa42

SHA256
6c558c615a118cf0895efa46f32c1729943ce5369b568a2649b3994e7fc10670

SHA512
444d0bb22b1caaa8912856760b520087b5ead4ae134bfd12bb098d790d6830b3ca6eb2e6f9ba423422f3adb08c2be000793cf5696b5766b9809c7d5276028aed

Download Submit
C:\Windows\{DF13BE7F-99DC-4a7c-8A1F-B84E7994BA6E}.exe

Filesize
372KB

MD5
81d73ee8e9ea8ac56d4b83cc164cb33b

SHA1
8928b36e66770ea9df77c8a550d3af4360a9fa42

SHA256
6c558c615a118cf0895efa46f32c1729943ce5369b568a2649b3994e7fc10670

SHA512
444d0bb22b1caaa8912856760b520087b5ead4ae134bfd12bb098d790d6830b3ca6eb2e6f9ba423422f3adb08c2be000793cf5696b5766b9809c7d5276028aed

Download Submit
C:\Windows\{E0F8956D-6957-43bb-825F-E4763E352E79}.exe

Filesize
372KB

MD5
519a352469f65e44a31dfde637274669

SHA1
2c583c210b8a8d9d46d89422d6cfc44a8d817afd

SHA256
d82cf39f26cbeb7c6e01b4ae01f416950ca2e84be4f29f5eb1f387c9207aabac

SHA512
abc7712374b3d6559fbae0459ee68b4808c334228de7ef6ce5d64c5ba21f9bf6ece7c196cfceec99e862cb3e7fdabc2dd56ac257ff696ff0bdcf2659fa2167c3

Download Submit
C:\Windows\{E0F8956D-6957-43bb-825F-E4763E352E79}.exe

Filesize
372KB

MD5
519a352469f65e44a31dfde637274669

SHA1
2c583c210b8a8d9d46d89422d6cfc44a8d817afd

SHA256
d82cf39f26cbeb7c6e01b4ae01f416950ca2e84be4f29f5eb1f387c9207aabac

SHA512
abc7712374b3d6559fbae0459ee68b4808c334228de7ef6ce5d64c5ba21f9bf6ece7c196cfceec99e862cb3e7fdabc2dd56ac257ff696ff0bdcf2659fa2167c3

Download Submit
C:\Windows\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe

Filesize
372KB

MD5
26123048c7283275e5f2fb226481f61e

SHA1
a1e3d2073d996be3b524b4bbef6aef5326c0cb73

SHA256
c452dca54575a7322a5db16b37c5d5abcba8dc0ae6b3511af1e809cdec60eb89

SHA512
c4b93712bdc5dbb1829208a3d9d0ec3744eea720eb6870ec17137938c0f5f63fc343e08f06b063f2228f2d1280b7b44f8b9d431f91cb1bba0c5e586004192d93

Download Submit
C:\Windows\{E6D1F4E7-C7A1-47bb-9293-66A1B67533BA}.exe

Filesize
372KB

MD5
26123048c7283275e5f2fb226481f61e

SHA1
a1e3d2073d996be3b524b4bbef6aef5326c0cb73

SHA256
c452dca54575a7322a5db16b37c5d5abcba8dc0ae6b3511af1e809cdec60eb89

SHA512
c4b93712bdc5dbb1829208a3d9d0ec3744eea720eb6870ec17137938c0f5f63fc343e08f06b063f2228f2d1280b7b44f8b9d431f91cb1bba0c5e586004192d93

Download Submit
C:\Windows\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe

Filesize
372KB

MD5
d621148e987b257a545116861b6acb4e

SHA1
9e80a856836ac09d820b91a61a9a87e23cb4cb3c

SHA256
663f6ffce7376da1901425c057b37ab99529b4d7e8d8f31cf60a71e10c5dc06e

SHA512
bb52a8eebf5220be5017b937505d2fceeb1d5efc505c4d6c2a61ee41021e9c9c9581e4f335627843826f779bc6ee67741d287e53a4a6c81441a4c566c768310e

Download Submit
C:\Windows\{FB10237B-B9F6-4c42-BA09-DE8FEA33DEE4}.exe

Filesize
372KB

MD5
d621148e987b257a545116861b6acb4e

SHA1
9e80a856836ac09d820b91a61a9a87e23cb4cb3c

SHA256
663f6ffce7376da1901425c057b37ab99529b4d7e8d8f31cf60a71e10c5dc06e

SHA512
bb52a8eebf5220be5017b937505d2fceeb1d5efc505c4d6c2a61ee41021e9c9c9581e4f335627843826f779bc6ee67741d287e53a4a6c81441a4c566c768310e

Download Submit