22fba7712b76af301f61b588c9fd0efa4472f577c401f5d6a58bc72e6af9b720

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee45be30e1db34exeexeexeex.exe
Size

168KB
MD5

ee45be30e1db34aeaa7030c3011332b9
SHA1

a6871d0f16983eedb2370adf096faa6cb3285c93
SHA256

22fba7712b76af301f61b588c9fd0efa4472f577c401f5d6a58bc72e6af9b720
SHA512

778ac38c101228733bcf7be385d8a43ed9ae7d590a78eeb822bb78aaf71e2fc815194d1f1684c37500e73956b5e9099b3b730ebc136fedd5c51a4ee83c500de9
SSDEEP

1536:1EGh0oClq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oClqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CE87178-041F-47b3-AE60-8FFD69AA397D}\stubpath = "C:\\Windows\\{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe"	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C46BD4-61C5-4fb6-9320-3327E3626810}	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C46BD4-61C5-4fb6-9320-3327E3626810}\stubpath = "C:\\Windows\\{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe"	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}\stubpath = "C:\\Windows\\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe"	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B781F03-40EA-482d-8572-DF7F02401577}	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}\stubpath = "C:\\Windows\\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe"	{2B781F03-40EA-482d-8572-DF7F02401577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}\stubpath = "C:\\Windows\\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe"	ee45be30e1db34exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2728FE2D-136E-42fb-8F19-C14DF0D28236}\stubpath = "C:\\Windows\\{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe"	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2728FE2D-136E-42fb-8F19-C14DF0D28236}	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}	{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}\stubpath = "C:\\Windows\\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe"	{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CE87178-041F-47b3-AE60-8FFD69AA397D}	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}\stubpath = "C:\\Windows\\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe"	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}\stubpath = "C:\\Windows\\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe"	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}\stubpath = "C:\\Windows\\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe"	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}\stubpath = "C:\\Windows\\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe"	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}	ee45be30e1db34exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}	{2B781F03-40EA-482d-8572-DF7F02401577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B781F03-40EA-482d-8572-DF7F02401577}\stubpath = "C:\\Windows\\{2B781F03-40EA-482d-8572-DF7F02401577}.exe"	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe
912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe
3012	{2B781F03-40EA-482d-8572-DF7F02401577}.exe
1020	{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe
216	{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
File created	C:\Windows\{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
File created	C:\Windows\{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
File created	C:\Windows\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
File created	C:\Windows\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
File created	C:\Windows\{2B781F03-40EA-482d-8572-DF7F02401577}.exe	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe
File created	C:\Windows\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	ee45be30e1db34exeexeexeex.exe
File created	C:\Windows\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
File created	C:\Windows\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
File created	C:\Windows\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe	{2B781F03-40EA-482d-8572-DF7F02401577}.exe
File created	C:\Windows\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe	{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe
File created	C:\Windows\{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3572	ee45be30e1db34exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe
Token: SeIncBasePriorityPrivilege	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
Token: SeIncBasePriorityPrivilege	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
Token: SeIncBasePriorityPrivilege	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
Token: SeIncBasePriorityPrivilege	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
Token: SeIncBasePriorityPrivilege	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
Token: SeIncBasePriorityPrivilege	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
Token: SeIncBasePriorityPrivilege	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
Token: SeIncBasePriorityPrivilege	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe
Token: SeIncBasePriorityPrivilege	3012	{2B781F03-40EA-482d-8572-DF7F02401577}.exe
Token: SeIncBasePriorityPrivilege	1020	{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4580	3572	ee45be30e1db34exeexeexeex.exe	96
PID 3572 wrote to memory of 4580	3572	ee45be30e1db34exeexeexeex.exe	96
PID 3572 wrote to memory of 4580	3572	ee45be30e1db34exeexeexeex.exe	96
PID 3572 wrote to memory of 868	3572	ee45be30e1db34exeexeexeex.exe	97
PID 3572 wrote to memory of 868	3572	ee45be30e1db34exeexeexeex.exe	97
PID 3572 wrote to memory of 868	3572	ee45be30e1db34exeexeexeex.exe	97
PID 4580 wrote to memory of 912	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	98
PID 4580 wrote to memory of 912	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	98
PID 4580 wrote to memory of 912	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	98
PID 4580 wrote to memory of 3796	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	99
PID 4580 wrote to memory of 3796	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	99
PID 4580 wrote to memory of 3796	4580	{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe	99
PID 912 wrote to memory of 4632	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	103
PID 912 wrote to memory of 4632	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	103
PID 912 wrote to memory of 4632	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	103
PID 912 wrote to memory of 3540	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	102
PID 912 wrote to memory of 3540	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	102
PID 912 wrote to memory of 3540	912	{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe	102
PID 4632 wrote to memory of 4012	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	104
PID 4632 wrote to memory of 4012	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	104
PID 4632 wrote to memory of 4012	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	104
PID 4632 wrote to memory of 4928	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	105
PID 4632 wrote to memory of 4928	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	105
PID 4632 wrote to memory of 4928	4632	{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe	105
PID 4012 wrote to memory of 4712	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	106
PID 4012 wrote to memory of 4712	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	106
PID 4012 wrote to memory of 4712	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	106
PID 4012 wrote to memory of 4120	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	107
PID 4012 wrote to memory of 4120	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	107
PID 4012 wrote to memory of 4120	4012	{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe	107
PID 4712 wrote to memory of 1004	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	108
PID 4712 wrote to memory of 1004	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	108
PID 4712 wrote to memory of 1004	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	108
PID 4712 wrote to memory of 2920	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	109
PID 4712 wrote to memory of 2920	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	109
PID 4712 wrote to memory of 2920	4712	{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe	109
PID 1004 wrote to memory of 3372	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	113
PID 1004 wrote to memory of 3372	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	113
PID 1004 wrote to memory of 3372	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	113
PID 1004 wrote to memory of 3020	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	114
PID 1004 wrote to memory of 3020	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	114
PID 1004 wrote to memory of 3020	1004	{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe	114
PID 3372 wrote to memory of 1576	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	115
PID 3372 wrote to memory of 1576	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	115
PID 3372 wrote to memory of 1576	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	115
PID 3372 wrote to memory of 4432	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	116
PID 3372 wrote to memory of 4432	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	116
PID 3372 wrote to memory of 4432	3372	{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe	116
PID 1576 wrote to memory of 4752	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	117
PID 1576 wrote to memory of 4752	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	117
PID 1576 wrote to memory of 4752	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	117
PID 1576 wrote to memory of 808	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	118
PID 1576 wrote to memory of 808	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	118
PID 1576 wrote to memory of 808	1576	{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe	118
PID 4752 wrote to memory of 3012	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	119
PID 4752 wrote to memory of 3012	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	119
PID 4752 wrote to memory of 3012	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	119
PID 4752 wrote to memory of 1944	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	120
PID 4752 wrote to memory of 1944	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	120
PID 4752 wrote to memory of 1944	4752	{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe	120
PID 3012 wrote to memory of 1020	3012	{2B781F03-40EA-482d-8572-DF7F02401577}.exe	121
PID 3012 wrote to memory of 1020	3012	{2B781F03-40EA-482d-8572-DF7F02401577}.exe	121
PID 3012 wrote to memory of 1020	3012	{2B781F03-40EA-482d-8572-DF7F02401577}.exe	121
PID 3012 wrote to memory of 3520	3012	{2B781F03-40EA-482d-8572-DF7F02401577}.exe	122

C:\Users\Admin\AppData\Local\Temp\ee45be30e1db34exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ee45be30e1db34exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe
  C:\Windows\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
    C:\Windows\{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE87~1.EXE > nul
      4⤵
      PID:3540
  - - C:\Windows\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
      C:\Windows\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
        
        C:\Windows\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
        
        C:\Windows\{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
        
        C:\Windows\{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
        
        C:\Windows\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
        
        C:\Windows\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe
        
        C:\Windows\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\{2B781F03-40EA-482d-8572-DF7F02401577}.exe
        
        C:\Windows\{2B781F03-40EA-482d-8572-DF7F02401577}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe
        
        C:\Windows\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe
        
        C:\Windows\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe
        13⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022BD~1.EXE > nul
        13⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B781~1.EXE > nul
        12⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7E4~1.EXE > nul
        11⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3100~1.EXE > nul
        10⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{760FA~1.EXE > nul
        9⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2728F~1.EXE > nul
        8⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77C46~1.EXE > nul
        7⤵
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92A5A~1.EXE > nul
        6⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEE8F~1.EXE > nul
        5⤵
        
        PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CAFD5~1.EXE > nul
    3⤵
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EE45BE~1.EXE > nul
  2⤵
  PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe

Filesize
168KB

MD5
8a0236a232b3a1923fa1697a741a220e

SHA1
39925ae856151aa3ee5cd52a4cd4a9fb87d6adda

SHA256
5f52c05870ce61b7a4b36aed57381f3f92f505b5ab1c6584a46c12ed5f286d6e

SHA512
c208b669c3296218419360945b3f7b099f7c81477fb14ea6a99b6c6d1f9b5df2c7571c3e20dbf62a4f5e3f1367b74c71d24db1f98d9e9ee603c658dcbe3ef9aa

Download Submit
C:\Windows\{022BDD76-FF41-48ac-A2F8-AED625DCD38B}.exe

Filesize
168KB

MD5
8a0236a232b3a1923fa1697a741a220e

SHA1
39925ae856151aa3ee5cd52a4cd4a9fb87d6adda

SHA256
5f52c05870ce61b7a4b36aed57381f3f92f505b5ab1c6584a46c12ed5f286d6e

SHA512
c208b669c3296218419360945b3f7b099f7c81477fb14ea6a99b6c6d1f9b5df2c7571c3e20dbf62a4f5e3f1367b74c71d24db1f98d9e9ee603c658dcbe3ef9aa

Download Submit
C:\Windows\{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe

Filesize
168KB

MD5
b6fe4cc3e3add0706edb75dd291f784a

SHA1
c74c3ff627bc68116399e6c1f8642091d08a6b96

SHA256
05c579b0008d81c72d715b87e8c19c087f746366775194ef4db3076ed0578134

SHA512
7a349871a0437bc1ba85c0b399f49ef22493bb233a4296631840e40e85fd01476912742f71379b6537f9d06bbb831e99856ccde1a86a0ef705417c676203a937

Download Submit
C:\Windows\{0CE87178-041F-47b3-AE60-8FFD69AA397D}.exe

Filesize
168KB

MD5
b6fe4cc3e3add0706edb75dd291f784a

SHA1
c74c3ff627bc68116399e6c1f8642091d08a6b96

SHA256
05c579b0008d81c72d715b87e8c19c087f746366775194ef4db3076ed0578134

SHA512
7a349871a0437bc1ba85c0b399f49ef22493bb233a4296631840e40e85fd01476912742f71379b6537f9d06bbb831e99856ccde1a86a0ef705417c676203a937

Download Submit
C:\Windows\{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe

Filesize
168KB

MD5
e72f27c64064cb8f953f544016a9c2fa

SHA1
4ae25e3fb642b03fe8f7ff78815e1534165658ae

SHA256
500ade00e46171e2e7a42d9e2f000f82e5d0fd37bcb34359ac0538a5b67a6588

SHA512
06a9e7b4b0c8202034e3e96af818454011fb6d1e58c4b18f016b93c223a0f53f1c320ba946731c9d3eb30da1552f08948e2322b4255b47069f5c2c32be1ef66f

Download Submit
C:\Windows\{2728FE2D-136E-42fb-8F19-C14DF0D28236}.exe

Filesize
168KB

MD5
e72f27c64064cb8f953f544016a9c2fa

SHA1
4ae25e3fb642b03fe8f7ff78815e1534165658ae

SHA256
500ade00e46171e2e7a42d9e2f000f82e5d0fd37bcb34359ac0538a5b67a6588

SHA512
06a9e7b4b0c8202034e3e96af818454011fb6d1e58c4b18f016b93c223a0f53f1c320ba946731c9d3eb30da1552f08948e2322b4255b47069f5c2c32be1ef66f

Download Submit
C:\Windows\{2B781F03-40EA-482d-8572-DF7F02401577}.exe

Filesize
168KB

MD5
693ad9d40cfe91331f70af1add837c86

SHA1
7e46b27407a99ac80579ee15290a69c4d9a18bbd

SHA256
6e0e0a6b1610bd8fdc0af42e399a4d6de581cfac112b67a33e9ea130a29606ab

SHA512
e16d152b215fb133d31a53e454feefa8d868519ebdf16d1b179b5bd86dcf5efb1a3c102674e02a4857cfb154e89f54314c22356476f2eeff8feba65e185678ca

Download Submit
C:\Windows\{2B781F03-40EA-482d-8572-DF7F02401577}.exe

Filesize
168KB

MD5
693ad9d40cfe91331f70af1add837c86

SHA1
7e46b27407a99ac80579ee15290a69c4d9a18bbd

SHA256
6e0e0a6b1610bd8fdc0af42e399a4d6de581cfac112b67a33e9ea130a29606ab

SHA512
e16d152b215fb133d31a53e454feefa8d868519ebdf16d1b179b5bd86dcf5efb1a3c102674e02a4857cfb154e89f54314c22356476f2eeff8feba65e185678ca

Download Submit
C:\Windows\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe

Filesize
168KB

MD5
a20f87f8c07317815be830101cf12259

SHA1
0488551f765f00cde31dda67a44143054944ebcf

SHA256
d1af39d683f0ba3125cb653d0e76ec6fd3e7288d9ab5fd86bfb659f7db7e4e37

SHA512
8d2e039484f4c7f2c0c3990995d7ab3351cc8541de30a79254adf433d54384be043fda1c1555e24c99f937565eb95243b82b80fb14947d2236f70c5e5e7351cc

Download Submit
C:\Windows\{2E1153B6-90A6-485b-B19F-D97CD253F7CC}.exe

Filesize
168KB

MD5
a20f87f8c07317815be830101cf12259

SHA1
0488551f765f00cde31dda67a44143054944ebcf

SHA256
d1af39d683f0ba3125cb653d0e76ec6fd3e7288d9ab5fd86bfb659f7db7e4e37

SHA512
8d2e039484f4c7f2c0c3990995d7ab3351cc8541de30a79254adf433d54384be043fda1c1555e24c99f937565eb95243b82b80fb14947d2236f70c5e5e7351cc

Download Submit
C:\Windows\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe

Filesize
168KB

MD5
ee4ba79325d1b6168017721b7bdb702e

SHA1
b48b952a8e06ada44270dc6a93a2e44afe4dddf7

SHA256
bf6d7954521aa1815f0d72a2dfc6e9eb0a8d7e3b9d108b0a223578fd0ff9003c

SHA512
41875a4cdef52fde0bc81d9fa08534c66c3a2425b8740b31afc6ac5e9a20d5a0b780990de85f1e188d42296c5954759eb6e415f421e976af37aa89ceb7ce420f

Download Submit
C:\Windows\{760FA231-2E61-49e0-9C0D-BB9D97322FD5}.exe

Filesize
168KB

MD5
ee4ba79325d1b6168017721b7bdb702e

SHA1
b48b952a8e06ada44270dc6a93a2e44afe4dddf7

SHA256
bf6d7954521aa1815f0d72a2dfc6e9eb0a8d7e3b9d108b0a223578fd0ff9003c

SHA512
41875a4cdef52fde0bc81d9fa08534c66c3a2425b8740b31afc6ac5e9a20d5a0b780990de85f1e188d42296c5954759eb6e415f421e976af37aa89ceb7ce420f

Download Submit
C:\Windows\{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe

Filesize
168KB

MD5
8efa9ea5ba3aaa83effae4625afeecb9

SHA1
f61503fe234d45c26e2531f603b64eb6dd796f60

SHA256
61651afbdab67ef387f738ce220b593a4326f1d6110eea32e4ab23455ed5c89a

SHA512
b060b541bf0a2f3ab9e20316f50fde2cd1bb9a66163bc07922041a338d98704606c7b27a90b42f619597947bf8c58a8ff4fb7b642e706bf6a64f85aa692878d5

Download Submit
C:\Windows\{77C46BD4-61C5-4fb6-9320-3327E3626810}.exe

Filesize
168KB

MD5
8efa9ea5ba3aaa83effae4625afeecb9

SHA1
f61503fe234d45c26e2531f603b64eb6dd796f60

SHA256
61651afbdab67ef387f738ce220b593a4326f1d6110eea32e4ab23455ed5c89a

SHA512
b060b541bf0a2f3ab9e20316f50fde2cd1bb9a66163bc07922041a338d98704606c7b27a90b42f619597947bf8c58a8ff4fb7b642e706bf6a64f85aa692878d5

Download Submit
C:\Windows\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe

Filesize
168KB

MD5
e1969119918ba81f24eb6b2ad57580f6

SHA1
c013be80d05b27a0739d265b92007be279dddf97

SHA256
efd2b8991cf6a84cdf331254c966e6177c485b4b7d94e461ff431b81c8f15476

SHA512
62819f1a90dcf9b6fffc16b7b2a3cdd22fbd87d48bcca34cef3025e7dffc4533b886b3b91fb79e254fa3f3926bd5405e1a5fc6b2933fbd8deec88f0f4cedb1e8

Download Submit
C:\Windows\{8A7E41F0-5B60-476c-B10C-EAFF1C8EAEF5}.exe

Filesize
168KB

MD5
e1969119918ba81f24eb6b2ad57580f6

SHA1
c013be80d05b27a0739d265b92007be279dddf97

SHA256
efd2b8991cf6a84cdf331254c966e6177c485b4b7d94e461ff431b81c8f15476

SHA512
62819f1a90dcf9b6fffc16b7b2a3cdd22fbd87d48bcca34cef3025e7dffc4533b886b3b91fb79e254fa3f3926bd5405e1a5fc6b2933fbd8deec88f0f4cedb1e8

Download Submit
C:\Windows\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe

Filesize
168KB

MD5
97b592d4d612a193f0a9fb5b8e7f74e0

SHA1
c3c3d17caebd2d5f4479a3b5180b2b7a9e766e53

SHA256
d019c8cb4c3701e4e032db50273b6f9ccbff594807b2fbffcce0878366ca2c70

SHA512
a3067d03460d88eb71ace3134476fc42ab543ddb0ece97cf5d154c9193252eda07714f71ad8357c365484ecd732f3a5822781b1218c1e3b636514773af3a368f

Download Submit
C:\Windows\{92A5A3D7-ED9E-4e52-9F0F-A072559BEDF2}.exe

Filesize
168KB

MD5
97b592d4d612a193f0a9fb5b8e7f74e0

SHA1
c3c3d17caebd2d5f4479a3b5180b2b7a9e766e53

SHA256
d019c8cb4c3701e4e032db50273b6f9ccbff594807b2fbffcce0878366ca2c70

SHA512
a3067d03460d88eb71ace3134476fc42ab543ddb0ece97cf5d154c9193252eda07714f71ad8357c365484ecd732f3a5822781b1218c1e3b636514773af3a368f

Download Submit
C:\Windows\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe

Filesize
168KB

MD5
12a02a135e2d0322c3b230f36eab113f

SHA1
c64050fec7b84fca7face99befbb163a548d2009

SHA256
c7f1e62b14aa0d141190d9cf71e81fb097d070b9a16854ae60cf7bd90d856f44

SHA512
98ccc659c7ff9c445a888023ae7a0dc6ee40e116f9064c14bbd67bda76a1c97d456464e37f72b8e81d778c51fc49ab8f4f39db2b89cf12621b6b2c5fdb95a422

Download Submit
C:\Windows\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe

Filesize
168KB

MD5
12a02a135e2d0322c3b230f36eab113f

SHA1
c64050fec7b84fca7face99befbb163a548d2009

SHA256
c7f1e62b14aa0d141190d9cf71e81fb097d070b9a16854ae60cf7bd90d856f44

SHA512
98ccc659c7ff9c445a888023ae7a0dc6ee40e116f9064c14bbd67bda76a1c97d456464e37f72b8e81d778c51fc49ab8f4f39db2b89cf12621b6b2c5fdb95a422

Download Submit
C:\Windows\{AEE8F38F-A5E6-4f0c-88DD-C24BE6925CC6}.exe

Filesize
168KB

MD5
12a02a135e2d0322c3b230f36eab113f

SHA1
c64050fec7b84fca7face99befbb163a548d2009

SHA256
c7f1e62b14aa0d141190d9cf71e81fb097d070b9a16854ae60cf7bd90d856f44

SHA512
98ccc659c7ff9c445a888023ae7a0dc6ee40e116f9064c14bbd67bda76a1c97d456464e37f72b8e81d778c51fc49ab8f4f39db2b89cf12621b6b2c5fdb95a422

Download Submit
C:\Windows\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe

Filesize
168KB

MD5
5cffc011680997101b49cfb09e40cde4

SHA1
33558446098abba92c1d0ba2ebe6e427d4026be5

SHA256
137df22c83fbbeb0dafd62adda6195d842f88ac1064a3c8b4984057e194f2cb3

SHA512
368a81b8ce1928e0ac3946d1d8a5c8cd3ae2a22e309672a5092062857ec1575883c043cf8bef48a0a8d6e6224909da382d725ccdeb98c5c99e6d3249482d74ac

Download Submit
C:\Windows\{CAFD5AFE-1045-44fa-AE4B-184F6051B34E}.exe

Filesize
168KB

MD5
5cffc011680997101b49cfb09e40cde4

SHA1
33558446098abba92c1d0ba2ebe6e427d4026be5

SHA256
137df22c83fbbeb0dafd62adda6195d842f88ac1064a3c8b4984057e194f2cb3

SHA512
368a81b8ce1928e0ac3946d1d8a5c8cd3ae2a22e309672a5092062857ec1575883c043cf8bef48a0a8d6e6224909da382d725ccdeb98c5c99e6d3249482d74ac

Download Submit
C:\Windows\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe

Filesize
168KB

MD5
b68f003df2d8f63eed320f5b37c9e10a

SHA1
a04380066a9347ac3cfa3e03fb4a06833931e5c9

SHA256
7ecd95c4b607acc239c6b16047ee28c392425652ddb34e79b582628551e787ee

SHA512
127b985a913ce5584122b5aab5735201ee0ec9ca5be06de834fc5c2e01953484412cc5b20de88efcf8a6b9d3fc0f05627ee0f6d4320e25cf2583547277d8081e

Download Submit
C:\Windows\{E3100D5C-7B61-4e1a-9082-8DEF9EF329EE}.exe

Filesize
168KB

MD5
b68f003df2d8f63eed320f5b37c9e10a

SHA1
a04380066a9347ac3cfa3e03fb4a06833931e5c9

SHA256
7ecd95c4b607acc239c6b16047ee28c392425652ddb34e79b582628551e787ee

SHA512
127b985a913ce5584122b5aab5735201ee0ec9ca5be06de834fc5c2e01953484412cc5b20de88efcf8a6b9d3fc0f05627ee0f6d4320e25cf2583547277d8081e

Download Submit