006ea7f53b28260aad3b5106c5666e641287329c86a11079932dbdc97ddf460d

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9e805a890e76dexeexeexeex.exe
Size

168KB
MD5

e9e805a890e76d93c951642e25260d9e
SHA1

5e43dc46db2061640cbaa14f50cce15afc027813
SHA256

006ea7f53b28260aad3b5106c5666e641287329c86a11079932dbdc97ddf460d
SHA512

642905268ba0f5f00b11477ce1ad990228996ee2be861305161c412bdfc0b0adb5a8478f9f8ab18153a3432106d146bb749f257e84be9993f098d83e0ebc5257
SSDEEP

1536:1EGh0oilq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oilqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1822266-9AA8-4e32-A829-24E0219A68D7}	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}\stubpath = "C:\\Windows\\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe"	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}\stubpath = "C:\\Windows\\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe"	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5D0184-F32A-4004-9930-61DD41FF3F75}	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}\stubpath = "C:\\Windows\\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe"	e9e805a890e76dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5D0184-F32A-4004-9930-61DD41FF3F75}\stubpath = "C:\\Windows\\{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe"	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E713DF7-A4ED-4102-89E3-C5D54620739C}	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E713DF7-A4ED-4102-89E3-C5D54620739C}\stubpath = "C:\\Windows\\{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe"	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}	e9e805a890e76dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7125F0AB-930F-4ed6-B440-669D139F4950}	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7125F0AB-930F-4ed6-B440-669D139F4950}\stubpath = "C:\\Windows\\{7125F0AB-930F-4ed6-B440-669D139F4950}.exe"	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6932204E-1D2F-47e0-B33D-7F4393625F10}	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6932204E-1D2F-47e0-B33D-7F4393625F10}\stubpath = "C:\\Windows\\{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe"	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}\stubpath = "C:\\Windows\\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe"	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}\stubpath = "C:\\Windows\\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe"	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1822266-9AA8-4e32-A829-24E0219A68D7}\stubpath = "C:\\Windows\\{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe"	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}\stubpath = "C:\\Windows\\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe"	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe
3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe
2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
5116	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe
4148	{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
File created	C:\Windows\{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
File created	C:\Windows\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe
File created	C:\Windows\{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
File created	C:\Windows\{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
File created	C:\Windows\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	e9e805a890e76dexeexeexeex.exe
File created	C:\Windows\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
File created	C:\Windows\{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
File created	C:\Windows\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe
File created	C:\Windows\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
File created	C:\Windows\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1752	e9e805a890e76dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
Token: SeIncBasePriorityPrivilege	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
Token: SeIncBasePriorityPrivilege	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
Token: SeIncBasePriorityPrivilege	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe
Token: SeIncBasePriorityPrivilege	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
Token: SeIncBasePriorityPrivilege	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe
Token: SeIncBasePriorityPrivilege	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
Token: SeIncBasePriorityPrivilege	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
Token: SeIncBasePriorityPrivilege	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
Token: SeIncBasePriorityPrivilege	5116	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2716	1752	e9e805a890e76dexeexeexeex.exe	90
PID 1752 wrote to memory of 2716	1752	e9e805a890e76dexeexeexeex.exe	90
PID 1752 wrote to memory of 2716	1752	e9e805a890e76dexeexeexeex.exe	90
PID 1752 wrote to memory of 2976	1752	e9e805a890e76dexeexeexeex.exe	91
PID 1752 wrote to memory of 2976	1752	e9e805a890e76dexeexeexeex.exe	91
PID 1752 wrote to memory of 2976	1752	e9e805a890e76dexeexeexeex.exe	91
PID 2716 wrote to memory of 3368	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	99
PID 2716 wrote to memory of 3368	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	99
PID 2716 wrote to memory of 3368	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	99
PID 2716 wrote to memory of 2948	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	100
PID 2716 wrote to memory of 2948	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	100
PID 2716 wrote to memory of 2948	2716	{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe	100
PID 3368 wrote to memory of 4644	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	104
PID 3368 wrote to memory of 4644	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	104
PID 3368 wrote to memory of 4644	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	104
PID 3368 wrote to memory of 4080	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	103
PID 3368 wrote to memory of 4080	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	103
PID 3368 wrote to memory of 4080	3368	{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe	103
PID 4644 wrote to memory of 2424	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	105
PID 4644 wrote to memory of 2424	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	105
PID 4644 wrote to memory of 2424	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	105
PID 4644 wrote to memory of 4740	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	106
PID 4644 wrote to memory of 4740	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	106
PID 4644 wrote to memory of 4740	4644	{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe	106
PID 2424 wrote to memory of 3316	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	107
PID 2424 wrote to memory of 3316	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	107
PID 2424 wrote to memory of 3316	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	107
PID 2424 wrote to memory of 4340	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	108
PID 2424 wrote to memory of 4340	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	108
PID 2424 wrote to memory of 4340	2424	{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe	108
PID 3316 wrote to memory of 2196	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	110
PID 3316 wrote to memory of 2196	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	110
PID 3316 wrote to memory of 2196	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	110
PID 3316 wrote to memory of 1400	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	111
PID 3316 wrote to memory of 1400	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	111
PID 3316 wrote to memory of 1400	3316	{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe	111
PID 2196 wrote to memory of 2820	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	112
PID 2196 wrote to memory of 2820	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	112
PID 2196 wrote to memory of 2820	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	112
PID 2196 wrote to memory of 1668	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	113
PID 2196 wrote to memory of 1668	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	113
PID 2196 wrote to memory of 1668	2196	{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe	113
PID 2820 wrote to memory of 4896	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	114
PID 2820 wrote to memory of 4896	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	114
PID 2820 wrote to memory of 4896	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	114
PID 2820 wrote to memory of 3868	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	115
PID 2820 wrote to memory of 3868	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	115
PID 2820 wrote to memory of 3868	2820	{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe	115
PID 4896 wrote to memory of 2120	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	116
PID 4896 wrote to memory of 2120	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	116
PID 4896 wrote to memory of 2120	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	116
PID 4896 wrote to memory of 3044	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	117
PID 4896 wrote to memory of 3044	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	117
PID 4896 wrote to memory of 3044	4896	{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe	117
PID 2120 wrote to memory of 5116	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	119
PID 2120 wrote to memory of 5116	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	119
PID 2120 wrote to memory of 5116	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	119
PID 2120 wrote to memory of 544	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	118
PID 2120 wrote to memory of 544	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	118
PID 2120 wrote to memory of 544	2120	{7125F0AB-930F-4ed6-B440-669D139F4950}.exe	118
PID 5116 wrote to memory of 4148	5116	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe	120
PID 5116 wrote to memory of 4148	5116	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe	120
PID 5116 wrote to memory of 4148	5116	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe	120
PID 5116 wrote to memory of 4028	5116	{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe	121

C:\Users\Admin\AppData\Local\Temp\e9e805a890e76dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e9e805a890e76dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
  C:\Windows\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
    C:\Windows\{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC5D0~1.EXE > nul
      4⤵
      PID:4080
  - - C:\Windows\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
      C:\Windows\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe
        
        C:\Windows\{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
        
        C:\Windows\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe
        
        C:\Windows\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
        
        C:\Windows\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
        
        C:\Windows\{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
        
        C:\Windows\{7125F0AB-930F-4ed6-B440-669D139F4950}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7125F~1.EXE > nul
        11⤵
        
        PID:544
        
        C:\Windows\{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe
        
        C:\Windows\{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe
        
        C:\Windows\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe
        12⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69322~1.EXE > nul
        12⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1822~1.EXE > nul
        10⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AD27~1.EXE > nul
        9⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFB9~1.EXE > nul
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{696B9~1.EXE > nul
        7⤵
        
        PID:1400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E713~1.EXE > nul
        6⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8D21~1.EXE > nul
        5⤵
        
        PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF2A~1.EXE > nul
    3⤵
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E9E805~1.EXE > nul
  2⤵
  PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe

Filesize
168KB

MD5
3217aef480f7df0e18859b338879a987

SHA1
991c46d2cb0ab8c699152bea8530face1ca64ba2

SHA256
bb9c86e3eba699e371b4faf6fedef5c6dbc00f33c7f27f1052a08e438c41de02

SHA512
35c81f241dc501fcb7a88c11f9aee30d1e8c3ad51307fd66fc37d448f0e7eeeb851e9195b3803c93e12dee62a7b7e68c016413160a0e0b04ed28e670bef6a63c

Download Submit
C:\Windows\{3FFB9485-212E-4e82-8CE4-BC0D85E06366}.exe

Filesize
168KB

MD5
3217aef480f7df0e18859b338879a987

SHA1
991c46d2cb0ab8c699152bea8530face1ca64ba2

SHA256
bb9c86e3eba699e371b4faf6fedef5c6dbc00f33c7f27f1052a08e438c41de02

SHA512
35c81f241dc501fcb7a88c11f9aee30d1e8c3ad51307fd66fc37d448f0e7eeeb851e9195b3803c93e12dee62a7b7e68c016413160a0e0b04ed28e670bef6a63c

Download Submit
C:\Windows\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe

Filesize
168KB

MD5
eed61856ce0b5aca0ed41c926a40346c

SHA1
f29c4ae3acaf3ec7fbeaea04e12d0f2083025624

SHA256
05652f33f076dae3ba1ed7b036873c902eb0b6ddb3c5bceda92a0b0c8af8ab76

SHA512
2c7a5e84562300a97e829b99bf43b4a5b93217de080a8edd6121de7c84946fe8e2d7c4723ecd1deb9d3b988e235a8065b803bc58d6852411fe06be86545d7b89

Download Submit
C:\Windows\{5868033F-BD25-4f00-9E2D-EFF60C58BD02}.exe

Filesize
168KB

MD5
eed61856ce0b5aca0ed41c926a40346c

SHA1
f29c4ae3acaf3ec7fbeaea04e12d0f2083025624

SHA256
05652f33f076dae3ba1ed7b036873c902eb0b6ddb3c5bceda92a0b0c8af8ab76

SHA512
2c7a5e84562300a97e829b99bf43b4a5b93217de080a8edd6121de7c84946fe8e2d7c4723ecd1deb9d3b988e235a8065b803bc58d6852411fe06be86545d7b89

Download Submit
C:\Windows\{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe

Filesize
168KB

MD5
78119092d45db4f561e99c060b567789

SHA1
b96faa9783ce58c07c0b724effa2fee2d16fb7f6

SHA256
28835d3b38742cbc1bf51ffe850a2120c6443abcb7edf0dac68bb2d728569c9e

SHA512
6b055f41abbd62b093e16c3946e995b2c7a7d08c08e40d3c585d19a9b3f5772faef91e5520f1ed929efe09232306f86de75036205aff85c78344a60a4c34eecd

Download Submit
C:\Windows\{5E713DF7-A4ED-4102-89E3-C5D54620739C}.exe

Filesize
168KB

MD5
78119092d45db4f561e99c060b567789

SHA1
b96faa9783ce58c07c0b724effa2fee2d16fb7f6

SHA256
28835d3b38742cbc1bf51ffe850a2120c6443abcb7edf0dac68bb2d728569c9e

SHA512
6b055f41abbd62b093e16c3946e995b2c7a7d08c08e40d3c585d19a9b3f5772faef91e5520f1ed929efe09232306f86de75036205aff85c78344a60a4c34eecd

Download Submit
C:\Windows\{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe

Filesize
168KB

MD5
530200aea0491a1db4ac131a21b15259

SHA1
b5b60db2015c8c0b233cdfce4c8c4d3d98a74519

SHA256
7130512cdef03b71af688186843920c8da3e9097cb702dbd8f108ff2404e3d3c

SHA512
4ac842fca597956d5907eee1309425c9ab96d6d755a0960f58128ca999dde47abd26b8e2d76d5ab4fd20d960a5295f56be8f6c3624efdf9728655e739e7a8794

Download Submit
C:\Windows\{6932204E-1D2F-47e0-B33D-7F4393625F10}.exe

Filesize
168KB

MD5
530200aea0491a1db4ac131a21b15259

SHA1
b5b60db2015c8c0b233cdfce4c8c4d3d98a74519

SHA256
7130512cdef03b71af688186843920c8da3e9097cb702dbd8f108ff2404e3d3c

SHA512
4ac842fca597956d5907eee1309425c9ab96d6d755a0960f58128ca999dde47abd26b8e2d76d5ab4fd20d960a5295f56be8f6c3624efdf9728655e739e7a8794

Download Submit
C:\Windows\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe

Filesize
168KB

MD5
4dcf524d195d20ff7172a3b1f57adb0b

SHA1
4c5570b50cd37daedc5603c9e8c82fc057559dbb

SHA256
4d0ddcd188471b0ba293ca2a732148ade3960d59fe418a3f1a8e8ef7f3232b55

SHA512
995258134b6ba100b5a67af35a57c32c8d19788d218b82f2bf6ccf274892ace02c4856fca84d101733c632799cfeb336f20c384d85bea27469203b6db1ddf0f9

Download Submit
C:\Windows\{696B9485-4E9F-4e24-A1C3-1A166DB7F7A6}.exe

Filesize
168KB

MD5
4dcf524d195d20ff7172a3b1f57adb0b

SHA1
4c5570b50cd37daedc5603c9e8c82fc057559dbb

SHA256
4d0ddcd188471b0ba293ca2a732148ade3960d59fe418a3f1a8e8ef7f3232b55

SHA512
995258134b6ba100b5a67af35a57c32c8d19788d218b82f2bf6ccf274892ace02c4856fca84d101733c632799cfeb336f20c384d85bea27469203b6db1ddf0f9

Download Submit
C:\Windows\{7125F0AB-930F-4ed6-B440-669D139F4950}.exe

Filesize
168KB

MD5
798d3a8f92eb717d45c623cb156c8d04

SHA1
f8e5f81404e6f0fcbb997b1d8a034ce7846ea682

SHA256
6cb304166ad84da77888804705888bdc10dc366a9201053dcbcbe9d7ad719ced

SHA512
9e11abf26a20334f05be1a46e5c966d7b90d8c498702458c3eb25f10814d7f44f90b746591f0c22a9f1ccaefd2675dd58c7e8ba9fc4597b48b1084641862da90

Download Submit
C:\Windows\{7125F0AB-930F-4ed6-B440-669D139F4950}.exe

Filesize
168KB

MD5
798d3a8f92eb717d45c623cb156c8d04

SHA1
f8e5f81404e6f0fcbb997b1d8a034ce7846ea682

SHA256
6cb304166ad84da77888804705888bdc10dc366a9201053dcbcbe9d7ad719ced

SHA512
9e11abf26a20334f05be1a46e5c966d7b90d8c498702458c3eb25f10814d7f44f90b746591f0c22a9f1ccaefd2675dd58c7e8ba9fc4597b48b1084641862da90

Download Submit
C:\Windows\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe

Filesize
168KB

MD5
de6d385de46246d12d458fe6b4aca835

SHA1
7a49b48feb07ea832526781dcfc5bbb5a088ec4c

SHA256
e2e3418ecf98b7e5f9af0f4a9a8f7c22676399ef3eab7586b9bb283ef091b495

SHA512
7ace69fed4a1a71d245cc0160049b5c2c4ffadd88a7840a95800e4c81f983fe08eac83b76cdc8db7646c6af107c67bffdf83c57b4e68bfc6c019413de07ef9a2

Download Submit
C:\Windows\{7AD27A34-FAC0-45d9-B81F-796460CE4AA3}.exe

Filesize
168KB

MD5
de6d385de46246d12d458fe6b4aca835

SHA1
7a49b48feb07ea832526781dcfc5bbb5a088ec4c

SHA256
e2e3418ecf98b7e5f9af0f4a9a8f7c22676399ef3eab7586b9bb283ef091b495

SHA512
7ace69fed4a1a71d245cc0160049b5c2c4ffadd88a7840a95800e4c81f983fe08eac83b76cdc8db7646c6af107c67bffdf83c57b4e68bfc6c019413de07ef9a2

Download Submit
C:\Windows\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe

Filesize
168KB

MD5
7f866dff2981297227417bd5725e3aed

SHA1
d31de5ae345c22f1399a8d0c1df8b25d2fd88c29

SHA256
890ce0cf56ed7a1c1e4400ecc16a87e1b762f0b0448a46e38ea3d9a17452712b

SHA512
b9aa94e52f9da613e90f305b654db1a0f4d6565449199e3fe407e08e8461644f4efce711ebde14122f59500ea2fb07d3d479b390c6efa35e3724b96bb2bee87d

Download Submit
C:\Windows\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe

Filesize
168KB

MD5
7f866dff2981297227417bd5725e3aed

SHA1
d31de5ae345c22f1399a8d0c1df8b25d2fd88c29

SHA256
890ce0cf56ed7a1c1e4400ecc16a87e1b762f0b0448a46e38ea3d9a17452712b

SHA512
b9aa94e52f9da613e90f305b654db1a0f4d6565449199e3fe407e08e8461644f4efce711ebde14122f59500ea2fb07d3d479b390c6efa35e3724b96bb2bee87d

Download Submit
C:\Windows\{A8D2188B-0A1E-40eb-BBC8-32356B9281E4}.exe

Filesize
168KB

MD5
7f866dff2981297227417bd5725e3aed

SHA1
d31de5ae345c22f1399a8d0c1df8b25d2fd88c29

SHA256
890ce0cf56ed7a1c1e4400ecc16a87e1b762f0b0448a46e38ea3d9a17452712b

SHA512
b9aa94e52f9da613e90f305b654db1a0f4d6565449199e3fe407e08e8461644f4efce711ebde14122f59500ea2fb07d3d479b390c6efa35e3724b96bb2bee87d

Download Submit
C:\Windows\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe

Filesize
168KB

MD5
2faf79efebffac0e6fe22f5e33643586

SHA1
2cf7d91b2e4e60b698151445b5c5d38c8b534d5c

SHA256
aabd1e8cc7e9d0a76fab0aa3ec6ba57fa17d63e798f631418e5c1dc27ba67cc0

SHA512
623f950a32e4f87c002e2e9c3a5b457ac049f20de29e156423e220f47ca3b7e8325a708273c1e279f0d5827e012aec09556a4b61e8293e7ba1525edc9455d6e8

Download Submit
C:\Windows\{ACF2A407-3BF2-4dfb-843B-15F1B23F893D}.exe

Filesize
168KB

MD5
2faf79efebffac0e6fe22f5e33643586

SHA1
2cf7d91b2e4e60b698151445b5c5d38c8b534d5c

SHA256
aabd1e8cc7e9d0a76fab0aa3ec6ba57fa17d63e798f631418e5c1dc27ba67cc0

SHA512
623f950a32e4f87c002e2e9c3a5b457ac049f20de29e156423e220f47ca3b7e8325a708273c1e279f0d5827e012aec09556a4b61e8293e7ba1525edc9455d6e8

Download Submit
C:\Windows\{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe

Filesize
168KB

MD5
f0fb5ea72f99bf007c7048ac6fbefd41

SHA1
d1dc2f9119209ec64c36d384359607cbb92f3dde

SHA256
ade2c2a3bae66bc9a8bcc1f8017a70998ece6dc05beee69110796fd8f627e935

SHA512
7131584310d73632e9ab3ce58de211d024c713453c98c66106676346fd2df4025dbbe142f5be107439324d6ab692f045e64db7831370487c86bead8fc6a25d5c

Download Submit
C:\Windows\{B1822266-9AA8-4e32-A829-24E0219A68D7}.exe

Filesize
168KB

MD5
f0fb5ea72f99bf007c7048ac6fbefd41

SHA1
d1dc2f9119209ec64c36d384359607cbb92f3dde

SHA256
ade2c2a3bae66bc9a8bcc1f8017a70998ece6dc05beee69110796fd8f627e935

SHA512
7131584310d73632e9ab3ce58de211d024c713453c98c66106676346fd2df4025dbbe142f5be107439324d6ab692f045e64db7831370487c86bead8fc6a25d5c

Download Submit
C:\Windows\{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe

Filesize
168KB

MD5
f6f60e23942f56a380c30c4fa0dffae1

SHA1
f148bad08c8c0c6bea1277c29e4220f9b6510220

SHA256
6d98b940f55517372303c79010732a2d308d2af9df15e965b49c64f3c1ab05ef

SHA512
43926aef8c02779402ed6c56198302477994b9e2b979f28fb0aef9bd21b4af25f640cb84aa60ca3c81465691ee0c7f6fd3b2ece90e07ba4c86920ec54bbc9aa0

Download Submit
C:\Windows\{EC5D0184-F32A-4004-9930-61DD41FF3F75}.exe

Filesize
168KB

MD5
f6f60e23942f56a380c30c4fa0dffae1

SHA1
f148bad08c8c0c6bea1277c29e4220f9b6510220

SHA256
6d98b940f55517372303c79010732a2d308d2af9df15e965b49c64f3c1ab05ef

SHA512
43926aef8c02779402ed6c56198302477994b9e2b979f28fb0aef9bd21b4af25f640cb84aa60ca3c81465691ee0c7f6fd3b2ece90e07ba4c86920ec54bbc9aa0

Download Submit