de433580efd1f03eaaa348928659a2dfb9cf5ced13e7d37ccc829b4c6e0276fe

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb21c24dc93fc6exeexeexeex.exe
Size

168KB
MD5

eb21c24dc93fc604a475f83e7f28040f
SHA1

d0cf95582d8a3fc63d013679d7717f3c4ab0c56a
SHA256

de433580efd1f03eaaa348928659a2dfb9cf5ced13e7d37ccc829b4c6e0276fe
SHA512

c4ea65869ce5ed6ccf234e183d9414eaa6eee6b2ca497f31be16f5d4fef72159d11fe54a4e0b8fda4196b6a359a20b67e40a62a374e9ac7362e24bb378a5614e
SSDEEP

1536:1EGh0oulq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oulqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}\stubpath = "C:\\Windows\\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe"	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763834A6-96CD-464d-9E09-89048C35DA22}	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F72384A-7A83-408d-93BA-3A97315166FF}	{763834A6-96CD-464d-9E09-89048C35DA22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF53AFA9-9423-41a8-8804-E78B828056F8}\stubpath = "C:\\Windows\\{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe"	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DBFE663-D2C9-407b-9E7B-98CA20820779}\stubpath = "C:\\Windows\\{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe"	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763834A6-96CD-464d-9E09-89048C35DA22}\stubpath = "C:\\Windows\\{763834A6-96CD-464d-9E09-89048C35DA22}.exe"	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F72384A-7A83-408d-93BA-3A97315166FF}\stubpath = "C:\\Windows\\{2F72384A-7A83-408d-93BA-3A97315166FF}.exe"	{763834A6-96CD-464d-9E09-89048C35DA22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F253036A-0484-492f-A7A4-FDB1F361DA53}	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CC9642-4665-41eb-8847-5BF82B041F8F}	eb21c24dc93fc6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2E677B-5492-4a22-A671-9BE761B3F58C}	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2E677B-5492-4a22-A671-9BE761B3F58C}\stubpath = "C:\\Windows\\{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe"	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}	{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}\stubpath = "C:\\Windows\\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe"	{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185A60B0-D7D1-4ed4-929B-861E45358DEE}\stubpath = "C:\\Windows\\{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe"	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F253036A-0484-492f-A7A4-FDB1F361DA53}\stubpath = "C:\\Windows\\{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe"	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CC9642-4665-41eb-8847-5BF82B041F8F}\stubpath = "C:\\Windows\\{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe"	eb21c24dc93fc6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}\stubpath = "C:\\Windows\\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe"	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DBFE663-D2C9-407b-9E7B-98CA20820779}	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}\stubpath = "C:\\Windows\\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe"	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185A60B0-D7D1-4ed4-929B-861E45358DEE}	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF53AFA9-9423-41a8-8804-E78B828056F8}	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe
2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe
4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe
1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
3060	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
912	{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe
4596	{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
File created	C:\Windows\{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
File created	C:\Windows\{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	{763834A6-96CD-464d-9E09-89048C35DA22}.exe
File created	C:\Windows\{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
File created	C:\Windows\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
File created	C:\Windows\{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	eb21c24dc93fc6exeexeexeex.exe
File created	C:\Windows\{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
File created	C:\Windows\{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe
File created	C:\Windows\{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
File created	C:\Windows\{763834A6-96CD-464d-9E09-89048C35DA22}.exe	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
File created	C:\Windows\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe	{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe
File created	C:\Windows\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3240	eb21c24dc93fc6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe
Token: SeIncBasePriorityPrivilege	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
Token: SeIncBasePriorityPrivilege	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
Token: SeIncBasePriorityPrivilege	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
Token: SeIncBasePriorityPrivilege	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe
Token: SeIncBasePriorityPrivilege	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
Token: SeIncBasePriorityPrivilege	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
Token: SeIncBasePriorityPrivilege	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe
Token: SeIncBasePriorityPrivilege	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
Token: SeIncBasePriorityPrivilege	3060	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
Token: SeIncBasePriorityPrivilege	912	{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2972	3240	eb21c24dc93fc6exeexeexeex.exe	93
PID 3240 wrote to memory of 2972	3240	eb21c24dc93fc6exeexeexeex.exe	93
PID 3240 wrote to memory of 2972	3240	eb21c24dc93fc6exeexeexeex.exe	93
PID 3240 wrote to memory of 4804	3240	eb21c24dc93fc6exeexeexeex.exe	94
PID 3240 wrote to memory of 4804	3240	eb21c24dc93fc6exeexeexeex.exe	94
PID 3240 wrote to memory of 4804	3240	eb21c24dc93fc6exeexeexeex.exe	94
PID 2972 wrote to memory of 2520	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	95
PID 2972 wrote to memory of 2520	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	95
PID 2972 wrote to memory of 2520	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	95
PID 2972 wrote to memory of 236	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	96
PID 2972 wrote to memory of 236	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	96
PID 2972 wrote to memory of 236	2972	{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe	96
PID 2520 wrote to memory of 2744	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	103
PID 2520 wrote to memory of 2744	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	103
PID 2520 wrote to memory of 2744	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	103
PID 2520 wrote to memory of 3516	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	104
PID 2520 wrote to memory of 3516	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	104
PID 2520 wrote to memory of 3516	2520	{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe	104
PID 2744 wrote to memory of 1672	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	106
PID 2744 wrote to memory of 1672	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	106
PID 2744 wrote to memory of 1672	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	106
PID 2744 wrote to memory of 3720	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	107
PID 2744 wrote to memory of 3720	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	107
PID 2744 wrote to memory of 3720	2744	{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe	107
PID 1672 wrote to memory of 5036	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	108
PID 1672 wrote to memory of 5036	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	108
PID 1672 wrote to memory of 5036	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	108
PID 1672 wrote to memory of 2084	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	109
PID 1672 wrote to memory of 2084	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	109
PID 1672 wrote to memory of 2084	1672	{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe	109
PID 5036 wrote to memory of 4592	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	111
PID 5036 wrote to memory of 4592	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	111
PID 5036 wrote to memory of 4592	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	111
PID 5036 wrote to memory of 5084	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	110
PID 5036 wrote to memory of 5084	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	110
PID 5036 wrote to memory of 5084	5036	{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe	110
PID 4592 wrote to memory of 2124	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	113
PID 4592 wrote to memory of 2124	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	113
PID 4592 wrote to memory of 2124	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	113
PID 4592 wrote to memory of 2044	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	114
PID 4592 wrote to memory of 2044	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	114
PID 4592 wrote to memory of 2044	4592	{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe	114
PID 2124 wrote to memory of 1012	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	115
PID 2124 wrote to memory of 1012	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	115
PID 2124 wrote to memory of 1012	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	115
PID 2124 wrote to memory of 4172	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	116
PID 2124 wrote to memory of 4172	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	116
PID 2124 wrote to memory of 4172	2124	{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe	116
PID 1012 wrote to memory of 1676	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe	117
PID 1012 wrote to memory of 1676	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe	117
PID 1012 wrote to memory of 1676	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe	117
PID 1012 wrote to memory of 4320	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe	118
PID 1012 wrote to memory of 4320	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe	118
PID 1012 wrote to memory of 4320	1012	{763834A6-96CD-464d-9E09-89048C35DA22}.exe	118
PID 1676 wrote to memory of 3060	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	119
PID 1676 wrote to memory of 3060	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	119
PID 1676 wrote to memory of 3060	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	119
PID 1676 wrote to memory of 3400	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	120
PID 1676 wrote to memory of 3400	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	120
PID 1676 wrote to memory of 3400	1676	{2F72384A-7A83-408d-93BA-3A97315166FF}.exe	120
PID 3060 wrote to memory of 912	3060	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe	121
PID 3060 wrote to memory of 912	3060	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe	121
PID 3060 wrote to memory of 912	3060	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe	121
PID 3060 wrote to memory of 4416	3060	{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe	122

C:\Users\Admin\AppData\Local\Temp\eb21c24dc93fc6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\eb21c24dc93fc6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe
  C:\Windows\{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
    C:\Windows\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
      C:\Windows\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
        
        C:\Windows\{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe
        
        C:\Windows\{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B2E6~1.EXE > nul
        7⤵
        
        PID:5084
        
        C:\Windows\{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
        
        C:\Windows\{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
        
        C:\Windows\{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{763834A6-96CD-464d-9E09-89048C35DA22}.exe
        
        C:\Windows\{763834A6-96CD-464d-9E09-89048C35DA22}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
        
        C:\Windows\{2F72384A-7A83-408d-93BA-3A97315166FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
        
        C:\Windows\{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe
        
        C:\Windows\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe
        
        C:\Windows\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{435B5~1.EXE > nul
        13⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2530~1.EXE > nul
        12⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F723~1.EXE > nul
        11⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76383~1.EXE > nul
        10⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DBFE~1.EXE > nul
        9⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF53A~1.EXE > nul
        8⤵
        
        PID:2044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{185A6~1.EXE > nul
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAC2~1.EXE > nul
        5⤵
        
        PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96E3F~1.EXE > nul
      4⤵
      PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{63CC9~1.EXE > nul
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EB21C2~1.EXE > nul
  2⤵
  PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe

Filesize
168KB

MD5
bc84eb15ba2d779de6ea5ce0cc05c1be

SHA1
4f64a54a218431b8ce356c6fac815827ad113d91

SHA256
78949f7d37a6180ca46bdeeca6e5aeccf0220088ab5fe9702b657cc3959d18d5

SHA512
b190daf1c2b886011ea33ff227fbe5113a4dbbfafb067645ea951c491524f450f0bce3254ac7c42981348c28d1df50fd0f7eb3008a9964ca5e26e4c99b977c1e

Download Submit
C:\Windows\{185A60B0-D7D1-4ed4-929B-861E45358DEE}.exe

Filesize
168KB

MD5
bc84eb15ba2d779de6ea5ce0cc05c1be

SHA1
4f64a54a218431b8ce356c6fac815827ad113d91

SHA256
78949f7d37a6180ca46bdeeca6e5aeccf0220088ab5fe9702b657cc3959d18d5

SHA512
b190daf1c2b886011ea33ff227fbe5113a4dbbfafb067645ea951c491524f450f0bce3254ac7c42981348c28d1df50fd0f7eb3008a9964ca5e26e4c99b977c1e

Download Submit
C:\Windows\{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe

Filesize
168KB

MD5
8ad487164c39b7d0c67e436eb8991ee5

SHA1
9dbcb64ad8a4e29f147886a7ecbbe3de9cd856dd

SHA256
add5351edcebce1e4dc82d02b1b3c75c072831cedab86609595bd4a77636ec9a

SHA512
71a11d2857721eb40f26ffcd96bbd397d9c71c1a9c3f5b9b0576111665aee5f9178daa9e9c26015a7f832d4249832d272f1d08954f962ca22230e256928b584f

Download Submit
C:\Windows\{1DBFE663-D2C9-407b-9E7B-98CA20820779}.exe

Filesize
168KB

MD5
8ad487164c39b7d0c67e436eb8991ee5

SHA1
9dbcb64ad8a4e29f147886a7ecbbe3de9cd856dd

SHA256
add5351edcebce1e4dc82d02b1b3c75c072831cedab86609595bd4a77636ec9a

SHA512
71a11d2857721eb40f26ffcd96bbd397d9c71c1a9c3f5b9b0576111665aee5f9178daa9e9c26015a7f832d4249832d272f1d08954f962ca22230e256928b584f

Download Submit
C:\Windows\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe

Filesize
168KB

MD5
d7745028f16b5273b3f923dd7247533e

SHA1
376eda452c9c7b34b1631b9f7df3e7dfdfceac58

SHA256
3f1923c2249dc2600c2f3de6eb165363f5aed1974df9994e58b31d4dcb2d3add

SHA512
442a6ce62849d36bf9352e369a230ff879b784921ca921d3cf7c06c475a8818e5cebdd7e1d942024f8070a56eca3e8c04aca6aab00dd1ebd41470881d22d7329

Download Submit
C:\Windows\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe

Filesize
168KB

MD5
d7745028f16b5273b3f923dd7247533e

SHA1
376eda452c9c7b34b1631b9f7df3e7dfdfceac58

SHA256
3f1923c2249dc2600c2f3de6eb165363f5aed1974df9994e58b31d4dcb2d3add

SHA512
442a6ce62849d36bf9352e369a230ff879b784921ca921d3cf7c06c475a8818e5cebdd7e1d942024f8070a56eca3e8c04aca6aab00dd1ebd41470881d22d7329

Download Submit
C:\Windows\{2BAC2EC5-6580-422f-A4DC-1BCF30B34E81}.exe

Filesize
168KB

MD5
d7745028f16b5273b3f923dd7247533e

SHA1
376eda452c9c7b34b1631b9f7df3e7dfdfceac58

SHA256
3f1923c2249dc2600c2f3de6eb165363f5aed1974df9994e58b31d4dcb2d3add

SHA512
442a6ce62849d36bf9352e369a230ff879b784921ca921d3cf7c06c475a8818e5cebdd7e1d942024f8070a56eca3e8c04aca6aab00dd1ebd41470881d22d7329

Download Submit
C:\Windows\{2F72384A-7A83-408d-93BA-3A97315166FF}.exe

Filesize
168KB

MD5
c114f7a597a4f11718104be8e2224595

SHA1
243e8d666e1a69fdb66242048b18fa9d4700d36e

SHA256
d533999d104e1ab22524c9d2ff3dcbacddeafdb8bdbd69cb128b0594ccb0dd8c

SHA512
d4a133ac8e53c53b9909c1eb61d65d3de5caf0ab693827d7bc45dc5c681f3734742376e368c384b5e312149b9366931d5da224976749b71595a401fdcff55d80

Download Submit
C:\Windows\{2F72384A-7A83-408d-93BA-3A97315166FF}.exe

Filesize
168KB

MD5
c114f7a597a4f11718104be8e2224595

SHA1
243e8d666e1a69fdb66242048b18fa9d4700d36e

SHA256
d533999d104e1ab22524c9d2ff3dcbacddeafdb8bdbd69cb128b0594ccb0dd8c

SHA512
d4a133ac8e53c53b9909c1eb61d65d3de5caf0ab693827d7bc45dc5c681f3734742376e368c384b5e312149b9366931d5da224976749b71595a401fdcff55d80

Download Submit
C:\Windows\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe

Filesize
168KB

MD5
7d92b4f1a0712f6aa2037f6a760d4e79

SHA1
557db39e56767e2e610ccf981468f10b197e86f7

SHA256
1491350e477455764b0ba192369ec77b186f7fc5653c45872fe44e93574b93a5

SHA512
680b3d4f7b366119411db05db6764f3a6e41d7a5fe6b3c4ac1c0a4ad7dfc3f7fb7dc486116acbf35ab4a635f418216940021693e892248f19aba4d03b3f4e025

Download Submit
C:\Windows\{435B5F32-EF75-4c0d-8851-6E6EED2DA07E}.exe

Filesize
168KB

MD5
7d92b4f1a0712f6aa2037f6a760d4e79

SHA1
557db39e56767e2e610ccf981468f10b197e86f7

SHA256
1491350e477455764b0ba192369ec77b186f7fc5653c45872fe44e93574b93a5

SHA512
680b3d4f7b366119411db05db6764f3a6e41d7a5fe6b3c4ac1c0a4ad7dfc3f7fb7dc486116acbf35ab4a635f418216940021693e892248f19aba4d03b3f4e025

Download Submit
C:\Windows\{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe

Filesize
168KB

MD5
1582e282a6380d05ca9617229464e2ea

SHA1
739fdbbb768427f30bbb3fdf4dae951c98cb7143

SHA256
1758770ef6baa60c96fa3c7e5d7f75fe1a72b39fa78b3180a7abf8a518904e48

SHA512
5beff8108a8bb3bc2d9d3194982747251ab3126e037d4b643cdf1a8739c28f5cac2eee02bab0bb13df31d315eb0e7719f989bd7bd6c4b67611038405d2e0ba6f

Download Submit
C:\Windows\{4B2E677B-5492-4a22-A671-9BE761B3F58C}.exe

Filesize
168KB

MD5
1582e282a6380d05ca9617229464e2ea

SHA1
739fdbbb768427f30bbb3fdf4dae951c98cb7143

SHA256
1758770ef6baa60c96fa3c7e5d7f75fe1a72b39fa78b3180a7abf8a518904e48

SHA512
5beff8108a8bb3bc2d9d3194982747251ab3126e037d4b643cdf1a8739c28f5cac2eee02bab0bb13df31d315eb0e7719f989bd7bd6c4b67611038405d2e0ba6f

Download Submit
C:\Windows\{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe

Filesize
168KB

MD5
2153a34e1523031f4acd13f40e0df3ae

SHA1
13632f5b9cd86a42b869dd870a055f9cdcb20779

SHA256
2b7a22b15927781274edf08bdc8a52ba176cfd9b75f8f481d907b937b76ab37f

SHA512
5170bdf4651ddf7d58e07785f8c452b392a0b4daf9b65ddfc32ce7eceb0c559fff526cbded2dafdcc8d9cf498797ab4f7017a5ba7e678ab136dc5155e82c5260

Download Submit
C:\Windows\{63CC9642-4665-41eb-8847-5BF82B041F8F}.exe

Filesize
168KB

MD5
2153a34e1523031f4acd13f40e0df3ae

SHA1
13632f5b9cd86a42b869dd870a055f9cdcb20779

SHA256
2b7a22b15927781274edf08bdc8a52ba176cfd9b75f8f481d907b937b76ab37f

SHA512
5170bdf4651ddf7d58e07785f8c452b392a0b4daf9b65ddfc32ce7eceb0c559fff526cbded2dafdcc8d9cf498797ab4f7017a5ba7e678ab136dc5155e82c5260

Download Submit
C:\Windows\{763834A6-96CD-464d-9E09-89048C35DA22}.exe

Filesize
168KB

MD5
4530dbb44a7668c080a1bebe108657a4

SHA1
3789e028af5476981b78bd62d36839fea7a4e965

SHA256
467455bf5492ee8a90e48c84fb8924a20035232358b95e8aa1793cea185aa33c

SHA512
ab46afcd4c456151eb34d66a12f322bd7aabd29cda59456d03a9b6b3af1597067b3715a621074e735876231998459ed42925bc708a729976c7fff6fd9a75c1dd

Download Submit
C:\Windows\{763834A6-96CD-464d-9E09-89048C35DA22}.exe

Filesize
168KB

MD5
4530dbb44a7668c080a1bebe108657a4

SHA1
3789e028af5476981b78bd62d36839fea7a4e965

SHA256
467455bf5492ee8a90e48c84fb8924a20035232358b95e8aa1793cea185aa33c

SHA512
ab46afcd4c456151eb34d66a12f322bd7aabd29cda59456d03a9b6b3af1597067b3715a621074e735876231998459ed42925bc708a729976c7fff6fd9a75c1dd

Download Submit
C:\Windows\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe

Filesize
168KB

MD5
3fa3acf40b8b89570a737c8aa870f1b6

SHA1
67856642caf796626d4e69c85f9f4e14750aecdd

SHA256
f2ec333769d290b56ddb3dc51714971d3dd0ab714003c779cb5cacc080315b1d

SHA512
3c3a79b4395411a49050ec566eb001348efd51ae8462c0a06df48661fc6c4d3ec9f3cc806f20ad27850817b0b13d11967687d8800b01429e747f7a092cbb4c74

Download Submit
C:\Windows\{96E3FCDF-4B08-4f17-BFF1-35C0960A11E8}.exe

Filesize
168KB

MD5
3fa3acf40b8b89570a737c8aa870f1b6

SHA1
67856642caf796626d4e69c85f9f4e14750aecdd

SHA256
f2ec333769d290b56ddb3dc51714971d3dd0ab714003c779cb5cacc080315b1d

SHA512
3c3a79b4395411a49050ec566eb001348efd51ae8462c0a06df48661fc6c4d3ec9f3cc806f20ad27850817b0b13d11967687d8800b01429e747f7a092cbb4c74

Download Submit
C:\Windows\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe

Filesize
168KB

MD5
04e74bcb836a601b7a47ce9aa6d4e33f

SHA1
d7264a48b066ab146af0b6eb7df4e9d359bbd0a4

SHA256
8cfa26190dedcf3ef38420a72abb56a897864cf5e2a2ca4159e27521dd18c612

SHA512
52dec70f6af19560ff8a795e173068e7ed14d525e605e6d253bacbe5b48f40be98ffca5eec7308c48bccaf48c02a5917c54124b624052b29f91c9d31ac5682f2

Download Submit
C:\Windows\{97EF8F82-A65C-4317-9DC8-2B1DFD390E0B}.exe

Filesize
168KB

MD5
04e74bcb836a601b7a47ce9aa6d4e33f

SHA1
d7264a48b066ab146af0b6eb7df4e9d359bbd0a4

SHA256
8cfa26190dedcf3ef38420a72abb56a897864cf5e2a2ca4159e27521dd18c612

SHA512
52dec70f6af19560ff8a795e173068e7ed14d525e605e6d253bacbe5b48f40be98ffca5eec7308c48bccaf48c02a5917c54124b624052b29f91c9d31ac5682f2

Download Submit
C:\Windows\{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe

Filesize
168KB

MD5
f352b158a7bad2d87b3a5ab92d65f489

SHA1
5a7ac0c17ed99ee9b1d54484ee0830ae70df8767

SHA256
f7232111f1aba8225d95f93271f0dcb0189567b4510e97d399e82e1f90f44c8d

SHA512
d804b118c637cec770ae991ed05f0824c0929e9d9902ead8270f5ac0d2eb660f9c734d6a32b38641ea4e425f3d96ed423ebf82b7df0fcb4f067647e1e9aa4027

Download Submit
C:\Windows\{BF53AFA9-9423-41a8-8804-E78B828056F8}.exe

Filesize
168KB

MD5
f352b158a7bad2d87b3a5ab92d65f489

SHA1
5a7ac0c17ed99ee9b1d54484ee0830ae70df8767

SHA256
f7232111f1aba8225d95f93271f0dcb0189567b4510e97d399e82e1f90f44c8d

SHA512
d804b118c637cec770ae991ed05f0824c0929e9d9902ead8270f5ac0d2eb660f9c734d6a32b38641ea4e425f3d96ed423ebf82b7df0fcb4f067647e1e9aa4027

Download Submit
C:\Windows\{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe

Filesize
168KB

MD5
45d03149deb87d0685d7be2d72d68627

SHA1
00aa5d257969de7f413ca5b8bf9879ded79dac7a

SHA256
b8a62ea02853781b96f7f24f8b67832cec83b36937f5f2cb2faa8a9c72358515

SHA512
5a9b164600e2efc1296812f514815fcc5503ef847435fa3bf12e966f6c006b26994e01a9942d2b9a3d381041d1b4b7e9b313b163aec2350c8337e1095edd3aaf

Download Submit
C:\Windows\{F253036A-0484-492f-A7A4-FDB1F361DA53}.exe

Filesize
168KB

MD5
45d03149deb87d0685d7be2d72d68627

SHA1
00aa5d257969de7f413ca5b8bf9879ded79dac7a

SHA256
b8a62ea02853781b96f7f24f8b67832cec83b36937f5f2cb2faa8a9c72358515

SHA512
5a9b164600e2efc1296812f514815fcc5503ef847435fa3bf12e966f6c006b26994e01a9942d2b9a3d381041d1b4b7e9b313b163aec2350c8337e1095edd3aaf

Download Submit