21dba26cc379b9826f4a08ed80dcbcf4c0a148a649da3d9c917949ccba93b759

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec406ab04df18dexeexeexeex.exe
Size

204KB
MD5

ec406ab04df18d077b87ea5aa547b4bf
SHA1

d7a64c631fd172c1f09c1454c1d7422fd9c37579
SHA256

21dba26cc379b9826f4a08ed80dcbcf4c0a148a649da3d9c917949ccba93b759
SHA512

9efcbf1079b4429cd44b295301479d47ab19c60aaab8d30e94f2a259f0b473d0ca6c7e10f2e408847ae08d42f9030d999a14d8a27a5b37f188290d29c1b69a2e
SSDEEP

1536:1EGh0oil15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oil1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}\stubpath = "C:\\Windows\\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe"	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}\stubpath = "C:\\Windows\\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe"	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}\stubpath = "C:\\Windows\\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe"	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}\stubpath = "C:\\Windows\\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe"	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}\stubpath = "C:\\Windows\\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe"	{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2646F5E9-7081-4781-803E-8FBA9D24D53C}	ec406ab04df18dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2646F5E9-7081-4781-803E-8FBA9D24D53C}\stubpath = "C:\\Windows\\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe"	ec406ab04df18dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}	{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}\stubpath = "C:\\Windows\\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe"	{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3315A04-BE38-4c41-8960-252843A89697}	{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3315A04-BE38-4c41-8960-252843A89697}\stubpath = "C:\\Windows\\{C3315A04-BE38-4c41-8960-252843A89697}.exe"	{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0098312-51DE-4284-A1ED-8037C5D73E70}	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}\stubpath = "C:\\Windows\\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe"	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD64E63D-B468-4e53-B201-A998EDAC6696}\stubpath = "C:\\Windows\\{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe"	{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}	{C3315A04-BE38-4c41-8960-252843A89697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0098312-51DE-4284-A1ED-8037C5D73E70}\stubpath = "C:\\Windows\\{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe"	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD64E63D-B468-4e53-B201-A998EDAC6696}	{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}	{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}\stubpath = "C:\\Windows\\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}.exe"	{C3315A04-BE38-4c41-8960-252843A89697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}\stubpath = "C:\\Windows\\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe"	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe
2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
544	{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
1264	{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
2688	{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
2992	{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe
2708	{C3315A04-BE38-4c41-8960-252843A89697}.exe
2496	{37CF1B17-CD2B-4193-AEB3-04357A247C6A}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
File created	C:\Windows\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
File created	C:\Windows\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe
File created	C:\Windows\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
File created	C:\Windows\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe	{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
File created	C:\Windows\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}.exe	{C3315A04-BE38-4c41-8960-252843A89697}.exe
File created	C:\Windows\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	ec406ab04df18dexeexeexeex.exe
File created	C:\Windows\{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
File created	C:\Windows\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
File created	C:\Windows\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
File created	C:\Windows\{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe	{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
File created	C:\Windows\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe	{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
File created	C:\Windows\{C3315A04-BE38-4c41-8960-252843A89697}.exe	{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	ec406ab04df18dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
Token: SeIncBasePriorityPrivilege	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
Token: SeIncBasePriorityPrivilege	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
Token: SeIncBasePriorityPrivilege	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe
Token: SeIncBasePriorityPrivilege	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
Token: SeIncBasePriorityPrivilege	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
Token: SeIncBasePriorityPrivilege	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
Token: SeIncBasePriorityPrivilege	544	{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
Token: SeIncBasePriorityPrivilege	1264	{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
Token: SeIncBasePriorityPrivilege	2688	{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
Token: SeIncBasePriorityPrivilege	2992	{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe
Token: SeIncBasePriorityPrivilege	2708	{C3315A04-BE38-4c41-8960-252843A89697}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2976	2276	ec406ab04df18dexeexeexeex.exe	29
PID 2276 wrote to memory of 2976	2276	ec406ab04df18dexeexeexeex.exe	29
PID 2276 wrote to memory of 2976	2276	ec406ab04df18dexeexeexeex.exe	29
PID 2276 wrote to memory of 2976	2276	ec406ab04df18dexeexeexeex.exe	29
PID 2276 wrote to memory of 3020	2276	ec406ab04df18dexeexeexeex.exe	30
PID 2276 wrote to memory of 3020	2276	ec406ab04df18dexeexeexeex.exe	30
PID 2276 wrote to memory of 3020	2276	ec406ab04df18dexeexeexeex.exe	30
PID 2276 wrote to memory of 3020	2276	ec406ab04df18dexeexeexeex.exe	30
PID 2976 wrote to memory of 1660	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	31
PID 2976 wrote to memory of 1660	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	31
PID 2976 wrote to memory of 1660	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	31
PID 2976 wrote to memory of 1660	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	31
PID 2976 wrote to memory of 3056	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	32
PID 2976 wrote to memory of 3056	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	32
PID 2976 wrote to memory of 3056	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	32
PID 2976 wrote to memory of 3056	2976	{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe	32
PID 1660 wrote to memory of 324	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	33
PID 1660 wrote to memory of 324	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	33
PID 1660 wrote to memory of 324	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	33
PID 1660 wrote to memory of 324	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	33
PID 1660 wrote to memory of 1852	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	34
PID 1660 wrote to memory of 1852	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	34
PID 1660 wrote to memory of 1852	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	34
PID 1660 wrote to memory of 1852	1660	{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe	34
PID 324 wrote to memory of 1140	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	35
PID 324 wrote to memory of 1140	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	35
PID 324 wrote to memory of 1140	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	35
PID 324 wrote to memory of 1140	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	35
PID 324 wrote to memory of 2952	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	36
PID 324 wrote to memory of 2952	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	36
PID 324 wrote to memory of 2952	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	36
PID 324 wrote to memory of 2952	324	{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe	36
PID 1140 wrote to memory of 2352	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	37
PID 1140 wrote to memory of 2352	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	37
PID 1140 wrote to memory of 2352	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	37
PID 1140 wrote to memory of 2352	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	37
PID 1140 wrote to memory of 2172	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	38
PID 1140 wrote to memory of 2172	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	38
PID 1140 wrote to memory of 2172	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	38
PID 1140 wrote to memory of 2172	1140	{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe	38
PID 2352 wrote to memory of 1252	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	39
PID 2352 wrote to memory of 1252	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	39
PID 2352 wrote to memory of 1252	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	39
PID 2352 wrote to memory of 1252	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	39
PID 2352 wrote to memory of 2868	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	40
PID 2352 wrote to memory of 2868	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	40
PID 2352 wrote to memory of 2868	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	40
PID 2352 wrote to memory of 2868	2352	{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe	40
PID 1252 wrote to memory of 2884	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	41
PID 1252 wrote to memory of 2884	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	41
PID 1252 wrote to memory of 2884	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	41
PID 1252 wrote to memory of 2884	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	41
PID 1252 wrote to memory of 2940	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	42
PID 1252 wrote to memory of 2940	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	42
PID 1252 wrote to memory of 2940	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	42
PID 1252 wrote to memory of 2940	1252	{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe	42
PID 2884 wrote to memory of 544	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	43
PID 2884 wrote to memory of 544	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	43
PID 2884 wrote to memory of 544	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	43
PID 2884 wrote to memory of 544	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	43
PID 2884 wrote to memory of 2080	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	44
PID 2884 wrote to memory of 2080	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	44
PID 2884 wrote to memory of 2080	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	44
PID 2884 wrote to memory of 2080	2884	{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe	44

C:\Users\Admin\AppData\Local\Temp\ec406ab04df18dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ec406ab04df18dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
  C:\Windows\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
    C:\Windows\{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
      C:\Windows\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:324
    - - C:\Windows\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe
        
        C:\Windows\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
        
        C:\Windows\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
        
        C:\Windows\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
        
        C:\Windows\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
        
        C:\Windows\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
        
        C:\Windows\{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
        
        C:\Windows\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe
        
        C:\Windows\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\{C3315A04-BE38-4c41-8960-252843A89697}.exe
        
        C:\Windows\{C3315A04-BE38-4c41-8960-252843A89697}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}.exe
        
        C:\Windows\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}.exe
        14⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3315~1.EXE > nul
        14⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED560~1.EXE > nul
        13⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5931~1.EXE > nul
        12⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD64E~1.EXE > nul
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D6B1~1.EXE > nul
        10⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68CB5~1.EXE > nul
        9⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15CCD~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62C8A~1.EXE > nul
        7⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC74~1.EXE > nul
        6⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07B23~1.EXE > nul
        5⤵
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0098~1.EXE > nul
      4⤵
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2646F~1.EXE > nul
    3⤵
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC406A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe

Filesize
204KB

MD5
75b693d5815ef07781251316192f4f74

SHA1
1782f59f6a04b3f6fc99d124d1727c271a307b6b

SHA256
4ea586228f1e8153ad879fcc71f65e1126abcf035e6fb1fe435bb8c408c21c72

SHA512
8424a21402716c21920289ac996ada9fb065ecc086480a0b0a94c0fdb56013b09fdd84bc4666802efe3f987c4d024b29362d331a075fba45e2caf3993f79461d

Download Submit
C:\Windows\{07B2395A-B811-4b20-B68A-20CEB95CE5BB}.exe

Filesize
204KB

MD5
75b693d5815ef07781251316192f4f74

SHA1
1782f59f6a04b3f6fc99d124d1727c271a307b6b

SHA256
4ea586228f1e8153ad879fcc71f65e1126abcf035e6fb1fe435bb8c408c21c72

SHA512
8424a21402716c21920289ac996ada9fb065ecc086480a0b0a94c0fdb56013b09fdd84bc4666802efe3f987c4d024b29362d331a075fba45e2caf3993f79461d

Download Submit
C:\Windows\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe

Filesize
204KB

MD5
15d5affe2fbe8e633eea5b5cc456f2f3

SHA1
ba52953cd964a40c580148fb0dcbcd94946ba17a

SHA256
d1e4ed4942710b9183cbd1daf4b8faa3a5ced4ed94ad451ce90b37935cda8919

SHA512
c79a362566e29d5ca45c3a5e7d32001f3510b1c96e42221e4f383ddfe6f6aadf08b030f3c6e21ada609cabfab9b119e05a7c4d7bae389f00140f72f4eb46e5a8

Download Submit
C:\Windows\{15CCDF14-D99D-42d0-8C96-6DFC2E460D00}.exe

Filesize
204KB

MD5
15d5affe2fbe8e633eea5b5cc456f2f3

SHA1
ba52953cd964a40c580148fb0dcbcd94946ba17a

SHA256
d1e4ed4942710b9183cbd1daf4b8faa3a5ced4ed94ad451ce90b37935cda8919

SHA512
c79a362566e29d5ca45c3a5e7d32001f3510b1c96e42221e4f383ddfe6f6aadf08b030f3c6e21ada609cabfab9b119e05a7c4d7bae389f00140f72f4eb46e5a8

Download Submit
C:\Windows\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe

Filesize
204KB

MD5
c3823a8c748130d6582cfe3051aaf937

SHA1
80d9fc58b4e9c82ce59f824e07d9f2a6c8cab1d8

SHA256
55c142fc6acd79b23d679e0a8ec0bd1e9f3ff27de1210ab32a2d6767fa0dcc48

SHA512
4a64d68d2e54e7f7decdb9df7e8aee5c601eb7b068fe1b75ad553108d7df39a659ad35035434103abb971ad412f187597cf6ff5d98f49b442965aa68f6d7f446

Download Submit
C:\Windows\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe

Filesize
204KB

MD5
c3823a8c748130d6582cfe3051aaf937

SHA1
80d9fc58b4e9c82ce59f824e07d9f2a6c8cab1d8

SHA256
55c142fc6acd79b23d679e0a8ec0bd1e9f3ff27de1210ab32a2d6767fa0dcc48

SHA512
4a64d68d2e54e7f7decdb9df7e8aee5c601eb7b068fe1b75ad553108d7df39a659ad35035434103abb971ad412f187597cf6ff5d98f49b442965aa68f6d7f446

Download Submit
C:\Windows\{2646F5E9-7081-4781-803E-8FBA9D24D53C}.exe

Filesize
204KB

MD5
c3823a8c748130d6582cfe3051aaf937

SHA1
80d9fc58b4e9c82ce59f824e07d9f2a6c8cab1d8

SHA256
55c142fc6acd79b23d679e0a8ec0bd1e9f3ff27de1210ab32a2d6767fa0dcc48

SHA512
4a64d68d2e54e7f7decdb9df7e8aee5c601eb7b068fe1b75ad553108d7df39a659ad35035434103abb971ad412f187597cf6ff5d98f49b442965aa68f6d7f446

Download Submit
C:\Windows\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe

Filesize
204KB

MD5
a2e3d07d0e9cbb6e0d44714df79060bd

SHA1
4d80d7ff025d8ad3567d00af21ef9499229e6293

SHA256
f6da29b90b1161050b0b38502edc19313918fcbcc05fa62ba0ccc51f589fdcc7

SHA512
20b8c550a213c69c120eb1d2147a3b6680e92f6792b2e9697199bff38327c47cfb85ca5b95495d271883c5f24bd69bb963e4e069efbf895493b5d6b674fa63a4

Download Submit
C:\Windows\{2D6B1F80-B89F-4a7a-81F3-5A9C4565B7C6}.exe

Filesize
204KB

MD5
a2e3d07d0e9cbb6e0d44714df79060bd

SHA1
4d80d7ff025d8ad3567d00af21ef9499229e6293

SHA256
f6da29b90b1161050b0b38502edc19313918fcbcc05fa62ba0ccc51f589fdcc7

SHA512
20b8c550a213c69c120eb1d2147a3b6680e92f6792b2e9697199bff38327c47cfb85ca5b95495d271883c5f24bd69bb963e4e069efbf895493b5d6b674fa63a4

Download Submit
C:\Windows\{37CF1B17-CD2B-4193-AEB3-04357A247C6A}.exe

Filesize
204KB

MD5
063ccfa69a7173251148b72b06d4fda3

SHA1
a55cad7f8dd0bc4d8db6c5d4ae8986cbf48d748e

SHA256
9541b808a347065bd8dbaef5035ae782dab51a3fbe8fa8d8e585de501aafa9ce

SHA512
5cc0fa83890a5f16f9972faaa74bdd776ce2b878ab79cc7db90db606c4535805b31d1a19ca2925bd7dc59092fcc6a266f0dc2991f56b5f800dd58159e0a3a8ad

Download Submit
C:\Windows\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe

Filesize
204KB

MD5
f2bec4373d2377d0a4071d69d8546a4a

SHA1
9e400a44890b3fc10208572afeccb4656eaef55b

SHA256
076904190ace4984ac1fe8c14605784734b1492fcda145be58c2c1593b860f45

SHA512
fea3fca39c99677ede91bd35ddf5abdc2554b0f910013182586dda9f514e7a4c17da9140ec4b66a0921117ddbedc55155d2cff9f84233cd99084d623aa1e8685

Download Submit
C:\Windows\{5AC74D2C-5F58-45c6-9400-1372FAEF2718}.exe

Filesize
204KB

MD5
f2bec4373d2377d0a4071d69d8546a4a

SHA1
9e400a44890b3fc10208572afeccb4656eaef55b

SHA256
076904190ace4984ac1fe8c14605784734b1492fcda145be58c2c1593b860f45

SHA512
fea3fca39c99677ede91bd35ddf5abdc2554b0f910013182586dda9f514e7a4c17da9140ec4b66a0921117ddbedc55155d2cff9f84233cd99084d623aa1e8685

Download Submit
C:\Windows\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe

Filesize
204KB

MD5
9b700ddfd3b79c8a5e80447e249e8cba

SHA1
f9a195af53828f6bd0c3749e0d6ddb19369a331d

SHA256
1a5b3c23553886ba52f9d5ff6b5b9a555387bd8cc373d8078bd769778f193c30

SHA512
cda4f3df657cc896f1dff7eed4d03b2ea404965299b813b45e0395defa13c84585f99d1709476ea641b7afe079cdbb7869e35e0a16694daf2d293ed8653dff59

Download Submit
C:\Windows\{62C8A5E8-9371-4ada-893A-ADB966AEBB79}.exe

Filesize
204KB

MD5
9b700ddfd3b79c8a5e80447e249e8cba

SHA1
f9a195af53828f6bd0c3749e0d6ddb19369a331d

SHA256
1a5b3c23553886ba52f9d5ff6b5b9a555387bd8cc373d8078bd769778f193c30

SHA512
cda4f3df657cc896f1dff7eed4d03b2ea404965299b813b45e0395defa13c84585f99d1709476ea641b7afe079cdbb7869e35e0a16694daf2d293ed8653dff59

Download Submit
C:\Windows\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe

Filesize
204KB

MD5
f7d62fa45e626a03c202aa99aa92ea4f

SHA1
c70f692ad0a5041fa56c67c7bd121cfdeac9392e

SHA256
245fcb680adf7a3dce20fb8678eaf87db76b4aea12890a1481c04ae3929c982c

SHA512
380471495db4b8045e0d3313bca0cbc154fdefb8668efc52eaf42eb7dee5739ea0872a13ede59a2bbdbee5251facd8fc6ba076bd021bc72c1bf7dc505f6e3d81

Download Submit
C:\Windows\{68CB5C1B-7D5A-4084-9334-1F61917E95A3}.exe

Filesize
204KB

MD5
f7d62fa45e626a03c202aa99aa92ea4f

SHA1
c70f692ad0a5041fa56c67c7bd121cfdeac9392e

SHA256
245fcb680adf7a3dce20fb8678eaf87db76b4aea12890a1481c04ae3929c982c

SHA512
380471495db4b8045e0d3313bca0cbc154fdefb8668efc52eaf42eb7dee5739ea0872a13ede59a2bbdbee5251facd8fc6ba076bd021bc72c1bf7dc505f6e3d81

Download Submit
C:\Windows\{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe

Filesize
204KB

MD5
71dadedfaf8780e037d42df3ff483fa8

SHA1
2ae7a46c00fd6195e926b9f7b93c7c8a8634e74f

SHA256
6e8fa152d908471715783eedd9f0345c8972032cff19bdac00ab3b2785b1675d

SHA512
efe8eaaee9b58bcaebf1a0b2f812ba7cf4ee6093252b68ba9865abff316bef530c3a6541b2c860cc2b37a207f65a2fca70ab8940cf988a171c029704305006f2

Download Submit
C:\Windows\{C0098312-51DE-4284-A1ED-8037C5D73E70}.exe

Filesize
204KB

MD5
71dadedfaf8780e037d42df3ff483fa8

SHA1
2ae7a46c00fd6195e926b9f7b93c7c8a8634e74f

SHA256
6e8fa152d908471715783eedd9f0345c8972032cff19bdac00ab3b2785b1675d

SHA512
efe8eaaee9b58bcaebf1a0b2f812ba7cf4ee6093252b68ba9865abff316bef530c3a6541b2c860cc2b37a207f65a2fca70ab8940cf988a171c029704305006f2

Download Submit
C:\Windows\{C3315A04-BE38-4c41-8960-252843A89697}.exe

Filesize
204KB

MD5
0b2289a12b08f0faf9df7734255df570

SHA1
9bffa0c0c9cf408befa5eaef30e380df14ff6af5

SHA256
c53dc99eb6246f3865546ef0f3db8e4df3403cc413c994dc1b26b2a0625d28db

SHA512
a9fe8993687bcb7a88520f1113db27fd412a627b0fcd508d483c6c3dd8c3ae31f010b5a859745b2b43ea21032f69256e5f4d3b15b4a6901520baa379bad58d2b

Download Submit
C:\Windows\{C3315A04-BE38-4c41-8960-252843A89697}.exe

Filesize
204KB

MD5
0b2289a12b08f0faf9df7734255df570

SHA1
9bffa0c0c9cf408befa5eaef30e380df14ff6af5

SHA256
c53dc99eb6246f3865546ef0f3db8e4df3403cc413c994dc1b26b2a0625d28db

SHA512
a9fe8993687bcb7a88520f1113db27fd412a627b0fcd508d483c6c3dd8c3ae31f010b5a859745b2b43ea21032f69256e5f4d3b15b4a6901520baa379bad58d2b

Download Submit
C:\Windows\{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe

Filesize
204KB

MD5
cce3da9736247249c7cb7cae592e01d3

SHA1
63541b583b206d4a9d4dacdaeaaa555875185b67

SHA256
403067a46f1b0b5d0539e61681e860ad99660976fa4c18d60cc8adfb11b35d97

SHA512
9f47622a6aee26d0008fca357ffc8b14bca5b4ea9e5ae59e1ee5a084067d025ce2048b030f8952b1fb87cbe57550882b4c6688e88c8ed7c4919ecb8e5e395142

Download Submit
C:\Windows\{CD64E63D-B468-4e53-B201-A998EDAC6696}.exe

Filesize
204KB

MD5
cce3da9736247249c7cb7cae592e01d3

SHA1
63541b583b206d4a9d4dacdaeaaa555875185b67

SHA256
403067a46f1b0b5d0539e61681e860ad99660976fa4c18d60cc8adfb11b35d97

SHA512
9f47622a6aee26d0008fca357ffc8b14bca5b4ea9e5ae59e1ee5a084067d025ce2048b030f8952b1fb87cbe57550882b4c6688e88c8ed7c4919ecb8e5e395142

Download Submit
C:\Windows\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe

Filesize
204KB

MD5
571b579e8ec55c8c9cf1a02cb70eb078

SHA1
6c9f7fa56d9bd1ef4ef3a76e9c5a2b779ec546e6

SHA256
4271579248db545366f0af1eb39ee1f9255f73eccc35252c2d59dc6e56bc0458

SHA512
c1ca1dce4c088415c4a70679c7e36a5a21cc039e9ae84fd4f0625ac4dde75ce4a9fa74ddab33593585b7fc2293ab0fbe8f25f98f8df0b052916cc8ec9342d5c7

Download Submit
C:\Windows\{E59313A8-59CF-45e4-8AEE-0DB4C3E802EF}.exe

Filesize
204KB

MD5
571b579e8ec55c8c9cf1a02cb70eb078

SHA1
6c9f7fa56d9bd1ef4ef3a76e9c5a2b779ec546e6

SHA256
4271579248db545366f0af1eb39ee1f9255f73eccc35252c2d59dc6e56bc0458

SHA512
c1ca1dce4c088415c4a70679c7e36a5a21cc039e9ae84fd4f0625ac4dde75ce4a9fa74ddab33593585b7fc2293ab0fbe8f25f98f8df0b052916cc8ec9342d5c7

Download Submit
C:\Windows\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe

Filesize
204KB

MD5
aef82174062bc055c679bd8375180208

SHA1
3d1c6f1b17e009c3cf63dcb35f899f46e66ba4df

SHA256
bc752046647d77ae46442c32c9443d5225fc0b9e4c559b1b523b3117266a1895

SHA512
e56a63ac1e31216ba19940449e7699055909a6e44fe17b7df08f0f27befbde87b40c5926446575e230ef6d865db91afc3b5e2316462f25ccabeee4950c445c3c

Download Submit
C:\Windows\{ED5602B9-C05A-468d-A9F2-D5F86E1055E7}.exe

Filesize
204KB

MD5
aef82174062bc055c679bd8375180208

SHA1
3d1c6f1b17e009c3cf63dcb35f899f46e66ba4df

SHA256
bc752046647d77ae46442c32c9443d5225fc0b9e4c559b1b523b3117266a1895

SHA512
e56a63ac1e31216ba19940449e7699055909a6e44fe17b7df08f0f27befbde87b40c5926446575e230ef6d865db91afc3b5e2316462f25ccabeee4950c445c3c

Download Submit