21dba26cc379b9826f4a08ed80dcbcf4c0a148a649da3d9c917949ccba93b759

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec406ab04df18dexeexeexeex.exe
Size

204KB
MD5

ec406ab04df18d077b87ea5aa547b4bf
SHA1

d7a64c631fd172c1f09c1454c1d7422fd9c37579
SHA256

21dba26cc379b9826f4a08ed80dcbcf4c0a148a649da3d9c917949ccba93b759
SHA512

9efcbf1079b4429cd44b295301479d47ab19c60aaab8d30e94f2a259f0b473d0ca6c7e10f2e408847ae08d42f9030d999a14d8a27a5b37f188290d29c1b69a2e
SSDEEP

1536:1EGh0oil15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oil1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE0A9A2-5734-49dc-B89A-6113250C3260}	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92C379F0-D8F3-44e7-85EE-383DD053898C}	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01810165-2C12-4cae-850D-1AE1E90AEA15}	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}\stubpath = "C:\\Windows\\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe"	{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}\stubpath = "C:\\Windows\\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe"	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}\stubpath = "C:\\Windows\\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe"	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E83EA3-D83E-4f38-926D-A663B78572ED}	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97798128-97D2-4292-A75C-3F325C4A49F6}	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ABB0002-353C-4967-B6FF-201C3F3618A4}\stubpath = "C:\\Windows\\{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe"	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}	ec406ab04df18dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}\stubpath = "C:\\Windows\\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe"	ec406ab04df18dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}\stubpath = "C:\\Windows\\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe"	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}\stubpath = "C:\\Windows\\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe"	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97798128-97D2-4292-A75C-3F325C4A49F6}\stubpath = "C:\\Windows\\{97798128-97D2-4292-A75C-3F325C4A49F6}.exe"	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01810165-2C12-4cae-850D-1AE1E90AEA15}\stubpath = "C:\\Windows\\{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe"	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE0A9A2-5734-49dc-B89A-6113250C3260}\stubpath = "C:\\Windows\\{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe"	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E83EA3-D83E-4f38-926D-A663B78572ED}\stubpath = "C:\\Windows\\{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe"	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92C379F0-D8F3-44e7-85EE-383DD053898C}\stubpath = "C:\\Windows\\{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe"	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ABB0002-353C-4967-B6FF-201C3F3618A4}	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}	{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe

Executes dropped EXE 12 IoCs

pid	Process
2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
2184	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe
3464	{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe
3096	{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
File created	C:\Windows\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
File created	C:\Windows\{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
File created	C:\Windows\{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
File created	C:\Windows\{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
File created	C:\Windows\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe	{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe
File created	C:\Windows\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	ec406ab04df18dexeexeexeex.exe
File created	C:\Windows\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
File created	C:\Windows\{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
File created	C:\Windows\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
File created	C:\Windows\{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
File created	C:\Windows\{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4736	ec406ab04df18dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
Token: SeIncBasePriorityPrivilege	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
Token: SeIncBasePriorityPrivilege	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
Token: SeIncBasePriorityPrivilege	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
Token: SeIncBasePriorityPrivilege	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
Token: SeIncBasePriorityPrivilege	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
Token: SeIncBasePriorityPrivilege	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
Token: SeIncBasePriorityPrivilege	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
Token: SeIncBasePriorityPrivilege	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
Token: SeIncBasePriorityPrivilege	2184	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe
Token: SeIncBasePriorityPrivilege	3464	{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2272	4736	ec406ab04df18dexeexeexeex.exe	93
PID 4736 wrote to memory of 2272	4736	ec406ab04df18dexeexeexeex.exe	93
PID 4736 wrote to memory of 2272	4736	ec406ab04df18dexeexeexeex.exe	93
PID 4736 wrote to memory of 4444	4736	ec406ab04df18dexeexeexeex.exe	94
PID 4736 wrote to memory of 4444	4736	ec406ab04df18dexeexeexeex.exe	94
PID 4736 wrote to memory of 4444	4736	ec406ab04df18dexeexeexeex.exe	94
PID 2272 wrote to memory of 740	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	99
PID 2272 wrote to memory of 740	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	99
PID 2272 wrote to memory of 740	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	99
PID 2272 wrote to memory of 1088	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	98
PID 2272 wrote to memory of 1088	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	98
PID 2272 wrote to memory of 1088	2272	{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe	98
PID 740 wrote to memory of 548	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	102
PID 740 wrote to memory of 548	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	102
PID 740 wrote to memory of 548	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	102
PID 740 wrote to memory of 1824	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	101
PID 740 wrote to memory of 1824	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	101
PID 740 wrote to memory of 1824	740	{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe	101
PID 548 wrote to memory of 2356	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	103
PID 548 wrote to memory of 2356	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	103
PID 548 wrote to memory of 2356	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	103
PID 548 wrote to memory of 3788	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	104
PID 548 wrote to memory of 3788	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	104
PID 548 wrote to memory of 3788	548	{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe	104
PID 2356 wrote to memory of 5060	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	105
PID 2356 wrote to memory of 5060	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	105
PID 2356 wrote to memory of 5060	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	105
PID 2356 wrote to memory of 336	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	106
PID 2356 wrote to memory of 336	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	106
PID 2356 wrote to memory of 336	2356	{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe	106
PID 5060 wrote to memory of 4820	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	107
PID 5060 wrote to memory of 4820	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	107
PID 5060 wrote to memory of 4820	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	107
PID 5060 wrote to memory of 3364	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	108
PID 5060 wrote to memory of 3364	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	108
PID 5060 wrote to memory of 3364	5060	{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe	108
PID 4820 wrote to memory of 4164	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	109
PID 4820 wrote to memory of 4164	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	109
PID 4820 wrote to memory of 4164	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	109
PID 4820 wrote to memory of 1876	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	110
PID 4820 wrote to memory of 1876	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	110
PID 4820 wrote to memory of 1876	4820	{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe	110
PID 4164 wrote to memory of 3612	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	111
PID 4164 wrote to memory of 3612	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	111
PID 4164 wrote to memory of 3612	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	111
PID 4164 wrote to memory of 2448	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	112
PID 4164 wrote to memory of 2448	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	112
PID 4164 wrote to memory of 2448	4164	{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe	112
PID 3612 wrote to memory of 4688	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	113
PID 3612 wrote to memory of 4688	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	113
PID 3612 wrote to memory of 4688	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	113
PID 3612 wrote to memory of 2552	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	114
PID 3612 wrote to memory of 2552	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	114
PID 3612 wrote to memory of 2552	3612	{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe	114
PID 4688 wrote to memory of 2184	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	115
PID 4688 wrote to memory of 2184	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	115
PID 4688 wrote to memory of 2184	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	115
PID 4688 wrote to memory of 1900	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	116
PID 4688 wrote to memory of 1900	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	116
PID 4688 wrote to memory of 1900	4688	{97798128-97D2-4292-A75C-3F325C4A49F6}.exe	116
PID 2184 wrote to memory of 3464	2184	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe	117
PID 2184 wrote to memory of 3464	2184	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe	117
PID 2184 wrote to memory of 3464	2184	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe	117
PID 2184 wrote to memory of 3504	2184	{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe	118

C:\Users\Admin\AppData\Local\Temp\ec406ab04df18dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ec406ab04df18dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
  C:\Windows\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{995D2~1.EXE > nul
    3⤵
    PID:1088
- - C:\Windows\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
    C:\Windows\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E06E~1.EXE > nul
      4⤵
      PID:1824
  - - C:\Windows\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
      C:\Windows\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
        
        C:\Windows\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
        
        C:\Windows\{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
        
        C:\Windows\{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
        
        C:\Windows\{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
        
        C:\Windows\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
        
        C:\Windows\{97798128-97D2-4292-A75C-3F325C4A49F6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe
        
        C:\Windows\{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe
        
        C:\Windows\{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Windows\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe
        
        C:\Windows\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ABB0~1.EXE > nul
        13⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01810~1.EXE > nul
        12⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97798~1.EXE > nul
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D11F~1.EXE > nul
        10⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92C37~1.EXE > nul
        9⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E83~1.EXE > nul
        8⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE0A~1.EXE > nul
        7⤵
        
        PID:3364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D23C5~1.EXE > nul
        6⤵
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90B34~1.EXE > nul
        5⤵
        
        PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC406A~1.EXE > nul
  2⤵
  PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe

Filesize
204KB

MD5
08f9da23c98820a55898ed5cc302f8c0

SHA1
f4a36726e99f58878758687008ea760b951374df

SHA256
7868b3f0af6f7732eed0451e66542f24e73ebc714d9c114a92c0b9384906de53

SHA512
4859d99e67f245b6354d670420e03349e796ea34cd609330a109608b1640ca47815abc7611548f1c2e3ba876d5e05b2897897a23399a520dc4517bf7e1ce933f

Download Submit
C:\Windows\{01810165-2C12-4cae-850D-1AE1E90AEA15}.exe

Filesize
204KB

MD5
08f9da23c98820a55898ed5cc302f8c0

SHA1
f4a36726e99f58878758687008ea760b951374df

SHA256
7868b3f0af6f7732eed0451e66542f24e73ebc714d9c114a92c0b9384906de53

SHA512
4859d99e67f245b6354d670420e03349e796ea34cd609330a109608b1640ca47815abc7611548f1c2e3ba876d5e05b2897897a23399a520dc4517bf7e1ce933f

Download Submit
C:\Windows\{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe

Filesize
204KB

MD5
282fba133ab2d4c34fd90b97e82d95a7

SHA1
4508622a5a01a729771ee05ab73e0c764e6e80f1

SHA256
e3eee825cc7f56eb05fe30f3174820c7b9557ef1ce660e3060c8249b13b0fb7b

SHA512
f95da2e2ca1e9490e490322787b4a5eadabc32381c8a677be3102a310dd0f89fc05c8b0d29f93115721132335d500fde7ee70ae078398a02dd3179fbd04c06be

Download Submit
C:\Windows\{4ABB0002-353C-4967-B6FF-201C3F3618A4}.exe

Filesize
204KB

MD5
282fba133ab2d4c34fd90b97e82d95a7

SHA1
4508622a5a01a729771ee05ab73e0c764e6e80f1

SHA256
e3eee825cc7f56eb05fe30f3174820c7b9557ef1ce660e3060c8249b13b0fb7b

SHA512
f95da2e2ca1e9490e490322787b4a5eadabc32381c8a677be3102a310dd0f89fc05c8b0d29f93115721132335d500fde7ee70ae078398a02dd3179fbd04c06be

Download Submit
C:\Windows\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe

Filesize
204KB

MD5
c721cdcae6cf77fcff538fc77816883f

SHA1
cacfc01afb87e99ba42a4c92bd646436f0447472

SHA256
626779e752bfd800397b4acab5874cc6af86f2af63b924af2265b17a8c53ce58

SHA512
01b728029459b9c2da32335529051972a7c587cfb8baa4c32c3a2ad21519f0e3b585b227ffe9a880417f009977e203370f327a6fb9286364d57e529963606fab

Download Submit
C:\Windows\{4E06EF2D-7CB6-40b9-83F6-C9E3995AA080}.exe

Filesize
204KB

MD5
c721cdcae6cf77fcff538fc77816883f

SHA1
cacfc01afb87e99ba42a4c92bd646436f0447472

SHA256
626779e752bfd800397b4acab5874cc6af86f2af63b924af2265b17a8c53ce58

SHA512
01b728029459b9c2da32335529051972a7c587cfb8baa4c32c3a2ad21519f0e3b585b227ffe9a880417f009977e203370f327a6fb9286364d57e529963606fab

Download Submit
C:\Windows\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe

Filesize
204KB

MD5
d68ce6f864089839014e43ff31972b93

SHA1
a9e89437bf9cec333efac0150c83ebe84b8b487d

SHA256
ad23de3b92b6c6b42d5a358f15984961b535e406fe323edc62ee1561c8fac456

SHA512
fc2a2c19ac099f4c0cca44531e50f74f49b56da9e121d24675b2d2c4ce0e926b7aea28ee5af34a87404c5790205d6b41b6ebe8485f260d5864517702a8069de1

Download Submit
C:\Windows\{5D11FC46-EF8B-4433-BE1D-88FC7C7F57B9}.exe

Filesize
204KB

MD5
d68ce6f864089839014e43ff31972b93

SHA1
a9e89437bf9cec333efac0150c83ebe84b8b487d

SHA256
ad23de3b92b6c6b42d5a358f15984961b535e406fe323edc62ee1561c8fac456

SHA512
fc2a2c19ac099f4c0cca44531e50f74f49b56da9e121d24675b2d2c4ce0e926b7aea28ee5af34a87404c5790205d6b41b6ebe8485f260d5864517702a8069de1

Download Submit
C:\Windows\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe

Filesize
204KB

MD5
5511c506fee79e1522a42829e9dbd078

SHA1
b9ee7490f2580454b16705ae308ab4afadb02d66

SHA256
18a6f0433963e249eaa88af410e649d56f904217ac8df3eb9133e508e32f6abc

SHA512
b3dbb83df423ff939f022b9f1aacb0112e40d4b3d7c106a318f040d70e414345e7fe27549327f11afd2a31192a1fcd871eaf987ff41e2b36bd1f48b571d8227a

Download Submit
C:\Windows\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe

Filesize
204KB

MD5
5511c506fee79e1522a42829e9dbd078

SHA1
b9ee7490f2580454b16705ae308ab4afadb02d66

SHA256
18a6f0433963e249eaa88af410e649d56f904217ac8df3eb9133e508e32f6abc

SHA512
b3dbb83df423ff939f022b9f1aacb0112e40d4b3d7c106a318f040d70e414345e7fe27549327f11afd2a31192a1fcd871eaf987ff41e2b36bd1f48b571d8227a

Download Submit
C:\Windows\{90B345BA-E8A1-475f-B1E2-C2E5A73E2CE9}.exe

Filesize
204KB

MD5
5511c506fee79e1522a42829e9dbd078

SHA1
b9ee7490f2580454b16705ae308ab4afadb02d66

SHA256
18a6f0433963e249eaa88af410e649d56f904217ac8df3eb9133e508e32f6abc

SHA512
b3dbb83df423ff939f022b9f1aacb0112e40d4b3d7c106a318f040d70e414345e7fe27549327f11afd2a31192a1fcd871eaf987ff41e2b36bd1f48b571d8227a

Download Submit
C:\Windows\{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe

Filesize
204KB

MD5
cc55c5ac2c8f08734f070327cf5890d5

SHA1
8c14e84b4fd4aa18d6b3ea0f5dae648cfa4bc1a5

SHA256
ff20a89085115ea32a9be449f2236767a0a6fb8c7fd501f406794879195bb132

SHA512
a3862736851dbc4f870d9c1ce9141adc4cf0d76166e3dfb062ebc88a85df41dcd72b0ff8275b6c1fc23e04f0137ddfb5be3961d5338b2eeed915379f8c7a04d6

Download Submit
C:\Windows\{92C379F0-D8F3-44e7-85EE-383DD053898C}.exe

Filesize
204KB

MD5
cc55c5ac2c8f08734f070327cf5890d5

SHA1
8c14e84b4fd4aa18d6b3ea0f5dae648cfa4bc1a5

SHA256
ff20a89085115ea32a9be449f2236767a0a6fb8c7fd501f406794879195bb132

SHA512
a3862736851dbc4f870d9c1ce9141adc4cf0d76166e3dfb062ebc88a85df41dcd72b0ff8275b6c1fc23e04f0137ddfb5be3961d5338b2eeed915379f8c7a04d6

Download Submit
C:\Windows\{97798128-97D2-4292-A75C-3F325C4A49F6}.exe

Filesize
204KB

MD5
3fdc7625c9937e05a75503406ec03c18

SHA1
7b78be1260ddf59e8d4928204d07058e4f1b3b75

SHA256
8fe9d950b116a1671cf69837087507707d8b89af4a72d46130377bb3c5b4b510

SHA512
8053501e8d3f34ca8b6129c115f7ea99faaaa660c109c41b92a990c7675bd2b797a811908729283b6f103241a7715122a6b389e208318d414639437463fc3c83

Download Submit
C:\Windows\{97798128-97D2-4292-A75C-3F325C4A49F6}.exe

Filesize
204KB

MD5
3fdc7625c9937e05a75503406ec03c18

SHA1
7b78be1260ddf59e8d4928204d07058e4f1b3b75

SHA256
8fe9d950b116a1671cf69837087507707d8b89af4a72d46130377bb3c5b4b510

SHA512
8053501e8d3f34ca8b6129c115f7ea99faaaa660c109c41b92a990c7675bd2b797a811908729283b6f103241a7715122a6b389e208318d414639437463fc3c83

Download Submit
C:\Windows\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe

Filesize
204KB

MD5
b8d653ad1d373a2f770bf9f456e382f2

SHA1
f83cbc1e624eaeef978fc1251dd15dc3f9b1af23

SHA256
cb6732d0c150801623bcaaf8ad206f6262e9c99c79125f171cf986188d557040

SHA512
0c4d9304eb023375d3a6d792a4e36fd749e5a8ed72d89b790f5a00bcf92b655cb27e7f69a1ebda87bc05637a4484ac403c577e94e3c02258aa91dcb3a2f58066

Download Submit
C:\Windows\{995D2EEF-D7FE-4b8e-84FC-EC915CB3E556}.exe

Filesize
204KB

MD5
b8d653ad1d373a2f770bf9f456e382f2

SHA1
f83cbc1e624eaeef978fc1251dd15dc3f9b1af23

SHA256
cb6732d0c150801623bcaaf8ad206f6262e9c99c79125f171cf986188d557040

SHA512
0c4d9304eb023375d3a6d792a4e36fd749e5a8ed72d89b790f5a00bcf92b655cb27e7f69a1ebda87bc05637a4484ac403c577e94e3c02258aa91dcb3a2f58066

Download Submit
C:\Windows\{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe

Filesize
204KB

MD5
546728bdd88bda321bb683e16e33264b

SHA1
42374e3c18a893504d33f3cca1f893de905aeea1

SHA256
bc81558c8c6c963a13d6c576c772db3f776e6fea7f4b26d16134716b4069b9fe

SHA512
40cf4f0a68dea491139a6b6f311c96c486ad06d5f8fc1eb9b44d6a1ed2f75df996027d10dd9ea2f3e09d4190178b88f55adc9f5169a197f92ab09c6ffa75a69e

Download Submit
C:\Windows\{A7E83EA3-D83E-4f38-926D-A663B78572ED}.exe

Filesize
204KB

MD5
546728bdd88bda321bb683e16e33264b

SHA1
42374e3c18a893504d33f3cca1f893de905aeea1

SHA256
bc81558c8c6c963a13d6c576c772db3f776e6fea7f4b26d16134716b4069b9fe

SHA512
40cf4f0a68dea491139a6b6f311c96c486ad06d5f8fc1eb9b44d6a1ed2f75df996027d10dd9ea2f3e09d4190178b88f55adc9f5169a197f92ab09c6ffa75a69e

Download Submit
C:\Windows\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe

Filesize
204KB

MD5
f8ca1437dc8cd38bf908e5403bc32c94

SHA1
37418378f065acc55d32a625870022df0bb07849

SHA256
473808b305e5593a7c186f70d26026c328741fa041cb61a65ed6bd256df49dfb

SHA512
70b2094960f72d8cf6e037708eb434b3de2a833957bd1ed86de48f3eaece05ae052d8180023e90fe307538ae7e4a2b8069c3022a7d23366bea0888f32545e795

Download Submit
C:\Windows\{BB3071DA-C8CD-4e99-A7DC-CCBDE24EE5AA}.exe

Filesize
204KB

MD5
f8ca1437dc8cd38bf908e5403bc32c94

SHA1
37418378f065acc55d32a625870022df0bb07849

SHA256
473808b305e5593a7c186f70d26026c328741fa041cb61a65ed6bd256df49dfb

SHA512
70b2094960f72d8cf6e037708eb434b3de2a833957bd1ed86de48f3eaece05ae052d8180023e90fe307538ae7e4a2b8069c3022a7d23366bea0888f32545e795

Download Submit
C:\Windows\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe

Filesize
204KB

MD5
521f8ae832dde3e6459ada48d4657586

SHA1
db8270a31257a9a9aee61745aa39278056be6f8e

SHA256
75d1cb6857f0445bda0442d8491ea90b1c62dac0cbb0f0792a4cac0c77c7e657

SHA512
19308345988a7228aa8d8b56e1b91d02c77cb2a9fa939eac4b826a47729068921429f563ba671e64c1518ad4cae8bad227eba1f99c81a3821be60c28b9e837b4

Download Submit
C:\Windows\{D23C5691-FE88-4f14-B039-4DCF07CB1B3C}.exe

Filesize
204KB

MD5
521f8ae832dde3e6459ada48d4657586

SHA1
db8270a31257a9a9aee61745aa39278056be6f8e

SHA256
75d1cb6857f0445bda0442d8491ea90b1c62dac0cbb0f0792a4cac0c77c7e657

SHA512
19308345988a7228aa8d8b56e1b91d02c77cb2a9fa939eac4b826a47729068921429f563ba671e64c1518ad4cae8bad227eba1f99c81a3821be60c28b9e837b4

Download Submit
C:\Windows\{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe

Filesize
204KB

MD5
05effe5ee61edc0049afab7249dff97c

SHA1
66b9789366552e385141f15889b92cdc793251a4

SHA256
5b82ada43cdbc1f614a07fca5e75df8562f70ea8f6a15899e49d4b8f0cb374ee

SHA512
036e0b133b442b2de12871d577a01293a2241d7418094f3524d09127e1edd74ea2aba3299e3b4088ad2ad42ba9ec43eac97a24e9bdb18d7ee6b78579363143d8

Download Submit
C:\Windows\{FEE0A9A2-5734-49dc-B89A-6113250C3260}.exe

Filesize
204KB

MD5
05effe5ee61edc0049afab7249dff97c

SHA1
66b9789366552e385141f15889b92cdc793251a4

SHA256
5b82ada43cdbc1f614a07fca5e75df8562f70ea8f6a15899e49d4b8f0cb374ee

SHA512
036e0b133b442b2de12871d577a01293a2241d7418094f3524d09127e1edd74ea2aba3299e3b4088ad2ad42ba9ec43eac97a24e9bdb18d7ee6b78579363143d8

Download Submit