677bf52adde8759ee8f4998029f615015b50a0291c8dce3300ae03e121e01e3f

Analysis

max time kernel
144s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec5d9a3c116ac4exeexeexeex.exe
Size

204KB
MD5

ec5d9a3c116ac4621536d47bcd78d33c
SHA1

f1aa9b558f7b3f0ab22f8ab11fa5b8cfee072471
SHA256

677bf52adde8759ee8f4998029f615015b50a0291c8dce3300ae03e121e01e3f
SHA512

281300be75c854a7745d07c898761a686ec7cabaf6691dcb42e54efc4ed6415d96cb8c0322062391abc3dd4534d9c81e0ee7d81850593fff565f9e6a3868d106
SSDEEP

1536:1EGh0oql15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oql1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91CB760A-B854-4b3a-949F-356DA754586D}\stubpath = "C:\\Windows\\{91CB760A-B854-4b3a-949F-356DA754586D}.exe"	ec5d9a3c116ac4exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37648057-C21D-43b8-9240-5E98E2234BD2}	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}	{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCB2851E-0AAC-4095-A31B-EF937699A182}	{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457295F1-5048-45f0-B24A-6349963BF7B8}	{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A389EC64-7222-42ca-83D6-861325384CED}	{91CB760A-B854-4b3a-949F-356DA754586D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A389EC64-7222-42ca-83D6-861325384CED}\stubpath = "C:\\Windows\\{A389EC64-7222-42ca-83D6-861325384CED}.exe"	{91CB760A-B854-4b3a-949F-356DA754586D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}\stubpath = "C:\\Windows\\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe"	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}\stubpath = "C:\\Windows\\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe"	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}\stubpath = "C:\\Windows\\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe"	{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}	{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91CB760A-B854-4b3a-949F-356DA754586D}	ec5d9a3c116ac4exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}\stubpath = "C:\\Windows\\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe"	{A389EC64-7222-42ca-83D6-861325384CED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E911FAB9-0529-44cb-9028-F9D66F27A82D}	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37648057-C21D-43b8-9240-5E98E2234BD2}\stubpath = "C:\\Windows\\{37648057-C21D-43b8-9240-5E98E2234BD2}.exe"	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}\stubpath = "C:\\Windows\\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe"	{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457295F1-5048-45f0-B24A-6349963BF7B8}\stubpath = "C:\\Windows\\{457295F1-5048-45f0-B24A-6349963BF7B8}.exe"	{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCB2851E-0AAC-4095-A31B-EF937699A182}\stubpath = "C:\\Windows\\{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe"	{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}	{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}	{A389EC64-7222-42ca-83D6-861325384CED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}\stubpath = "C:\\Windows\\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe"	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E911FAB9-0529-44cb-9028-F9D66F27A82D}\stubpath = "C:\\Windows\\{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe"	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}\stubpath = "C:\\Windows\\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}.exe"	{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe

Deletes itself 1 IoCs

pid	Process
276	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe
2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe
2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
2120	{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
2556	{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
2788	{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
2652	{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
2608	{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe
2612	{9D21DFEB-5E90-4e81-9EC4-65B23058E879}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe	{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
File created	C:\Windows\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	{A389EC64-7222-42ca-83D6-861325384CED}.exe
File created	C:\Windows\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
File created	C:\Windows\{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
File created	C:\Windows\{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
File created	C:\Windows\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
File created	C:\Windows\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
File created	C:\Windows\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe	{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
File created	C:\Windows\{457295F1-5048-45f0-B24A-6349963BF7B8}.exe	{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
File created	C:\Windows\{91CB760A-B854-4b3a-949F-356DA754586D}.exe	ec5d9a3c116ac4exeexeexeex.exe
File created	C:\Windows\{A389EC64-7222-42ca-83D6-861325384CED}.exe	{91CB760A-B854-4b3a-949F-356DA754586D}.exe
File created	C:\Windows\{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe	{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
File created	C:\Windows\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}.exe	{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2020	ec5d9a3c116ac4exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe
Token: SeIncBasePriorityPrivilege	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe
Token: SeIncBasePriorityPrivilege	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
Token: SeIncBasePriorityPrivilege	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
Token: SeIncBasePriorityPrivilege	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
Token: SeIncBasePriorityPrivilege	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
Token: SeIncBasePriorityPrivilege	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
Token: SeIncBasePriorityPrivilege	2120	{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
Token: SeIncBasePriorityPrivilege	2556	{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
Token: SeIncBasePriorityPrivilege	2788	{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
Token: SeIncBasePriorityPrivilege	2652	{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
Token: SeIncBasePriorityPrivilege	2608	{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2324	2020	ec5d9a3c116ac4exeexeexeex.exe	29
PID 2020 wrote to memory of 2324	2020	ec5d9a3c116ac4exeexeexeex.exe	29
PID 2020 wrote to memory of 2324	2020	ec5d9a3c116ac4exeexeexeex.exe	29
PID 2020 wrote to memory of 2324	2020	ec5d9a3c116ac4exeexeexeex.exe	29
PID 2020 wrote to memory of 276	2020	ec5d9a3c116ac4exeexeexeex.exe	30
PID 2020 wrote to memory of 276	2020	ec5d9a3c116ac4exeexeexeex.exe	30
PID 2020 wrote to memory of 276	2020	ec5d9a3c116ac4exeexeexeex.exe	30
PID 2020 wrote to memory of 276	2020	ec5d9a3c116ac4exeexeexeex.exe	30
PID 2324 wrote to memory of 2412	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	31
PID 2324 wrote to memory of 2412	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	31
PID 2324 wrote to memory of 2412	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	31
PID 2324 wrote to memory of 2412	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	31
PID 2324 wrote to memory of 2908	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	32
PID 2324 wrote to memory of 2908	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	32
PID 2324 wrote to memory of 2908	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	32
PID 2324 wrote to memory of 2908	2324	{91CB760A-B854-4b3a-949F-356DA754586D}.exe	32
PID 2412 wrote to memory of 2924	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	33
PID 2412 wrote to memory of 2924	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	33
PID 2412 wrote to memory of 2924	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	33
PID 2412 wrote to memory of 2924	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	33
PID 2412 wrote to memory of 2996	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	34
PID 2412 wrote to memory of 2996	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	34
PID 2412 wrote to memory of 2996	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	34
PID 2412 wrote to memory of 2996	2412	{A389EC64-7222-42ca-83D6-861325384CED}.exe	34
PID 2924 wrote to memory of 876	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	36
PID 2924 wrote to memory of 876	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	36
PID 2924 wrote to memory of 876	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	36
PID 2924 wrote to memory of 876	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	36
PID 2924 wrote to memory of 1396	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	35
PID 2924 wrote to memory of 1396	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	35
PID 2924 wrote to memory of 1396	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	35
PID 2924 wrote to memory of 1396	2924	{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe	35
PID 876 wrote to memory of 2260	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	38
PID 876 wrote to memory of 2260	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	38
PID 876 wrote to memory of 2260	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	38
PID 876 wrote to memory of 2260	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	38
PID 876 wrote to memory of 2032	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	37
PID 876 wrote to memory of 2032	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	37
PID 876 wrote to memory of 2032	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	37
PID 876 wrote to memory of 2032	876	{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe	37
PID 2260 wrote to memory of 2080	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	40
PID 2260 wrote to memory of 2080	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	40
PID 2260 wrote to memory of 2080	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	40
PID 2260 wrote to memory of 2080	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	40
PID 2260 wrote to memory of 2204	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	39
PID 2260 wrote to memory of 2204	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	39
PID 2260 wrote to memory of 2204	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	39
PID 2260 wrote to memory of 2204	2260	{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe	39
PID 2080 wrote to memory of 980	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	42
PID 2080 wrote to memory of 980	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	42
PID 2080 wrote to memory of 980	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	42
PID 2080 wrote to memory of 980	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	42
PID 2080 wrote to memory of 2864	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	41
PID 2080 wrote to memory of 2864	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	41
PID 2080 wrote to memory of 2864	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	41
PID 2080 wrote to memory of 2864	2080	{37648057-C21D-43b8-9240-5E98E2234BD2}.exe	41
PID 980 wrote to memory of 2120	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	43
PID 980 wrote to memory of 2120	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	43
PID 980 wrote to memory of 2120	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	43
PID 980 wrote to memory of 2120	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	43
PID 980 wrote to memory of 2224	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	44
PID 980 wrote to memory of 2224	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	44
PID 980 wrote to memory of 2224	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	44
PID 980 wrote to memory of 2224	980	{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe	44

C:\Users\Admin\AppData\Local\Temp\ec5d9a3c116ac4exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ec5d9a3c116ac4exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\{91CB760A-B854-4b3a-949F-356DA754586D}.exe
  C:\Windows\{91CB760A-B854-4b3a-949F-356DA754586D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\{A389EC64-7222-42ca-83D6-861325384CED}.exe
    C:\Windows\{A389EC64-7222-42ca-83D6-861325384CED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
      C:\Windows\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9CC4~1.EXE > nul
        5⤵
        
        PID:1396
    - - C:\Windows\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
        
        C:\Windows\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3070F~1.EXE > nul
        6⤵
        
        PID:2032
      - C:\Windows\{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
        
        C:\Windows\{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E911F~1.EXE > nul
        7⤵
        
        PID:2204
        
        C:\Windows\{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
        
        C:\Windows\{37648057-C21D-43b8-9240-5E98E2234BD2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37648~1.EXE > nul
        8⤵
        
        PID:2864
        
        C:\Windows\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
        
        C:\Windows\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
        
        C:\Windows\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
        
        C:\Windows\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BD59~1.EXE > nul
        11⤵
        
        PID:2572
        
        C:\Windows\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
        
        C:\Windows\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
        
        C:\Windows\{457295F1-5048-45f0-B24A-6349963BF7B8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe
        
        C:\Windows\{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}.exe
        
        C:\Windows\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}.exe
        14⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCB28~1.EXE > nul
        14⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45729~1.EXE > nul
        13⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D5C3~1.EXE > nul
        12⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{109D0~1.EXE > nul
        10⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A284~1.EXE > nul
        9⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A389E~1.EXE > nul
      4⤵
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{91CB7~1.EXE > nul
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC5D9A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe

Filesize
204KB

MD5
e1757499ade30962cede7fea9ac1d19d

SHA1
a832dd51aec9e73b3028ee999a1d1003a6641456

SHA256
ebd09c447b88de43716a2417e80232d925d74b92cb8ad0356be97d8d62215ae0

SHA512
02f1ed2ba69ef89448e1528846d49db299aa5824384a1f626db14cbb7dbf9511e0a447344bdbf5289379aff07ab6fd559c3e3be200f45fc9ffbc22bd8118e279

Download Submit
C:\Windows\{109D0CB9-AA12-402b-9D9A-10E1F7002B80}.exe

Filesize
204KB

MD5
e1757499ade30962cede7fea9ac1d19d

SHA1
a832dd51aec9e73b3028ee999a1d1003a6641456

SHA256
ebd09c447b88de43716a2417e80232d925d74b92cb8ad0356be97d8d62215ae0

SHA512
02f1ed2ba69ef89448e1528846d49db299aa5824384a1f626db14cbb7dbf9511e0a447344bdbf5289379aff07ab6fd559c3e3be200f45fc9ffbc22bd8118e279

Download Submit
C:\Windows\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe

Filesize
204KB

MD5
e9b773ca38d2781ab08136ddce11cae1

SHA1
67c6b7bbddf6621cc39b21e7b232fbabe4208016

SHA256
0477a4c5255cc091eed663837a34a69d04c656ec2680a8463418436c7b45cfe4

SHA512
05ff3a78100f7026bbb7cd82ba657970cc8fd6176e60cc093dd998eea34970a52f062ca0b83e68d6275ae425c9a7317b2550d401a0a7d4baa4fbbc8b6009654b

Download Submit
C:\Windows\{2BD59AC6-02DC-4024-B7D3-2A0C08CED72B}.exe

Filesize
204KB

MD5
e9b773ca38d2781ab08136ddce11cae1

SHA1
67c6b7bbddf6621cc39b21e7b232fbabe4208016

SHA256
0477a4c5255cc091eed663837a34a69d04c656ec2680a8463418436c7b45cfe4

SHA512
05ff3a78100f7026bbb7cd82ba657970cc8fd6176e60cc093dd998eea34970a52f062ca0b83e68d6275ae425c9a7317b2550d401a0a7d4baa4fbbc8b6009654b

Download Submit
C:\Windows\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe

Filesize
204KB

MD5
de2b5bd8b18b1e53b5c4af094032b8bf

SHA1
1914fa0b341d1fd434696e6bac396306550c5089

SHA256
150530d04db988e22cd4f7cd3cbc6af8fa64dd766d79eecc640112c5772ac4db

SHA512
c243ecd9e730265075af97ceafc8b651309008dc309bb1a73176b06768c75455fe90e739685ce4391ac5d94c213d6063e0fec141b6047af1c04c5d6b848c84ad

Download Submit
C:\Windows\{3070FFCA-0D1A-49dc-8C24-20EAA4880450}.exe

Filesize
204KB

MD5
de2b5bd8b18b1e53b5c4af094032b8bf

SHA1
1914fa0b341d1fd434696e6bac396306550c5089

SHA256
150530d04db988e22cd4f7cd3cbc6af8fa64dd766d79eecc640112c5772ac4db

SHA512
c243ecd9e730265075af97ceafc8b651309008dc309bb1a73176b06768c75455fe90e739685ce4391ac5d94c213d6063e0fec141b6047af1c04c5d6b848c84ad

Download Submit
C:\Windows\{37648057-C21D-43b8-9240-5E98E2234BD2}.exe

Filesize
204KB

MD5
23aaa8f3cdb9ff2ef6501ce03cfe7cc3

SHA1
e6db094dce9201b75b6a9169eb8530cc170a239d

SHA256
2510587119f66efee14595f32032755cfc86db3471b42413c8750f516ee8c426

SHA512
83967a21c8992e5c45f9a4926173bf817d863fe867ea95a471290003f4e3e6aa673aa72c14f2739d11963930428869ed39f27abf8e0a487fe85c19e323021eef

Download Submit
C:\Windows\{37648057-C21D-43b8-9240-5E98E2234BD2}.exe

Filesize
204KB

MD5
23aaa8f3cdb9ff2ef6501ce03cfe7cc3

SHA1
e6db094dce9201b75b6a9169eb8530cc170a239d

SHA256
2510587119f66efee14595f32032755cfc86db3471b42413c8750f516ee8c426

SHA512
83967a21c8992e5c45f9a4926173bf817d863fe867ea95a471290003f4e3e6aa673aa72c14f2739d11963930428869ed39f27abf8e0a487fe85c19e323021eef

Download Submit
C:\Windows\{457295F1-5048-45f0-B24A-6349963BF7B8}.exe

Filesize
204KB

MD5
a59295f2b8c7661bb7d8036144abd408

SHA1
93599f6c5c7a8b62cca07cfa0495bd8ba6f48440

SHA256
756d672cde8f0f7299f485513ae49204a6853800fce9ef391f13a6f94d67f262

SHA512
c70f251207d0872d128acaee8f34674c4fa89d872506dedbb6f122d4cf34868101556e639e1491e2795372fe0f60db761cc43688b504f577cfb1e1bb2f4e8080

Download Submit
C:\Windows\{457295F1-5048-45f0-B24A-6349963BF7B8}.exe

Filesize
204KB

MD5
a59295f2b8c7661bb7d8036144abd408

SHA1
93599f6c5c7a8b62cca07cfa0495bd8ba6f48440

SHA256
756d672cde8f0f7299f485513ae49204a6853800fce9ef391f13a6f94d67f262

SHA512
c70f251207d0872d128acaee8f34674c4fa89d872506dedbb6f122d4cf34868101556e639e1491e2795372fe0f60db761cc43688b504f577cfb1e1bb2f4e8080

Download Submit
C:\Windows\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe

Filesize
204KB

MD5
69a54789c9e1ef8c8ee8e7e7aa004b97

SHA1
3ebb1a7fed86f8c6dad51bf40bae012d1181c298

SHA256
52316006f9bbfe54af25c6fe66ce093ea06674c10d6d376575f8a95956508de1

SHA512
c2f78f4039c39a0d22ccb3c0ad6ff07f44371576ee062d3fbfe67e62020a73615bfd6b938f03b455d10dd17dbf580ab9a5bbd9c4effa83f05edd30c845caaa9d

Download Submit
C:\Windows\{7A284BB9-A6A7-474b-B59B-DA79527EAD26}.exe

Filesize
204KB

MD5
69a54789c9e1ef8c8ee8e7e7aa004b97

SHA1
3ebb1a7fed86f8c6dad51bf40bae012d1181c298

SHA256
52316006f9bbfe54af25c6fe66ce093ea06674c10d6d376575f8a95956508de1

SHA512
c2f78f4039c39a0d22ccb3c0ad6ff07f44371576ee062d3fbfe67e62020a73615bfd6b938f03b455d10dd17dbf580ab9a5bbd9c4effa83f05edd30c845caaa9d

Download Submit
C:\Windows\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe

Filesize
204KB

MD5
219cef8332be40887af7b125a09fe4d0

SHA1
1f28885f27ae510f8ae24b12933fe1b8b77b5f44

SHA256
233e5b77091d4b3d2ad124740bf516a236490cd8f47107743e69d299c81a8964

SHA512
5d710871d9d47453ca4efcd74bda739eb7c725216675ff034f0209c51dc6096a77ef6b0ff6bd0ca93bbcde9623d090cd41f062699ddfa2b252743353df1ec0f8

Download Submit
C:\Windows\{8D5C30B4-1429-4630-BAB1-4244FB0EC121}.exe

Filesize
204KB

MD5
219cef8332be40887af7b125a09fe4d0

SHA1
1f28885f27ae510f8ae24b12933fe1b8b77b5f44

SHA256
233e5b77091d4b3d2ad124740bf516a236490cd8f47107743e69d299c81a8964

SHA512
5d710871d9d47453ca4efcd74bda739eb7c725216675ff034f0209c51dc6096a77ef6b0ff6bd0ca93bbcde9623d090cd41f062699ddfa2b252743353df1ec0f8

Download Submit
C:\Windows\{91CB760A-B854-4b3a-949F-356DA754586D}.exe

Filesize
204KB

MD5
27fd30f507087a0f29ed8ab6ed06f6fb

SHA1
5bb527d823933e5c79381387d8f26bea840dc0c2

SHA256
b04afb213af0489f2433692f58106fee58fd6cf2afecd369d186425b8b2dfd1d

SHA512
179eff9abc0d75e4fdbe81497ca242d245430b80465dd19018930286eb08f8a039046ad06111ce731e912f3370d2d8a86bf43085b7ee5d94748582a381b40507

Download Submit
C:\Windows\{91CB760A-B854-4b3a-949F-356DA754586D}.exe

Filesize
204KB

MD5
27fd30f507087a0f29ed8ab6ed06f6fb

SHA1
5bb527d823933e5c79381387d8f26bea840dc0c2

SHA256
b04afb213af0489f2433692f58106fee58fd6cf2afecd369d186425b8b2dfd1d

SHA512
179eff9abc0d75e4fdbe81497ca242d245430b80465dd19018930286eb08f8a039046ad06111ce731e912f3370d2d8a86bf43085b7ee5d94748582a381b40507

Download Submit
C:\Windows\{91CB760A-B854-4b3a-949F-356DA754586D}.exe

Filesize
204KB

MD5
27fd30f507087a0f29ed8ab6ed06f6fb

SHA1
5bb527d823933e5c79381387d8f26bea840dc0c2

SHA256
b04afb213af0489f2433692f58106fee58fd6cf2afecd369d186425b8b2dfd1d

SHA512
179eff9abc0d75e4fdbe81497ca242d245430b80465dd19018930286eb08f8a039046ad06111ce731e912f3370d2d8a86bf43085b7ee5d94748582a381b40507

Download Submit
C:\Windows\{9D21DFEB-5E90-4e81-9EC4-65B23058E879}.exe

Filesize
204KB

MD5
76ed30b3059580f4c757f4076574245f

SHA1
1bb835de1b9a1d189f7e5c52cb34ad9acc69be3f

SHA256
bb21fe1c836a7337c13b2f7f40fca3451f078a132ec4f6876b612128ef538945

SHA512
47d08036b8f15891189ba4e13e14b0e239d757db1100438f45bf2e2e75df297f610af8edbb0fcb218740f35f664256a5012ff4a11860a71e7eb839fadc93eab5

Download Submit
C:\Windows\{A389EC64-7222-42ca-83D6-861325384CED}.exe

Filesize
204KB

MD5
d2c297cc7eac8773a6ebbd19a346293f

SHA1
d49e8e449d6e2cb9947b4f45c639eb71ef3e0545

SHA256
90810fbcd0831196ff69b4005631a0ba08aaf4e0710edeeed850d4ed474182fb

SHA512
e8d6b9ccd9fac4905090bcde6bb4fa1043bd5190478c8628fdbd6de18e3cc2da20d434a3f5885d9fbe11ffbeed264ec42f249047c9266ffa3126b944e83420a7

Download Submit
C:\Windows\{A389EC64-7222-42ca-83D6-861325384CED}.exe

Filesize
204KB

MD5
d2c297cc7eac8773a6ebbd19a346293f

SHA1
d49e8e449d6e2cb9947b4f45c639eb71ef3e0545

SHA256
90810fbcd0831196ff69b4005631a0ba08aaf4e0710edeeed850d4ed474182fb

SHA512
e8d6b9ccd9fac4905090bcde6bb4fa1043bd5190478c8628fdbd6de18e3cc2da20d434a3f5885d9fbe11ffbeed264ec42f249047c9266ffa3126b944e83420a7

Download Submit
C:\Windows\{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe

Filesize
204KB

MD5
ce07b3fb94ad2842bd5ae15f210cb710

SHA1
779c1676bc1010353a675a5e5165d21fabe644fb

SHA256
4754810549fda2553f4f04d9d2f2aa324823600c3e46f13370fa3ae00d007925

SHA512
0ea71dbe15d01fbe6fdee33592d8d91fcd9ef5c230276643920d0bead434f4ddfe7cf2cfa7ae90e05f40812ded3f14b8983493894e3f98f69e30577d00d27bdd

Download Submit
C:\Windows\{E911FAB9-0529-44cb-9028-F9D66F27A82D}.exe

Filesize
204KB

MD5
ce07b3fb94ad2842bd5ae15f210cb710

SHA1
779c1676bc1010353a675a5e5165d21fabe644fb

SHA256
4754810549fda2553f4f04d9d2f2aa324823600c3e46f13370fa3ae00d007925

SHA512
0ea71dbe15d01fbe6fdee33592d8d91fcd9ef5c230276643920d0bead434f4ddfe7cf2cfa7ae90e05f40812ded3f14b8983493894e3f98f69e30577d00d27bdd

Download Submit
C:\Windows\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe

Filesize
204KB

MD5
3e1ca11e92eb7346933f0b934bb5bcca

SHA1
32170b347ab644cbe6f8b4f21ea4c3dbc738da98

SHA256
c218586fa498ea435b5aae13c4c19fd8aee29433e46f62ad2a5314441fd1c008

SHA512
9e087623a321614827e1c39c0c9596b2602e829f3d7a0113a745b1de413adc91ebc6c22a84007a704ff2aec045b0e2f571b4429e840bcd7c3faddfe96c8c0f27

Download Submit
C:\Windows\{F9CC4BE4-979E-491f-A5D8-BB7E1F9C24B3}.exe

Filesize
204KB

MD5
3e1ca11e92eb7346933f0b934bb5bcca

SHA1
32170b347ab644cbe6f8b4f21ea4c3dbc738da98

SHA256
c218586fa498ea435b5aae13c4c19fd8aee29433e46f62ad2a5314441fd1c008

SHA512
9e087623a321614827e1c39c0c9596b2602e829f3d7a0113a745b1de413adc91ebc6c22a84007a704ff2aec045b0e2f571b4429e840bcd7c3faddfe96c8c0f27

Download Submit
C:\Windows\{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe

Filesize
204KB

MD5
b191a2d413e72694fadc733a9834aa99

SHA1
f95ce12f9f972f88966a6090d7a117db9ee392c3

SHA256
d63a1150d6793216e4d31752fb6c540bad4d5a0fc37d6061dce4e6e4ba0652fe

SHA512
b21f524f8261164e43439efe687c4a51eedf3d316f0f4ca55c2e93905dd581f7e1937a5ec716361e34177cd69a99810912308d27abee0d9dce1006e185114988

Download Submit
C:\Windows\{FCB2851E-0AAC-4095-A31B-EF937699A182}.exe

Filesize
204KB

MD5
b191a2d413e72694fadc733a9834aa99

SHA1
f95ce12f9f972f88966a6090d7a117db9ee392c3

SHA256
d63a1150d6793216e4d31752fb6c540bad4d5a0fc37d6061dce4e6e4ba0652fe

SHA512
b21f524f8261164e43439efe687c4a51eedf3d316f0f4ca55c2e93905dd581f7e1937a5ec716361e34177cd69a99810912308d27abee0d9dce1006e185114988

Download Submit