8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51

Analysis

max time kernel
147s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Size

116KB
MD5

bb4836099b6e2b6240e85f9505e44ec4
SHA1

99c3b49c4aa6832068d38b147ebec76cfad63fce
SHA256

8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51
SHA512

24d67d17f2b90df814c316f7d9c8f1c6672c4a01aab9cb4dffb378c9c806b9a6bd5e3683d47a8365fadbc829fa0e45b0690ac804effbf1333187999896a58edb
SSDEEP

768:Qvw9816vhKQLroc4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0ocl2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
1708	{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe
636	{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
1732	{6760C67E-B112-403b-9186-AC963F171D63}.exe
1784	{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe
816	{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}.exe

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D67FAF7F-30E0-4790-99FB-03888DE00C30}	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE686095-E117-49b7-B4E9-ECA30E717B7E}\stubpath = "C:\\Windows\\{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe"	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55260088-B774-4ee8-B3A3-C8D1ED868164}\stubpath = "C:\\Windows\\{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe"	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}\stubpath = "C:\\Windows\\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe"	{6760C67E-B112-403b-9186-AC963F171D63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}	{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6760C67E-B112-403b-9186-AC963F171D63}\stubpath = "C:\\Windows\\{6760C67E-B112-403b-9186-AC963F171D63}.exe"	{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}	{6760C67E-B112-403b-9186-AC963F171D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D67FAF7F-30E0-4790-99FB-03888DE00C30}\stubpath = "C:\\Windows\\{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe"	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}\stubpath = "C:\\Windows\\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe"	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F37155-0B78-4e26-A588-ECCC4D8677B0}	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F37155-0B78-4e26-A588-ECCC4D8677B0}\stubpath = "C:\\Windows\\{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe"	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}\stubpath = "C:\\Windows\\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe"	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}\stubpath = "C:\\Windows\\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe"	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}\stubpath = "C:\\Windows\\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}.exe"	{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6760C67E-B112-403b-9186-AC963F171D63}	{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}	{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE686095-E117-49b7-B4E9-ECA30E717B7E}	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55260088-B774-4ee8-B3A3-C8D1ED868164}	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}\stubpath = "C:\\Windows\\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe"	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}\stubpath = "C:\\Windows\\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe"	{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
File created	C:\Windows\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}.exe	{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe
File created	C:\Windows\{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
File created	C:\Windows\{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
File created	C:\Windows\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
File created	C:\Windows\{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
File created	C:\Windows\{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
File created	C:\Windows\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
File created	C:\Windows\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
File created	C:\Windows\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe	{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe
File created	C:\Windows\{6760C67E-B112-403b-9186-AC963F171D63}.exe	{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
File created	C:\Windows\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe	{6760C67E-B112-403b-9186-AC963F171D63}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
Token: SeIncBasePriorityPrivilege	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
Token: SeIncBasePriorityPrivilege	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
Token: SeIncBasePriorityPrivilege	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
Token: SeIncBasePriorityPrivilege	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
Token: SeIncBasePriorityPrivilege	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
Token: SeIncBasePriorityPrivilege	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
Token: SeIncBasePriorityPrivilege	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
Token: SeIncBasePriorityPrivilege	1708	{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe
Token: SeIncBasePriorityPrivilege	636	{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
Token: SeIncBasePriorityPrivilege	1732	{6760C67E-B112-403b-9186-AC963F171D63}.exe
Token: SeIncBasePriorityPrivilege	1784	{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2020	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	27
PID 1672 wrote to memory of 2020	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	27
PID 1672 wrote to memory of 2020	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	27
PID 1672 wrote to memory of 2020	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	27
PID 1672 wrote to memory of 2036	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	28
PID 1672 wrote to memory of 2036	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	28
PID 1672 wrote to memory of 2036	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	28
PID 1672 wrote to memory of 2036	1672	8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe	28
PID 2020 wrote to memory of 940	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	29
PID 2020 wrote to memory of 940	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	29
PID 2020 wrote to memory of 940	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	29
PID 2020 wrote to memory of 940	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	29
PID 2020 wrote to memory of 1608	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	30
PID 2020 wrote to memory of 1608	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	30
PID 2020 wrote to memory of 1608	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	30
PID 2020 wrote to memory of 1608	2020	{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe	30
PID 940 wrote to memory of 1092	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	31
PID 940 wrote to memory of 1092	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	31
PID 940 wrote to memory of 1092	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	31
PID 940 wrote to memory of 1092	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	31
PID 940 wrote to memory of 1656	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	32
PID 940 wrote to memory of 1656	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	32
PID 940 wrote to memory of 1656	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	32
PID 940 wrote to memory of 1656	940	{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe	32
PID 1092 wrote to memory of 1788	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	33
PID 1092 wrote to memory of 1788	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	33
PID 1092 wrote to memory of 1788	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	33
PID 1092 wrote to memory of 1788	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	33
PID 1092 wrote to memory of 1108	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	34
PID 1092 wrote to memory of 1108	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	34
PID 1092 wrote to memory of 1108	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	34
PID 1092 wrote to memory of 1108	1092	{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe	34
PID 1788 wrote to memory of 912	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	35
PID 1788 wrote to memory of 912	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	35
PID 1788 wrote to memory of 912	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	35
PID 1788 wrote to memory of 912	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	35
PID 1788 wrote to memory of 1808	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	36
PID 1788 wrote to memory of 1808	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	36
PID 1788 wrote to memory of 1808	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	36
PID 1788 wrote to memory of 1808	1788	{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe	36
PID 912 wrote to memory of 1768	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	37
PID 912 wrote to memory of 1768	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	37
PID 912 wrote to memory of 1768	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	37
PID 912 wrote to memory of 1768	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	37
PID 912 wrote to memory of 1780	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	38
PID 912 wrote to memory of 1780	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	38
PID 912 wrote to memory of 1780	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	38
PID 912 wrote to memory of 1780	912	{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe	38
PID 1768 wrote to memory of 1252	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	39
PID 1768 wrote to memory of 1252	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	39
PID 1768 wrote to memory of 1252	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	39
PID 1768 wrote to memory of 1252	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	39
PID 1768 wrote to memory of 384	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	40
PID 1768 wrote to memory of 384	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	40
PID 1768 wrote to memory of 384	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	40
PID 1768 wrote to memory of 384	1768	{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe	40
PID 1252 wrote to memory of 1708	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	41
PID 1252 wrote to memory of 1708	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	41
PID 1252 wrote to memory of 1708	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	41
PID 1252 wrote to memory of 1708	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	41
PID 1252 wrote to memory of 1356	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	42
PID 1252 wrote to memory of 1356	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	42
PID 1252 wrote to memory of 1356	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	42
PID 1252 wrote to memory of 1356	1252	{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe	42

C:\Users\Admin\AppData\Local\Temp\8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe
"C:\Users\Admin\AppData\Local\Temp\8e6a976b4433265fbd3ef516f471515962a89031a7dd46cd9911f9956c04dd51.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
  C:\Windows\{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
    C:\Windows\{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
      C:\Windows\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
        
        C:\Windows\{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Windows\{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
        
        C:\Windows\{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe
        6⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
        
        C:\Windows\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
        
        C:\Windows\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe
        8⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe
        
        C:\Windows\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
        
        C:\Windows\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe
        10⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{6760C67E-B112-403b-9186-AC963F171D63}.exe
        
        C:\Windows\{6760C67E-B112-403b-9186-AC963F171D63}.exe
        11⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe
        
        C:\Windows\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe
        12⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}.exe
        
        C:\Windows\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}.exe
        13⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8F7B~1.EXE > nul
        13⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6760C~1.EXE > nul
        12⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96838~1.EXE > nul
        11⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62B16~1.EXE > nul
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3D7E~1.EXE > nul
        9⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA7A0~1.EXE > nul
        8⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55260~1.EXE > nul
        7⤵
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F37~1.EXE > nul
        6⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBDC~1.EXE > nul
        5⤵
        
        PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE686~1.EXE > nul
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D67FA~1.EXE > nul
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E6A97~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AA3A3B3-41A2-40a8-ABC6-6AB6484C43CB}.exe

Filesize
116KB

MD5
1732c90bb1ac8ed3a137094afeb837d1

SHA1
1f3929b37a1eb5b9b8bf491b54dd04895c3fe896

SHA256
40857479196c0534a9083b3cfe164d74b30c0e7dd8f099da279b0e5110e2b2c6

SHA512
e0c0afbfe7902b5c77e0f0da24072ed60ee324c916336d7b0544f7fe6f5f7537eb9068118c3d162e6e9d3fe700daddadf71af1831c40f3aaf13f759b56f795bf

Download Submit
C:\Windows\{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe

Filesize
116KB

MD5
41227fac6dc696c92871cfd60a10bcdc

SHA1
2e4903dd8313623ae7193142ffc70096ad5a048a

SHA256
166f32f0b27326909f42c0eacba4ac67d6e54012d64e9ca60d24c1b9e74b73b1

SHA512
6070f98dc9885fefa640539ea6077ee1f7de27b21a04095f87cb2072c70b16383136c7f5410bfa822874db615500798e8406394c255a112afa3334d8eec20dd6

Download Submit
C:\Windows\{55260088-B774-4ee8-B3A3-C8D1ED868164}.exe

Filesize
116KB

MD5
41227fac6dc696c92871cfd60a10bcdc

SHA1
2e4903dd8313623ae7193142ffc70096ad5a048a

SHA256
166f32f0b27326909f42c0eacba4ac67d6e54012d64e9ca60d24c1b9e74b73b1

SHA512
6070f98dc9885fefa640539ea6077ee1f7de27b21a04095f87cb2072c70b16383136c7f5410bfa822874db615500798e8406394c255a112afa3334d8eec20dd6

Download Submit
C:\Windows\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe

Filesize
116KB

MD5
3a3072400835ddc62a2f1aabc9b2fd06

SHA1
153d5b12b5ecaa05468110f778d5293f5949309e

SHA256
a3c90270b2cdd1e1af4357bcd6193d5ba429d9f9d8b4df80f2cdb1ffa85236e9

SHA512
c2b5a5ff67c4d230f811bd92144d47ed1b4aa3bce8af63d0a775fe25e37033584552822aa806fa16aebb3a03a067d46516269cb21495c3ce69a9c81194564bdb

Download Submit
C:\Windows\{62B169D1-356B-459a-AA97-F92BCB9B9C5B}.exe

Filesize
116KB

MD5
3a3072400835ddc62a2f1aabc9b2fd06

SHA1
153d5b12b5ecaa05468110f778d5293f5949309e

SHA256
a3c90270b2cdd1e1af4357bcd6193d5ba429d9f9d8b4df80f2cdb1ffa85236e9

SHA512
c2b5a5ff67c4d230f811bd92144d47ed1b4aa3bce8af63d0a775fe25e37033584552822aa806fa16aebb3a03a067d46516269cb21495c3ce69a9c81194564bdb

Download Submit
C:\Windows\{6760C67E-B112-403b-9186-AC963F171D63}.exe

Filesize
116KB

MD5
92b9ac1638f6bbaadd75f1d2bd17b9be

SHA1
87d552accda7971af89e771dd93726e3bd20a297

SHA256
7104ffd6a2c0c4222a2a8b9e2b0946fc652e7a59eebf40cd81ff549a901b843c

SHA512
734a321f8d81fd3d7ecbcda58e165d3eb2dbc076768e82467ca0cce3419b4503cba40051021f3de588117dce0da1fd7e57d781f42810439ae2c9f78bfcbf2db9

Download Submit
C:\Windows\{6760C67E-B112-403b-9186-AC963F171D63}.exe

Filesize
116KB

MD5
92b9ac1638f6bbaadd75f1d2bd17b9be

SHA1
87d552accda7971af89e771dd93726e3bd20a297

SHA256
7104ffd6a2c0c4222a2a8b9e2b0946fc652e7a59eebf40cd81ff549a901b843c

SHA512
734a321f8d81fd3d7ecbcda58e165d3eb2dbc076768e82467ca0cce3419b4503cba40051021f3de588117dce0da1fd7e57d781f42810439ae2c9f78bfcbf2db9

Download Submit
C:\Windows\{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe

Filesize
116KB

MD5
22f05fe683429de422cde528413688ba

SHA1
5883f3dd66fc1b3f18654e19ede9d29f9848d625

SHA256
50f93e2eb591ef88eeb15c9d94b7f892469527a397e82a2925a15acc69155b3c

SHA512
5b0477aa53c0d49958b6e1b425ea61d14c98c807c7d9a547fa336dcd10c0ccef26ace89b0b80d30f3b294b77899888c925892b5e23e5b0adaae78827a42f4291

Download Submit
C:\Windows\{83F37155-0B78-4e26-A588-ECCC4D8677B0}.exe

Filesize
116KB

MD5
22f05fe683429de422cde528413688ba

SHA1
5883f3dd66fc1b3f18654e19ede9d29f9848d625

SHA256
50f93e2eb591ef88eeb15c9d94b7f892469527a397e82a2925a15acc69155b3c

SHA512
5b0477aa53c0d49958b6e1b425ea61d14c98c807c7d9a547fa336dcd10c0ccef26ace89b0b80d30f3b294b77899888c925892b5e23e5b0adaae78827a42f4291

Download Submit
C:\Windows\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe

Filesize
116KB

MD5
dacb3e670a4e1c8a605f41907d71ec00

SHA1
0a96391dced4c7c154feab152b063ee414dc5c01

SHA256
436e164a32940ff16b581009e0ee3a37e55da01ca3bb71a3856159ba823426c6

SHA512
e9da928377f65d922442b38ba9aef17fb101301bd57267b3e8af144342047499ffa2d7fd39e585fefcf4a0cfcc7c2f912b9d72bf54ef83743a27d6673539513b

Download Submit
C:\Windows\{96838CAE-BC09-49b2-98DF-065AEDC4BC74}.exe

Filesize
116KB

MD5
dacb3e670a4e1c8a605f41907d71ec00

SHA1
0a96391dced4c7c154feab152b063ee414dc5c01

SHA256
436e164a32940ff16b581009e0ee3a37e55da01ca3bb71a3856159ba823426c6

SHA512
e9da928377f65d922442b38ba9aef17fb101301bd57267b3e8af144342047499ffa2d7fd39e585fefcf4a0cfcc7c2f912b9d72bf54ef83743a27d6673539513b

Download Submit
C:\Windows\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe

Filesize
116KB

MD5
75f2547e92cbf29778f3c4dbf167dd0f

SHA1
d641763251a9c4a669ab0aba0a0650e2cf26db90

SHA256
08f4dcbf7edb7b764ba5e8b2cbb312b036cfe21e78bf1c74f920f675ecdc7f50

SHA512
9d7fdc3efb5476a8ea0842fc087f58d4b8bd41bcf1c45378c1790f85291f8bc8f966959ff1ef41b9f5cc82d8df5f0d6db4323dd61ac42f6835c9404a47a5249a

Download Submit
C:\Windows\{B3D7E3C2-F457-4f3b-B3CE-64B482B9E5DB}.exe

Filesize
116KB

MD5
75f2547e92cbf29778f3c4dbf167dd0f

SHA1
d641763251a9c4a669ab0aba0a0650e2cf26db90

SHA256
08f4dcbf7edb7b764ba5e8b2cbb312b036cfe21e78bf1c74f920f675ecdc7f50

SHA512
9d7fdc3efb5476a8ea0842fc087f58d4b8bd41bcf1c45378c1790f85291f8bc8f966959ff1ef41b9f5cc82d8df5f0d6db4323dd61ac42f6835c9404a47a5249a

Download Submit
C:\Windows\{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe

Filesize
116KB

MD5
a0468ebfe54b259e341f485ebc40f9a5

SHA1
6404fdb9204525245da0f52ec1fd8ad23efdc9ab

SHA256
902d6a76dbac1cbfad9cc24802d7ec23007ad546f4fe0bc0b8297fc684aaee7f

SHA512
64596fbd419f8e5ec85c92a5c9f05895e9c19166d7efd7c4ad11ab6538050b2fb43a06e0f9631c1e67c555b96d7a0d523fa2609b9c15e7d4e51b6f7edbfc022b

Download Submit
C:\Windows\{D67FAF7F-30E0-4790-99FB-03888DE00C30}.exe

Filesize
116KB

MD5
a0468ebfe54b259e341f485ebc40f9a5

SHA1
6404fdb9204525245da0f52ec1fd8ad23efdc9ab

SHA256
902d6a76dbac1cbfad9cc24802d7ec23007ad546f4fe0bc0b8297fc684aaee7f

SHA512
64596fbd419f8e5ec85c92a5c9f05895e9c19166d7efd7c4ad11ab6538050b2fb43a06e0f9631c1e67c555b96d7a0d523fa2609b9c15e7d4e51b6f7edbfc022b

Download Submit
C:\Windows\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe

Filesize
116KB

MD5
1c52fa2fa8f992925dfbe8b158b03164

SHA1
51581f4a285fdc413ae1890e2c37ae89df6f7cb1

SHA256
ec795fbe7e71bb9a64d1ed821f10895227603aa051594d22a034aae20b3a4e73

SHA512
c2039657ffb588b8a8c057d7b6e9dcdffb41a81f396a60d1b001d01b6ecd6d2057dba8e2fd7e882380a273ce3697ae0f86e7083eb08f8ff08455fcb88790527e

Download Submit
C:\Windows\{D8F7BE38-DA40-41e6-B343-17E27EC9656F}.exe

Filesize
116KB

MD5
1c52fa2fa8f992925dfbe8b158b03164

SHA1
51581f4a285fdc413ae1890e2c37ae89df6f7cb1

SHA256
ec795fbe7e71bb9a64d1ed821f10895227603aa051594d22a034aae20b3a4e73

SHA512
c2039657ffb588b8a8c057d7b6e9dcdffb41a81f396a60d1b001d01b6ecd6d2057dba8e2fd7e882380a273ce3697ae0f86e7083eb08f8ff08455fcb88790527e

Download Submit
C:\Windows\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe

Filesize
116KB

MD5
c43482f4cc97c2203365afc9b252bc0e

SHA1
ab93bef41af5525eb34728f2766503c62178ed4d

SHA256
e26964fa7a9396897722021129f2732a4642abbee43a7426d73985f9ceda12ba

SHA512
016a13c5981e3b0e377172aa0a99e3abdd18f4f25858123524a410e833ceb3472120c829f28edafaa259e3199fe6c2b0b3dad29e0acc4fd8ebd9d4187545ed98

Download Submit
C:\Windows\{DA7A002B-A693-4fc0-A4EE-54FE96AA146B}.exe

Filesize
116KB

MD5
c43482f4cc97c2203365afc9b252bc0e

SHA1
ab93bef41af5525eb34728f2766503c62178ed4d

SHA256
e26964fa7a9396897722021129f2732a4642abbee43a7426d73985f9ceda12ba

SHA512
016a13c5981e3b0e377172aa0a99e3abdd18f4f25858123524a410e833ceb3472120c829f28edafaa259e3199fe6c2b0b3dad29e0acc4fd8ebd9d4187545ed98

Download Submit
C:\Windows\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe

Filesize
116KB

MD5
7410a21270ce444e516e4a673665a7ed

SHA1
7dc60ce28ac4ebaeca37ccf02d64204209470412

SHA256
f95adc985785ce49e222c317d5c6c2098ded952bb25befd4465b76ff226601bf

SHA512
70e04d4602fcfc05a2f375796b0ecaaf9959fe4597796b6f334082ee938f8466ded3bf4dd71951c5a7ae54237531edd561e01ccd4baea9ef20d2cc3415742887

Download Submit
C:\Windows\{EBBDC862-D56E-431c-865E-7F17F6C1E7F8}.exe

Filesize
116KB

MD5
7410a21270ce444e516e4a673665a7ed

SHA1
7dc60ce28ac4ebaeca37ccf02d64204209470412

SHA256
f95adc985785ce49e222c317d5c6c2098ded952bb25befd4465b76ff226601bf

SHA512
70e04d4602fcfc05a2f375796b0ecaaf9959fe4597796b6f334082ee938f8466ded3bf4dd71951c5a7ae54237531edd561e01ccd4baea9ef20d2cc3415742887

Download Submit
C:\Windows\{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe

Filesize
116KB

MD5
3fe9d508eeff2afd5ae1526328877c7d

SHA1
d65f339d4242a651520358b6fd58f072793b531b

SHA256
aee9b00687864872fadc7eb6938ce907029b550ba3849c53d3e05e94d15007ab

SHA512
a2aa9f84f38b9cbb0e7c6e3114e5e85a44ce8c2ec584008333a7bb811faca33d8ecb99e1d3cf0b71b97816916856c880f74f1267ebdfb4ffcfa1290abc0f21b6

Download Submit
C:\Windows\{FE686095-E117-49b7-B4E9-ECA30E717B7E}.exe

Filesize
116KB

MD5
3fe9d508eeff2afd5ae1526328877c7d

SHA1
d65f339d4242a651520358b6fd58f072793b531b

SHA256
aee9b00687864872fadc7eb6938ce907029b550ba3849c53d3e05e94d15007ab

SHA512
a2aa9f84f38b9cbb0e7c6e3114e5e85a44ce8c2ec584008333a7bb811faca33d8ecb99e1d3cf0b71b97816916856c880f74f1267ebdfb4ffcfa1290abc0f21b6

Download Submit
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download