601a07ba2e448019f881dec66f71ffb22b872a8cc0b3a062f17d903ea3e7240a

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6e3fde941118exeexeexeex.exe
Size

372KB
MD5

1a6e3fde9411185343c9cb682e06aaa4
SHA1

643843b8408c430b6d8343575a76c91062c772f0
SHA256

601a07ba2e448019f881dec66f71ffb22b872a8cc0b3a062f17d903ea3e7240a
SHA512

d95bc709195a4922b01d604bdc742bb87a1169d94c0d8f7abaf739dce2bdfdedd0b7f5562e40d5087f7e040d63a36b132822fe26b1fee080108c3592be5c4f38
SSDEEP

3072:CEGh0o4mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGjl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}\stubpath = "C:\\Windows\\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe"	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D845BC63-B869-4e59-ADF5-061E0110C613}	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583125DD-B6AB-4d05-89CE-AC775FC82347}	{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583125DD-B6AB-4d05-89CE-AC775FC82347}\stubpath = "C:\\Windows\\{583125DD-B6AB-4d05-89CE-AC775FC82347}.exe"	{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}\stubpath = "C:\\Windows\\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe"	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07B6E01A-980B-478a-8473-351910C8C6EE}\stubpath = "C:\\Windows\\{07B6E01A-980B-478a-8473-351910C8C6EE}.exe"	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}\stubpath = "C:\\Windows\\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe"	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}\stubpath = "C:\\Windows\\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe"	{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}	{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20804D6-294B-44c7-94F5-1C3B93E030EB}	1a6e3fde941118exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07B6E01A-980B-478a-8473-351910C8C6EE}	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}\stubpath = "C:\\Windows\\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe"	{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}	{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}	{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}\stubpath = "C:\\Windows\\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe"	{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}	{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}\stubpath = "C:\\Windows\\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe"	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}\stubpath = "C:\\Windows\\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe"	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D845BC63-B869-4e59-ADF5-061E0110C613}\stubpath = "C:\\Windows\\{D845BC63-B869-4e59-ADF5-061E0110C613}.exe"	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}\stubpath = "C:\\Windows\\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe"	{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20804D6-294B-44c7-94F5-1C3B93E030EB}\stubpath = "C:\\Windows\\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe"	1a6e3fde941118exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe
2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe
2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
2252	{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
576	{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
2532	{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
2564	{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
2496	{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe
2528	{583125DD-B6AB-4d05-89CE-AC775FC82347}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
File created	C:\Windows\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe	{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
File created	C:\Windows\{583125DD-B6AB-4d05-89CE-AC775FC82347}.exe	{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe
File created	C:\Windows\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	1a6e3fde941118exeexeexeex.exe
File created	C:\Windows\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
File created	C:\Windows\{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
File created	C:\Windows\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
File created	C:\Windows\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe	{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
File created	C:\Windows\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe	{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
File created	C:\Windows\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe	{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
File created	C:\Windows\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe
File created	C:\Windows\{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
File created	C:\Windows\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	1a6e3fde941118exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe
Token: SeIncBasePriorityPrivilege	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
Token: SeIncBasePriorityPrivilege	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe
Token: SeIncBasePriorityPrivilege	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
Token: SeIncBasePriorityPrivilege	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
Token: SeIncBasePriorityPrivilege	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
Token: SeIncBasePriorityPrivilege	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
Token: SeIncBasePriorityPrivilege	2252	{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
Token: SeIncBasePriorityPrivilege	576	{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
Token: SeIncBasePriorityPrivilege	2532	{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
Token: SeIncBasePriorityPrivilege	2564	{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
Token: SeIncBasePriorityPrivilege	2496	{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2880	2544	1a6e3fde941118exeexeexeex.exe	27
PID 2544 wrote to memory of 2880	2544	1a6e3fde941118exeexeexeex.exe	27
PID 2544 wrote to memory of 2880	2544	1a6e3fde941118exeexeexeex.exe	27
PID 2544 wrote to memory of 2880	2544	1a6e3fde941118exeexeexeex.exe	27
PID 2544 wrote to memory of 2980	2544	1a6e3fde941118exeexeexeex.exe	28
PID 2544 wrote to memory of 2980	2544	1a6e3fde941118exeexeexeex.exe	28
PID 2544 wrote to memory of 2980	2544	1a6e3fde941118exeexeexeex.exe	28
PID 2544 wrote to memory of 2980	2544	1a6e3fde941118exeexeexeex.exe	28
PID 2880 wrote to memory of 2992	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	29
PID 2880 wrote to memory of 2992	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	29
PID 2880 wrote to memory of 2992	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	29
PID 2880 wrote to memory of 2992	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	29
PID 2880 wrote to memory of 2928	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	30
PID 2880 wrote to memory of 2928	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	30
PID 2880 wrote to memory of 2928	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	30
PID 2880 wrote to memory of 2928	2880	{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe	30
PID 2992 wrote to memory of 3004	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	31
PID 2992 wrote to memory of 3004	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	31
PID 2992 wrote to memory of 3004	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	31
PID 2992 wrote to memory of 3004	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	31
PID 2992 wrote to memory of 3028	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	32
PID 2992 wrote to memory of 3028	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	32
PID 2992 wrote to memory of 3028	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	32
PID 2992 wrote to memory of 3028	2992	{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe	32
PID 3004 wrote to memory of 2856	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	33
PID 3004 wrote to memory of 2856	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	33
PID 3004 wrote to memory of 2856	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	33
PID 3004 wrote to memory of 2856	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	33
PID 3004 wrote to memory of 1100	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	34
PID 3004 wrote to memory of 1100	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	34
PID 3004 wrote to memory of 1100	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	34
PID 3004 wrote to memory of 1100	3004	{07B6E01A-980B-478a-8473-351910C8C6EE}.exe	34
PID 2856 wrote to memory of 2848	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	35
PID 2856 wrote to memory of 2848	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	35
PID 2856 wrote to memory of 2848	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	35
PID 2856 wrote to memory of 2848	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	35
PID 2856 wrote to memory of 2168	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	36
PID 2856 wrote to memory of 2168	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	36
PID 2856 wrote to memory of 2168	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	36
PID 2856 wrote to memory of 2168	2856	{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe	36
PID 2848 wrote to memory of 884	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	37
PID 2848 wrote to memory of 884	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	37
PID 2848 wrote to memory of 884	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	37
PID 2848 wrote to memory of 884	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	37
PID 2848 wrote to memory of 2756	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	38
PID 2848 wrote to memory of 2756	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	38
PID 2848 wrote to memory of 2756	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	38
PID 2848 wrote to memory of 2756	2848	{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe	38
PID 884 wrote to memory of 2840	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	39
PID 884 wrote to memory of 2840	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	39
PID 884 wrote to memory of 2840	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	39
PID 884 wrote to memory of 2840	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	39
PID 884 wrote to memory of 2720	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	40
PID 884 wrote to memory of 2720	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	40
PID 884 wrote to memory of 2720	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	40
PID 884 wrote to memory of 2720	884	{D845BC63-B869-4e59-ADF5-061E0110C613}.exe	40
PID 2840 wrote to memory of 2252	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	41
PID 2840 wrote to memory of 2252	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	41
PID 2840 wrote to memory of 2252	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	41
PID 2840 wrote to memory of 2252	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	41
PID 2840 wrote to memory of 2224	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	42
PID 2840 wrote to memory of 2224	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	42
PID 2840 wrote to memory of 2224	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	42
PID 2840 wrote to memory of 2224	2840	{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe	42

C:\Users\Admin\AppData\Local\Temp\1a6e3fde941118exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\1a6e3fde941118exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe
  C:\Windows\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
    C:\Windows\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{07B6E01A-980B-478a-8473-351910C8C6EE}.exe
      C:\Windows\{07B6E01A-980B-478a-8473-351910C8C6EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
        
        C:\Windows\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
        
        C:\Windows\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
        
        C:\Windows\{D845BC63-B869-4e59-ADF5-061E0110C613}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
        
        C:\Windows\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
        
        C:\Windows\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
        
        C:\Windows\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
        
        C:\Windows\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
        
        C:\Windows\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe
        
        C:\Windows\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\{583125DD-B6AB-4d05-89CE-AC775FC82347}.exe
        
        C:\Windows\{583125DD-B6AB-4d05-89CE-AC775FC82347}.exe
        14⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13F3C~1.EXE > nul
        14⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CA47~1.EXE > nul
        13⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F51BA~1.EXE > nul
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D26F~1.EXE > nul
        11⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D8E5~1.EXE > nul
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04647~1.EXE > nul
        9⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D845B~1.EXE > nul
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC08~1.EXE > nul
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBFDE~1.EXE > nul
        6⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07B6E~1.EXE > nul
        5⤵
        
        PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2BEBC~1.EXE > nul
      4⤵
      PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2080~1.EXE > nul
    3⤵
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1A6E3F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe

Filesize
372KB

MD5
26531ba0b21a0bf5c4aad884609b41bf

SHA1
ba4ce12e5102f57151e76af14c97e34ced5f8b48

SHA256
e9e56001b1ee7ec2778b669e02154e1dee59b65d10f31ad81a2e5a474145f09f

SHA512
1b24d3c9b54f1018fc511964536f90543e6ea5b90213aed1bb6d611da9205c695f48548a415c1de9002e067fb70229d889e3e9653c6a8db680fbf7d5d08ba63e

Download Submit
C:\Windows\{046476F7-D5FE-47f7-8A2D-0B42EF6BF01A}.exe

Filesize
372KB

MD5
26531ba0b21a0bf5c4aad884609b41bf

SHA1
ba4ce12e5102f57151e76af14c97e34ced5f8b48

SHA256
e9e56001b1ee7ec2778b669e02154e1dee59b65d10f31ad81a2e5a474145f09f

SHA512
1b24d3c9b54f1018fc511964536f90543e6ea5b90213aed1bb6d611da9205c695f48548a415c1de9002e067fb70229d889e3e9653c6a8db680fbf7d5d08ba63e

Download Submit
C:\Windows\{07B6E01A-980B-478a-8473-351910C8C6EE}.exe

Filesize
372KB

MD5
e584e7753611212e1623f07e34f61602

SHA1
75990d0282908ad2e164b83b5f00773e0a5cd828

SHA256
d088de578e55112c237ec672f6c0ffe46ab45fe82bb2bfdd51f74b43e27432fb

SHA512
89bfda1cb4e41b91624be795fe7d42b32a94e68c4b07680bedb1231c48e0c61cf633292a605ad6531c4f0fff475f81741800242d6bd0b7e2b6be38df0a5b215d

Download Submit
C:\Windows\{07B6E01A-980B-478a-8473-351910C8C6EE}.exe

Filesize
372KB

MD5
e584e7753611212e1623f07e34f61602

SHA1
75990d0282908ad2e164b83b5f00773e0a5cd828

SHA256
d088de578e55112c237ec672f6c0ffe46ab45fe82bb2bfdd51f74b43e27432fb

SHA512
89bfda1cb4e41b91624be795fe7d42b32a94e68c4b07680bedb1231c48e0c61cf633292a605ad6531c4f0fff475f81741800242d6bd0b7e2b6be38df0a5b215d

Download Submit
C:\Windows\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe

Filesize
372KB

MD5
9d5f2e82808a89dc3635fcebc9966641

SHA1
1ed68ec5703dd2ee9fe592589e682c9f9cf887f6

SHA256
75f6e1b2ccc7d466c24060118c6f05bf7943435f3450f3d1a11fff21e2fd7620

SHA512
c801e2e442991b3e63f4aa56d9a084ed41d6d6ad04078016ce9b8edf9c17734d7efee347ae5817c190b2363bd4892bb433403cce3595c7a479fa2d887bed8133

Download Submit
C:\Windows\{13F3C7ED-2EFF-43d6-BB8D-0F29AAC84BB5}.exe

Filesize
372KB

MD5
9d5f2e82808a89dc3635fcebc9966641

SHA1
1ed68ec5703dd2ee9fe592589e682c9f9cf887f6

SHA256
75f6e1b2ccc7d466c24060118c6f05bf7943435f3450f3d1a11fff21e2fd7620

SHA512
c801e2e442991b3e63f4aa56d9a084ed41d6d6ad04078016ce9b8edf9c17734d7efee347ae5817c190b2363bd4892bb433403cce3595c7a479fa2d887bed8133

Download Submit
C:\Windows\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe

Filesize
372KB

MD5
ae94fc58da52c92fccb9348839785d0d

SHA1
25ea8fad10879caa4260f978c731340deab39f0d

SHA256
15232830f9cc3eff1c25e94fb6d499dd258fa285f3634c067206ab0cfc122ea0

SHA512
2713065d401a8ebaf6e6f5d9e71fb92950967a08555da32e1f70c7cdb2d52e8ba263a3ef94600de1039e0ca1e8c09c3cdb845e351f6612883b3c79b8722ab5b9

Download Submit
C:\Windows\{2BEBC473-1BEC-4eec-82E5-958E1CCA4539}.exe

Filesize
372KB

MD5
ae94fc58da52c92fccb9348839785d0d

SHA1
25ea8fad10879caa4260f978c731340deab39f0d

SHA256
15232830f9cc3eff1c25e94fb6d499dd258fa285f3634c067206ab0cfc122ea0

SHA512
2713065d401a8ebaf6e6f5d9e71fb92950967a08555da32e1f70c7cdb2d52e8ba263a3ef94600de1039e0ca1e8c09c3cdb845e351f6612883b3c79b8722ab5b9

Download Submit
C:\Windows\{583125DD-B6AB-4d05-89CE-AC775FC82347}.exe

Filesize
372KB

MD5
425bc1b3d1b434423cbce6d9cc1d88ae

SHA1
84b3ad8b55804276183a7b90f5c54de43b681cec

SHA256
93955dabf4f98613c3a25170f5a2aeed2cc82e7188a6671c70697002b7e2a266

SHA512
f7f2a8dcd1a0b41f9874c4bde06190adb5568ab5066160a8d56321592dae8168beed417692352ccaa992977e66e85c5411f58f264d4b906007a89b1ee92b3c9d

Download Submit
C:\Windows\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe

Filesize
372KB

MD5
853773698db3a057b92aa07e137051b5

SHA1
d9c3d1da9964c75bc81ee20ac0451d16de8847b4

SHA256
c6312c672fc8186d57c70d9fee1a76a081af02fbc922f91dc378e3eddca3351b

SHA512
4bfaa72f470c787cbb00a8621cb35f4a28d5ec78f85a4f7db3aeb138d345e4fcb0a9f42bddf756c6a89ee339b6f0f1b39dee85034a91b6510111519509a24cba

Download Submit
C:\Windows\{5CA47079-7DAA-4055-9D7A-275FB4E26FE5}.exe

Filesize
372KB

MD5
853773698db3a057b92aa07e137051b5

SHA1
d9c3d1da9964c75bc81ee20ac0451d16de8847b4

SHA256
c6312c672fc8186d57c70d9fee1a76a081af02fbc922f91dc378e3eddca3351b

SHA512
4bfaa72f470c787cbb00a8621cb35f4a28d5ec78f85a4f7db3aeb138d345e4fcb0a9f42bddf756c6a89ee339b6f0f1b39dee85034a91b6510111519509a24cba

Download Submit
C:\Windows\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe

Filesize
372KB

MD5
63b38cfb15f1c9e375ad892cb27bee87

SHA1
3af842e8e942b4a308e0dea0421438ba131575a2

SHA256
f8f09ec43315286d19afcb5ff64b90a634792d1b49b8520d9cb90124146ae69b

SHA512
d74e4bc262e46b255e2b900a426b89bea75ac2b3a9863e3115ad6e8fe4da45354e8181eff1b47b40d80aa3a06ecdcb70c786ef5888416aacc13fd8b4b133204d

Download Submit
C:\Windows\{7D26FD9A-513A-491f-9EB1-2F0B4AF0D0C5}.exe

Filesize
372KB

MD5
63b38cfb15f1c9e375ad892cb27bee87

SHA1
3af842e8e942b4a308e0dea0421438ba131575a2

SHA256
f8f09ec43315286d19afcb5ff64b90a634792d1b49b8520d9cb90124146ae69b

SHA512
d74e4bc262e46b255e2b900a426b89bea75ac2b3a9863e3115ad6e8fe4da45354e8181eff1b47b40d80aa3a06ecdcb70c786ef5888416aacc13fd8b4b133204d

Download Submit
C:\Windows\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe

Filesize
372KB

MD5
1d41020bbbcc33a3623c0064d54eccd0

SHA1
896554af7ee598ca1f5ffed1987d97dc3d6763a7

SHA256
cbb5c9ad2bb768d346701864a141c5d17ac3b2aef33ebee255aa3052c4c91389

SHA512
a916fe5c315c52ecb774ab339a03e77d3eeafe6e98b202716a0595ae4b414374c18845946ff0d32ca47cdf3d98da983caeedd5fb20abf3a8bb7cb63f407ae9cb

Download Submit
C:\Windows\{7D8E519C-4374-4662-BF9C-46FF2ED0E3D4}.exe

Filesize
372KB

MD5
1d41020bbbcc33a3623c0064d54eccd0

SHA1
896554af7ee598ca1f5ffed1987d97dc3d6763a7

SHA256
cbb5c9ad2bb768d346701864a141c5d17ac3b2aef33ebee255aa3052c4c91389

SHA512
a916fe5c315c52ecb774ab339a03e77d3eeafe6e98b202716a0595ae4b414374c18845946ff0d32ca47cdf3d98da983caeedd5fb20abf3a8bb7cb63f407ae9cb

Download Submit
C:\Windows\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe

Filesize
372KB

MD5
42a1dea60f2b7ad7c3bbb3bd17c6d838

SHA1
f1378f5b25ffe6ced70506da44295665f941b060

SHA256
cf7230ab83a1192f32454ed0e6c3e90262639d992a2c5d599b36bf9a2bdbffbe

SHA512
61d4b267254d5e175f73fa53d0c56fcc161b1b3dc459a5decf12029c24fd055ed43b3e810fe35e5c5d3ce63799a5d8470d5ea05e4486189cfb350472b3190647

Download Submit
C:\Windows\{AEC08015-CE17-4c66-8B8E-66D2CE6549A1}.exe

Filesize
372KB

MD5
42a1dea60f2b7ad7c3bbb3bd17c6d838

SHA1
f1378f5b25ffe6ced70506da44295665f941b060

SHA256
cf7230ab83a1192f32454ed0e6c3e90262639d992a2c5d599b36bf9a2bdbffbe

SHA512
61d4b267254d5e175f73fa53d0c56fcc161b1b3dc459a5decf12029c24fd055ed43b3e810fe35e5c5d3ce63799a5d8470d5ea05e4486189cfb350472b3190647

Download Submit
C:\Windows\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe

Filesize
372KB

MD5
95cb57ec6b8e0d3d7ab8d56907c22f05

SHA1
6d86efad2f47d99046272a2f9d41ec8a5d608d3c

SHA256
c55a97038e847b2efc444765619b6dd6585ef192672c8643eb770bcb60121953

SHA512
0b8c4adeed7ae53f67f87e1f8724df9559617c5e9519dabb48d3c4640fe55209a48e6d2e744639f347f6600b610862ac245ba3f4956dd274f62317d82da4e217

Download Submit
C:\Windows\{CBFDE278-EFB0-4f46-9DE1-576D00C74A81}.exe

Filesize
372KB

MD5
95cb57ec6b8e0d3d7ab8d56907c22f05

SHA1
6d86efad2f47d99046272a2f9d41ec8a5d608d3c

SHA256
c55a97038e847b2efc444765619b6dd6585ef192672c8643eb770bcb60121953

SHA512
0b8c4adeed7ae53f67f87e1f8724df9559617c5e9519dabb48d3c4640fe55209a48e6d2e744639f347f6600b610862ac245ba3f4956dd274f62317d82da4e217

Download Submit
C:\Windows\{D845BC63-B869-4e59-ADF5-061E0110C613}.exe

Filesize
372KB

MD5
17c03c40afe0aa1282cadc2a1f950127

SHA1
588d13e2e642c87e62fb4ac1220ec4e4cf68266f

SHA256
60f954f211cc6d8bab8cc8b11f59ef23e2e245a270a561e15ad5ad86875bcee3

SHA512
6d80c8c35c4868ae7c8bd5ef67ae7f30287dd174fc51237f86590a1787cb765e2768e60b94b518a279f864c1c98b0965c69ca88e6cb6c59c18f3577340969f4e

Download Submit
C:\Windows\{D845BC63-B869-4e59-ADF5-061E0110C613}.exe

Filesize
372KB

MD5
17c03c40afe0aa1282cadc2a1f950127

SHA1
588d13e2e642c87e62fb4ac1220ec4e4cf68266f

SHA256
60f954f211cc6d8bab8cc8b11f59ef23e2e245a270a561e15ad5ad86875bcee3

SHA512
6d80c8c35c4868ae7c8bd5ef67ae7f30287dd174fc51237f86590a1787cb765e2768e60b94b518a279f864c1c98b0965c69ca88e6cb6c59c18f3577340969f4e

Download Submit
C:\Windows\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe

Filesize
372KB

MD5
6b8713ad0ffdcefbd1963f9dd7b27661

SHA1
5a83cc0d7335d348aab4b5cbd0a6f1d387a6ccf0

SHA256
3ece09baa0162a0b95ab8a0cb61f5c54b5705875153308c8f30ce303aa5d5b5a

SHA512
76e8c05a9df65de187714d243c05a7984d00b47072198c348b41404bf4533a1ba8a498d7b4d65af6ddaaa36a3d2d28a7e7863ea910b2e102fc753f1159d13f8d

Download Submit
C:\Windows\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe

Filesize
372KB

MD5
6b8713ad0ffdcefbd1963f9dd7b27661

SHA1
5a83cc0d7335d348aab4b5cbd0a6f1d387a6ccf0

SHA256
3ece09baa0162a0b95ab8a0cb61f5c54b5705875153308c8f30ce303aa5d5b5a

SHA512
76e8c05a9df65de187714d243c05a7984d00b47072198c348b41404bf4533a1ba8a498d7b4d65af6ddaaa36a3d2d28a7e7863ea910b2e102fc753f1159d13f8d

Download Submit
C:\Windows\{F20804D6-294B-44c7-94F5-1C3B93E030EB}.exe

Filesize
372KB

MD5
6b8713ad0ffdcefbd1963f9dd7b27661

SHA1
5a83cc0d7335d348aab4b5cbd0a6f1d387a6ccf0

SHA256
3ece09baa0162a0b95ab8a0cb61f5c54b5705875153308c8f30ce303aa5d5b5a

SHA512
76e8c05a9df65de187714d243c05a7984d00b47072198c348b41404bf4533a1ba8a498d7b4d65af6ddaaa36a3d2d28a7e7863ea910b2e102fc753f1159d13f8d

Download Submit
C:\Windows\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe

Filesize
372KB

MD5
eb850c51bb8c64d4a1f88eade0d1c684

SHA1
6fa41378ddd1bbc0cc5dda26cb8e0cd65a08c78b

SHA256
d1a94cdd8564830c1bf87b44f81e247e281d08ed695eecbae7abbfe474741069

SHA512
5b6f0808d8c5e4cafbe57c91633a10ed4aa4b5fd5dec094e9fd92d19702adb54c4466a21049650b5a5f0bd3cbe3e78b3cb74553bd27992d6dde114e925291ad3

Download Submit
C:\Windows\{F51BA2C0-8052-43b2-A16F-5620D7F275AA}.exe

Filesize
372KB

MD5
eb850c51bb8c64d4a1f88eade0d1c684

SHA1
6fa41378ddd1bbc0cc5dda26cb8e0cd65a08c78b

SHA256
d1a94cdd8564830c1bf87b44f81e247e281d08ed695eecbae7abbfe474741069

SHA512
5b6f0808d8c5e4cafbe57c91633a10ed4aa4b5fd5dec094e9fd92d19702adb54c4466a21049650b5a5f0bd3cbe3e78b3cb74553bd27992d6dde114e925291ad3

Download Submit