bd488c06a4454c2b3a33d9698d4cbe13de334a015f5c1bef679403eb259d7ad9

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2170ad63b67d8eexeexeexeex.exe
Size

204KB
MD5

2170ad63b67d8e000f371fbfa48b7843
SHA1

aa2cd074a647dc67033f9f3fefbf28d1a2ee3172
SHA256

bd488c06a4454c2b3a33d9698d4cbe13de334a015f5c1bef679403eb259d7ad9
SHA512

8c0ac29c378aaba41fae81697bf6a49f24bc9706d3fc34687516d2d3820b69e0be23f1cb615de164c9fdd5349f05adf34caa6dc5ce0c84a25886851a6381e298
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ojl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF0007F8-302F-47a2-B54D-F01C84862EBC}\stubpath = "C:\\Windows\\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe"	2170ad63b67d8eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16D70A93-7F69-46c2-B070-D0449DC87668}	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}\stubpath = "C:\\Windows\\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe"	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73C212B-67E6-40d5-A047-161D28079D1B}\stubpath = "C:\\Windows\\{C73C212B-67E6-40d5-A047-161D28079D1B}.exe"	{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}	{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}	{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF0007F8-302F-47a2-B54D-F01C84862EBC}	2170ad63b67d8eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}\stubpath = "C:\\Windows\\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe"	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}\stubpath = "C:\\Windows\\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe"	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16D70A93-7F69-46c2-B070-D0449DC87668}\stubpath = "C:\\Windows\\{16D70A93-7F69-46c2-B070-D0449DC87668}.exe"	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7755DD29-0FB5-433a-B476-5E0D1F28428B}	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}\stubpath = "C:\\Windows\\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe"	{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}\stubpath = "C:\\Windows\\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe"	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7755DD29-0FB5-433a-B476-5E0D1F28428B}\stubpath = "C:\\Windows\\{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe"	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56480B21-1BF1-411f-A3D5-A58F96E484CF}	{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73C212B-67E6-40d5-A047-161D28079D1B}	{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}\stubpath = "C:\\Windows\\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe"	{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}	{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}\stubpath = "C:\\Windows\\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}.exe"	{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}\stubpath = "C:\\Windows\\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe"	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56480B21-1BF1-411f-A3D5-A58F96E484CF}\stubpath = "C:\\Windows\\{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe"	{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe

Deletes itself 1 IoCs

pid	Process
1500	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe
1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
2984	{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe
2724	{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
2872	{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
2784	{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
2712	{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe
2528	{01B38717-CCD9-45ba-967B-5FADC8BA3A02}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
File created	C:\Windows\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
File created	C:\Windows\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
File created	C:\Windows\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe	{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
File created	C:\Windows\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe	{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
File created	C:\Windows\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}.exe	{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe
File created	C:\Windows\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	2170ad63b67d8eexeexeexeex.exe
File created	C:\Windows\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
File created	C:\Windows\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
File created	C:\Windows\{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
File created	C:\Windows\{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe	{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe
File created	C:\Windows\{C73C212B-67E6-40d5-A047-161D28079D1B}.exe	{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
File created	C:\Windows\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3048	2170ad63b67d8eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe
Token: SeIncBasePriorityPrivilege	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
Token: SeIncBasePriorityPrivilege	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
Token: SeIncBasePriorityPrivilege	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
Token: SeIncBasePriorityPrivilege	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
Token: SeIncBasePriorityPrivilege	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
Token: SeIncBasePriorityPrivilege	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
Token: SeIncBasePriorityPrivilege	2984	{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe
Token: SeIncBasePriorityPrivilege	2724	{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
Token: SeIncBasePriorityPrivilege	2872	{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
Token: SeIncBasePriorityPrivilege	2784	{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
Token: SeIncBasePriorityPrivilege	2712	{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1528	3048	2170ad63b67d8eexeexeexeex.exe	28
PID 3048 wrote to memory of 1528	3048	2170ad63b67d8eexeexeexeex.exe	28
PID 3048 wrote to memory of 1528	3048	2170ad63b67d8eexeexeexeex.exe	28
PID 3048 wrote to memory of 1528	3048	2170ad63b67d8eexeexeexeex.exe	28
PID 3048 wrote to memory of 1500	3048	2170ad63b67d8eexeexeexeex.exe	29
PID 3048 wrote to memory of 1500	3048	2170ad63b67d8eexeexeexeex.exe	29
PID 3048 wrote to memory of 1500	3048	2170ad63b67d8eexeexeexeex.exe	29
PID 3048 wrote to memory of 1500	3048	2170ad63b67d8eexeexeexeex.exe	29
PID 1528 wrote to memory of 1232	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	30
PID 1528 wrote to memory of 1232	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	30
PID 1528 wrote to memory of 1232	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	30
PID 1528 wrote to memory of 1232	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	30
PID 1528 wrote to memory of 1128	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	31
PID 1528 wrote to memory of 1128	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	31
PID 1528 wrote to memory of 1128	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	31
PID 1528 wrote to memory of 1128	1528	{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe	31
PID 1232 wrote to memory of 2152	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	32
PID 1232 wrote to memory of 2152	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	32
PID 1232 wrote to memory of 2152	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	32
PID 1232 wrote to memory of 2152	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	32
PID 1232 wrote to memory of 2252	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	33
PID 1232 wrote to memory of 2252	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	33
PID 1232 wrote to memory of 2252	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	33
PID 1232 wrote to memory of 2252	1232	{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe	33
PID 2152 wrote to memory of 2260	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	34
PID 2152 wrote to memory of 2260	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	34
PID 2152 wrote to memory of 2260	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	34
PID 2152 wrote to memory of 2260	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	34
PID 2152 wrote to memory of 3000	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	35
PID 2152 wrote to memory of 3000	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	35
PID 2152 wrote to memory of 3000	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	35
PID 2152 wrote to memory of 3000	2152	{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe	35
PID 2260 wrote to memory of 2868	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	36
PID 2260 wrote to memory of 2868	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	36
PID 2260 wrote to memory of 2868	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	36
PID 2260 wrote to memory of 2868	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	36
PID 2260 wrote to memory of 2084	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	37
PID 2260 wrote to memory of 2084	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	37
PID 2260 wrote to memory of 2084	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	37
PID 2260 wrote to memory of 2084	2260	{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe	37
PID 2868 wrote to memory of 1448	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	38
PID 2868 wrote to memory of 1448	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	38
PID 2868 wrote to memory of 1448	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	38
PID 2868 wrote to memory of 1448	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	38
PID 2868 wrote to memory of 1068	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	39
PID 2868 wrote to memory of 1068	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	39
PID 2868 wrote to memory of 1068	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	39
PID 2868 wrote to memory of 1068	2868	{16D70A93-7F69-46c2-B070-D0449DC87668}.exe	39
PID 1448 wrote to memory of 2040	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	41
PID 1448 wrote to memory of 2040	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	41
PID 1448 wrote to memory of 2040	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	41
PID 1448 wrote to memory of 2040	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	41
PID 1448 wrote to memory of 2908	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	40
PID 1448 wrote to memory of 2908	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	40
PID 1448 wrote to memory of 2908	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	40
PID 1448 wrote to memory of 2908	1448	{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe	40
PID 2040 wrote to memory of 2984	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	42
PID 2040 wrote to memory of 2984	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	42
PID 2040 wrote to memory of 2984	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	42
PID 2040 wrote to memory of 2984	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	42
PID 2040 wrote to memory of 2852	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	43
PID 2040 wrote to memory of 2852	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	43
PID 2040 wrote to memory of 2852	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	43
PID 2040 wrote to memory of 2852	2040	{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe	43

C:\Users\Admin\AppData\Local\Temp\2170ad63b67d8eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2170ad63b67d8eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe
  C:\Windows\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
    C:\Windows\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
      C:\Windows\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
        
        C:\Windows\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
        
        C:\Windows\{16D70A93-7F69-46c2-B070-D0449DC87668}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
        
        C:\Windows\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B5A8~1.EXE > nul
        8⤵
        
        PID:2908
        
        C:\Windows\{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
        
        C:\Windows\{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe
        
        C:\Windows\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AF51~1.EXE > nul
        10⤵
        
        PID:2756
        
        C:\Windows\{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
        
        C:\Windows\{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56480~1.EXE > nul
        11⤵
        
        PID:2800
        
        C:\Windows\{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
        
        C:\Windows\{C73C212B-67E6-40d5-A047-161D28079D1B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C2~1.EXE > nul
        12⤵
        
        PID:2648
        
        C:\Windows\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
        
        C:\Windows\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1DCE~1.EXE > nul
        13⤵
        
        PID:2380
        
        C:\Windows\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe
        
        C:\Windows\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}.exe
        
        C:\Windows\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}.exe
        14⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB8A3~1.EXE > nul
        14⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7755D~1.EXE > nul
        9⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16D70~1.EXE > nul
        7⤵
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9E2~1.EXE > nul
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A96~1.EXE > nul
        5⤵
        
        PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5485D~1.EXE > nul
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF000~1.EXE > nul
    3⤵
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2170AD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01B38717-CCD9-45ba-967B-5FADC8BA3A02}.exe

Filesize
204KB

MD5
7a172015194487215e81e787670b5cd9

SHA1
f6d7507596c0a54053573eb3dfe13086f11103c0

SHA256
f383b162cf6963002d8cf4d01efe4b314b69b7c63c2845185c52c7fccd6082e5

SHA512
c942cccf311d0eca1bf08a5b5ee0d7ccfbbb54b3680bdd61f3d0ed3c47f1141f4f0387d2be6079596ff0f4a2b25fb7ebd15ee13f21e1d2beced8467e597667f9

Download Submit
C:\Windows\{16D70A93-7F69-46c2-B070-D0449DC87668}.exe

Filesize
204KB

MD5
84b5e1622c2097f31f8c86e293b9c6d0

SHA1
a31189975e61a3666f98a5ee525bcde89891fbf5

SHA256
5ad33a7ef60fd008fd3cd96baf5a6f2d7ade7c0a899cfa73660c1122e1f713ea

SHA512
5d69f9475a5b2267d600f91ce8ff606cc3817e28f0047785f58cfd6c158457a14ee540efdf36402e1a7931d039efe0f9ae33fe5d3c81667ae76060e8504ef07a

Download Submit
C:\Windows\{16D70A93-7F69-46c2-B070-D0449DC87668}.exe

Filesize
204KB

MD5
84b5e1622c2097f31f8c86e293b9c6d0

SHA1
a31189975e61a3666f98a5ee525bcde89891fbf5

SHA256
5ad33a7ef60fd008fd3cd96baf5a6f2d7ade7c0a899cfa73660c1122e1f713ea

SHA512
5d69f9475a5b2267d600f91ce8ff606cc3817e28f0047785f58cfd6c158457a14ee540efdf36402e1a7931d039efe0f9ae33fe5d3c81667ae76060e8504ef07a

Download Submit
C:\Windows\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe

Filesize
204KB

MD5
20ce386954f16a5f80864a6b550f377b

SHA1
469dc9cdaaa5137a7dcd5b2351af35b0370d4166

SHA256
b9d800acb0a174063c9cb32a15d9788f38f1b81cea527b3f4ff48186145c85e7

SHA512
daa4c8cf730cf122c57d3ba9ae0b996ca9f4e7608c9b94c8f371e00cd7ac91d4827a3a3a8d02654c8885d0c8d1abe47b383d7a090dafa17f3cab5b1ff3fbf2d3

Download Submit
C:\Windows\{2B5A8406-95B5-4dc3-8181-70DFF1CD5775}.exe

Filesize
204KB

MD5
20ce386954f16a5f80864a6b550f377b

SHA1
469dc9cdaaa5137a7dcd5b2351af35b0370d4166

SHA256
b9d800acb0a174063c9cb32a15d9788f38f1b81cea527b3f4ff48186145c85e7

SHA512
daa4c8cf730cf122c57d3ba9ae0b996ca9f4e7608c9b94c8f371e00cd7ac91d4827a3a3a8d02654c8885d0c8d1abe47b383d7a090dafa17f3cab5b1ff3fbf2d3

Download Submit
C:\Windows\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe

Filesize
204KB

MD5
97e44a9955d54d082244453878241ae9

SHA1
7173d58701ce080fffcfcd7a2717f9abf0035a54

SHA256
d20321a2ff927cd7bac1957b505cc56289643e5f2f5a2826f81369aa60c3c1f4

SHA512
91ed9c2fa5a2b14ef66d3f516643cb699257b3b22803a5dcaa4bfdb91511aeecd9fa86bde0dd3b7ffbd62682dbce3b15d9450e4ad719c7fd3b43a0a75889fdcf

Download Submit
C:\Windows\{5485DF95-DFB8-4cd4-A10C-068DBD9FB6B5}.exe

Filesize
204KB

MD5
97e44a9955d54d082244453878241ae9

SHA1
7173d58701ce080fffcfcd7a2717f9abf0035a54

SHA256
d20321a2ff927cd7bac1957b505cc56289643e5f2f5a2826f81369aa60c3c1f4

SHA512
91ed9c2fa5a2b14ef66d3f516643cb699257b3b22803a5dcaa4bfdb91511aeecd9fa86bde0dd3b7ffbd62682dbce3b15d9450e4ad719c7fd3b43a0a75889fdcf

Download Submit
C:\Windows\{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe

Filesize
204KB

MD5
69e4b2a619a18a4087f3311f6d0eb0fb

SHA1
c407433c7d3f37a145d4a4c9f7541e00d5eeed22

SHA256
4db994da625c277d6257526a857a212c82d9c7b395b67e0757fe819367a30d8d

SHA512
0457d779ef1a2fde811c51adb176c5d4742aec29a88031b796893d6c7528d465399d735ac72967efbb89afcfb7fe3f13d6cf2ee4652351c9683e04ecff670800

Download Submit
C:\Windows\{56480B21-1BF1-411f-A3D5-A58F96E484CF}.exe

Filesize
204KB

MD5
69e4b2a619a18a4087f3311f6d0eb0fb

SHA1
c407433c7d3f37a145d4a4c9f7541e00d5eeed22

SHA256
4db994da625c277d6257526a857a212c82d9c7b395b67e0757fe819367a30d8d

SHA512
0457d779ef1a2fde811c51adb176c5d4742aec29a88031b796893d6c7528d465399d735ac72967efbb89afcfb7fe3f13d6cf2ee4652351c9683e04ecff670800

Download Submit
C:\Windows\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe

Filesize
204KB

MD5
893bc9e5af1a378474cdec480d740a1e

SHA1
224e049b02856bf1b309b868da24c9d75d5b662d

SHA256
bee4d045cd956b3747a7c645ed42b1621fd3d1fccf9b8561cd1020c4f25d5f01

SHA512
c81ae568d40a2c7d7527fe517953439e71292e9f04faea4127fe67fa69a1405ef2a8c04eed6be312bf2fb31565c5d9db01ddcef4b3e778710bc616c048d266ef

Download Submit
C:\Windows\{6AF51BEF-06E8-4cbd-A695-20347B9AAAC8}.exe

Filesize
204KB

MD5
893bc9e5af1a378474cdec480d740a1e

SHA1
224e049b02856bf1b309b868da24c9d75d5b662d

SHA256
bee4d045cd956b3747a7c645ed42b1621fd3d1fccf9b8561cd1020c4f25d5f01

SHA512
c81ae568d40a2c7d7527fe517953439e71292e9f04faea4127fe67fa69a1405ef2a8c04eed6be312bf2fb31565c5d9db01ddcef4b3e778710bc616c048d266ef

Download Submit
C:\Windows\{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe

Filesize
204KB

MD5
13ff48de39243163e8fc80cb194362d6

SHA1
9775363354765c266e349371fb038755050888cf

SHA256
cb6818dcc3c641295ed4fe7b3be3c9ce69afcdfd79bedcde5f71bbd218a298b8

SHA512
f0931501db2ae39002d60aaacab2162e9acc884523ea94aa6c5ba4dfaa36bda6652d16493e97d31f6a9fad3df03102147a2204fe98e27b6ef336aee729ffc2c2

Download Submit
C:\Windows\{7755DD29-0FB5-433a-B476-5E0D1F28428B}.exe

Filesize
204KB

MD5
13ff48de39243163e8fc80cb194362d6

SHA1
9775363354765c266e349371fb038755050888cf

SHA256
cb6818dcc3c641295ed4fe7b3be3c9ce69afcdfd79bedcde5f71bbd218a298b8

SHA512
f0931501db2ae39002d60aaacab2162e9acc884523ea94aa6c5ba4dfaa36bda6652d16493e97d31f6a9fad3df03102147a2204fe98e27b6ef336aee729ffc2c2

Download Submit
C:\Windows\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe

Filesize
204KB

MD5
af385cb98834f3c49c8faa0d728404fa

SHA1
67816ba927e5df853ef4fa4701a2c4cef6ac0f48

SHA256
65ec5a1c7c695fd3a25f338a912eacdf4fc4c555b1e4d3e360751ff6fb99db19

SHA512
115ace22e8ffb54b826528f570b213c943de5f5607b6a72aa236aeffcadee2bd3ffa6e90ef38c2b220789e638e4a96db658936fa65d457380b910cb1087f25e3

Download Submit
C:\Windows\{BB8A3A83-8B6E-41d0-A632-B298A89B5712}.exe

Filesize
204KB

MD5
af385cb98834f3c49c8faa0d728404fa

SHA1
67816ba927e5df853ef4fa4701a2c4cef6ac0f48

SHA256
65ec5a1c7c695fd3a25f338a912eacdf4fc4c555b1e4d3e360751ff6fb99db19

SHA512
115ace22e8ffb54b826528f570b213c943de5f5607b6a72aa236aeffcadee2bd3ffa6e90ef38c2b220789e638e4a96db658936fa65d457380b910cb1087f25e3

Download Submit
C:\Windows\{C73C212B-67E6-40d5-A047-161D28079D1B}.exe

Filesize
204KB

MD5
5d30333fe003335ffd4d80c72a970de7

SHA1
2ea598fa0b703471b325a0bc8e6cea9a11907579

SHA256
a262fca1e80ee4c6a4dbf568bf9076813cb6b9d20acd7d863cbc54625fa9075f

SHA512
3941615aefa1c5843eabf168f0517bf1501a0d3ca54e86e5acf24ca2d3e513ebcef348ddd1b59b65431cedbba47ab37838af22e0fce831003778ebd08e780d05

Download Submit
C:\Windows\{C73C212B-67E6-40d5-A047-161D28079D1B}.exe

Filesize
204KB

MD5
5d30333fe003335ffd4d80c72a970de7

SHA1
2ea598fa0b703471b325a0bc8e6cea9a11907579

SHA256
a262fca1e80ee4c6a4dbf568bf9076813cb6b9d20acd7d863cbc54625fa9075f

SHA512
3941615aefa1c5843eabf168f0517bf1501a0d3ca54e86e5acf24ca2d3e513ebcef348ddd1b59b65431cedbba47ab37838af22e0fce831003778ebd08e780d05

Download Submit
C:\Windows\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe

Filesize
204KB

MD5
88a6781d0800d16a5b6590aa178b7114

SHA1
de7cb5dbfee77970360995c70d138c2265cd42a5

SHA256
042d8988b1ee105552479dc9c72c71e46ea83d0fa06d686f09b836728a9ec6ab

SHA512
e4e060587952cab936c4e998239b5e9019fcdde5a0efac2176cbb7c50da302fc68f2e57ec82b588acdfd4bd653e61a51fddfa75d555e1d6a2e7dbee64167c704

Download Submit
C:\Windows\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe

Filesize
204KB

MD5
88a6781d0800d16a5b6590aa178b7114

SHA1
de7cb5dbfee77970360995c70d138c2265cd42a5

SHA256
042d8988b1ee105552479dc9c72c71e46ea83d0fa06d686f09b836728a9ec6ab

SHA512
e4e060587952cab936c4e998239b5e9019fcdde5a0efac2176cbb7c50da302fc68f2e57ec82b588acdfd4bd653e61a51fddfa75d555e1d6a2e7dbee64167c704

Download Submit
C:\Windows\{CF0007F8-302F-47a2-B54D-F01C84862EBC}.exe

Filesize
204KB

MD5
88a6781d0800d16a5b6590aa178b7114

SHA1
de7cb5dbfee77970360995c70d138c2265cd42a5

SHA256
042d8988b1ee105552479dc9c72c71e46ea83d0fa06d686f09b836728a9ec6ab

SHA512
e4e060587952cab936c4e998239b5e9019fcdde5a0efac2176cbb7c50da302fc68f2e57ec82b588acdfd4bd653e61a51fddfa75d555e1d6a2e7dbee64167c704

Download Submit
C:\Windows\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe

Filesize
204KB

MD5
a7b61384369f1e0831016488bd383345

SHA1
e668f718eae7d4aed79a390384e133a418043f8a

SHA256
8c9101bf6df62183a6a0e2dda6416915b31605bbd10791c9f8afde30ec58bdbb

SHA512
b0808623902ee1a76b80abf27f481e0e720d21c713837bdd95b8ccd26306f3b2ef17f16f29f4a0c8bb83365b38f481a4fcc653ba60ebd1bfd9a02320e51e98e4

Download Submit
C:\Windows\{DF9E2995-40BA-4bfb-908A-FECA3189C5B2}.exe

Filesize
204KB

MD5
a7b61384369f1e0831016488bd383345

SHA1
e668f718eae7d4aed79a390384e133a418043f8a

SHA256
8c9101bf6df62183a6a0e2dda6416915b31605bbd10791c9f8afde30ec58bdbb

SHA512
b0808623902ee1a76b80abf27f481e0e720d21c713837bdd95b8ccd26306f3b2ef17f16f29f4a0c8bb83365b38f481a4fcc653ba60ebd1bfd9a02320e51e98e4

Download Submit
C:\Windows\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe

Filesize
204KB

MD5
9dd5ea93eb9248828367a8285c48de07

SHA1
ccd83c11081284318f985406d2af52ffbd59bfae

SHA256
aa97ae3588a682a12b31ccd00d7dbabecdc430aaa4c232d584af2e47b902158e

SHA512
78c07ba530894ab51016dcb4671ba102fc16b814a25ac536f7a54dab61bf1b629ba798c5a148b5cd6144e4680d3a9ef835da213007cfaa4501f3163f145a5464

Download Submit
C:\Windows\{E1DCED7D-6649-4292-A55D-7BF0BE59FAEA}.exe

Filesize
204KB

MD5
9dd5ea93eb9248828367a8285c48de07

SHA1
ccd83c11081284318f985406d2af52ffbd59bfae

SHA256
aa97ae3588a682a12b31ccd00d7dbabecdc430aaa4c232d584af2e47b902158e

SHA512
78c07ba530894ab51016dcb4671ba102fc16b814a25ac536f7a54dab61bf1b629ba798c5a148b5cd6144e4680d3a9ef835da213007cfaa4501f3163f145a5464

Download Submit
C:\Windows\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe

Filesize
204KB

MD5
2b4114ae09ccb9056b8e5661fa113310

SHA1
d0724a7b5382807bc610348ffa847be1b2570121

SHA256
53fbe0ab60e3283d2614a08e7a4e95f4dcfeb8ee132a24a835b20bedf9f4e1b6

SHA512
a12fd8f45028af9d97b8c4250a58c5d7d9c734cdc98c4cb1826343ab8a1612d970f8dfdaf260958a26887bbdc6db75b2f5d13a5163f25d4555607aa76546cc0a

Download Submit
C:\Windows\{F8A96ACB-FE33-44a6-B229-07D8B41C10E4}.exe

Filesize
204KB

MD5
2b4114ae09ccb9056b8e5661fa113310

SHA1
d0724a7b5382807bc610348ffa847be1b2570121

SHA256
53fbe0ab60e3283d2614a08e7a4e95f4dcfeb8ee132a24a835b20bedf9f4e1b6

SHA512
a12fd8f45028af9d97b8c4250a58c5d7d9c734cdc98c4cb1826343ab8a1612d970f8dfdaf260958a26887bbdc6db75b2f5d13a5163f25d4555607aa76546cc0a

Download Submit