5ace336ef12c69e272c236b1e02479e555d3927d0b7c44c4b57f751354582fe3

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 12:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26ad421e975965exeexeexeex.exe
Size

204KB
MD5

26ad421e975965221fcf5b263efcbdbc
SHA1

8af480292d47c6997c4fc13632eb30670fc5ae33
SHA256

5ace336ef12c69e272c236b1e02479e555d3927d0b7c44c4b57f751354582fe3
SHA512

378d79df8dbfa51283f04f00fb237606407392e7c888911f84d7d1eff29b6a2f4e6ef9c70439c7101c0354243e8e3d34875698275d0142dadb7f5055d1f69aaf
SSDEEP

1536:1EGh0oZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oZl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}\stubpath = "C:\\Windows\\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe"	{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}	26ad421e975965exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10157DCC-D76D-437e-8773-9D954F67991A}	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}\stubpath = "C:\\Windows\\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe"	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}\stubpath = "C:\\Windows\\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe"	{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}	{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}\stubpath = "C:\\Windows\\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe"	26ad421e975965exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}\stubpath = "C:\\Windows\\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe"	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}\stubpath = "C:\\Windows\\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe"	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}\stubpath = "C:\\Windows\\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe"	{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}	{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CC677-E23A-400e-A509-4AB384145C50}	{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}\stubpath = "C:\\Windows\\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe"	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8348F62-D79B-41fd-9C18-F07B4720CC72}	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8348F62-D79B-41fd-9C18-F07B4720CC72}\stubpath = "C:\\Windows\\{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe"	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}	{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CC677-E23A-400e-A509-4AB384145C50}\stubpath = "C:\\Windows\\{DF5CC677-E23A-400e-A509-4AB384145C50}.exe"	{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10157DCC-D76D-437e-8773-9D954F67991A}\stubpath = "C:\\Windows\\{10157DCC-D76D-437e-8773-9D954F67991A}.exe"	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}\stubpath = "C:\\Windows\\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe"	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}	{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}\stubpath = "C:\\Windows\\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe"	{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
2976	{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
3052	{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe
2716	{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
2692	{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
1032	{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe
2656	{DF5CC677-E23A-400e-A509-4AB384145C50}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	26ad421e975965exeexeexeex.exe
File created	C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
File created	C:\Windows\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
File created	C:\Windows\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
File created	C:\Windows\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe	{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
File created	C:\Windows\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe	{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
File created	C:\Windows\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe	{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
File created	C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
File created	C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
File created	C:\Windows\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
File created	C:\Windows\{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
File created	C:\Windows\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe	{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe
File created	C:\Windows\{DF5CC677-E23A-400e-A509-4AB384145C50}.exe	{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	692	26ad421e975965exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
Token: SeIncBasePriorityPrivilege	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
Token: SeIncBasePriorityPrivilege	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
Token: SeIncBasePriorityPrivilege	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
Token: SeIncBasePriorityPrivilege	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
Token: SeIncBasePriorityPrivilege	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
Token: SeIncBasePriorityPrivilege	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
Token: SeIncBasePriorityPrivilege	2976	{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
Token: SeIncBasePriorityPrivilege	3052	{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe
Token: SeIncBasePriorityPrivilege	2716	{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
Token: SeIncBasePriorityPrivilege	2692	{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
Token: SeIncBasePriorityPrivilege	1032	{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 540	692	26ad421e975965exeexeexeex.exe	28
PID 692 wrote to memory of 540	692	26ad421e975965exeexeexeex.exe	28
PID 692 wrote to memory of 540	692	26ad421e975965exeexeexeex.exe	28
PID 692 wrote to memory of 540	692	26ad421e975965exeexeexeex.exe	28
PID 692 wrote to memory of 2392	692	26ad421e975965exeexeexeex.exe	29
PID 692 wrote to memory of 2392	692	26ad421e975965exeexeexeex.exe	29
PID 692 wrote to memory of 2392	692	26ad421e975965exeexeexeex.exe	29
PID 692 wrote to memory of 2392	692	26ad421e975965exeexeexeex.exe	29
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 1176 wrote to memory of 2108	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 2108	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 2108	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 2108	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 456	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1176 wrote to memory of 456	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1176 wrote to memory of 456	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1176 wrote to memory of 456	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 2108 wrote to memory of 2900	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 2108 wrote to memory of 2900	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 2108 wrote to memory of 2900	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 2108 wrote to memory of 2900	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 2108 wrote to memory of 1036	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 2108 wrote to memory of 1036	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 2108 wrote to memory of 1036	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 2108 wrote to memory of 1036	2108	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 2900 wrote to memory of 2780	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2900 wrote to memory of 2780	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2900 wrote to memory of 2780	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2900 wrote to memory of 2780	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2900 wrote to memory of 2196	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2900 wrote to memory of 2196	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2900 wrote to memory of 2196	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2900 wrote to memory of 2196	2900	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2780 wrote to memory of 960	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	38
PID 2780 wrote to memory of 960	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	38
PID 2780 wrote to memory of 960	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	38
PID 2780 wrote to memory of 960	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	38
PID 2780 wrote to memory of 1772	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	39
PID 2780 wrote to memory of 1772	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	39
PID 2780 wrote to memory of 1772	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	39
PID 2780 wrote to memory of 1772	2780	{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe	39
PID 960 wrote to memory of 2240	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	40
PID 960 wrote to memory of 2240	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	40
PID 960 wrote to memory of 2240	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	40
PID 960 wrote to memory of 2240	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	40
PID 960 wrote to memory of 2256	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	41
PID 960 wrote to memory of 2256	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	41
PID 960 wrote to memory of 2256	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	41
PID 960 wrote to memory of 2256	960	{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe	41
PID 2240 wrote to memory of 2976	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	42
PID 2240 wrote to memory of 2976	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	42
PID 2240 wrote to memory of 2976	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	42
PID 2240 wrote to memory of 2976	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	42
PID 2240 wrote to memory of 2932	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	43
PID 2240 wrote to memory of 2932	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	43
PID 2240 wrote to memory of 2932	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	43
PID 2240 wrote to memory of 2932	2240	{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe	43

C:\Users\Admin\AppData\Local\Temp\26ad421e975965exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\26ad421e975965exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
  C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe
    C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
      C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
        
        C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
        
        C:\Windows\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
        
        C:\Windows\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
        
        C:\Windows\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
        
        C:\Windows\{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe
        
        C:\Windows\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
        
        C:\Windows\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
        
        C:\Windows\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe
        
        C:\Windows\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\{DF5CC677-E23A-400e-A509-4AB384145C50}.exe
        
        C:\Windows\{DF5CC677-E23A-400e-A509-4AB384145C50}.exe
        14⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D5B~1.EXE > nul
        14⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2615~1.EXE > nul
        13⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FAC0~1.EXE > nul
        12⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DEA0~1.EXE > nul
        11⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8348~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A00DD~1.EXE > nul
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{519A9~1.EXE > nul
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4848~1.EXE > nul
        7⤵
        
        PID:1772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFDD8~1.EXE > nul
        6⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08F38~1.EXE > nul
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10157~1.EXE > nul
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC8E~1.EXE > nul
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\26AD42~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe

Filesize
204KB

MD5
91029bde881076c98effbe153588faae

SHA1
81948f12f9b41625b4c1aa08a16f5c4b6d144d62

SHA256
49c89fe0dee81c5a8efae1b6a0261b849dd8cad20dd5fcfc3519b9f0c18f7761

SHA512
869d713f1b96da32b48c91fe3d4051effd627e65d1c7c851b5ce6b3756cd57bcdbcdbfb99052ce7fd8f797d6d1989161513b481019880c3e4cbab2e5a52482e0

Download Submit
C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe

Filesize
204KB

MD5
91029bde881076c98effbe153588faae

SHA1
81948f12f9b41625b4c1aa08a16f5c4b6d144d62

SHA256
49c89fe0dee81c5a8efae1b6a0261b849dd8cad20dd5fcfc3519b9f0c18f7761

SHA512
869d713f1b96da32b48c91fe3d4051effd627e65d1c7c851b5ce6b3756cd57bcdbcdbfb99052ce7fd8f797d6d1989161513b481019880c3e4cbab2e5a52482e0

Download Submit
C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe

Filesize
204KB

MD5
df2ee58ed9d8c0ad1de88c8d85f8de84

SHA1
26ea572ca1ccb1106ad9d0ec6e9e6a5f7db4460a

SHA256
e918883edee3d144c66f8486e92b8a88df46012f3d882df97eba14a063c6035f

SHA512
a892d7a9e123344470201c1151c8ffa49fe26a8d7a501277b6a4050dc64cecaa0e13aed57a02d5a1a77b0fb14e814b4045b5626ba4b529e8a2fe82e2cf60b2e4

Download Submit
C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe

Filesize
204KB

MD5
df2ee58ed9d8c0ad1de88c8d85f8de84

SHA1
26ea572ca1ccb1106ad9d0ec6e9e6a5f7db4460a

SHA256
e918883edee3d144c66f8486e92b8a88df46012f3d882df97eba14a063c6035f

SHA512
a892d7a9e123344470201c1151c8ffa49fe26a8d7a501277b6a4050dc64cecaa0e13aed57a02d5a1a77b0fb14e814b4045b5626ba4b529e8a2fe82e2cf60b2e4

Download Submit
C:\Windows\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe

Filesize
204KB

MD5
d1c2e22ef24e5373568e1debc0d299e2

SHA1
1db2cbe5f42b784e495ec8d44d9e441eeda890ab

SHA256
8967ba150c918ad8147b0a14fe1015f4e12e80ccf6d6c6342412fc56da6fdb48

SHA512
1726f2ce6febdbe2a378677c042d2e102910cafa148fa7dd9c701ede064a5ea61131464c9bc03be3a310621de784cf4c0db75e9bae2f3a315c653e1c2ca6bfca

Download Submit
C:\Windows\{2FAC0F99-3E76-46b5-AFD1-FF9FFC9BAE53}.exe

Filesize
204KB

MD5
d1c2e22ef24e5373568e1debc0d299e2

SHA1
1db2cbe5f42b784e495ec8d44d9e441eeda890ab

SHA256
8967ba150c918ad8147b0a14fe1015f4e12e80ccf6d6c6342412fc56da6fdb48

SHA512
1726f2ce6febdbe2a378677c042d2e102910cafa148fa7dd9c701ede064a5ea61131464c9bc03be3a310621de784cf4c0db75e9bae2f3a315c653e1c2ca6bfca

Download Submit
C:\Windows\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe

Filesize
204KB

MD5
f254faffaa3c3bb4323baa6f9c305cd0

SHA1
49209c922b44a5f56f005b4608f9944fb40d6ac1

SHA256
b98bcb3f6bc2b3ed9171377df7d3e4663a0eb75ffdb9d9da5761632466136c38

SHA512
5bcdbe756a0a1b50a53b206d0a6187c80901311890f403189688e64ae571ee682877b4584471ecdcdcb93a594a4ae4b7ef8bb2a3e6041997bb60fa55b74ab435

Download Submit
C:\Windows\{31D5BC5B-F9C6-49e5-BFE5-870BE38E6F2D}.exe

Filesize
204KB

MD5
f254faffaa3c3bb4323baa6f9c305cd0

SHA1
49209c922b44a5f56f005b4608f9944fb40d6ac1

SHA256
b98bcb3f6bc2b3ed9171377df7d3e4663a0eb75ffdb9d9da5761632466136c38

SHA512
5bcdbe756a0a1b50a53b206d0a6187c80901311890f403189688e64ae571ee682877b4584471ecdcdcb93a594a4ae4b7ef8bb2a3e6041997bb60fa55b74ab435

Download Submit
C:\Windows\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe

Filesize
204KB

MD5
a708085f214839d766dc249656278580

SHA1
4b7a68dc1e34680ee65f07c0a52a2ab7c9521882

SHA256
da13e93ddaa48188fa34daa555181a35d8c25aff69578930b0f50a3101836457

SHA512
7ca668c891453ef2c1476043d5ffc45c8a9bffde2e715fa85015cbe416ab26e5e935802b04bbf8d06d172f36af3f4b2e477738d77df7122cdfd23199c5c1c4b0

Download Submit
C:\Windows\{519A98AC-BBA7-4eec-92AD-DCCF9307BA22}.exe

Filesize
204KB

MD5
a708085f214839d766dc249656278580

SHA1
4b7a68dc1e34680ee65f07c0a52a2ab7c9521882

SHA256
da13e93ddaa48188fa34daa555181a35d8c25aff69578930b0f50a3101836457

SHA512
7ca668c891453ef2c1476043d5ffc45c8a9bffde2e715fa85015cbe416ab26e5e935802b04bbf8d06d172f36af3f4b2e477738d77df7122cdfd23199c5c1c4b0

Download Submit
C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Filesize
204KB

MD5
8d41cc9da0bc16c2170eb83638ef067b

SHA1
14c8e11787c5ae699a04a1a347d1cea28e9d7d40

SHA256
7b12b026a1b3de47fe52e9ef3459ace33e43e2a000d2545bcf1b5087f216de3e

SHA512
eff187bfd283b68802de0accc069da29965e187109257e1df1ccfd808177fca99d63d74562736f2e8ad0d83e3d734d79bf79f35093787d78a886b86189bf4d07

Download Submit
C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Filesize
204KB

MD5
8d41cc9da0bc16c2170eb83638ef067b

SHA1
14c8e11787c5ae699a04a1a347d1cea28e9d7d40

SHA256
7b12b026a1b3de47fe52e9ef3459ace33e43e2a000d2545bcf1b5087f216de3e

SHA512
eff187bfd283b68802de0accc069da29965e187109257e1df1ccfd808177fca99d63d74562736f2e8ad0d83e3d734d79bf79f35093787d78a886b86189bf4d07

Download Submit
C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Filesize
204KB

MD5
8d41cc9da0bc16c2170eb83638ef067b

SHA1
14c8e11787c5ae699a04a1a347d1cea28e9d7d40

SHA256
7b12b026a1b3de47fe52e9ef3459ace33e43e2a000d2545bcf1b5087f216de3e

SHA512
eff187bfd283b68802de0accc069da29965e187109257e1df1ccfd808177fca99d63d74562736f2e8ad0d83e3d734d79bf79f35093787d78a886b86189bf4d07

Download Submit
C:\Windows\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe

Filesize
204KB

MD5
0791c8d1a40aa2a619f0e1c725a95050

SHA1
84ddfa11931e3c06d26ee293f7755670b2ce061b

SHA256
3948520509efaea94d4c98e969ed4a8e5e4fee4fdfe5c83daebafae065b5f757

SHA512
7ebc0c231a9c1461b67f1f33e33728d1ac6f16985663f4f872b2262cf5d4b2a36679dd65318e0769b70da913829718eecf33534522d2d62e567656ffc96e2ecc

Download Submit
C:\Windows\{9DEA00A3-C41C-4f6a-B1D5-FE6F10D9D662}.exe

Filesize
204KB

MD5
0791c8d1a40aa2a619f0e1c725a95050

SHA1
84ddfa11931e3c06d26ee293f7755670b2ce061b

SHA256
3948520509efaea94d4c98e969ed4a8e5e4fee4fdfe5c83daebafae065b5f757

SHA512
7ebc0c231a9c1461b67f1f33e33728d1ac6f16985663f4f872b2262cf5d4b2a36679dd65318e0769b70da913829718eecf33534522d2d62e567656ffc96e2ecc

Download Submit
C:\Windows\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe

Filesize
204KB

MD5
757a933121fd7a5adf73a8b6a076de93

SHA1
dbd67262da4e9797102ac0b232b7e624493ea30d

SHA256
a930fd3f46e20b8c65bfc6c6e38ff536f00f49e3e9573315fc89bdee2b263c1d

SHA512
5b90fb4b304aaa7c72ac097a3205f9c73c168aba81b0cb3d98985b5dd32d3857f3c642b61dd7bc1a7f00d4e7529deea5a52ea188c45e31c109a0f6235828ac8d

Download Submit
C:\Windows\{A00DDD43-56C8-4951-84F5-6E1D7D650F8C}.exe

Filesize
204KB

MD5
757a933121fd7a5adf73a8b6a076de93

SHA1
dbd67262da4e9797102ac0b232b7e624493ea30d

SHA256
a930fd3f46e20b8c65bfc6c6e38ff536f00f49e3e9573315fc89bdee2b263c1d

SHA512
5b90fb4b304aaa7c72ac097a3205f9c73c168aba81b0cb3d98985b5dd32d3857f3c642b61dd7bc1a7f00d4e7529deea5a52ea188c45e31c109a0f6235828ac8d

Download Submit
C:\Windows\{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe

Filesize
204KB

MD5
b8448cca0e8fb009a812afc2e04ff716

SHA1
886623754595084b15685b4eeabb1046277aa8d4

SHA256
28af559d96ec5971958b84bb64a6a38bd6669cd83edc193cf45c6f4296ef7f14

SHA512
b004b69134b45f0ee5bc112a2ea47d51511a9b5e9df9213843e1c1984dfd352f231bb89e43bff16dee66781c569b9a07a8e1b2289aa5ef7fd9e652b314dcb887

Download Submit
C:\Windows\{B8348F62-D79B-41fd-9C18-F07B4720CC72}.exe

Filesize
204KB

MD5
b8448cca0e8fb009a812afc2e04ff716

SHA1
886623754595084b15685b4eeabb1046277aa8d4

SHA256
28af559d96ec5971958b84bb64a6a38bd6669cd83edc193cf45c6f4296ef7f14

SHA512
b004b69134b45f0ee5bc112a2ea47d51511a9b5e9df9213843e1c1984dfd352f231bb89e43bff16dee66781c569b9a07a8e1b2289aa5ef7fd9e652b314dcb887

Download Submit
C:\Windows\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe

Filesize
204KB

MD5
f293565d76714c1fec2943d9cf62b386

SHA1
cbf5b92a3c6fb482bb79dc900b7e1fd94d8ff776

SHA256
fc8d59db48472293597190f43a260376d15e6204dd4b867d28d9a5fc9a0eff2a

SHA512
03b36cbd90bff40ed32857fccd85553379206aef9c1f88d6fe1ddd6b16bf3c0373043610f1ae6ab75f1857cfd33aa08a3a3d18210a02b2799d34dd1f406b30ac

Download Submit
C:\Windows\{C48487DD-099F-47a7-AF4F-9C19F49D1C3F}.exe

Filesize
204KB

MD5
f293565d76714c1fec2943d9cf62b386

SHA1
cbf5b92a3c6fb482bb79dc900b7e1fd94d8ff776

SHA256
fc8d59db48472293597190f43a260376d15e6204dd4b867d28d9a5fc9a0eff2a

SHA512
03b36cbd90bff40ed32857fccd85553379206aef9c1f88d6fe1ddd6b16bf3c0373043610f1ae6ab75f1857cfd33aa08a3a3d18210a02b2799d34dd1f406b30ac

Download Submit
C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe

Filesize
204KB

MD5
2f3380d5b8ca3680b26bd1bd88358b05

SHA1
359b6cb44e1b10722714d2e38635b81f62f952bc

SHA256
f23ee72390410cf9a940b8976ad76e9a3772ef43ff44f506190b7e7fa829c6d2

SHA512
4901c8f52873e4746deb1f8e6c74fd38628dc3a1e6457e46b14bfd5d792fd78a21782f232c6d98ce620ccde3f1d5691d2ed4550cb81163c9955d4214d7db3eea

Download Submit
C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe

Filesize
204KB

MD5
2f3380d5b8ca3680b26bd1bd88358b05

SHA1
359b6cb44e1b10722714d2e38635b81f62f952bc

SHA256
f23ee72390410cf9a940b8976ad76e9a3772ef43ff44f506190b7e7fa829c6d2

SHA512
4901c8f52873e4746deb1f8e6c74fd38628dc3a1e6457e46b14bfd5d792fd78a21782f232c6d98ce620ccde3f1d5691d2ed4550cb81163c9955d4214d7db3eea

Download Submit
C:\Windows\{DF5CC677-E23A-400e-A509-4AB384145C50}.exe

Filesize
204KB

MD5
6a93552c5703527119882068e9639417

SHA1
09cede611f4a45156cd142bfb72e5948824e924e

SHA256
01c70461a89ac0d2fc173811d8af868bbaa4beb3a092ede77008a8bbcfb66f66

SHA512
d1cc65dcfea7b78fc3566306e0c7de986b57bed6bc1060c13434b57dc3df7654b588e741f8ca9104f9ebd558a9f28241547daf4e3b10c2514bd24600f5d07805

Download Submit
C:\Windows\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe

Filesize
204KB

MD5
2696d8678c825fd71dfa47c702cc5002

SHA1
b81c96f68aae07246f25627d61631ff316994dcf

SHA256
bfdcea094f7b89fb787f977c18648d2e65da1459184ad9ba29f589653a994f82

SHA512
e14ff0189ac1fba982f1ea5922740af4c7dd4d14c21940f072484737e93c0d77b4eed2d55ffd188c78c39a615c3da412b925eeeba0ff62b908ead22ec881a682

Download Submit
C:\Windows\{E2615C8C-0BDC-4d91-94A0-A86B173F231B}.exe

Filesize
204KB

MD5
2696d8678c825fd71dfa47c702cc5002

SHA1
b81c96f68aae07246f25627d61631ff316994dcf

SHA256
bfdcea094f7b89fb787f977c18648d2e65da1459184ad9ba29f589653a994f82

SHA512
e14ff0189ac1fba982f1ea5922740af4c7dd4d14c21940f072484737e93c0d77b4eed2d55ffd188c78c39a615c3da412b925eeeba0ff62b908ead22ec881a682

Download Submit