1cf0e9f32dd7a2331818e5bcdc6306e1793fb7e7e4bd982cda03db1a72712dd6

Analysis

max time kernel
149s
max time network
77s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

291dde04ec62bdexeexeexeex.exe
Size

372KB
MD5

291dde04ec62bd40177135bf1d03cdb5
SHA1

0bbd9331443f808bc25eb772f568972ff00ed444
SHA256

1cf0e9f32dd7a2331818e5bcdc6306e1793fb7e7e4bd982cda03db1a72712dd6
SHA512

9234dccc711c2877e66a80d8a98e8fc420067a5c670d713bb795f8bff6366ac0fb17f64204d5401b6c692bfa64a90b9d7afae45b546616977b88642fa92c2bf7
SSDEEP

3072:CEGh0o/mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGMl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2A4749E-FB86-426f-9D5A-86DBC4407673}	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}\stubpath = "C:\\Windows\\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe"	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA782AC-B80A-41dc-919D-CD61A5F99379}\stubpath = "C:\\Windows\\{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe"	{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD57B45-FA4F-435f-83AD-DA326F694445}	{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}	291dde04ec62bdexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E9294A1-7923-4fc1-B184-220B6D5335F1}	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}\stubpath = "C:\\Windows\\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe"	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}	{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD57B45-FA4F-435f-83AD-DA326F694445}\stubpath = "C:\\Windows\\{8DD57B45-FA4F-435f-83AD-DA326F694445}.exe"	{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E9294A1-7923-4fc1-B184-220B6D5335F1}\stubpath = "C:\\Windows\\{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe"	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA782AC-B80A-41dc-919D-CD61A5F99379}	{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}\stubpath = "C:\\Windows\\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe"	{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}\stubpath = "C:\\Windows\\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe"	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}	{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}\stubpath = "C:\\Windows\\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe"	{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1D46843-D87E-45cf-B599-75E8F7041A1A}	{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48346F1C-2130-4b40-A930-0791C9B8979C}	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48346F1C-2130-4b40-A930-0791C9B8979C}\stubpath = "C:\\Windows\\{48346F1C-2130-4b40-A930-0791C9B8979C}.exe"	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}\stubpath = "C:\\Windows\\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe"	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1D46843-D87E-45cf-B599-75E8F7041A1A}\stubpath = "C:\\Windows\\{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe"	{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}\stubpath = "C:\\Windows\\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe"	291dde04ec62bdexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2A4749E-FB86-426f-9D5A-86DBC4407673}\stubpath = "C:\\Windows\\{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe"	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe
3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
2156	{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
2708	{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe
2640	{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
2764	{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
2660	{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe
2540	{8DD57B45-FA4F-435f-83AD-DA326F694445}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
File created	C:\Windows\{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe
File created	C:\Windows\{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe	{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
File created	C:\Windows\{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe	{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
File created	C:\Windows\{8DD57B45-FA4F-435f-83AD-DA326F694445}.exe	{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe
File created	C:\Windows\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe	{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
File created	C:\Windows\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	291dde04ec62bdexeexeexeex.exe
File created	C:\Windows\{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
File created	C:\Windows\{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
File created	C:\Windows\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
File created	C:\Windows\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
File created	C:\Windows\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
File created	C:\Windows\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe	{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	291dde04ec62bdexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
Token: SeIncBasePriorityPrivilege	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
Token: SeIncBasePriorityPrivilege	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
Token: SeIncBasePriorityPrivilege	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
Token: SeIncBasePriorityPrivilege	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe
Token: SeIncBasePriorityPrivilege	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
Token: SeIncBasePriorityPrivilege	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
Token: SeIncBasePriorityPrivilege	2156	{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
Token: SeIncBasePriorityPrivilege	2708	{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe
Token: SeIncBasePriorityPrivilege	2640	{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
Token: SeIncBasePriorityPrivilege	2764	{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
Token: SeIncBasePriorityPrivilege	2660	{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2948	2868	291dde04ec62bdexeexeexeex.exe	28
PID 2868 wrote to memory of 2948	2868	291dde04ec62bdexeexeexeex.exe	28
PID 2868 wrote to memory of 2948	2868	291dde04ec62bdexeexeexeex.exe	28
PID 2868 wrote to memory of 2948	2868	291dde04ec62bdexeexeexeex.exe	28
PID 2868 wrote to memory of 1244	2868	291dde04ec62bdexeexeexeex.exe	29
PID 2868 wrote to memory of 1244	2868	291dde04ec62bdexeexeexeex.exe	29
PID 2868 wrote to memory of 1244	2868	291dde04ec62bdexeexeexeex.exe	29
PID 2868 wrote to memory of 1244	2868	291dde04ec62bdexeexeexeex.exe	29
PID 2948 wrote to memory of 1432	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	30
PID 2948 wrote to memory of 1432	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	30
PID 2948 wrote to memory of 1432	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	30
PID 2948 wrote to memory of 1432	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	30
PID 2948 wrote to memory of 2012	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	31
PID 2948 wrote to memory of 2012	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	31
PID 2948 wrote to memory of 2012	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	31
PID 2948 wrote to memory of 2012	2948	{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe	31
PID 1432 wrote to memory of 2564	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	32
PID 1432 wrote to memory of 2564	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	32
PID 1432 wrote to memory of 2564	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	32
PID 1432 wrote to memory of 2564	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	32
PID 1432 wrote to memory of 2240	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	33
PID 1432 wrote to memory of 2240	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	33
PID 1432 wrote to memory of 2240	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	33
PID 1432 wrote to memory of 2240	1432	{48346F1C-2130-4b40-A930-0791C9B8979C}.exe	33
PID 2564 wrote to memory of 2092	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	34
PID 2564 wrote to memory of 2092	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	34
PID 2564 wrote to memory of 2092	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	34
PID 2564 wrote to memory of 2092	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	34
PID 2564 wrote to memory of 1316	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	35
PID 2564 wrote to memory of 1316	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	35
PID 2564 wrote to memory of 1316	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	35
PID 2564 wrote to memory of 1316	2564	{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe	35
PID 2092 wrote to memory of 1628	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	36
PID 2092 wrote to memory of 1628	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	36
PID 2092 wrote to memory of 1628	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	36
PID 2092 wrote to memory of 1628	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	36
PID 2092 wrote to memory of 2316	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	37
PID 2092 wrote to memory of 2316	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	37
PID 2092 wrote to memory of 2316	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	37
PID 2092 wrote to memory of 2316	2092	{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe	37
PID 1628 wrote to memory of 3044	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	38
PID 1628 wrote to memory of 3044	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	38
PID 1628 wrote to memory of 3044	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	38
PID 1628 wrote to memory of 3044	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	38
PID 1628 wrote to memory of 860	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	39
PID 1628 wrote to memory of 860	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	39
PID 1628 wrote to memory of 860	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	39
PID 1628 wrote to memory of 860	1628	{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe	39
PID 3044 wrote to memory of 2448	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	40
PID 3044 wrote to memory of 2448	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	40
PID 3044 wrote to memory of 2448	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	40
PID 3044 wrote to memory of 2448	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	40
PID 3044 wrote to memory of 548	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	41
PID 3044 wrote to memory of 548	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	41
PID 3044 wrote to memory of 548	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	41
PID 3044 wrote to memory of 548	3044	{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe	41
PID 2448 wrote to memory of 2156	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	42
PID 2448 wrote to memory of 2156	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	42
PID 2448 wrote to memory of 2156	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	42
PID 2448 wrote to memory of 2156	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	42
PID 2448 wrote to memory of 2260	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	43
PID 2448 wrote to memory of 2260	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	43
PID 2448 wrote to memory of 2260	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	43
PID 2448 wrote to memory of 2260	2448	{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe	43

C:\Users\Admin\AppData\Local\Temp\291dde04ec62bdexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\291dde04ec62bdexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
  C:\Windows\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
    C:\Windows\{48346F1C-2130-4b40-A930-0791C9B8979C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
      C:\Windows\{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
        
        C:\Windows\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe
        
        C:\Windows\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
        
        C:\Windows\{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
        
        C:\Windows\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
        
        C:\Windows\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe
        
        C:\Windows\{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
        
        C:\Windows\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
        
        C:\Windows\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe
        
        C:\Windows\{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\{8DD57B45-FA4F-435f-83AD-DA326F694445}.exe
        
        C:\Windows\{8DD57B45-FA4F-435f-83AD-DA326F694445}.exe
        14⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1D46~1.EXE > nul
        14⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABBC6~1.EXE > nul
        13⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25332~1.EXE > nul
        12⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AA78~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE28D~1.EXE > nul
        10⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBBD~1.EXE > nul
        9⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2A47~1.EXE > nul
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ADDE~1.EXE > nul
        7⤵
        
        PID:860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DBDE~1.EXE > nul
        6⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E929~1.EXE > nul
        5⤵
        
        PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48346~1.EXE > nul
      4⤵
      PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F985~1.EXE > nul
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\291DDE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe

Filesize
372KB

MD5
3024d042c58bc00e76e9af583bb02981

SHA1
42d47327d022f61d2e290e3237f7d632bcf45bd8

SHA256
97da5de70219d0ee327eb57f7beb24a6ce828cd15f344b3c1ab47a43f00e9228

SHA512
db2a163cdaa87fa24abc4f731344acdada54b9cab030139aaffdadc061ec9c70cb38949549e81047a6e7292ab26559b8b23178fa1e8f0c857261a118f4ed4f00

Download Submit
C:\Windows\{1DBDEC4B-9A86-4f47-9151-5719AF1579C1}.exe

Filesize
372KB

MD5
3024d042c58bc00e76e9af583bb02981

SHA1
42d47327d022f61d2e290e3237f7d632bcf45bd8

SHA256
97da5de70219d0ee327eb57f7beb24a6ce828cd15f344b3c1ab47a43f00e9228

SHA512
db2a163cdaa87fa24abc4f731344acdada54b9cab030139aaffdadc061ec9c70cb38949549e81047a6e7292ab26559b8b23178fa1e8f0c857261a118f4ed4f00

Download Submit
C:\Windows\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe

Filesize
372KB

MD5
edbb5bede863a9e9fd692bcca5a15a6a

SHA1
d7c9f896c01432fd2846e1ad132ae10e4c6e8ce5

SHA256
0e400a6ed098cbe83d815cd15e26c02266ec735c5d0ea1c864dd6dbd6d9361cd

SHA512
a17a9f13b8aa054706bc608af6d6de0d86cd9811b3d6c821d963fbd151175f12b070910418dc9f628bed2af433a5a61b0edff745f3541f1a1f2af98909b14bf2

Download Submit
C:\Windows\{25332F75-4CD8-4eb0-BFA2-51E6DEA5D58F}.exe

Filesize
372KB

MD5
edbb5bede863a9e9fd692bcca5a15a6a

SHA1
d7c9f896c01432fd2846e1ad132ae10e4c6e8ce5

SHA256
0e400a6ed098cbe83d815cd15e26c02266ec735c5d0ea1c864dd6dbd6d9361cd

SHA512
a17a9f13b8aa054706bc608af6d6de0d86cd9811b3d6c821d963fbd151175f12b070910418dc9f628bed2af433a5a61b0edff745f3541f1a1f2af98909b14bf2

Download Submit
C:\Windows\{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe

Filesize
372KB

MD5
b8ff6e284d7c233831d04dfe4adb8497

SHA1
fcfdd1dba978036929c1ca3fad81d496defeaa40

SHA256
c75ad6eb7eeaa3d0271a71f6dc449c89af1657be0de83c76cead2c6cc28ae47a

SHA512
67c978ae490b2e2a385d5cf3d8502178722b280857a46da8bef3dbf60594c7771a2a1e0f5301c2517b79159e2b092cbd3a2c7bf2a6beed25df79bc8db7273678

Download Submit
C:\Windows\{3AA782AC-B80A-41dc-919D-CD61A5F99379}.exe

Filesize
372KB

MD5
b8ff6e284d7c233831d04dfe4adb8497

SHA1
fcfdd1dba978036929c1ca3fad81d496defeaa40

SHA256
c75ad6eb7eeaa3d0271a71f6dc449c89af1657be0de83c76cead2c6cc28ae47a

SHA512
67c978ae490b2e2a385d5cf3d8502178722b280857a46da8bef3dbf60594c7771a2a1e0f5301c2517b79159e2b092cbd3a2c7bf2a6beed25df79bc8db7273678

Download Submit
C:\Windows\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe

Filesize
372KB

MD5
50c68588977e096d6aab92c9c5935719

SHA1
9ea386ff9a65e69d3f73314dca62a119ccc8dfc2

SHA256
3ba1e010367aef2fa29a6efa1855b6821f5319332d886e161b03540a8018104b

SHA512
446265387218f59ee13061da04a660b85abd28a466a9278b441a37f94ef822a15c365d18e4fe4dd26ca1cada74e7489dcfc7ee28494794b884e57a57cc95b4c2

Download Submit
C:\Windows\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe

Filesize
372KB

MD5
50c68588977e096d6aab92c9c5935719

SHA1
9ea386ff9a65e69d3f73314dca62a119ccc8dfc2

SHA256
3ba1e010367aef2fa29a6efa1855b6821f5319332d886e161b03540a8018104b

SHA512
446265387218f59ee13061da04a660b85abd28a466a9278b441a37f94ef822a15c365d18e4fe4dd26ca1cada74e7489dcfc7ee28494794b884e57a57cc95b4c2

Download Submit
C:\Windows\{3F985818-9C0A-4b43-8B64-8D237F97C4F7}.exe

Filesize
372KB

MD5
50c68588977e096d6aab92c9c5935719

SHA1
9ea386ff9a65e69d3f73314dca62a119ccc8dfc2

SHA256
3ba1e010367aef2fa29a6efa1855b6821f5319332d886e161b03540a8018104b

SHA512
446265387218f59ee13061da04a660b85abd28a466a9278b441a37f94ef822a15c365d18e4fe4dd26ca1cada74e7489dcfc7ee28494794b884e57a57cc95b4c2

Download Submit
C:\Windows\{48346F1C-2130-4b40-A930-0791C9B8979C}.exe

Filesize
372KB

MD5
8379e844a7caf1d611cb4e1ae01bcc0d

SHA1
16cd9e55c35bf16b1b68f8c3b9c55a9f3aeb7326

SHA256
0bd27ca47c36066f82db00f14819daf3d7ccef36af339f8085eae8697cae5657

SHA512
a2837892a765f178a0ab3e486002beea86e3498ff4fc09fa482a747b517fa6f0d255d7de2a56253229dace7acdd0bd28f16a4a73bd916d2520bfc8c0d7bf6506

Download Submit
C:\Windows\{48346F1C-2130-4b40-A930-0791C9B8979C}.exe

Filesize
372KB

MD5
8379e844a7caf1d611cb4e1ae01bcc0d

SHA1
16cd9e55c35bf16b1b68f8c3b9c55a9f3aeb7326

SHA256
0bd27ca47c36066f82db00f14819daf3d7ccef36af339f8085eae8697cae5657

SHA512
a2837892a765f178a0ab3e486002beea86e3498ff4fc09fa482a747b517fa6f0d255d7de2a56253229dace7acdd0bd28f16a4a73bd916d2520bfc8c0d7bf6506

Download Submit
C:\Windows\{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe

Filesize
372KB

MD5
c3ff247013a10a55cf9eec6c75b09631

SHA1
bbc5a0de6c212d06205acd3d1b823036562fe93c

SHA256
30979522062728ffe294b776f52ab91e6fd944ff211533f1b2a3b06adf8f9d4c

SHA512
bb47283cd6611077dcb851aee15ae74c6a28d5af8de62c005d71920cd58baaa9d0ee7237855753243ab5488c7e6ff360cc12685f74a262c380a892123830ed86

Download Submit
C:\Windows\{6E9294A1-7923-4fc1-B184-220B6D5335F1}.exe

Filesize
372KB

MD5
c3ff247013a10a55cf9eec6c75b09631

SHA1
bbc5a0de6c212d06205acd3d1b823036562fe93c

SHA256
30979522062728ffe294b776f52ab91e6fd944ff211533f1b2a3b06adf8f9d4c

SHA512
bb47283cd6611077dcb851aee15ae74c6a28d5af8de62c005d71920cd58baaa9d0ee7237855753243ab5488c7e6ff360cc12685f74a262c380a892123830ed86

Download Submit
C:\Windows\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe

Filesize
372KB

MD5
370f9d1687f33d1bc3b2169b6a1ec176

SHA1
ec1594dead2470c1cf78a1b7c1c1c5a78a52469a

SHA256
f201627398117194edecb416bfebc16d7eb7712efa4121689b8f384bff7a4071

SHA512
a2ade4625c0b13011a897c518b3d6554424ec00af2477d8ead4345497b5747219e6f7a50760e5e4babe84f13ff035ed16252181a9f4c84289e9d6dcd8408ae7f

Download Submit
C:\Windows\{7ADDE83C-1CA4-43c8-8000-03A4D80AA676}.exe

Filesize
372KB

MD5
370f9d1687f33d1bc3b2169b6a1ec176

SHA1
ec1594dead2470c1cf78a1b7c1c1c5a78a52469a

SHA256
f201627398117194edecb416bfebc16d7eb7712efa4121689b8f384bff7a4071

SHA512
a2ade4625c0b13011a897c518b3d6554424ec00af2477d8ead4345497b5747219e6f7a50760e5e4babe84f13ff035ed16252181a9f4c84289e9d6dcd8408ae7f

Download Submit
C:\Windows\{8DD57B45-FA4F-435f-83AD-DA326F694445}.exe

Filesize
372KB

MD5
f2966e0d3bed84e8aed4e5a3b8013db7

SHA1
511a1b2ebbc3704ea0786f9a7097de427a88fd01

SHA256
b3db22fbe9d32008a55d608780588c068c1372e1a69fb52a3829299d61eea4d9

SHA512
8fa031ab052ac62169035c2e48c5e22a55d8ee7766f5ef03def60d10f5030e9f396afec77dde9c18685718b42f826d2d33acc0c7484515f47b52a52c6b91fa63

Download Submit
C:\Windows\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe

Filesize
372KB

MD5
5a0261f738e5ed7f4ad9ee92b57224df

SHA1
d85e1fc51fb56995204816ff2f53ce068c1b36af

SHA256
65389549b2bdd47b988fe1ca72eed673067201c93cc3eb1969e2a08558d464c0

SHA512
bcabaa07b5c36c0a5f4e6e2f1d04b3a30244d67f63748b546a2f2b7391c4daaa07cc46cc29804d5873198a25c9faf5dba88f8c6a99c694f88a7190a0fd1dd470

Download Submit
C:\Windows\{9EBBD1A4-0631-4ab3-AE20-F70923B3A653}.exe

Filesize
372KB

MD5
5a0261f738e5ed7f4ad9ee92b57224df

SHA1
d85e1fc51fb56995204816ff2f53ce068c1b36af

SHA256
65389549b2bdd47b988fe1ca72eed673067201c93cc3eb1969e2a08558d464c0

SHA512
bcabaa07b5c36c0a5f4e6e2f1d04b3a30244d67f63748b546a2f2b7391c4daaa07cc46cc29804d5873198a25c9faf5dba88f8c6a99c694f88a7190a0fd1dd470

Download Submit
C:\Windows\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe

Filesize
372KB

MD5
254e723cefe5d2824a780be9c82574c9

SHA1
2b70f185c0c986bba24325f5bb93f3d0c0b8a900

SHA256
b85c1e784d7799ff3bf624e50f616bea4f5e0fbef7385972fd9870920364f66a

SHA512
bb8934a395b5c62d1760a963d4d639920957b97051e578d8b52ee4c12cf3370a21a71f144c3ab81f812d3dbc3b99f405910122a3e00d20c12e55d032d60638d2

Download Submit
C:\Windows\{ABBC6565-AB3F-4c84-AF60-BA8524A41270}.exe

Filesize
372KB

MD5
254e723cefe5d2824a780be9c82574c9

SHA1
2b70f185c0c986bba24325f5bb93f3d0c0b8a900

SHA256
b85c1e784d7799ff3bf624e50f616bea4f5e0fbef7385972fd9870920364f66a

SHA512
bb8934a395b5c62d1760a963d4d639920957b97051e578d8b52ee4c12cf3370a21a71f144c3ab81f812d3dbc3b99f405910122a3e00d20c12e55d032d60638d2

Download Submit
C:\Windows\{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe

Filesize
372KB

MD5
3d0304381f7623dac540fc4ba8d3f797

SHA1
13802313500ba388026a4e5c614ec19582ec35df

SHA256
ee6a58726a85e7eeca5f1e2f79d130465578272185e533d3fc1dac569c1e6470

SHA512
873d2b5cd2c1a2f087ebf48e45fd3a381ec0674c5fff7fb0eaf234dba45569b3ebfc2c3017a452f91c7beb24fe0bb55a9245c920d4105ee38a04b2c431ce3201

Download Submit
C:\Windows\{B2A4749E-FB86-426f-9D5A-86DBC4407673}.exe

Filesize
372KB

MD5
3d0304381f7623dac540fc4ba8d3f797

SHA1
13802313500ba388026a4e5c614ec19582ec35df

SHA256
ee6a58726a85e7eeca5f1e2f79d130465578272185e533d3fc1dac569c1e6470

SHA512
873d2b5cd2c1a2f087ebf48e45fd3a381ec0674c5fff7fb0eaf234dba45569b3ebfc2c3017a452f91c7beb24fe0bb55a9245c920d4105ee38a04b2c431ce3201

Download Submit
C:\Windows\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe

Filesize
372KB

MD5
21cf4e04c9d672bd889157cebc129b24

SHA1
25168fb60b8993f16a843c66fccff758aae5c0c7

SHA256
7288004e2af2e335075318e8944f3b9885ddddf8fd6e562e705822871c11a9a2

SHA512
f15e088dcbb698388bccf118e1cb63fe5e54ad17829af1868b9243059f20d3060223ed4fcaecbf82aa9d240c3bf21e9f3b646760572bb9459b7009176fa598e9

Download Submit
C:\Windows\{BE28DA1A-4884-41d2-A30F-D591F1FBFB30}.exe

Filesize
372KB

MD5
21cf4e04c9d672bd889157cebc129b24

SHA1
25168fb60b8993f16a843c66fccff758aae5c0c7

SHA256
7288004e2af2e335075318e8944f3b9885ddddf8fd6e562e705822871c11a9a2

SHA512
f15e088dcbb698388bccf118e1cb63fe5e54ad17829af1868b9243059f20d3060223ed4fcaecbf82aa9d240c3bf21e9f3b646760572bb9459b7009176fa598e9

Download Submit
C:\Windows\{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe

Filesize
372KB

MD5
d491f7f75886abdc97c3863b7876cdf6

SHA1
19f5120a1d26c6a5dd132975c70b56911d2ae0ff

SHA256
4da2e33d0eee0e2d0bd7d3d0ec880236bdd1413d02fb962a77585b5ec5bea9f1

SHA512
3b80914e73abd9df1a15d8c118751a8d72d85223491437c90d8b2bd641e7178708acdb1fefe1e24c6c0045a15af293bda9a7530b9b7b73a45c22dd33061eb3ce

Download Submit
C:\Windows\{D1D46843-D87E-45cf-B599-75E8F7041A1A}.exe

Filesize
372KB

MD5
d491f7f75886abdc97c3863b7876cdf6

SHA1
19f5120a1d26c6a5dd132975c70b56911d2ae0ff

SHA256
4da2e33d0eee0e2d0bd7d3d0ec880236bdd1413d02fb962a77585b5ec5bea9f1

SHA512
3b80914e73abd9df1a15d8c118751a8d72d85223491437c90d8b2bd641e7178708acdb1fefe1e24c6c0045a15af293bda9a7530b9b7b73a45c22dd33061eb3ce

Download Submit