0c43658a4e4162a9ac41b72edec61222bce0353037d3fe6bad6fd694302124fb

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dabbdba5e8900exeexeexeex.exe
Size

204KB
MD5

2dabbdba5e89005d06afa0ac21414beb
SHA1

2ba12aedc4eafcd274f969db3e160d86f206ae97
SHA256

0c43658a4e4162a9ac41b72edec61222bce0353037d3fe6bad6fd694302124fb
SHA512

796f7d4922c2b4e8f6aeb790d4d36b57e5c72f2790580f3afa2f73b4afd305ed3d477a08b18e3f1be9f21993c42d48cc25eb851a982b3bd64dfc994cbefb5f49
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}	{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF113688-4ED7-487d-995A-BD32FEC04BFA}\stubpath = "C:\\Windows\\{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe"	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}\stubpath = "C:\\Windows\\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe"	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}\stubpath = "C:\\Windows\\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe"	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF58F8F-95A2-406d-87A8-12731A03111E}	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF58F8F-95A2-406d-87A8-12731A03111E}\stubpath = "C:\\Windows\\{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe"	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E9BA19-6B02-493d-9671-25977D58F3B3}	{38306786-939E-417d-9368-A4565893F43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95379CB5-A764-4552-9BF5-F3CABDDE415D}\stubpath = "C:\\Windows\\{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe"	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A56BEB-2149-466a-923D-450D795ADC9C}\stubpath = "C:\\Windows\\{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe"	{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E9BA19-6B02-493d-9671-25977D58F3B3}\stubpath = "C:\\Windows\\{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe"	{38306786-939E-417d-9368-A4565893F43C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF113688-4ED7-487d-995A-BD32FEC04BFA}	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE76268B-3A63-4287-85B6-73047F6BE2C1}	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE76268B-3A63-4287-85B6-73047F6BE2C1}\stubpath = "C:\\Windows\\{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe"	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}\stubpath = "C:\\Windows\\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe"	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38306786-939E-417d-9368-A4565893F43C}	{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38306786-939E-417d-9368-A4565893F43C}\stubpath = "C:\\Windows\\{38306786-939E-417d-9368-A4565893F43C}.exe"	{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A56BEB-2149-466a-923D-450D795ADC9C}	{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}	2dabbdba5e8900exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}\stubpath = "C:\\Windows\\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe"	2dabbdba5e8900exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95379CB5-A764-4552-9BF5-F3CABDDE415D}	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}\stubpath = "C:\\Windows\\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe"	{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}	{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}\stubpath = "C:\\Windows\\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}.exe"	{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe

Deletes itself 1 IoCs

pid	Process
2084	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe
2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
1656	{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
2360	{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
2736	{38306786-939E-417d-9368-A4565893F43C}.exe
276	{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
2660	{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe
2492	{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe	{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
File created	C:\Windows\{38306786-939E-417d-9368-A4565893F43C}.exe	{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
File created	C:\Windows\{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe	{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
File created	C:\Windows\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}.exe	{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe
File created	C:\Windows\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	2dabbdba5e8900exeexeexeex.exe
File created	C:\Windows\{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
File created	C:\Windows\{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
File created	C:\Windows\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
File created	C:\Windows\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
File created	C:\Windows\{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
File created	C:\Windows\{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe	{38306786-939E-417d-9368-A4565893F43C}.exe
File created	C:\Windows\{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
File created	C:\Windows\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2392	2dabbdba5e8900exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
Token: SeIncBasePriorityPrivilege	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
Token: SeIncBasePriorityPrivilege	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe
Token: SeIncBasePriorityPrivilege	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
Token: SeIncBasePriorityPrivilege	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
Token: SeIncBasePriorityPrivilege	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
Token: SeIncBasePriorityPrivilege	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
Token: SeIncBasePriorityPrivilege	1656	{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
Token: SeIncBasePriorityPrivilege	2360	{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
Token: SeIncBasePriorityPrivilege	2736	{38306786-939E-417d-9368-A4565893F43C}.exe
Token: SeIncBasePriorityPrivilege	276	{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
Token: SeIncBasePriorityPrivilege	2660	{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2288	2392	2dabbdba5e8900exeexeexeex.exe	28
PID 2392 wrote to memory of 2288	2392	2dabbdba5e8900exeexeexeex.exe	28
PID 2392 wrote to memory of 2288	2392	2dabbdba5e8900exeexeexeex.exe	28
PID 2392 wrote to memory of 2288	2392	2dabbdba5e8900exeexeexeex.exe	28
PID 2392 wrote to memory of 2084	2392	2dabbdba5e8900exeexeexeex.exe	29
PID 2392 wrote to memory of 2084	2392	2dabbdba5e8900exeexeexeex.exe	29
PID 2392 wrote to memory of 2084	2392	2dabbdba5e8900exeexeexeex.exe	29
PID 2392 wrote to memory of 2084	2392	2dabbdba5e8900exeexeexeex.exe	29
PID 2288 wrote to memory of 2076	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	30
PID 2288 wrote to memory of 2076	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	30
PID 2288 wrote to memory of 2076	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	30
PID 2288 wrote to memory of 2076	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	30
PID 2288 wrote to memory of 592	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	31
PID 2288 wrote to memory of 592	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	31
PID 2288 wrote to memory of 592	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	31
PID 2288 wrote to memory of 592	2288	{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe	31
PID 2076 wrote to memory of 2260	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	32
PID 2076 wrote to memory of 2260	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	32
PID 2076 wrote to memory of 2260	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	32
PID 2076 wrote to memory of 2260	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	32
PID 2076 wrote to memory of 924	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	33
PID 2076 wrote to memory of 924	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	33
PID 2076 wrote to memory of 924	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	33
PID 2076 wrote to memory of 924	2076	{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe	33
PID 2260 wrote to memory of 2964	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	35
PID 2260 wrote to memory of 2964	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	35
PID 2260 wrote to memory of 2964	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	35
PID 2260 wrote to memory of 2964	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	35
PID 2260 wrote to memory of 2112	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	34
PID 2260 wrote to memory of 2112	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	34
PID 2260 wrote to memory of 2112	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	34
PID 2260 wrote to memory of 2112	2260	{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe	34
PID 2964 wrote to memory of 2328	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	37
PID 2964 wrote to memory of 2328	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	37
PID 2964 wrote to memory of 2328	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	37
PID 2964 wrote to memory of 2328	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	37
PID 2964 wrote to memory of 1744	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	36
PID 2964 wrote to memory of 1744	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	36
PID 2964 wrote to memory of 1744	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	36
PID 2964 wrote to memory of 1744	2964	{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe	36
PID 2328 wrote to memory of 1636	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	39
PID 2328 wrote to memory of 1636	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	39
PID 2328 wrote to memory of 1636	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	39
PID 2328 wrote to memory of 1636	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	39
PID 2328 wrote to memory of 2000	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	38
PID 2328 wrote to memory of 2000	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	38
PID 2328 wrote to memory of 2000	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	38
PID 2328 wrote to memory of 2000	2328	{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe	38
PID 1636 wrote to memory of 996	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	40
PID 1636 wrote to memory of 996	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	40
PID 1636 wrote to memory of 996	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	40
PID 1636 wrote to memory of 996	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	40
PID 1636 wrote to memory of 1896	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	41
PID 1636 wrote to memory of 1896	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	41
PID 1636 wrote to memory of 1896	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	41
PID 1636 wrote to memory of 1896	1636	{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe	41
PID 996 wrote to memory of 1656	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	42
PID 996 wrote to memory of 1656	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	42
PID 996 wrote to memory of 1656	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	42
PID 996 wrote to memory of 1656	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	42
PID 996 wrote to memory of 1260	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	43
PID 996 wrote to memory of 1260	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	43
PID 996 wrote to memory of 1260	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	43
PID 996 wrote to memory of 1260	996	{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe	43

C:\Users\Admin\AppData\Local\Temp\2dabbdba5e8900exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2dabbdba5e8900exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
  C:\Windows\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
    C:\Windows\{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe
      C:\Windows\{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE762~1.EXE > nul
        5⤵
        
        PID:2112
    - - C:\Windows\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
        
        C:\Windows\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38C5A~1.EXE > nul
        6⤵
        
        PID:1744
      - C:\Windows\{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
        
        C:\Windows\{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95379~1.EXE > nul
        7⤵
        
        PID:2000
        
        C:\Windows\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
        
        C:\Windows\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
        
        C:\Windows\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
        
        C:\Windows\{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF58~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
        
        C:\Windows\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\{38306786-939E-417d-9368-A4565893F43C}.exe
        
        C:\Windows\{38306786-939E-417d-9368-A4565893F43C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38306~1.EXE > nul
        12⤵
        
        PID:2652
        
        C:\Windows\{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
        
        C:\Windows\{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe
        
        C:\Windows\{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A56~1.EXE > nul
        14⤵
        
        PID:2584
        
        C:\Windows\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}.exe
        
        C:\Windows\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}.exe
        14⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E9B~1.EXE > nul
        13⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA71E~1.EXE > nul
        11⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CCA9~1.EXE > nul
        9⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB558~1.EXE > nul
        8⤵
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF113~1.EXE > nul
      4⤵
      PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E78EC~1.EXE > nul
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2DABBD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0774546D-72A6-4c7c-8541-CD03FBEF2AFB}.exe

Filesize
204KB

MD5
bdfae1f6dd3e0528a8444bd61fc94883

SHA1
73897d954c694540ba0b3689beb98035d4496bce

SHA256
729f04f2d5e94a86504bbda5be53e6c0d8c6565f50c307a1d353cc58a2b00fd3

SHA512
b5cc422067aa52b2c3a13f90c4c5703784d97914a0b357114dc229fb9f00c501be95b44b51d9fc73bb48f3f6b0a106faa573c2b1670c27f78162510861345087

Download Submit
C:\Windows\{38306786-939E-417d-9368-A4565893F43C}.exe

Filesize
204KB

MD5
6bb7ba2109acc939ef7c6577faf32c8d

SHA1
fe0b963ee8d0959095cebd20686b8fcc825ed3df

SHA256
52d9c81621fa52eaf4d009d8913a13f2c7f77db823aad98ee4dac8d172938d80

SHA512
11a2b81a572e07047fadca5214cb60b380cc30d40c321390b40c0ebd2caa55900cfe28dd6882994a0c7aa5b38855240b13b3181052cbd5b1592dcc7c9a7f53a9

Download Submit
C:\Windows\{38306786-939E-417d-9368-A4565893F43C}.exe

Filesize
204KB

MD5
6bb7ba2109acc939ef7c6577faf32c8d

SHA1
fe0b963ee8d0959095cebd20686b8fcc825ed3df

SHA256
52d9c81621fa52eaf4d009d8913a13f2c7f77db823aad98ee4dac8d172938d80

SHA512
11a2b81a572e07047fadca5214cb60b380cc30d40c321390b40c0ebd2caa55900cfe28dd6882994a0c7aa5b38855240b13b3181052cbd5b1592dcc7c9a7f53a9

Download Submit
C:\Windows\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe

Filesize
204KB

MD5
4faffb147e80d88f0d2bc9ba87a5f3a6

SHA1
74850686f097c1ae7f34ca7c5405cbaee36436c9

SHA256
1cc78894c5d3e77e318e2882649ab8d59a1d878c3aa47b308af70b3c549949af

SHA512
2266c4f6c35bdbbd3691612d9390cfedec393150c1fde45f09cd658166df9a553ea11201cc5fc250095338b840c9d4e686a31c905863edb02ad325d322498cb4

Download Submit
C:\Windows\{38C5AEAD-C750-4f47-A4E8-E9A13D279726}.exe

Filesize
204KB

MD5
4faffb147e80d88f0d2bc9ba87a5f3a6

SHA1
74850686f097c1ae7f34ca7c5405cbaee36436c9

SHA256
1cc78894c5d3e77e318e2882649ab8d59a1d878c3aa47b308af70b3c549949af

SHA512
2266c4f6c35bdbbd3691612d9390cfedec393150c1fde45f09cd658166df9a553ea11201cc5fc250095338b840c9d4e686a31c905863edb02ad325d322498cb4

Download Submit
C:\Windows\{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe

Filesize
204KB

MD5
57a3389877c3fad4d362bf4677346538

SHA1
b242100bf064809d9fea2ff4048e75f0212ba34f

SHA256
341ea3df3dad1b2da9edaf6b46fda5ff288b3e7fffb9afcf4b00a01beed225a5

SHA512
0ce8b5b334c4c30c8c6982eabe54acff0e997d4b95ebddc6d057ff4a7b4672855e493d111c797e22774ac97a508231e5a1f4c43818a6139ee30e64d546234f2d

Download Submit
C:\Windows\{4AF58F8F-95A2-406d-87A8-12731A03111E}.exe

Filesize
204KB

MD5
57a3389877c3fad4d362bf4677346538

SHA1
b242100bf064809d9fea2ff4048e75f0212ba34f

SHA256
341ea3df3dad1b2da9edaf6b46fda5ff288b3e7fffb9afcf4b00a01beed225a5

SHA512
0ce8b5b334c4c30c8c6982eabe54acff0e997d4b95ebddc6d057ff4a7b4672855e493d111c797e22774ac97a508231e5a1f4c43818a6139ee30e64d546234f2d

Download Submit
C:\Windows\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe

Filesize
204KB

MD5
37a4e942af3ae40245de6c30594d61db

SHA1
1efbe991ac958afcfb01b79105b53426e4693da7

SHA256
a53d73b3ebfdf94379ac97127a768d42e8726eefb6cf887487ffd14e8a5ee4ee

SHA512
52a3fba02eec5ff58e839eb0854c72d05812049eccfe97a9ff6c0f304867de61fd16079fe77ba2a348a3880f5fa33c0bf5caa9daaf90914c5c396d7126b1c309

Download Submit
C:\Windows\{5CCA92B7-A1E2-4809-9A46-2D5BBCD674C7}.exe

Filesize
204KB

MD5
37a4e942af3ae40245de6c30594d61db

SHA1
1efbe991ac958afcfb01b79105b53426e4693da7

SHA256
a53d73b3ebfdf94379ac97127a768d42e8726eefb6cf887487ffd14e8a5ee4ee

SHA512
52a3fba02eec5ff58e839eb0854c72d05812049eccfe97a9ff6c0f304867de61fd16079fe77ba2a348a3880f5fa33c0bf5caa9daaf90914c5c396d7126b1c309

Download Submit
C:\Windows\{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe

Filesize
204KB

MD5
f00a9b4f566bb5c7651e12c2d99916fc

SHA1
3ee0f1b5e8902a2bcb9af8932e2a2bbcc48f1212

SHA256
c576f2d1bec592797b67a1d626a7552817946c62d1c7c29e9c55243c68c94a37

SHA512
acb24e28ed583abe2fe8718d839974593aa72b6095ee60b70da07d2f8237c91412f62cd1354295b49bbf15f880dbc970012be11a0960f79808c4f182be8267c4

Download Submit
C:\Windows\{95379CB5-A764-4552-9BF5-F3CABDDE415D}.exe

Filesize
204KB

MD5
f00a9b4f566bb5c7651e12c2d99916fc

SHA1
3ee0f1b5e8902a2bcb9af8932e2a2bbcc48f1212

SHA256
c576f2d1bec592797b67a1d626a7552817946c62d1c7c29e9c55243c68c94a37

SHA512
acb24e28ed583abe2fe8718d839974593aa72b6095ee60b70da07d2f8237c91412f62cd1354295b49bbf15f880dbc970012be11a0960f79808c4f182be8267c4

Download Submit
C:\Windows\{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe

Filesize
204KB

MD5
6b78ce0a3eb605f57948a306b3fe3212

SHA1
aaee204dc37cb4a38a370f1d375edd5f8a953928

SHA256
dbc779c83ce407276965a968e8e4eaaa4ab740a93564ce385b794be85ad72b18

SHA512
1c7c07c4391b177c4c3cd3524590bc0e2dbe8c134f25e981e521b5d85a6f6fabb400372f3d8d85741e3f3951779498e745670a25cef2682aed783221d205e8fe

Download Submit
C:\Windows\{BE76268B-3A63-4287-85B6-73047F6BE2C1}.exe

Filesize
204KB

MD5
6b78ce0a3eb605f57948a306b3fe3212

SHA1
aaee204dc37cb4a38a370f1d375edd5f8a953928

SHA256
dbc779c83ce407276965a968e8e4eaaa4ab740a93564ce385b794be85ad72b18

SHA512
1c7c07c4391b177c4c3cd3524590bc0e2dbe8c134f25e981e521b5d85a6f6fabb400372f3d8d85741e3f3951779498e745670a25cef2682aed783221d205e8fe

Download Submit
C:\Windows\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe

Filesize
204KB

MD5
2b5d9e203839e0feb1d3ab03ea733cf7

SHA1
a39f72181a76ee83ec21ff7bdecee01b4d10c5de

SHA256
c50fcf50e9afe7928d7bfd7f78611ef7f0dc58cc63757a3ee7c84d60f25c5a3f

SHA512
4df1ca58bb3f53d4080314f4547ac8dfdafd31cfc6b2a7f62f75261603fe53c105167387a335bc2f9ddc0a8b6b7b1f85a54baf6d0a9860c6391900030e9147d0

Download Submit
C:\Windows\{CA71EC1D-9D15-412b-B9C6-84BC5D4C3285}.exe

Filesize
204KB

MD5
2b5d9e203839e0feb1d3ab03ea733cf7

SHA1
a39f72181a76ee83ec21ff7bdecee01b4d10c5de

SHA256
c50fcf50e9afe7928d7bfd7f78611ef7f0dc58cc63757a3ee7c84d60f25c5a3f

SHA512
4df1ca58bb3f53d4080314f4547ac8dfdafd31cfc6b2a7f62f75261603fe53c105167387a335bc2f9ddc0a8b6b7b1f85a54baf6d0a9860c6391900030e9147d0

Download Submit
C:\Windows\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe

Filesize
204KB

MD5
a2db1dda7abd3a4a1e5a3424bb652961

SHA1
306369b7b0d55c48ad3ef94d9e305b5af32d7ba1

SHA256
5ac4b4acaaa25c5d2ae5fbcd1127665ec06227d1fbc8c33974955398ecb5c706

SHA512
a464e9b125d14a1c55e7666d522204c622f6e2b6dc8078961e3ee7d5185f9056b194930bc9c62c1b3efc88e6fac89ae38a00a89a8156423706d9bc7dd2308768

Download Submit
C:\Windows\{CB558EC7-1AAB-45e4-803B-B39F1F6107BD}.exe

Filesize
204KB

MD5
a2db1dda7abd3a4a1e5a3424bb652961

SHA1
306369b7b0d55c48ad3ef94d9e305b5af32d7ba1

SHA256
5ac4b4acaaa25c5d2ae5fbcd1127665ec06227d1fbc8c33974955398ecb5c706

SHA512
a464e9b125d14a1c55e7666d522204c622f6e2b6dc8078961e3ee7d5185f9056b194930bc9c62c1b3efc88e6fac89ae38a00a89a8156423706d9bc7dd2308768

Download Submit
C:\Windows\{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe

Filesize
204KB

MD5
341580861ce9da65f1d7ec58fb82d912

SHA1
73126bebe9b68450e82eff4c18f4fa2078c8d774

SHA256
56bf6366817d6377f038257f8011a9c1821e61e0e0aaf18b835b7d15f91cde9a

SHA512
9aa1daba8b923093f62d07749436443f67f879b8dd674df958106d95ac84faee79f2c44a040cd7a1faf4f951edbcf4cc7231cbb2985e15bcb4c2efee30da560a

Download Submit
C:\Windows\{E1E9BA19-6B02-493d-9671-25977D58F3B3}.exe

Filesize
204KB

MD5
341580861ce9da65f1d7ec58fb82d912

SHA1
73126bebe9b68450e82eff4c18f4fa2078c8d774

SHA256
56bf6366817d6377f038257f8011a9c1821e61e0e0aaf18b835b7d15f91cde9a

SHA512
9aa1daba8b923093f62d07749436443f67f879b8dd674df958106d95ac84faee79f2c44a040cd7a1faf4f951edbcf4cc7231cbb2985e15bcb4c2efee30da560a

Download Submit
C:\Windows\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe

Filesize
204KB

MD5
880d8912d2eb1084bcd49c5ed1e38fa1

SHA1
b660f152c304012cfb4051c31dd53dabf6e6eb43

SHA256
7342d371d53fd435a4f748188d06c7d93a1155aa922f2be90db1243e23282a40

SHA512
88fc67ca517a7bdde1008ba67fed5021bb6c15765955a0fe62f2bc046f279e31f205511d0b903b2fecb508ec0e94909d81768dafd3017f49f6304a61a2659c1e

Download Submit
C:\Windows\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe

Filesize
204KB

MD5
880d8912d2eb1084bcd49c5ed1e38fa1

SHA1
b660f152c304012cfb4051c31dd53dabf6e6eb43

SHA256
7342d371d53fd435a4f748188d06c7d93a1155aa922f2be90db1243e23282a40

SHA512
88fc67ca517a7bdde1008ba67fed5021bb6c15765955a0fe62f2bc046f279e31f205511d0b903b2fecb508ec0e94909d81768dafd3017f49f6304a61a2659c1e

Download Submit
C:\Windows\{E78EC7BE-D61D-42f8-AD7C-B4D480DB30E2}.exe

Filesize
204KB

MD5
880d8912d2eb1084bcd49c5ed1e38fa1

SHA1
b660f152c304012cfb4051c31dd53dabf6e6eb43

SHA256
7342d371d53fd435a4f748188d06c7d93a1155aa922f2be90db1243e23282a40

SHA512
88fc67ca517a7bdde1008ba67fed5021bb6c15765955a0fe62f2bc046f279e31f205511d0b903b2fecb508ec0e94909d81768dafd3017f49f6304a61a2659c1e

Download Submit
C:\Windows\{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe

Filesize
204KB

MD5
3e8436d5a0da4c0f4a7ed5223c2c802c

SHA1
9e0fed4c42cdb75c96ea9a7335860c8d770d0363

SHA256
dbbcd8f9bf81c61c9220c7ee7acc9341df636e18190e54f4f4cd71a4fe5e0335

SHA512
600989b7bb6dfa4e0decc5359b9235f0ee2c925972faecfe6b8d876057a73fa16bec69e9fffee74cb59b80a18519abca725e4ef4abbe6175c25662ecd9e687fa

Download Submit
C:\Windows\{E7A56BEB-2149-466a-923D-450D795ADC9C}.exe

Filesize
204KB

MD5
3e8436d5a0da4c0f4a7ed5223c2c802c

SHA1
9e0fed4c42cdb75c96ea9a7335860c8d770d0363

SHA256
dbbcd8f9bf81c61c9220c7ee7acc9341df636e18190e54f4f4cd71a4fe5e0335

SHA512
600989b7bb6dfa4e0decc5359b9235f0ee2c925972faecfe6b8d876057a73fa16bec69e9fffee74cb59b80a18519abca725e4ef4abbe6175c25662ecd9e687fa

Download Submit
C:\Windows\{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe

Filesize
204KB

MD5
121eb7324d35a0ae3007bbe9ac2878e4

SHA1
9a15399cba4c9597d17a693c83ae0b4353c1584c

SHA256
19b9c59927153774399c6528769b8a2633ad84cbcaa66665a8e9c3d37f96c24f

SHA512
8d72a149b3283e60cd46bb219341499a8d825a5562003893567c6a2481710ff171970f454163c170cf5a8d0989ce3fe79d80f95f6cf1d4a18f7b9c20157e29e7

Download Submit
C:\Windows\{EF113688-4ED7-487d-995A-BD32FEC04BFA}.exe

Filesize
204KB

MD5
121eb7324d35a0ae3007bbe9ac2878e4

SHA1
9a15399cba4c9597d17a693c83ae0b4353c1584c

SHA256
19b9c59927153774399c6528769b8a2633ad84cbcaa66665a8e9c3d37f96c24f

SHA512
8d72a149b3283e60cd46bb219341499a8d825a5562003893567c6a2481710ff171970f454163c170cf5a8d0989ce3fe79d80f95f6cf1d4a18f7b9c20157e29e7

Download Submit