1aa1e8b2bda49c4c27d5c2c1f9d32ef17e2774ae69aef3ef1948abc7eb5bfd68

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e0841835450c6exeexeexeex.exe
Size

204KB
MD5

2e0841835450c6fce465ce1497bc8080
SHA1

28d5b0c5f7e147f294ed5eee5ba34c950bcd7c68
SHA256

1aa1e8b2bda49c4c27d5c2c1f9d32ef17e2774ae69aef3ef1948abc7eb5bfd68
SHA512

a2dadc642533f54856880e08c01749dbe14b209d91fabf3805a23b65c871e2670d8b6b0702fea2e7bc4f7038cb0cd0e6d4d377840feb8d135e0293f5f04ebeb1
SSDEEP

1536:1EGh0oHLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0orl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6026954-4A31-44ac-BE3C-7B160F7067F2}	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6026954-4A31-44ac-BE3C-7B160F7067F2}\stubpath = "C:\\Windows\\{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe"	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}\stubpath = "C:\\Windows\\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe"	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81208A60-EFCB-4dbf-9FA4-6092774065F5}	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81208A60-EFCB-4dbf-9FA4-6092774065F5}\stubpath = "C:\\Windows\\{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe"	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}	{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4325D7C-530B-483d-9EFE-61B03D1D112C}	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}	{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392A435B-CBCA-460e-BB45-A4331A5C14C4}	{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392A435B-CBCA-460e-BB45-A4331A5C14C4}\stubpath = "C:\\Windows\\{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe"	{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41357890-614C-4599-AF39-858445F2FBA4}\stubpath = "C:\\Windows\\{41357890-614C-4599-AF39-858445F2FBA4}.exe"	{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F77078CC-A961-46dd-8612-6FC83CFE62F7}	{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4325D7C-530B-483d-9EFE-61B03D1D112C}\stubpath = "C:\\Windows\\{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe"	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54558763-201C-4a3f-8B97-EAD82E6A0069}\stubpath = "C:\\Windows\\{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe"	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}\stubpath = "C:\\Windows\\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe"	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}\stubpath = "C:\\Windows\\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe"	{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}	2e0841835450c6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}\stubpath = "C:\\Windows\\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe"	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}\stubpath = "C:\\Windows\\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe"	{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F77078CC-A961-46dd-8612-6FC83CFE62F7}\stubpath = "C:\\Windows\\{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe"	{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41357890-614C-4599-AF39-858445F2FBA4}	{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54558763-201C-4a3f-8B97-EAD82E6A0069}	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}\stubpath = "C:\\Windows\\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe"	2e0841835450c6exeexeexeex.exe

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe
1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
2956	{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
2600	{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
2836	{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
2740	{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
2588	{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe
2452	{41357890-614C-4599-AF39-858445F2FBA4}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
File created	C:\Windows\{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe	{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
File created	C:\Windows\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe	{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
File created	C:\Windows\{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe	{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
File created	C:\Windows\{41357890-614C-4599-AF39-858445F2FBA4}.exe	{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe
File created	C:\Windows\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	2e0841835450c6exeexeexeex.exe
File created	C:\Windows\{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
File created	C:\Windows\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
File created	C:\Windows\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
File created	C:\Windows\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe	{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
File created	C:\Windows\{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
File created	C:\Windows\{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
File created	C:\Windows\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	2e0841835450c6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
Token: SeIncBasePriorityPrivilege	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
Token: SeIncBasePriorityPrivilege	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
Token: SeIncBasePriorityPrivilege	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe
Token: SeIncBasePriorityPrivilege	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
Token: SeIncBasePriorityPrivilege	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
Token: SeIncBasePriorityPrivilege	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
Token: SeIncBasePriorityPrivilege	2956	{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
Token: SeIncBasePriorityPrivilege	2600	{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
Token: SeIncBasePriorityPrivilege	2836	{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
Token: SeIncBasePriorityPrivilege	2740	{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
Token: SeIncBasePriorityPrivilege	2588	{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1040	2400	2e0841835450c6exeexeexeex.exe	29
PID 2400 wrote to memory of 1040	2400	2e0841835450c6exeexeexeex.exe	29
PID 2400 wrote to memory of 1040	2400	2e0841835450c6exeexeexeex.exe	29
PID 2400 wrote to memory of 1040	2400	2e0841835450c6exeexeexeex.exe	29
PID 2400 wrote to memory of 2436	2400	2e0841835450c6exeexeexeex.exe	30
PID 2400 wrote to memory of 2436	2400	2e0841835450c6exeexeexeex.exe	30
PID 2400 wrote to memory of 2436	2400	2e0841835450c6exeexeexeex.exe	30
PID 2400 wrote to memory of 2436	2400	2e0841835450c6exeexeexeex.exe	30
PID 1040 wrote to memory of 3064	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	31
PID 1040 wrote to memory of 3064	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	31
PID 1040 wrote to memory of 3064	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	31
PID 1040 wrote to memory of 3064	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	31
PID 1040 wrote to memory of 2268	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	32
PID 1040 wrote to memory of 2268	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	32
PID 1040 wrote to memory of 2268	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	32
PID 1040 wrote to memory of 2268	1040	{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe	32
PID 3064 wrote to memory of 1288	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	33
PID 3064 wrote to memory of 1288	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	33
PID 3064 wrote to memory of 1288	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	33
PID 3064 wrote to memory of 1288	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	33
PID 3064 wrote to memory of 2120	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	34
PID 3064 wrote to memory of 2120	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	34
PID 3064 wrote to memory of 2120	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	34
PID 3064 wrote to memory of 2120	3064	{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe	34
PID 1288 wrote to memory of 2428	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	36
PID 1288 wrote to memory of 2428	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	36
PID 1288 wrote to memory of 2428	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	36
PID 1288 wrote to memory of 2428	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	36
PID 1288 wrote to memory of 2568	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	35
PID 1288 wrote to memory of 2568	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	35
PID 1288 wrote to memory of 2568	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	35
PID 1288 wrote to memory of 2568	1288	{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe	35
PID 2428 wrote to memory of 1508	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	37
PID 2428 wrote to memory of 1508	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	37
PID 2428 wrote to memory of 1508	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	37
PID 2428 wrote to memory of 1508	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	37
PID 2428 wrote to memory of 1476	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	38
PID 2428 wrote to memory of 1476	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	38
PID 2428 wrote to memory of 1476	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	38
PID 2428 wrote to memory of 1476	2428	{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe	38
PID 1508 wrote to memory of 2228	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	40
PID 1508 wrote to memory of 2228	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	40
PID 1508 wrote to memory of 2228	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	40
PID 1508 wrote to memory of 2228	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	40
PID 1508 wrote to memory of 2952	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	39
PID 1508 wrote to memory of 2952	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	39
PID 1508 wrote to memory of 2952	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	39
PID 1508 wrote to memory of 2952	1508	{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe	39
PID 2228 wrote to memory of 1444	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	42
PID 2228 wrote to memory of 1444	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	42
PID 2228 wrote to memory of 1444	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	42
PID 2228 wrote to memory of 1444	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	42
PID 2228 wrote to memory of 2140	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	41
PID 2228 wrote to memory of 2140	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	41
PID 2228 wrote to memory of 2140	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	41
PID 2228 wrote to memory of 2140	2228	{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe	41
PID 1444 wrote to memory of 2956	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	43
PID 1444 wrote to memory of 2956	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	43
PID 1444 wrote to memory of 2956	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	43
PID 1444 wrote to memory of 2956	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	43
PID 1444 wrote to memory of 3036	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	44
PID 1444 wrote to memory of 3036	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	44
PID 1444 wrote to memory of 3036	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	44
PID 1444 wrote to memory of 3036	1444	{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe	44

C:\Users\Admin\AppData\Local\Temp\2e0841835450c6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2e0841835450c6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
  C:\Windows\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
    C:\Windows\{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
      C:\Windows\{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54558~1.EXE > nul
        5⤵
        
        PID:2568
    - - C:\Windows\{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe
        
        C:\Windows\{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
        
        C:\Windows\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D56E0~1.EXE > nul
        7⤵
        
        PID:2952
        
        C:\Windows\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
        
        C:\Windows\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5DE2~1.EXE > nul
        8⤵
        
        PID:2140
        
        C:\Windows\{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
        
        C:\Windows\{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
        
        C:\Windows\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAF7~1.EXE > nul
        10⤵
        
        PID:2756
        
        C:\Windows\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
        
        C:\Windows\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
        
        C:\Windows\{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7707~1.EXE > nul
        12⤵
        
        PID:2848
        
        C:\Windows\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
        
        C:\Windows\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D098~1.EXE > nul
        13⤵
        
        PID:2628
        
        C:\Windows\{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe
        
        C:\Windows\{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{392A4~1.EXE > nul
        14⤵
        
        PID:2492
        
        C:\Windows\{41357890-614C-4599-AF39-858445F2FBA4}.exe
        
        C:\Windows\{41357890-614C-4599-AF39-858445F2FBA4}.exe
        14⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99F31~1.EXE > nul
        11⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81208~1.EXE > nul
        9⤵
        
        PID:3036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6026~1.EXE > nul
        6⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F4325~1.EXE > nul
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DAF98~1.EXE > nul
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E0841~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe

Filesize
204KB

MD5
e68111784cb72589b5040856c655f619

SHA1
6788757b0831e21314c5e8900081e00a4e2b9d65

SHA256
2f89e188351c89dbb3b55df4568f33aaf061f37e78c940639be73d0d1d6e60a4

SHA512
abf6218bfeab74c42f266af604ac9af7d46616e4f7977fbd04684dc370330755310d1d8b5de3cf94428fd55f57cf6cbf5b187ef69414811fe7914192533a50d5

Download Submit
C:\Windows\{392A435B-CBCA-460e-BB45-A4331A5C14C4}.exe

Filesize
204KB

MD5
e68111784cb72589b5040856c655f619

SHA1
6788757b0831e21314c5e8900081e00a4e2b9d65

SHA256
2f89e188351c89dbb3b55df4568f33aaf061f37e78c940639be73d0d1d6e60a4

SHA512
abf6218bfeab74c42f266af604ac9af7d46616e4f7977fbd04684dc370330755310d1d8b5de3cf94428fd55f57cf6cbf5b187ef69414811fe7914192533a50d5

Download Submit
C:\Windows\{41357890-614C-4599-AF39-858445F2FBA4}.exe

Filesize
204KB

MD5
fe6d3ff45f0d2febf260352e231f7afb

SHA1
f12c6316c7f3e265f7266ba75c0033ec7c93a43d

SHA256
9dbdd2276ddc76b4447c79142d4ac1ce55c2f13a89193d8c515d098a6fce88e2

SHA512
9a431270c750a190825aa7fc057ded5c88f577e26aa4156b9c219b5732f9836e3b3c7e5780658630df466cd143008442fb415847b1413cf06c0a49db9bac781c

Download Submit
C:\Windows\{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe

Filesize
204KB

MD5
90f23532b85a8f120cb8f11d1b835d20

SHA1
d0791974c1aa6b0798862321496142886085133f

SHA256
f7c5a8902d4565563056196ae10ff1267c92eec30c01050597d93dc73cc5c331

SHA512
3db4c4aa32a55688cfe6859ee20d24401351bd0d94a5090f932d6fdebf72fbcbdc76f616a3dcf8f651b2739adf235ac017969a486c5b429772356cc4ea62021d

Download Submit
C:\Windows\{54558763-201C-4a3f-8B97-EAD82E6A0069}.exe

Filesize
204KB

MD5
90f23532b85a8f120cb8f11d1b835d20

SHA1
d0791974c1aa6b0798862321496142886085133f

SHA256
f7c5a8902d4565563056196ae10ff1267c92eec30c01050597d93dc73cc5c331

SHA512
3db4c4aa32a55688cfe6859ee20d24401351bd0d94a5090f932d6fdebf72fbcbdc76f616a3dcf8f651b2739adf235ac017969a486c5b429772356cc4ea62021d

Download Submit
C:\Windows\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe

Filesize
204KB

MD5
7c84ffce70978951aed8cb4a55642e4e

SHA1
eb158efbea491a7f147bb7ce53f6ae58f64b54cd

SHA256
3b946f0460e34d1968093f5a3410ff08fe64f0fea396276b2aa135768ab239fe

SHA512
daa220702129a0dd86e759e7335b75bba9d3de7731bf1169734ddc752bc8a7c561dd5c32cd0a619286b716bb9105ef128427d6293a8f04edaa2aa790f3e7475e

Download Submit
C:\Windows\{6D0989E4-BEEF-43c5-99D8-3C7960058EEA}.exe

Filesize
204KB

MD5
7c84ffce70978951aed8cb4a55642e4e

SHA1
eb158efbea491a7f147bb7ce53f6ae58f64b54cd

SHA256
3b946f0460e34d1968093f5a3410ff08fe64f0fea396276b2aa135768ab239fe

SHA512
daa220702129a0dd86e759e7335b75bba9d3de7731bf1169734ddc752bc8a7c561dd5c32cd0a619286b716bb9105ef128427d6293a8f04edaa2aa790f3e7475e

Download Submit
C:\Windows\{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe

Filesize
204KB

MD5
8a486d479a5e8cf63ce8b063a9f94355

SHA1
d6547f2b5380d6a57b7e99ae54a49cdd9f8cea3a

SHA256
10316aa70699df0c17766d412d0f5ae3bc9e758a1428180baedd1b71006d017e

SHA512
c54039befa5b0aef701290446131b877d4a14fe374d6306837622e8ec867b68b1984b701a938daf164948747140fe1c74d0883286b05241341d15a1208c9eeeb

Download Submit
C:\Windows\{81208A60-EFCB-4dbf-9FA4-6092774065F5}.exe

Filesize
204KB

MD5
8a486d479a5e8cf63ce8b063a9f94355

SHA1
d6547f2b5380d6a57b7e99ae54a49cdd9f8cea3a

SHA256
10316aa70699df0c17766d412d0f5ae3bc9e758a1428180baedd1b71006d017e

SHA512
c54039befa5b0aef701290446131b877d4a14fe374d6306837622e8ec867b68b1984b701a938daf164948747140fe1c74d0883286b05241341d15a1208c9eeeb

Download Submit
C:\Windows\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe

Filesize
204KB

MD5
a6db3f13b8a843294107c678e5b5d304

SHA1
9952a0cc055de08e4f318e55ea77320def46a651

SHA256
f2e697949776a5b4c56665e45d518cfef9e925d5f5438d919a0f3825056ecbef

SHA512
da2a8ddeafd02ce91c0fe0159af5a80a5a7ff1d1b9364e482effd491bb5f38085c08988bd6310b87ce53a87709e3e03c8b5679f42443040f359ca8cdf4247145

Download Submit
C:\Windows\{8BAF7A62-D766-4000-B287-0EB10E82D4E7}.exe

Filesize
204KB

MD5
a6db3f13b8a843294107c678e5b5d304

SHA1
9952a0cc055de08e4f318e55ea77320def46a651

SHA256
f2e697949776a5b4c56665e45d518cfef9e925d5f5438d919a0f3825056ecbef

SHA512
da2a8ddeafd02ce91c0fe0159af5a80a5a7ff1d1b9364e482effd491bb5f38085c08988bd6310b87ce53a87709e3e03c8b5679f42443040f359ca8cdf4247145

Download Submit
C:\Windows\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe

Filesize
204KB

MD5
3493bcc88c65ded1257c94ae1b52de80

SHA1
52698460cd0397a0953468cbfb7eb1a12e5c59d2

SHA256
3e95b50915e76de39d5d2bbd1da21f674baece4144629594a3a0f83a436fc16f

SHA512
f38cef56840e47376fe924fb9f1b8fb2d3b891e9e1015d176db51fb90e2e6f622fcc9860c3d62b89639d7228d145a14d4f190422e0a9de42d21c2a7bdc351639

Download Submit
C:\Windows\{99F31FF5-CF26-43a4-AEBA-41F9BFF9721C}.exe

Filesize
204KB

MD5
3493bcc88c65ded1257c94ae1b52de80

SHA1
52698460cd0397a0953468cbfb7eb1a12e5c59d2

SHA256
3e95b50915e76de39d5d2bbd1da21f674baece4144629594a3a0f83a436fc16f

SHA512
f38cef56840e47376fe924fb9f1b8fb2d3b891e9e1015d176db51fb90e2e6f622fcc9860c3d62b89639d7228d145a14d4f190422e0a9de42d21c2a7bdc351639

Download Submit
C:\Windows\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe

Filesize
204KB

MD5
d35035a3ce3d3e47725c6c48a46d7657

SHA1
cacc4d8fdaad3bee30d3be0d51512328fb76ce83

SHA256
96cbdaa1cbbabec1806eb147396b2624ffa6be2dd5b0b19587fecd96a56c1e41

SHA512
31a93a77302f9102532b1b208055121bc4f2ddfd52296cdcaacba455c7ca5c74fc996e4fb11723f4e78dee84c4c324a3f8fd406716307e63e37f1a82618db813

Download Submit
C:\Windows\{D56E0A83-3EB0-4fc9-A7A4-EE2F963AA42B}.exe

Filesize
204KB

MD5
d35035a3ce3d3e47725c6c48a46d7657

SHA1
cacc4d8fdaad3bee30d3be0d51512328fb76ce83

SHA256
96cbdaa1cbbabec1806eb147396b2624ffa6be2dd5b0b19587fecd96a56c1e41

SHA512
31a93a77302f9102532b1b208055121bc4f2ddfd52296cdcaacba455c7ca5c74fc996e4fb11723f4e78dee84c4c324a3f8fd406716307e63e37f1a82618db813

Download Submit
C:\Windows\{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe

Filesize
204KB

MD5
2cac1e452a481142b8c282123ca70b74

SHA1
2212410797a19e32d9ec206c891785f06510d72c

SHA256
f3fd68405115e7768ef45b0f8c776ee80af62c37f7858e0e6614df774f45bcdd

SHA512
63916def662f5c1a5689df2b6c98dfc45df29419e91d6a884bec67cb97f98ecf88de4bdc3bce305ef0ac1de00f2f219ad198fe6514f964f60d9fcb6973c2780f

Download Submit
C:\Windows\{D6026954-4A31-44ac-BE3C-7B160F7067F2}.exe

Filesize
204KB

MD5
2cac1e452a481142b8c282123ca70b74

SHA1
2212410797a19e32d9ec206c891785f06510d72c

SHA256
f3fd68405115e7768ef45b0f8c776ee80af62c37f7858e0e6614df774f45bcdd

SHA512
63916def662f5c1a5689df2b6c98dfc45df29419e91d6a884bec67cb97f98ecf88de4bdc3bce305ef0ac1de00f2f219ad198fe6514f964f60d9fcb6973c2780f

Download Submit
C:\Windows\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe

Filesize
204KB

MD5
0051f192566b5346eb5fc7b8d651edcf

SHA1
dc0fe7326cbb72572a87b5d674c614eb432d47f6

SHA256
83a972532c521a77ac505a44144d9dfc6594021a5d5ba1ac1a1e2e8d80ccafdb

SHA512
94672d81016eee7a130c4af73ae4dfe8a945371ecba4e6e133b4121cb86ec28f256eb0ef80cf1ad9c97caeb1b2fad3f2cf838cc42467503705de6ce784f204ed

Download Submit
C:\Windows\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe

Filesize
204KB

MD5
0051f192566b5346eb5fc7b8d651edcf

SHA1
dc0fe7326cbb72572a87b5d674c614eb432d47f6

SHA256
83a972532c521a77ac505a44144d9dfc6594021a5d5ba1ac1a1e2e8d80ccafdb

SHA512
94672d81016eee7a130c4af73ae4dfe8a945371ecba4e6e133b4121cb86ec28f256eb0ef80cf1ad9c97caeb1b2fad3f2cf838cc42467503705de6ce784f204ed

Download Submit
C:\Windows\{DAF988B1-A2E0-44d2-9631-EE32DC997FA9}.exe

Filesize
204KB

MD5
0051f192566b5346eb5fc7b8d651edcf

SHA1
dc0fe7326cbb72572a87b5d674c614eb432d47f6

SHA256
83a972532c521a77ac505a44144d9dfc6594021a5d5ba1ac1a1e2e8d80ccafdb

SHA512
94672d81016eee7a130c4af73ae4dfe8a945371ecba4e6e133b4121cb86ec28f256eb0ef80cf1ad9c97caeb1b2fad3f2cf838cc42467503705de6ce784f204ed

Download Submit
C:\Windows\{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe

Filesize
204KB

MD5
92936fa37fa6bbc5b7f3b5c1574a36e3

SHA1
16190ae7b4ba09b6cea36d2117749083a543f99b

SHA256
9b36bbabeee76130797f88eb11eb844d48040d374f8994fdb2b4af7c2c2ca469

SHA512
8db3eeaf051e9ee79a24f8a3143ba825d0c85acf13a351cff9d21bcc4cb4431e8d4476c6eee21f53f25c2263ee85747ee39bdc80368ed956664b256a8d5ed8ec

Download Submit
C:\Windows\{F4325D7C-530B-483d-9EFE-61B03D1D112C}.exe

Filesize
204KB

MD5
92936fa37fa6bbc5b7f3b5c1574a36e3

SHA1
16190ae7b4ba09b6cea36d2117749083a543f99b

SHA256
9b36bbabeee76130797f88eb11eb844d48040d374f8994fdb2b4af7c2c2ca469

SHA512
8db3eeaf051e9ee79a24f8a3143ba825d0c85acf13a351cff9d21bcc4cb4431e8d4476c6eee21f53f25c2263ee85747ee39bdc80368ed956664b256a8d5ed8ec

Download Submit
C:\Windows\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe

Filesize
204KB

MD5
2cc26b235dff8f618260452b3bd287f9

SHA1
ef10861077dfd7433e076176572c5c709ad57cd5

SHA256
06483aa6768910bd86e40077605c379e8b4605670fed4f73d336afeab8126801

SHA512
f52b60cffd4f85bc0d7fe07724714fb0db5fb1402ef9f695dc595af4de8f14b9a14f0ffa20fc510ee90c42b18203475fa3b9df636255e6563409fdf00193b427

Download Submit
C:\Windows\{F5DE2280-9C0C-4d04-B9A2-C9DB2F1B9608}.exe

Filesize
204KB

MD5
2cc26b235dff8f618260452b3bd287f9

SHA1
ef10861077dfd7433e076176572c5c709ad57cd5

SHA256
06483aa6768910bd86e40077605c379e8b4605670fed4f73d336afeab8126801

SHA512
f52b60cffd4f85bc0d7fe07724714fb0db5fb1402ef9f695dc595af4de8f14b9a14f0ffa20fc510ee90c42b18203475fa3b9df636255e6563409fdf00193b427

Download Submit
C:\Windows\{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe

Filesize
204KB

MD5
0c77fc37b2183507536098dad7f6e2cc

SHA1
0b6b84d721c20c30cded34e4a0fd716241fc4689

SHA256
2392d5d173141f08c40e8112b8548ec1b15c31618a245750fcb720e9e8b86edd

SHA512
1651933e358e54a27029730a919f01bb3d1ee5aedfb45a819923521506d348b47ac0a741d5ada8eebe6b99745915628f3a3b6a15e07c1365635474d347989505

Download Submit
C:\Windows\{F77078CC-A961-46dd-8612-6FC83CFE62F7}.exe

Filesize
204KB

MD5
0c77fc37b2183507536098dad7f6e2cc

SHA1
0b6b84d721c20c30cded34e4a0fd716241fc4689

SHA256
2392d5d173141f08c40e8112b8548ec1b15c31618a245750fcb720e9e8b86edd

SHA512
1651933e358e54a27029730a919f01bb3d1ee5aedfb45a819923521506d348b47ac0a741d5ada8eebe6b99745915628f3a3b6a15e07c1365635474d347989505

Download Submit