2f813a687aa4c9065b1a0a9c7a43b2db7c9de28f51bf21babc735c7e75be366a

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

386d9765ba430bexeexeexeex.exe
Size

372KB
MD5

386d9765ba430b8c72034532470e13b8
SHA1

f5f8926e0274ee4a289e5ff72e41ceca9c1ba48f
SHA256

2f813a687aa4c9065b1a0a9c7a43b2db7c9de28f51bf21babc735c7e75be366a
SHA512

e6a5793b692aab5123e9ec50c3319a616cf08002398d25872000b5cf61ef4150a7a5b39c88d7a650baa60465f4c5c10607f3ef3e1953517ce69d9a26acf847b9
SSDEEP

3072:CEGh0oZmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG+l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}\stubpath = "C:\\Windows\\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe"	386d9765ba430bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F428888-8397-4fe7-A5D3-9830AB349243}\stubpath = "C:\\Windows\\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe"	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}	{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}	{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}\stubpath = "C:\\Windows\\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe"	{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5744732-D61A-4cc3-A3A0-501246128219}\stubpath = "C:\\Windows\\{C5744732-D61A-4cc3-A3A0-501246128219}.exe"	{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD8847DD-085E-4379-AD90-0A7302C84A3F}\stubpath = "C:\\Windows\\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe"	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}\stubpath = "C:\\Windows\\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe"	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1805918B-39C3-4305-8414-10FD5AC29481}\stubpath = "C:\\Windows\\{1805918B-39C3-4305-8414-10FD5AC29481}.exe"	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}\stubpath = "C:\\Windows\\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe"	{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}	{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}	{1805918B-39C3-4305-8414-10FD5AC29481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}\stubpath = "C:\\Windows\\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe"	{1805918B-39C3-4305-8414-10FD5AC29481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}\stubpath = "C:\\Windows\\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe"	{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F428888-8397-4fe7-A5D3-9830AB349243}	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}\stubpath = "C:\\Windows\\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe"	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}\stubpath = "C:\\Windows\\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe"	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1805918B-39C3-4305-8414-10FD5AC29481}	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}\stubpath = "C:\\Windows\\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}.exe"	{C5744732-D61A-4cc3-A3A0-501246128219}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}	386d9765ba430bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD8847DD-085E-4379-AD90-0A7302C84A3F}	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5744732-D61A-4cc3-A3A0-501246128219}	{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}	{C5744732-D61A-4cc3-A3A0-501246128219}.exe

Deletes itself 1 IoCs

pid	Process
1284	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe
872	{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
2268	{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
2696	{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
2992	{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
2484	{C5744732-D61A-4cc3-A3A0-501246128219}.exe
2208	{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe	{1805918B-39C3-4305-8414-10FD5AC29481}.exe
File created	C:\Windows\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe	{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
File created	C:\Windows\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe	{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
File created	C:\Windows\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}.exe	{C5744732-D61A-4cc3-A3A0-501246128219}.exe
File created	C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	386d9765ba430bexeexeexeex.exe
File created	C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
File created	C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
File created	C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
File created	C:\Windows\{1805918B-39C3-4305-8414-10FD5AC29481}.exe	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
File created	C:\Windows\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe	{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
File created	C:\Windows\{C5744732-D61A-4cc3-A3A0-501246128219}.exe	{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
File created	C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
File created	C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2340	386d9765ba430bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
Token: SeIncBasePriorityPrivilege	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
Token: SeIncBasePriorityPrivilege	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
Token: SeIncBasePriorityPrivilege	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
Token: SeIncBasePriorityPrivilege	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
Token: SeIncBasePriorityPrivilege	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
Token: SeIncBasePriorityPrivilege	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe
Token: SeIncBasePriorityPrivilege	872	{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
Token: SeIncBasePriorityPrivilege	2268	{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
Token: SeIncBasePriorityPrivilege	2696	{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
Token: SeIncBasePriorityPrivilege	2992	{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
Token: SeIncBasePriorityPrivilege	2484	{C5744732-D61A-4cc3-A3A0-501246128219}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3040	2340	386d9765ba430bexeexeexeex.exe	29
PID 2340 wrote to memory of 3040	2340	386d9765ba430bexeexeexeex.exe	29
PID 2340 wrote to memory of 3040	2340	386d9765ba430bexeexeexeex.exe	29
PID 2340 wrote to memory of 3040	2340	386d9765ba430bexeexeexeex.exe	29
PID 2340 wrote to memory of 1284	2340	386d9765ba430bexeexeexeex.exe	30
PID 2340 wrote to memory of 1284	2340	386d9765ba430bexeexeexeex.exe	30
PID 2340 wrote to memory of 1284	2340	386d9765ba430bexeexeexeex.exe	30
PID 2340 wrote to memory of 1284	2340	386d9765ba430bexeexeexeex.exe	30
PID 3040 wrote to memory of 2356	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3040 wrote to memory of 2356	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3040 wrote to memory of 2356	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3040 wrote to memory of 2356	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3040 wrote to memory of 2996	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3040 wrote to memory of 2996	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3040 wrote to memory of 2996	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3040 wrote to memory of 2996	3040	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 2356 wrote to memory of 904	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 2356 wrote to memory of 904	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 2356 wrote to memory of 904	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 2356 wrote to memory of 904	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 2356 wrote to memory of 1688	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 2356 wrote to memory of 1688	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 2356 wrote to memory of 1688	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 2356 wrote to memory of 1688	2356	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 904 wrote to memory of 2540	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 904 wrote to memory of 2540	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 904 wrote to memory of 2540	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 904 wrote to memory of 2540	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 904 wrote to memory of 2184	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 904 wrote to memory of 2184	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 904 wrote to memory of 2184	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 904 wrote to memory of 2184	904	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 2540 wrote to memory of 2860	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 2540 wrote to memory of 2860	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 2540 wrote to memory of 2860	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 2540 wrote to memory of 2860	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 2540 wrote to memory of 2888	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 2540 wrote to memory of 2888	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 2540 wrote to memory of 2888	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 2540 wrote to memory of 2888	2540	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 2860 wrote to memory of 1616	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2860 wrote to memory of 1616	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2860 wrote to memory of 1616	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2860 wrote to memory of 1616	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2860 wrote to memory of 1672	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2860 wrote to memory of 1672	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2860 wrote to memory of 1672	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2860 wrote to memory of 1672	2860	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 1616 wrote to memory of 2092	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 1616 wrote to memory of 2092	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 1616 wrote to memory of 2092	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 1616 wrote to memory of 2092	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 1616 wrote to memory of 2096	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 1616 wrote to memory of 2096	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 1616 wrote to memory of 2096	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 1616 wrote to memory of 2096	1616	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 2092 wrote to memory of 872	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	43
PID 2092 wrote to memory of 872	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	43
PID 2092 wrote to memory of 872	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	43
PID 2092 wrote to memory of 872	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	43
PID 2092 wrote to memory of 2236	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	44
PID 2092 wrote to memory of 2236	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	44
PID 2092 wrote to memory of 2236	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	44
PID 2092 wrote to memory of 2236	2092	{1805918B-39C3-4305-8414-10FD5AC29481}.exe	44

C:\Users\Admin\AppData\Local\Temp\386d9765ba430bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\386d9765ba430bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
  C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
    C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F428~1.EXE > nul
      4⤵
      PID:1688
  - - C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
      C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
        
        C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
        
        C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
        
        C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{1805918B-39C3-4305-8414-10FD5AC29481}.exe
        
        C:\Windows\{1805918B-39C3-4305-8414-10FD5AC29481}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
        
        C:\Windows\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
        
        C:\Windows\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
        
        C:\Windows\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
        
        C:\Windows\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\{C5744732-D61A-4cc3-A3A0-501246128219}.exe
        
        C:\Windows\{C5744732-D61A-4cc3-A3A0-501246128219}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}.exe
        
        C:\Windows\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}.exe
        14⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5744~1.EXE > nul
        14⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{780D3~1.EXE > nul
        13⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A1B~1.EXE > nul
        12⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6833~1.EXE > nul
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2567C~1.EXE > nul
        10⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18059~1.EXE > nul
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF07B~1.EXE > nul
        8⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA19~1.EXE > nul
        7⤵
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD884~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DBD9~1.EXE > nul
        5⤵
        
        PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EB549~1.EXE > nul
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\386D97~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0167AD62-E9D7-4b1f-AB57-BA0047C66D64}.exe

Filesize
372KB

MD5
77d96b28aec3125edd21889c4878473d

SHA1
c5e98e268cc7594c5b4e3ee7cec624e654e910af

SHA256
687b9fc3c4102ad37b1b2d9e9dd2da006d209d6effa9ee0cd6480b740079057f

SHA512
6aafa59082561656825399bd29297ecbf70b11a2c7924e39726c0ac248c54648c36d28728779079d9c75ea7ee96efa422fb9ace04ca0386403261039fda9deca

Download Submit
C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe

Filesize
372KB

MD5
d895aa4843b0837fa6f70c44cfc59943

SHA1
a5a1130d226330949f2ba469fdd8369ff78a2b6e

SHA256
2b5ecc470673f8c5f7b6dfdf0dbaa152635610905deb8c46cb3fed8fb133072f

SHA512
c7307a2f3133b555fc39a90a8f1a5720e2f39fd0acb9d6f67a2b33863b4f21c553c950b406f6738006e9d3fa78f1293c1f54f7e5c414aa8593c704c8caf17b28

Download Submit
C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe

Filesize
372KB

MD5
d895aa4843b0837fa6f70c44cfc59943

SHA1
a5a1130d226330949f2ba469fdd8369ff78a2b6e

SHA256
2b5ecc470673f8c5f7b6dfdf0dbaa152635610905deb8c46cb3fed8fb133072f

SHA512
c7307a2f3133b555fc39a90a8f1a5720e2f39fd0acb9d6f67a2b33863b4f21c553c950b406f6738006e9d3fa78f1293c1f54f7e5c414aa8593c704c8caf17b28

Download Submit
C:\Windows\{1805918B-39C3-4305-8414-10FD5AC29481}.exe

Filesize
372KB

MD5
8278fabb6532db71a5b570e2d6cc1f99

SHA1
2d4a140eb13f327a9098369c82e30f0abd3e5d2f

SHA256
f7378cadfe1d116dd29fdfa41cb6e4b32cc7883f9b4d5c9a07a229a08b132357

SHA512
3fc8790ee71362fa0cc2ca015e189b7dd406a5b4888fdfe53e67e60a12905c7e67dceed5f97875fa3167ab0ef9f0b953e41668273c826ddf0c927ba427caa073

Download Submit
C:\Windows\{1805918B-39C3-4305-8414-10FD5AC29481}.exe

Filesize
372KB

MD5
8278fabb6532db71a5b570e2d6cc1f99

SHA1
2d4a140eb13f327a9098369c82e30f0abd3e5d2f

SHA256
f7378cadfe1d116dd29fdfa41cb6e4b32cc7883f9b4d5c9a07a229a08b132357

SHA512
3fc8790ee71362fa0cc2ca015e189b7dd406a5b4888fdfe53e67e60a12905c7e67dceed5f97875fa3167ab0ef9f0b953e41668273c826ddf0c927ba427caa073

Download Submit
C:\Windows\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe

Filesize
372KB

MD5
84043fbdb85a684bacc5fa43501ed1de

SHA1
c0841076fb7688cc2bcd9a9c4db6c82a9a62e158

SHA256
18ec2d826c401bbc2ab75943c3826ae3debbb06f5a5cdab943934aa082a28637

SHA512
d5502de669d551c2d0b37c699881c91cba923ebc78fcc6169df6ae30ca4766d7facc045f9b00230debc37408eec54c486b9e9dbc39ce946615a8384ef74d99fc

Download Submit
C:\Windows\{2567CEA3-4286-4e7c-BE77-F5C75543B75E}.exe

Filesize
372KB

MD5
84043fbdb85a684bacc5fa43501ed1de

SHA1
c0841076fb7688cc2bcd9a9c4db6c82a9a62e158

SHA256
18ec2d826c401bbc2ab75943c3826ae3debbb06f5a5cdab943934aa082a28637

SHA512
d5502de669d551c2d0b37c699881c91cba923ebc78fcc6169df6ae30ca4766d7facc045f9b00230debc37408eec54c486b9e9dbc39ce946615a8384ef74d99fc

Download Submit
C:\Windows\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe

Filesize
372KB

MD5
5036895f71a6d67031fa1e349e42f08e

SHA1
1e58b026fe01d2e78c63d17834fe23f9fccfc285

SHA256
6a00a6e2d3714eb702bf324e4f79f3c4acd8dd359fbf4ccb548df34c02df2b2c

SHA512
491e484f2811f7892566edf7fa7f46a8998f62c19c7e41df351d780ecec6fbbaa2166cc071418642cb304c193e7c4b65caeb33f87ac7cdf17334395eed20b9e2

Download Submit
C:\Windows\{28A1B9F8-01D5-4fd5-A7A5-3D8EBEF3D6B9}.exe

Filesize
372KB

MD5
5036895f71a6d67031fa1e349e42f08e

SHA1
1e58b026fe01d2e78c63d17834fe23f9fccfc285

SHA256
6a00a6e2d3714eb702bf324e4f79f3c4acd8dd359fbf4ccb548df34c02df2b2c

SHA512
491e484f2811f7892566edf7fa7f46a8998f62c19c7e41df351d780ecec6fbbaa2166cc071418642cb304c193e7c4b65caeb33f87ac7cdf17334395eed20b9e2

Download Submit
C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe

Filesize
372KB

MD5
7f7a61d7a9318fbd15bd80669780fd48

SHA1
54a0d66c64d90cb143906b8b375dc1b99da53a54

SHA256
9ae4a55cc7534cc0fbd21a6a21784782cd0ce72a5c58e9cdc9a730b3293103ed

SHA512
e780ad7bd12f7c76104ac641d475c3b098d3a54859a35764cc395e7ac6b11f400c3123add51b66db2471a5508fb97ca0debf0e5684a1dfe6a6ff996af2dead6e

Download Submit
C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe

Filesize
372KB

MD5
7f7a61d7a9318fbd15bd80669780fd48

SHA1
54a0d66c64d90cb143906b8b375dc1b99da53a54

SHA256
9ae4a55cc7534cc0fbd21a6a21784782cd0ce72a5c58e9cdc9a730b3293103ed

SHA512
e780ad7bd12f7c76104ac641d475c3b098d3a54859a35764cc395e7ac6b11f400c3123add51b66db2471a5508fb97ca0debf0e5684a1dfe6a6ff996af2dead6e

Download Submit
C:\Windows\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe

Filesize
372KB

MD5
c524fac2603742497b21d6284240f90e

SHA1
53b2748e486618620609b8056f7fdfb9d956f673

SHA256
ebe10c03e4eed5fc83d40e5c7d0cd59e03b48b2101eab85a4812d893c99014c6

SHA512
d69ef6d78cb070b99413b8f36ec8f249b5405786241e4c2b1038dcd0ace84ecd9d81802cbc55cb1ca5fc437113747d3ffd9d2775b0909951e8f8114068fafe28

Download Submit
C:\Windows\{780D3E24-BDF8-4a5a-90E4-A25968A5E318}.exe

Filesize
372KB

MD5
c524fac2603742497b21d6284240f90e

SHA1
53b2748e486618620609b8056f7fdfb9d956f673

SHA256
ebe10c03e4eed5fc83d40e5c7d0cd59e03b48b2101eab85a4812d893c99014c6

SHA512
d69ef6d78cb070b99413b8f36ec8f249b5405786241e4c2b1038dcd0ace84ecd9d81802cbc55cb1ca5fc437113747d3ffd9d2775b0909951e8f8114068fafe28

Download Submit
C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe

Filesize
372KB

MD5
0d1a2e45b48eb61ba531ee079eab1f59

SHA1
1568e9d9d7f65d8bd9d81653528f7f4700a74c3f

SHA256
62dcffbb0ebbd0bc7214b7ade132e70606ce1ff62e45494c72866be49bc49061

SHA512
27ce5b916b2ddfc6f7bdaa8e17bb358310a16676f19e283ed389e3dab41782208ccff2f766cc0f3b0bc206917079ed4daeba7fcb4c81dfd3ce89bf8e1319b381

Download Submit
C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe

Filesize
372KB

MD5
0d1a2e45b48eb61ba531ee079eab1f59

SHA1
1568e9d9d7f65d8bd9d81653528f7f4700a74c3f

SHA256
62dcffbb0ebbd0bc7214b7ade132e70606ce1ff62e45494c72866be49bc49061

SHA512
27ce5b916b2ddfc6f7bdaa8e17bb358310a16676f19e283ed389e3dab41782208ccff2f766cc0f3b0bc206917079ed4daeba7fcb4c81dfd3ce89bf8e1319b381

Download Submit
C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe

Filesize
372KB

MD5
a65b03e5c2b39f393f37391737a8b2de

SHA1
0b1d894b5f0e8e5700a602fad12eb114b7b35cec

SHA256
f49224fa7ab217c1a7fa70efcfdf7204c8341e15aaadc7bdca2c180b46689127

SHA512
30442a057fb43fe2ca86e3fb67354b0fa7a7f9735038878b890a30d3c8782566b343029310b259faf457ca4ae96ad1be9c98fc2fb364f26b1ec273cd3042ca65

Download Submit
C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe

Filesize
372KB

MD5
a65b03e5c2b39f393f37391737a8b2de

SHA1
0b1d894b5f0e8e5700a602fad12eb114b7b35cec

SHA256
f49224fa7ab217c1a7fa70efcfdf7204c8341e15aaadc7bdca2c180b46689127

SHA512
30442a057fb43fe2ca86e3fb67354b0fa7a7f9735038878b890a30d3c8782566b343029310b259faf457ca4ae96ad1be9c98fc2fb364f26b1ec273cd3042ca65

Download Submit
C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe

Filesize
372KB

MD5
c654a9b195b78751aa204e42eda40f48

SHA1
2dca3a2b5d3bee01c3e23e7995c1775a1cf6722e

SHA256
1300f9b731ed41f93b532f5e878fea0ed6597c8d8057ff573064d09a63ab4675

SHA512
c76751c474f3537b801b199ee313cd2a76a000fe798d1b3708bcc121c13a5e21efb4c0c77d0f0f65445f73c59eca306e4266fdb8d277393c417af79ee6d6a614

Download Submit
C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe

Filesize
372KB

MD5
c654a9b195b78751aa204e42eda40f48

SHA1
2dca3a2b5d3bee01c3e23e7995c1775a1cf6722e

SHA256
1300f9b731ed41f93b532f5e878fea0ed6597c8d8057ff573064d09a63ab4675

SHA512
c76751c474f3537b801b199ee313cd2a76a000fe798d1b3708bcc121c13a5e21efb4c0c77d0f0f65445f73c59eca306e4266fdb8d277393c417af79ee6d6a614

Download Submit
C:\Windows\{C5744732-D61A-4cc3-A3A0-501246128219}.exe

Filesize
372KB

MD5
46a2713550ac02670d5af98db5c7e7a6

SHA1
0c87dd3c0da75f0c3f35321b065404d5df228abd

SHA256
d955b43ccc2bea077a3fe3b1a862a7d544d780c9239ebb0f5f7d541690cd6dca

SHA512
9ead1fe8ca1ef4b90bc630c5667e21dbc246c213c6fdfef52daa0b1823c10b076f7762a7bf692d8ca25bbe6e24e576e0cbf5949864220333bf9af42915ba71e0

Download Submit
C:\Windows\{C5744732-D61A-4cc3-A3A0-501246128219}.exe

Filesize
372KB

MD5
46a2713550ac02670d5af98db5c7e7a6

SHA1
0c87dd3c0da75f0c3f35321b065404d5df228abd

SHA256
d955b43ccc2bea077a3fe3b1a862a7d544d780c9239ebb0f5f7d541690cd6dca

SHA512
9ead1fe8ca1ef4b90bc630c5667e21dbc246c213c6fdfef52daa0b1823c10b076f7762a7bf692d8ca25bbe6e24e576e0cbf5949864220333bf9af42915ba71e0

Download Submit
C:\Windows\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe

Filesize
372KB

MD5
7fd7602dd40ab9513fe5920e8d1d4d8d

SHA1
060d18ab62949930f6a3a06fd1d177d352993108

SHA256
481a1af61cb22d351cd7e28e9bf7755b859c9059e919e5896bf7e9ee24b89884

SHA512
4aa744830c125c4569f946f9fed51b9d7a34d78e65c7f47408cfef2fd0f251f93cc7a96bd21075be3d1930b7b4843e6fc0a3bebbf19e2ad266254257394053c9

Download Submit
C:\Windows\{E6833041-2E89-4e42-82DF-B6424ED8AE2A}.exe

Filesize
372KB

MD5
7fd7602dd40ab9513fe5920e8d1d4d8d

SHA1
060d18ab62949930f6a3a06fd1d177d352993108

SHA256
481a1af61cb22d351cd7e28e9bf7755b859c9059e919e5896bf7e9ee24b89884

SHA512
4aa744830c125c4569f946f9fed51b9d7a34d78e65c7f47408cfef2fd0f251f93cc7a96bd21075be3d1930b7b4843e6fc0a3bebbf19e2ad266254257394053c9

Download Submit
C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe

Filesize
372KB

MD5
1676a82cb16e075e6579f8d22d1463e2

SHA1
cf6e649ef46e722718c08ba6dba751f1374a73dd

SHA256
19440caaef129d0abeebf08feb22c8e78b44026ff6da39f1b2c8a6cb3577e102

SHA512
65c76696c522a3831f84920efcfe151309023e4e6fe96c1e11da9ff089a3babebb36a6bce1b6cc1caa78646be24dd5d1cf6e2adb9649dc6fb8f4f497e1bf0914

Download Submit
C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe

Filesize
372KB

MD5
1676a82cb16e075e6579f8d22d1463e2

SHA1
cf6e649ef46e722718c08ba6dba751f1374a73dd

SHA256
19440caaef129d0abeebf08feb22c8e78b44026ff6da39f1b2c8a6cb3577e102

SHA512
65c76696c522a3831f84920efcfe151309023e4e6fe96c1e11da9ff089a3babebb36a6bce1b6cc1caa78646be24dd5d1cf6e2adb9649dc6fb8f4f497e1bf0914

Download Submit
C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe

Filesize
372KB

MD5
1676a82cb16e075e6579f8d22d1463e2

SHA1
cf6e649ef46e722718c08ba6dba751f1374a73dd

SHA256
19440caaef129d0abeebf08feb22c8e78b44026ff6da39f1b2c8a6cb3577e102

SHA512
65c76696c522a3831f84920efcfe151309023e4e6fe96c1e11da9ff089a3babebb36a6bce1b6cc1caa78646be24dd5d1cf6e2adb9649dc6fb8f4f497e1bf0914

Download Submit