e5acf17e261a1902bfff264bcf8a6e0d1e0739a8f24fd9073dea9c35fca70753

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dd44f9311e284exeexeexeex.exe
Size

204KB
MD5

3dd44f9311e28469e1ddc60a4670a8e1
SHA1

442b6f3869e20c132d63c11cc2178709795110db
SHA256

e5acf17e261a1902bfff264bcf8a6e0d1e0739a8f24fd9073dea9c35fca70753
SHA512

efc99475d60794ffc3632eaba3d5920a9d5a8889edf4dae45a45b58e77057da9e248f5b6c1c2a0d5771b0ba9e3bdea7c4ca7da414ff2c32dbacfb6a35164fa49
SSDEEP

1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}\stubpath = "C:\\Windows\\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe"	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED77035-869C-46f5-95D1-2EA0EAC49509}\stubpath = "C:\\Windows\\{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe"	{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}	{02628E23-6301-4784-8716-F8136E318952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}\stubpath = "C:\\Windows\\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe"	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{686F00E3-E010-485b-A88F-E3F0563DBB1A}	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B369C57F-C84C-47f2-8207-4F58DECD3C97}	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B369C57F-C84C-47f2-8207-4F58DECD3C97}\stubpath = "C:\\Windows\\{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe"	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}\stubpath = "C:\\Windows\\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe"	{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02628E23-6301-4784-8716-F8136E318952}	{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83879F5D-600E-44d7-A866-926CB0C70B8F}	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{686F00E3-E010-485b-A88F-E3F0563DBB1A}\stubpath = "C:\\Windows\\{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe"	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7E887-665A-41ea-9B5C-883AD3D907C8}\stubpath = "C:\\Windows\\{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe"	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}	{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}\stubpath = "C:\\Windows\\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe"	{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F194BEA1-828C-4283-9577-0762FFAF91F8}	3dd44f9311e284exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F194BEA1-828C-4283-9577-0762FFAF91F8}\stubpath = "C:\\Windows\\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe"	3dd44f9311e284exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83879F5D-600E-44d7-A866-926CB0C70B8F}\stubpath = "C:\\Windows\\{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe"	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}\stubpath = "C:\\Windows\\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe"	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7E887-665A-41ea-9B5C-883AD3D907C8}	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}	{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED77035-869C-46f5-95D1-2EA0EAC49509}	{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02628E23-6301-4784-8716-F8136E318952}\stubpath = "C:\\Windows\\{02628E23-6301-4784-8716-F8136E318952}.exe"	{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}\stubpath = "C:\\Windows\\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}.exe"	{02628E23-6301-4784-8716-F8136E318952}.exe

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe
2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
2264	{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
2732	{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
2660	{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
1784	{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
2920	{02628E23-6301-4784-8716-F8136E318952}.exe
2728	{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
File created	C:\Windows\{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
File created	C:\Windows\{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
File created	C:\Windows\{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
File created	C:\Windows\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe	{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
File created	C:\Windows\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe	{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
File created	C:\Windows\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}.exe	{02628E23-6301-4784-8716-F8136E318952}.exe
File created	C:\Windows\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	3dd44f9311e284exeexeexeex.exe
File created	C:\Windows\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
File created	C:\Windows\{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
File created	C:\Windows\{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe	{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
File created	C:\Windows\{02628E23-6301-4784-8716-F8136E318952}.exe	{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
File created	C:\Windows\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	3dd44f9311e284exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
Token: SeIncBasePriorityPrivilege	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe
Token: SeIncBasePriorityPrivilege	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
Token: SeIncBasePriorityPrivilege	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
Token: SeIncBasePriorityPrivilege	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
Token: SeIncBasePriorityPrivilege	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
Token: SeIncBasePriorityPrivilege	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
Token: SeIncBasePriorityPrivilege	2264	{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
Token: SeIncBasePriorityPrivilege	2732	{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
Token: SeIncBasePriorityPrivilege	2660	{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
Token: SeIncBasePriorityPrivilege	1784	{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
Token: SeIncBasePriorityPrivilege	2920	{02628E23-6301-4784-8716-F8136E318952}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1136	2360	3dd44f9311e284exeexeexeex.exe	28
PID 2360 wrote to memory of 1136	2360	3dd44f9311e284exeexeexeex.exe	28
PID 2360 wrote to memory of 1136	2360	3dd44f9311e284exeexeexeex.exe	28
PID 2360 wrote to memory of 1136	2360	3dd44f9311e284exeexeexeex.exe	28
PID 2360 wrote to memory of 2280	2360	3dd44f9311e284exeexeexeex.exe	29
PID 2360 wrote to memory of 2280	2360	3dd44f9311e284exeexeexeex.exe	29
PID 2360 wrote to memory of 2280	2360	3dd44f9311e284exeexeexeex.exe	29
PID 2360 wrote to memory of 2280	2360	3dd44f9311e284exeexeexeex.exe	29
PID 1136 wrote to memory of 2248	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	30
PID 1136 wrote to memory of 2248	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	30
PID 1136 wrote to memory of 2248	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	30
PID 1136 wrote to memory of 2248	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	30
PID 1136 wrote to memory of 2296	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	31
PID 1136 wrote to memory of 2296	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	31
PID 1136 wrote to memory of 2296	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	31
PID 1136 wrote to memory of 2296	1136	{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe	31
PID 2248 wrote to memory of 2424	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	32
PID 2248 wrote to memory of 2424	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	32
PID 2248 wrote to memory of 2424	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	32
PID 2248 wrote to memory of 2424	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	32
PID 2248 wrote to memory of 1608	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	33
PID 2248 wrote to memory of 1608	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	33
PID 2248 wrote to memory of 1608	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	33
PID 2248 wrote to memory of 1608	2248	{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe	33
PID 2424 wrote to memory of 1604	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	34
PID 2424 wrote to memory of 1604	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	34
PID 2424 wrote to memory of 1604	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	34
PID 2424 wrote to memory of 1604	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	34
PID 2424 wrote to memory of 2960	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	35
PID 2424 wrote to memory of 2960	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	35
PID 2424 wrote to memory of 2960	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	35
PID 2424 wrote to memory of 2960	2424	{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe	35
PID 1604 wrote to memory of 940	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	36
PID 1604 wrote to memory of 940	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	36
PID 1604 wrote to memory of 940	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	36
PID 1604 wrote to memory of 940	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	36
PID 1604 wrote to memory of 848	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	37
PID 1604 wrote to memory of 848	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	37
PID 1604 wrote to memory of 848	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	37
PID 1604 wrote to memory of 848	1604	{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe	37
PID 940 wrote to memory of 2236	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	38
PID 940 wrote to memory of 2236	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	38
PID 940 wrote to memory of 2236	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	38
PID 940 wrote to memory of 2236	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	38
PID 940 wrote to memory of 3016	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	39
PID 940 wrote to memory of 3016	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	39
PID 940 wrote to memory of 3016	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	39
PID 940 wrote to memory of 3016	940	{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe	39
PID 2236 wrote to memory of 1324	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	40
PID 2236 wrote to memory of 1324	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	40
PID 2236 wrote to memory of 1324	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	40
PID 2236 wrote to memory of 1324	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	40
PID 2236 wrote to memory of 2288	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	41
PID 2236 wrote to memory of 2288	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	41
PID 2236 wrote to memory of 2288	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	41
PID 2236 wrote to memory of 2288	2236	{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe	41
PID 1324 wrote to memory of 2264	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	42
PID 1324 wrote to memory of 2264	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	42
PID 1324 wrote to memory of 2264	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	42
PID 1324 wrote to memory of 2264	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	42
PID 1324 wrote to memory of 2956	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	43
PID 1324 wrote to memory of 2956	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	43
PID 1324 wrote to memory of 2956	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	43
PID 1324 wrote to memory of 2956	1324	{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe	43

C:\Users\Admin\AppData\Local\Temp\3dd44f9311e284exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3dd44f9311e284exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
  C:\Windows\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe
    C:\Windows\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
      C:\Windows\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
        
        C:\Windows\{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
        
        C:\Windows\{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
        
        C:\Windows\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
        
        C:\Windows\{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
        
        C:\Windows\{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
        
        C:\Windows\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C01D0~1.EXE > nul
        11⤵
        
        PID:2780
        
        C:\Windows\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
        
        C:\Windows\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
        
        C:\Windows\{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{02628E23-6301-4784-8716-F8136E318952}.exe
        
        C:\Windows\{02628E23-6301-4784-8716-F8136E318952}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02628~1.EXE > nul
        14⤵
        
        PID:2524
        
        C:\Windows\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}.exe
        
        C:\Windows\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}.exe
        14⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DED77~1.EXE > nul
        13⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{144A7~1.EXE > nul
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B369C~1.EXE > nul
        10⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40F7E~1.EXE > nul
        9⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0783B~1.EXE > nul
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{686F0~1.EXE > nul
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83879~1.EXE > nul
        6⤵
        
        PID:848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDD00~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51942~1.EXE > nul
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F194B~1.EXE > nul
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3DD44F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02628E23-6301-4784-8716-F8136E318952}.exe

Filesize
204KB

MD5
0fef9030f648a9c92a7980331df1a89f

SHA1
8828dbc3c368b15e04fcdb1c26ba4a9d9beb8a4d

SHA256
bfcd9ab6e5c077a99bb19e46fdce430fe200bcdcc5fee5c6e8bf15f8e2e387c4

SHA512
6ce7c0abfa6bca45a07224c247b0e3e058bdf441ecc1c55dcde493be545457775123ca8fa86523930ba549c552d45541cc67554727def911429a02657f4e8cbd

Download Submit
C:\Windows\{02628E23-6301-4784-8716-F8136E318952}.exe

Filesize
204KB

MD5
0fef9030f648a9c92a7980331df1a89f

SHA1
8828dbc3c368b15e04fcdb1c26ba4a9d9beb8a4d

SHA256
bfcd9ab6e5c077a99bb19e46fdce430fe200bcdcc5fee5c6e8bf15f8e2e387c4

SHA512
6ce7c0abfa6bca45a07224c247b0e3e058bdf441ecc1c55dcde493be545457775123ca8fa86523930ba549c552d45541cc67554727def911429a02657f4e8cbd

Download Submit
C:\Windows\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe

Filesize
204KB

MD5
9a9dd90a5a4e4354d666094da1e0f3fd

SHA1
7af53ece41b72b151f2db40c5c7847fd45560acd

SHA256
7bd40ac6498e4bbab94bf1bb8892b2e8d4284de63b47e63cbeef712cd5053f67

SHA512
a38807a45baa3c180e0dee662bc1b93aa09ff8a14dcd1c7cacb1858946ad80d8568b815386601ddf3b78e57ef85a69b427a5dd1b840fa1083bda9b7b2d651aeb

Download Submit
C:\Windows\{0783B2EE-F629-41d7-8EE1-9B3D723D6F63}.exe

Filesize
204KB

MD5
9a9dd90a5a4e4354d666094da1e0f3fd

SHA1
7af53ece41b72b151f2db40c5c7847fd45560acd

SHA256
7bd40ac6498e4bbab94bf1bb8892b2e8d4284de63b47e63cbeef712cd5053f67

SHA512
a38807a45baa3c180e0dee662bc1b93aa09ff8a14dcd1c7cacb1858946ad80d8568b815386601ddf3b78e57ef85a69b427a5dd1b840fa1083bda9b7b2d651aeb

Download Submit
C:\Windows\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe

Filesize
204KB

MD5
eb2e93523e731c8eac8419287a8d00a9

SHA1
6deb15e9244f889506dff3ee7599f72e18b278fe

SHA256
97ab7310b82639c51a4522e016d98b22ab1a429adf29a6d03f12747312f2f416

SHA512
af6f7aff6e9173a5c37fe3904ca48ff61d09eddba879ed51ceb7eb413bb123d94b0f2fa5f58fa0a133c478833adcdf2c6cbc55b7286ab22f578f7bad0c2d3d41

Download Submit
C:\Windows\{144A7FB8-A26B-44fe-8F11-C1CC2A5157BD}.exe

Filesize
204KB

MD5
eb2e93523e731c8eac8419287a8d00a9

SHA1
6deb15e9244f889506dff3ee7599f72e18b278fe

SHA256
97ab7310b82639c51a4522e016d98b22ab1a429adf29a6d03f12747312f2f416

SHA512
af6f7aff6e9173a5c37fe3904ca48ff61d09eddba879ed51ceb7eb413bb123d94b0f2fa5f58fa0a133c478833adcdf2c6cbc55b7286ab22f578f7bad0c2d3d41

Download Submit
C:\Windows\{1EEE47D0-7D59-48c2-AA3A-C802F0125FD3}.exe

Filesize
204KB

MD5
672681cf98ef0f15a544261fc5e7ca7a

SHA1
e9559b94e67b5341300a2cd2bc37e4c6c2370cf7

SHA256
0d605698f30797526f7f5ee00931229f62e089b86f2c3bfbd657dc094e8f1e60

SHA512
2df9b65461e9203ecb4f6e4f6c0378e22ddde4ebf32730812792b12be5833c6dd981d301162f98dfcac815e6c68e42b4b810ab0a29706ba964b1fbe149dd84cc

Download Submit
C:\Windows\{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe

Filesize
204KB

MD5
2e0a6e2c3efc923b6a835a50b7fccc41

SHA1
2664802cfe5283068250764dce01b9b8e5ad558c

SHA256
c3e98086ee6f209c86eea0fc28ae912f415dc1fd35f024d3ba4b7b0937b41cbc

SHA512
00e767ae5c576b471ef8bee1adb38f510df383fa0927f71a23ed296b9b7a0c45b486674eb5234cbbd7146419f92f72e7a6106c03151b2420f00bcb44baecb5fb

Download Submit
C:\Windows\{40F7E887-665A-41ea-9B5C-883AD3D907C8}.exe

Filesize
204KB

MD5
2e0a6e2c3efc923b6a835a50b7fccc41

SHA1
2664802cfe5283068250764dce01b9b8e5ad558c

SHA256
c3e98086ee6f209c86eea0fc28ae912f415dc1fd35f024d3ba4b7b0937b41cbc

SHA512
00e767ae5c576b471ef8bee1adb38f510df383fa0927f71a23ed296b9b7a0c45b486674eb5234cbbd7146419f92f72e7a6106c03151b2420f00bcb44baecb5fb

Download Submit
C:\Windows\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe

Filesize
204KB

MD5
de07d65e45b9efd836572c024dc304c8

SHA1
b407f27ac419d9f07c69976f5c6e6d49ab51f123

SHA256
628c281a3a41556d17d30a06a1e6c75a338c953373d8b0d1346449f209e3aa92

SHA512
8bfe64880fced5c3892716d8bf401094dca2298bf05fa2e97b40b8375ac68cdc4651ea25121f4e19df41860885f7a2ecc6f9632d506518fd6fe350fe4de22b95

Download Submit
C:\Windows\{519429CC-3A5A-491b-9EA4-BC1D74521BC7}.exe

Filesize
204KB

MD5
de07d65e45b9efd836572c024dc304c8

SHA1
b407f27ac419d9f07c69976f5c6e6d49ab51f123

SHA256
628c281a3a41556d17d30a06a1e6c75a338c953373d8b0d1346449f209e3aa92

SHA512
8bfe64880fced5c3892716d8bf401094dca2298bf05fa2e97b40b8375ac68cdc4651ea25121f4e19df41860885f7a2ecc6f9632d506518fd6fe350fe4de22b95

Download Submit
C:\Windows\{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe

Filesize
204KB

MD5
1579f6ea257757ba1720a5e6bcb41fbf

SHA1
9cf93187fc6d784efb4094ec150427f573447530

SHA256
2633f34605e443e793145af5660a770840c860aad6becead1831c4e4d86ecaef

SHA512
1996d0ee908bff8826814b0759914dcaf55bfe0e8220fce217d8172e18282bbaca30567db62db5f7c7a3c4a12d1dd698d14a3b95ed8fa8fcb72813002b0758d1

Download Submit
C:\Windows\{686F00E3-E010-485b-A88F-E3F0563DBB1A}.exe

Filesize
204KB

MD5
1579f6ea257757ba1720a5e6bcb41fbf

SHA1
9cf93187fc6d784efb4094ec150427f573447530

SHA256
2633f34605e443e793145af5660a770840c860aad6becead1831c4e4d86ecaef

SHA512
1996d0ee908bff8826814b0759914dcaf55bfe0e8220fce217d8172e18282bbaca30567db62db5f7c7a3c4a12d1dd698d14a3b95ed8fa8fcb72813002b0758d1

Download Submit
C:\Windows\{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe

Filesize
204KB

MD5
12b29cddc5fc1baaffbbfd513bdc5b98

SHA1
84b90bb34939d1e4b5ddaa445c89068f5df9c832

SHA256
18407d2fdb3cc5cb3d546b34bebc5717fca74db433465153b8a8a86d380ddeae

SHA512
fbcc4914771a9a05eb9c28757a659447eedec1e5ecfeef043aa3fb97b9ce6883e565f4d09e9e626c57e1b9a80ecf100b9d12674d1379119575811c7bf6624c91

Download Submit
C:\Windows\{83879F5D-600E-44d7-A866-926CB0C70B8F}.exe

Filesize
204KB

MD5
12b29cddc5fc1baaffbbfd513bdc5b98

SHA1
84b90bb34939d1e4b5ddaa445c89068f5df9c832

SHA256
18407d2fdb3cc5cb3d546b34bebc5717fca74db433465153b8a8a86d380ddeae

SHA512
fbcc4914771a9a05eb9c28757a659447eedec1e5ecfeef043aa3fb97b9ce6883e565f4d09e9e626c57e1b9a80ecf100b9d12674d1379119575811c7bf6624c91

Download Submit
C:\Windows\{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe

Filesize
204KB

MD5
51187bfe51f6d72b11d118118fcb83a7

SHA1
a050dd01e6bd056fa1e58b7772db748e06b80f08

SHA256
71a375ad133cd1195d4c656d3111d3c4574b637b67bc425da15dbb25e8c6a7b1

SHA512
a925b294ab0f0b5d7715a558e3f4eacaa6f10a0f3cc56dd4e06f5afe3aff8ec138970c176a1b3d16df1fc99bcdc61868168d4be507dd2e75f051ff95fa910fb4

Download Submit
C:\Windows\{B369C57F-C84C-47f2-8207-4F58DECD3C97}.exe

Filesize
204KB

MD5
51187bfe51f6d72b11d118118fcb83a7

SHA1
a050dd01e6bd056fa1e58b7772db748e06b80f08

SHA256
71a375ad133cd1195d4c656d3111d3c4574b637b67bc425da15dbb25e8c6a7b1

SHA512
a925b294ab0f0b5d7715a558e3f4eacaa6f10a0f3cc56dd4e06f5afe3aff8ec138970c176a1b3d16df1fc99bcdc61868168d4be507dd2e75f051ff95fa910fb4

Download Submit
C:\Windows\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe

Filesize
204KB

MD5
21d7d2c09628004d7ce89d4c73143ea7

SHA1
40c6441488464db128fe7f92e8a72d2b2fa6a676

SHA256
12f4537733bcdd40778841f081cf4cd74c7b21cc2734976139d4637ac32e2a1a

SHA512
58387d4447dec90eb011307e1527bd2ae8aa5bf904acce2049856204c7342e880226f9c2610677dcb4f76487bd51b13947fa22505b22b89d0d05edd3b49a21e3

Download Submit
C:\Windows\{C01D0E0F-7E9E-4f61-BD42-FA6227A7071A}.exe

Filesize
204KB

MD5
21d7d2c09628004d7ce89d4c73143ea7

SHA1
40c6441488464db128fe7f92e8a72d2b2fa6a676

SHA256
12f4537733bcdd40778841f081cf4cd74c7b21cc2734976139d4637ac32e2a1a

SHA512
58387d4447dec90eb011307e1527bd2ae8aa5bf904acce2049856204c7342e880226f9c2610677dcb4f76487bd51b13947fa22505b22b89d0d05edd3b49a21e3

Download Submit
C:\Windows\{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe

Filesize
204KB

MD5
ab91ec993caa2b9bffd42ce0ae8c2923

SHA1
66ff9151c39f17e1cb43b1d61d1e3937a278311c

SHA256
7718796d368f91fd58b0a13502e5bdf135d3318f91798187783437e5be72522b

SHA512
af6fd551ff2df73dbcf63c961e378c5024c231870c215b4f7df8a4f99b88b190f52da037a17af88abcb95977af19a6f2f1b8b851f0c1576c74d4f00fa07d4eda

Download Submit
C:\Windows\{DED77035-869C-46f5-95D1-2EA0EAC49509}.exe

Filesize
204KB

MD5
ab91ec993caa2b9bffd42ce0ae8c2923

SHA1
66ff9151c39f17e1cb43b1d61d1e3937a278311c

SHA256
7718796d368f91fd58b0a13502e5bdf135d3318f91798187783437e5be72522b

SHA512
af6fd551ff2df73dbcf63c961e378c5024c231870c215b4f7df8a4f99b88b190f52da037a17af88abcb95977af19a6f2f1b8b851f0c1576c74d4f00fa07d4eda

Download Submit
C:\Windows\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe

Filesize
204KB

MD5
53ad79cfb59b6d70ebc0497d370ee998

SHA1
cb0e7836c5477a772749eb98cface353660ec3ea

SHA256
102b31ff2b49090ec34be73a35d586d974618886432420821758bc9873584c59

SHA512
deee166fa094c2ab8066b7c976420be5bddd572af7420cdee3ecaf1b1970c65a57ab48a4b07865fd81786ea97a0a503769af4d74435b8e3f89a9725431537610

Download Submit
C:\Windows\{EDD00790-DE11-4a90-8C96-0C3A3E4A1CE5}.exe

Filesize
204KB

MD5
53ad79cfb59b6d70ebc0497d370ee998

SHA1
cb0e7836c5477a772749eb98cface353660ec3ea

SHA256
102b31ff2b49090ec34be73a35d586d974618886432420821758bc9873584c59

SHA512
deee166fa094c2ab8066b7c976420be5bddd572af7420cdee3ecaf1b1970c65a57ab48a4b07865fd81786ea97a0a503769af4d74435b8e3f89a9725431537610

Download Submit
C:\Windows\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe

Filesize
204KB

MD5
5a9c1f3babc686166b35558a96ab8199

SHA1
d3b7b0a7ba607f7fae39cae77dee6e4d392469fd

SHA256
9b37b18b6a151fd0465b4ddf06531c0505c20d0a5180cb86a47250d3e4cb4e73

SHA512
bcfaeb04c4482d2cc042a604ec950983d423e617eff3c0f1a278ac687b432d7611d5d0abd662090708ab8a8378b9d3f1841f6b318ff49c05bf10c148bb8e084f

Download Submit
C:\Windows\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe

Filesize
204KB

MD5
5a9c1f3babc686166b35558a96ab8199

SHA1
d3b7b0a7ba607f7fae39cae77dee6e4d392469fd

SHA256
9b37b18b6a151fd0465b4ddf06531c0505c20d0a5180cb86a47250d3e4cb4e73

SHA512
bcfaeb04c4482d2cc042a604ec950983d423e617eff3c0f1a278ac687b432d7611d5d0abd662090708ab8a8378b9d3f1841f6b318ff49c05bf10c148bb8e084f

Download Submit
C:\Windows\{F194BEA1-828C-4283-9577-0762FFAF91F8}.exe

Filesize
204KB

MD5
5a9c1f3babc686166b35558a96ab8199

SHA1
d3b7b0a7ba607f7fae39cae77dee6e4d392469fd

SHA256
9b37b18b6a151fd0465b4ddf06531c0505c20d0a5180cb86a47250d3e4cb4e73

SHA512
bcfaeb04c4482d2cc042a604ec950983d423e617eff3c0f1a278ac687b432d7611d5d0abd662090708ab8a8378b9d3f1841f6b318ff49c05bf10c148bb8e084f

Download Submit