29b87e136b6a415315c131af68fe6e0b5d657dbf4b91066f03b7f6730da6a082

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4312efde401009exeexeexeex.exe
Size

204KB
MD5

4312efde4010092f1cd878388f2d145f
SHA1

84a9824315dd90c79c46dc3d5a3b8170be5e4886
SHA256

29b87e136b6a415315c131af68fe6e0b5d657dbf4b91066f03b7f6730da6a082
SHA512

8d2eeb562769fd42b4667768f30674d2baa0d75c31158c5d17c51d696e0c5731b18248b45103026b2c56b3681e3d3c851c79d9bf3d72c1aa0e325b3c13cb3436
SSDEEP

1536:1EGh0oYl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oYl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF36453A-C6DE-45f7-A248-2BC290ECF309}	{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}	{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}\stubpath = "C:\\Windows\\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe"	{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}\stubpath = "C:\\Windows\\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe"	4312efde401009exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91D6169-97F0-4ff6-A227-B064810F387E}	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}	4312efde401009exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}\stubpath = "C:\\Windows\\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe"	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6C1D54-C155-417e-B646-123AB138841C}\stubpath = "C:\\Windows\\{9D6C1D54-C155-417e-B646-123AB138841C}.exe"	{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}\stubpath = "C:\\Windows\\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe"	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}\stubpath = "C:\\Windows\\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe"	{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}	{9D6C1D54-C155-417e-B646-123AB138841C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}\stubpath = "C:\\Windows\\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}.exe"	{9D6C1D54-C155-417e-B646-123AB138841C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}\stubpath = "C:\\Windows\\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe"	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91D6169-97F0-4ff6-A227-B064810F387E}\stubpath = "C:\\Windows\\{E91D6169-97F0-4ff6-A227-B064810F387E}.exe"	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488B9DAB-E76B-46c4-879E-EAF166BB8185}	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488B9DAB-E76B-46c4-879E-EAF166BB8185}\stubpath = "C:\\Windows\\{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe"	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF36453A-C6DE-45f7-A248-2BC290ECF309}\stubpath = "C:\\Windows\\{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe"	{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}	{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6C1D54-C155-417e-B646-123AB138841C}	{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}\stubpath = "C:\\Windows\\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe"	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}\stubpath = "C:\\Windows\\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe"	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe
952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe
2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
2260	{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
2052	{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
2760	{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
2888	{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
2596	{9D6C1D54-C155-417e-B646-123AB138841C}.exe
1728	{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}.exe	{9D6C1D54-C155-417e-B646-123AB138841C}.exe
File created	C:\Windows\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
File created	C:\Windows\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe
File created	C:\Windows\{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe	{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
File created	C:\Windows\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe	{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
File created	C:\Windows\{9D6C1D54-C155-417e-B646-123AB138841C}.exe	{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
File created	C:\Windows\{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
File created	C:\Windows\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe	{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
File created	C:\Windows\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	4312efde401009exeexeexeex.exe
File created	C:\Windows\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
File created	C:\Windows\{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
File created	C:\Windows\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
File created	C:\Windows\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	4312efde401009exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
Token: SeIncBasePriorityPrivilege	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
Token: SeIncBasePriorityPrivilege	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
Token: SeIncBasePriorityPrivilege	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
Token: SeIncBasePriorityPrivilege	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe
Token: SeIncBasePriorityPrivilege	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe
Token: SeIncBasePriorityPrivilege	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
Token: SeIncBasePriorityPrivilege	2260	{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
Token: SeIncBasePriorityPrivilege	2052	{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
Token: SeIncBasePriorityPrivilege	2760	{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
Token: SeIncBasePriorityPrivilege	2888	{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
Token: SeIncBasePriorityPrivilege	2596	{9D6C1D54-C155-417e-B646-123AB138841C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2064	1708	4312efde401009exeexeexeex.exe	29
PID 1708 wrote to memory of 2064	1708	4312efde401009exeexeexeex.exe	29
PID 1708 wrote to memory of 2064	1708	4312efde401009exeexeexeex.exe	29
PID 1708 wrote to memory of 2064	1708	4312efde401009exeexeexeex.exe	29
PID 1708 wrote to memory of 2392	1708	4312efde401009exeexeexeex.exe	30
PID 1708 wrote to memory of 2392	1708	4312efde401009exeexeexeex.exe	30
PID 1708 wrote to memory of 2392	1708	4312efde401009exeexeexeex.exe	30
PID 1708 wrote to memory of 2392	1708	4312efde401009exeexeexeex.exe	30
PID 2064 wrote to memory of 2420	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	31
PID 2064 wrote to memory of 2420	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	31
PID 2064 wrote to memory of 2420	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	31
PID 2064 wrote to memory of 2420	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	31
PID 2064 wrote to memory of 1964	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	32
PID 2064 wrote to memory of 1964	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	32
PID 2064 wrote to memory of 1964	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	32
PID 2064 wrote to memory of 1964	2064	{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe	32
PID 2420 wrote to memory of 464	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	33
PID 2420 wrote to memory of 464	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	33
PID 2420 wrote to memory of 464	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	33
PID 2420 wrote to memory of 464	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	33
PID 2420 wrote to memory of 2116	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	34
PID 2420 wrote to memory of 2116	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	34
PID 2420 wrote to memory of 2116	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	34
PID 2420 wrote to memory of 2116	2420	{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe	34
PID 464 wrote to memory of 2232	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	35
PID 464 wrote to memory of 2232	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	35
PID 464 wrote to memory of 2232	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	35
PID 464 wrote to memory of 2232	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	35
PID 464 wrote to memory of 2564	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	36
PID 464 wrote to memory of 2564	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	36
PID 464 wrote to memory of 2564	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	36
PID 464 wrote to memory of 2564	464	{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe	36
PID 2232 wrote to memory of 2880	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	37
PID 2232 wrote to memory of 2880	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	37
PID 2232 wrote to memory of 2880	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	37
PID 2232 wrote to memory of 2880	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	37
PID 2232 wrote to memory of 1504	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	38
PID 2232 wrote to memory of 1504	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	38
PID 2232 wrote to memory of 1504	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	38
PID 2232 wrote to memory of 1504	2232	{E91D6169-97F0-4ff6-A227-B064810F387E}.exe	38
PID 2880 wrote to memory of 952	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	40
PID 2880 wrote to memory of 952	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	40
PID 2880 wrote to memory of 952	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	40
PID 2880 wrote to memory of 952	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	40
PID 2880 wrote to memory of 2156	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	39
PID 2880 wrote to memory of 2156	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	39
PID 2880 wrote to memory of 2156	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	39
PID 2880 wrote to memory of 2156	2880	{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe	39
PID 952 wrote to memory of 2928	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	42
PID 952 wrote to memory of 2928	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	42
PID 952 wrote to memory of 2928	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	42
PID 952 wrote to memory of 2928	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	42
PID 952 wrote to memory of 2948	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	41
PID 952 wrote to memory of 2948	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	41
PID 952 wrote to memory of 2948	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	41
PID 952 wrote to memory of 2948	952	{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe	41
PID 2928 wrote to memory of 2260	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	44
PID 2928 wrote to memory of 2260	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	44
PID 2928 wrote to memory of 2260	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	44
PID 2928 wrote to memory of 2260	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	44
PID 2928 wrote to memory of 368	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	43
PID 2928 wrote to memory of 368	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	43
PID 2928 wrote to memory of 368	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	43
PID 2928 wrote to memory of 368	2928	{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe	43

C:\Users\Admin\AppData\Local\Temp\4312efde401009exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\4312efde401009exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
  C:\Windows\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
    C:\Windows\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
      C:\Windows\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
        
        C:\Windows\{E91D6169-97F0-4ff6-A227-B064810F387E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe
        
        C:\Windows\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12CCF~1.EXE > nul
        7⤵
        
        PID:2156
        
        C:\Windows\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe
        
        C:\Windows\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC22~1.EXE > nul
        8⤵
        
        PID:2948
        
        C:\Windows\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
        
        C:\Windows\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC42~1.EXE > nul
        9⤵
        
        PID:368
        
        C:\Windows\{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
        
        C:\Windows\{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
        
        C:\Windows\{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF364~1.EXE > nul
        11⤵
        
        PID:2632
        
        C:\Windows\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
        
        C:\Windows\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
        
        C:\Windows\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{9D6C1D54-C155-417e-B646-123AB138841C}.exe
        
        C:\Windows\{9D6C1D54-C155-417e-B646-123AB138841C}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}.exe
        
        C:\Windows\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}.exe
        14⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D6C1~1.EXE > nul
        14⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF9AC~1.EXE > nul
        13⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6493~1.EXE > nul
        12⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{488B9~1.EXE > nul
        10⤵
        
        PID:2724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E91D6~1.EXE > nul
        6⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFF06~1.EXE > nul
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9BA6~1.EXE > nul
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC55~1.EXE > nul
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4312EF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe

Filesize
204KB

MD5
336a41bf0aac22282151fc9e6cc15c9d

SHA1
f15370bd8cbdb7481308e381eaee2aff51c30f34

SHA256
a8dd7d450201d130f3b11fa254492c47fbb5caa2ca532c3d0f6cbec3a3e32a5e

SHA512
4d9f30dfa51f6a95299cc0b1d2c91873cf235fadbf981a0efeeab5f6aed3ee459af1fed1e01b1a24ddc64df07e07021298b821da97b3d740bb814292aad68a07

Download Submit
C:\Windows\{12CCFC65-9F94-4217-83F7-6CCB9C4BBE03}.exe

Filesize
204KB

MD5
336a41bf0aac22282151fc9e6cc15c9d

SHA1
f15370bd8cbdb7481308e381eaee2aff51c30f34

SHA256
a8dd7d450201d130f3b11fa254492c47fbb5caa2ca532c3d0f6cbec3a3e32a5e

SHA512
4d9f30dfa51f6a95299cc0b1d2c91873cf235fadbf981a0efeeab5f6aed3ee459af1fed1e01b1a24ddc64df07e07021298b821da97b3d740bb814292aad68a07

Download Submit
C:\Windows\{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe

Filesize
204KB

MD5
613faa1352001d0b81b001fb6ef53528

SHA1
081de322e48a7e34188c380069d7f46da31bb644

SHA256
1db9ec7e1840245e11bab508bbb1152db9b6158d6cbb620f7aa2682b0facb474

SHA512
99953144d40e3e26e5eb0a1b6b0ae608a6a4ed5ec0c68224d2a644f6cca10b73d382071254173a9ab85687e1b5ec45344633af927b39f3c99c4feb9b924d1ac2

Download Submit
C:\Windows\{488B9DAB-E76B-46c4-879E-EAF166BB8185}.exe

Filesize
204KB

MD5
613faa1352001d0b81b001fb6ef53528

SHA1
081de322e48a7e34188c380069d7f46da31bb644

SHA256
1db9ec7e1840245e11bab508bbb1152db9b6158d6cbb620f7aa2682b0facb474

SHA512
99953144d40e3e26e5eb0a1b6b0ae608a6a4ed5ec0c68224d2a644f6cca10b73d382071254173a9ab85687e1b5ec45344633af927b39f3c99c4feb9b924d1ac2

Download Submit
C:\Windows\{7D0C84C0-7ABE-43b3-B865-E8FD8AC4B2D6}.exe

Filesize
204KB

MD5
0e5cbf0c904f7eaea8f50eda59831372

SHA1
60a3355fe1a54de510cf00436d8703a74ff8d81c

SHA256
e88ad0935f14f7d811817d937875d170b28c6c20366073d59fbc9ebac6f231c7

SHA512
7f43113e3eabc1399da4344390f582a6b97b7f0db636743802fd6f4e1bd562206a23ab3732edc45bf488ebe0c8a905f0937385ad524705db251e479d7be44daa

Download Submit
C:\Windows\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe

Filesize
204KB

MD5
370487ac364cae238066dbd21f756871

SHA1
d6736bb9f9810161aba30dd2cf96aa34042716a2

SHA256
7dd755b945c6fb29348f402cb1ad21490495bb1ebb8ad9b45a89aebc392678bf

SHA512
4d1ff8c6821525a655fef786868a2c5f1b97cb8952b73e527288625540b8637c7ec5fed7474c9d657b99865e93b555c6f0b08024ad148f74580754a98735d8bb

Download Submit
C:\Windows\{8DC428F2-5EE4-4bbb-ADBC-6052C738F3B3}.exe

Filesize
204KB

MD5
370487ac364cae238066dbd21f756871

SHA1
d6736bb9f9810161aba30dd2cf96aa34042716a2

SHA256
7dd755b945c6fb29348f402cb1ad21490495bb1ebb8ad9b45a89aebc392678bf

SHA512
4d1ff8c6821525a655fef786868a2c5f1b97cb8952b73e527288625540b8637c7ec5fed7474c9d657b99865e93b555c6f0b08024ad148f74580754a98735d8bb

Download Submit
C:\Windows\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe

Filesize
204KB

MD5
fdc9ef927f827a911fa7a8c6992af892

SHA1
391966f4fc96b1923c1fc8404661ed6698338082

SHA256
19ffe516cfb6ce62b2609bbd1c2cb4fc2b1f66989e8b4f084fa060fafa538995

SHA512
624228448f2154b95fe119694948dbbdff9c8e1390f9bfd987cb6683ad284a43ff991f85f0cde1a366645b255c142d5804aa0f7135c34dc2ddd8a834fc3cad91

Download Submit
C:\Windows\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe

Filesize
204KB

MD5
fdc9ef927f827a911fa7a8c6992af892

SHA1
391966f4fc96b1923c1fc8404661ed6698338082

SHA256
19ffe516cfb6ce62b2609bbd1c2cb4fc2b1f66989e8b4f084fa060fafa538995

SHA512
624228448f2154b95fe119694948dbbdff9c8e1390f9bfd987cb6683ad284a43ff991f85f0cde1a366645b255c142d5804aa0f7135c34dc2ddd8a834fc3cad91

Download Submit
C:\Windows\{8DC55F47-31CE-49db-B5C2-0D2A71A1D9EE}.exe

Filesize
204KB

MD5
fdc9ef927f827a911fa7a8c6992af892

SHA1
391966f4fc96b1923c1fc8404661ed6698338082

SHA256
19ffe516cfb6ce62b2609bbd1c2cb4fc2b1f66989e8b4f084fa060fafa538995

SHA512
624228448f2154b95fe119694948dbbdff9c8e1390f9bfd987cb6683ad284a43ff991f85f0cde1a366645b255c142d5804aa0f7135c34dc2ddd8a834fc3cad91

Download Submit
C:\Windows\{9D6C1D54-C155-417e-B646-123AB138841C}.exe

Filesize
204KB

MD5
a89d6ac79f2a477ed0ee306b001c7031

SHA1
6d79119d6d744897397421335ca73048ee25c678

SHA256
024e908ca38e0f6789881bcac523dab5709932c9fc0bc2ba86ce9adf18219814

SHA512
7629b14f6481221fd685257fbff19bf507a9bd3efd2080da7f5e64af9db7cc23c180b8a08f838290136ed617f4df9e14f5fb75986393975011dece183d0ce858

Download Submit
C:\Windows\{9D6C1D54-C155-417e-B646-123AB138841C}.exe

Filesize
204KB

MD5
a89d6ac79f2a477ed0ee306b001c7031

SHA1
6d79119d6d744897397421335ca73048ee25c678

SHA256
024e908ca38e0f6789881bcac523dab5709932c9fc0bc2ba86ce9adf18219814

SHA512
7629b14f6481221fd685257fbff19bf507a9bd3efd2080da7f5e64af9db7cc23c180b8a08f838290136ed617f4df9e14f5fb75986393975011dece183d0ce858

Download Submit
C:\Windows\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe

Filesize
204KB

MD5
e331e494c400af2d6bfc80d6130cad38

SHA1
11bdf7a245505f23b35d83d1f9d29e45447be13f

SHA256
2cf81dbe3cc98bc395db6ae7f6095091db48c7f2bd340af18b07a75f6f51af4a

SHA512
f2551efbedf6f6a04d0413fad3bd0e03cd10eb0aa9865d26290b73155ed51fc1f87e27b7b483e1a67bc20cbf60c1c79613435b1b0819e4b0ed639858d568a53f

Download Submit
C:\Windows\{9EC22BA5-6F64-4162-91E7-B0DF4CDA5419}.exe

Filesize
204KB

MD5
e331e494c400af2d6bfc80d6130cad38

SHA1
11bdf7a245505f23b35d83d1f9d29e45447be13f

SHA256
2cf81dbe3cc98bc395db6ae7f6095091db48c7f2bd340af18b07a75f6f51af4a

SHA512
f2551efbedf6f6a04d0413fad3bd0e03cd10eb0aa9865d26290b73155ed51fc1f87e27b7b483e1a67bc20cbf60c1c79613435b1b0819e4b0ed639858d568a53f

Download Submit
C:\Windows\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe

Filesize
204KB

MD5
385e966c3d9c44f934a747f7e96dc261

SHA1
666fbb3dfbed4a7641350d2fc43bc8e57edfa453

SHA256
5151980407b0a9f977733e828e8998023f0e52a87a95c29c59f87817b42e07ee

SHA512
55ab8fc2d791d9c8fc14171d7507918ea3bb531c40b24d84ef3facc7780964173bfd5a3a103bd5841fb98ee16b9132797e76483925b5893268b2982e6a8ae7a1

Download Submit
C:\Windows\{A9BA6FB1-B01E-4dec-AEEF-B9AAC0104243}.exe

Filesize
204KB

MD5
385e966c3d9c44f934a747f7e96dc261

SHA1
666fbb3dfbed4a7641350d2fc43bc8e57edfa453

SHA256
5151980407b0a9f977733e828e8998023f0e52a87a95c29c59f87817b42e07ee

SHA512
55ab8fc2d791d9c8fc14171d7507918ea3bb531c40b24d84ef3facc7780964173bfd5a3a103bd5841fb98ee16b9132797e76483925b5893268b2982e6a8ae7a1

Download Submit
C:\Windows\{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe

Filesize
204KB

MD5
db02a06d94ed8b4bf012e18722f768ce

SHA1
74877bfe106ea4c237ddeac8b402f4ece61abe6a

SHA256
01d962dff64d67d0ec41e860caa02bbd269d7756f51b46f89405d5280c42bdd7

SHA512
3d1a879f377145eff39a178a3336c2c8dea9683ef1fc97a83d23337d7de71508d5cffd99f12d7fb8e0c016690952ce8390726ca04fe91d7b00a2b989fcf00bb3

Download Submit
C:\Windows\{AF36453A-C6DE-45f7-A248-2BC290ECF309}.exe

Filesize
204KB

MD5
db02a06d94ed8b4bf012e18722f768ce

SHA1
74877bfe106ea4c237ddeac8b402f4ece61abe6a

SHA256
01d962dff64d67d0ec41e860caa02bbd269d7756f51b46f89405d5280c42bdd7

SHA512
3d1a879f377145eff39a178a3336c2c8dea9683ef1fc97a83d23337d7de71508d5cffd99f12d7fb8e0c016690952ce8390726ca04fe91d7b00a2b989fcf00bb3

Download Submit
C:\Windows\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe

Filesize
204KB

MD5
955dd190b6f3109c55dce36601774f8a

SHA1
f00d7c9b58a796253232f13e7ada6b671ccb305f

SHA256
d59f3b73cfad57ccd5fb87dfe08407733f4e2952d5335a0f17013111e6044e9a

SHA512
5a11bb907201ac46aad7ac301031c85694b9fec3bdcb75ca9b66728d393c27acabe6e142368dd72c1bfb4a070ebdce5272d36fa711d6d3775dd626bca699c4ac

Download Submit
C:\Windows\{B6493548-BB95-4b70-83E6-57FEB5AEBF04}.exe

Filesize
204KB

MD5
955dd190b6f3109c55dce36601774f8a

SHA1
f00d7c9b58a796253232f13e7ada6b671ccb305f

SHA256
d59f3b73cfad57ccd5fb87dfe08407733f4e2952d5335a0f17013111e6044e9a

SHA512
5a11bb907201ac46aad7ac301031c85694b9fec3bdcb75ca9b66728d393c27acabe6e142368dd72c1bfb4a070ebdce5272d36fa711d6d3775dd626bca699c4ac

Download Submit
C:\Windows\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe

Filesize
204KB

MD5
21afae3ccb2f41fd703be079ed24e354

SHA1
afbe7a2d4c5f50565f8af2de35455e514cf5a3d1

SHA256
a3be1d37e00dbac9d1caf0d4308272ecb56b6472d5c06abc2d45b39fe8b19eb3

SHA512
2d5bfa32d6dbe56bddb410fe82daad1d7a1140f38a5d71accc20dee572625e2547c07078adfc07a6299fb74390b037aa89f20933e685667be947ade4343cb6c8

Download Submit
C:\Windows\{DFF0635F-CA53-4e19-87B1-62D5D1C50E82}.exe

Filesize
204KB

MD5
21afae3ccb2f41fd703be079ed24e354

SHA1
afbe7a2d4c5f50565f8af2de35455e514cf5a3d1

SHA256
a3be1d37e00dbac9d1caf0d4308272ecb56b6472d5c06abc2d45b39fe8b19eb3

SHA512
2d5bfa32d6dbe56bddb410fe82daad1d7a1140f38a5d71accc20dee572625e2547c07078adfc07a6299fb74390b037aa89f20933e685667be947ade4343cb6c8

Download Submit
C:\Windows\{E91D6169-97F0-4ff6-A227-B064810F387E}.exe

Filesize
204KB

MD5
d2c1b988d470a7d959c773bb5d95ae84

SHA1
d23a85de7acaaa5563d66ba38d03cb8ec4f39b74

SHA256
be46d41d130a1c69b6581204457597f84234cff273d7a1e20bd95408920e71a4

SHA512
36450272f643fe17e052a549272e40a9a8c33eb1482bfb006d5c12dd1458b43f1cdcd06b0a0d2fe12e51daaca33c0767421c6edab8727b7e732e5bf03d533d6c

Download Submit
C:\Windows\{E91D6169-97F0-4ff6-A227-B064810F387E}.exe

Filesize
204KB

MD5
d2c1b988d470a7d959c773bb5d95ae84

SHA1
d23a85de7acaaa5563d66ba38d03cb8ec4f39b74

SHA256
be46d41d130a1c69b6581204457597f84234cff273d7a1e20bd95408920e71a4

SHA512
36450272f643fe17e052a549272e40a9a8c33eb1482bfb006d5c12dd1458b43f1cdcd06b0a0d2fe12e51daaca33c0767421c6edab8727b7e732e5bf03d533d6c

Download Submit
C:\Windows\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe

Filesize
204KB

MD5
c2eba14cc0f7f8fdf442ae4768c5db3c

SHA1
ad84d12845d95deddb1615d231acce2308193319

SHA256
caa7c6223d8984e118742148fa4ae74acffbce7054077e83ffae543b1a1350b9

SHA512
184d244d0007fd8521453539989af54c9211421762e40ec210fbd59ffb0d20dd89941c2763e5bad00d829c608ebdf974149970a19d5689a846b2e5c505c2261b

Download Submit
C:\Windows\{FF9AC1DA-B193-4898-85A3-5347B8FD2347}.exe

Filesize
204KB

MD5
c2eba14cc0f7f8fdf442ae4768c5db3c

SHA1
ad84d12845d95deddb1615d231acce2308193319

SHA256
caa7c6223d8984e118742148fa4ae74acffbce7054077e83ffae543b1a1350b9

SHA512
184d244d0007fd8521453539989af54c9211421762e40ec210fbd59ffb0d20dd89941c2763e5bad00d829c608ebdf974149970a19d5689a846b2e5c505c2261b

Download Submit