fa3e0cd0c84f2f2761db01d21bfdf26bd886387a609e3fc1853804a7be4a9815

Analysis

max time kernel
146s
max time network
30s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cd9e212cb170exeexeexeex.exe
Size

204KB
MD5

59cd9e212cb170d5bd298c4bcddc7c68
SHA1

d2c4479f3a99461cc2ff308ee1c9fe2877dbc205
SHA256

fa3e0cd0c84f2f2761db01d21bfdf26bd886387a609e3fc1853804a7be4a9815
SHA512

a0b6eb886638e08c9bb17ffbcf3dc8b675acdb2ff392aeed838c935dae82b2a49543ad92d2e1d6589f1c9808ffb936a57961588429e1d983be3d7b0c4848e316
SSDEEP

1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E158B1C-DADD-407d-A62F-85C01B20B077}\stubpath = "C:\\Windows\\{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe"	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}	{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}	59cd9e212cb170exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E158B1C-DADD-407d-A62F-85C01B20B077}	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}	{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}\stubpath = "C:\\Windows\\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe"	{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}\stubpath = "C:\\Windows\\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe"	{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}\stubpath = "C:\\Windows\\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe"	{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}\stubpath = "C:\\Windows\\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe"	{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}	{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C991808D-03D1-472b-8FED-ADF6599061E4}	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C991808D-03D1-472b-8FED-ADF6599061E4}\stubpath = "C:\\Windows\\{C991808D-03D1-472b-8FED-ADF6599061E4}.exe"	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}\stubpath = "C:\\Windows\\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe"	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47441729-0535-4577-835B-81D4F6F4C535}	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F2D341-F774-4fb6-9B89-05365C3931AD}	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F2D341-F774-4fb6-9B89-05365C3931AD}\stubpath = "C:\\Windows\\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe"	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47441729-0535-4577-835B-81D4F6F4C535}\stubpath = "C:\\Windows\\{47441729-0535-4577-835B-81D4F6F4C535}.exe"	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}	{47441729-0535-4577-835B-81D4F6F4C535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}\stubpath = "C:\\Windows\\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe"	{47441729-0535-4577-835B-81D4F6F4C535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}	{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}\stubpath = "C:\\Windows\\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe"	59cd9e212cb170exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}\stubpath = "C:\\Windows\\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe"	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}	{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}\stubpath = "C:\\Windows\\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}.exe"	{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe
1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
2436	{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
2640	{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
2876	{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
2520	{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe
2548	{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe
2560	{7C83BF36-30EC-4086-8FDD-0B775C2592A1}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}.exe	{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe
File created	C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	59cd9e212cb170exeexeexeex.exe
File created	C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
File created	C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
File created	C:\Windows\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	{47441729-0535-4577-835B-81D4F6F4C535}.exe
File created	C:\Windows\{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
File created	C:\Windows\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe	{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
File created	C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
File created	C:\Windows\{47441729-0535-4577-835B-81D4F6F4C535}.exe	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
File created	C:\Windows\{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
File created	C:\Windows\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe	{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
File created	C:\Windows\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe	{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
File created	C:\Windows\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe	{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	59cd9e212cb170exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
Token: SeIncBasePriorityPrivilege	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
Token: SeIncBasePriorityPrivilege	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
Token: SeIncBasePriorityPrivilege	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
Token: SeIncBasePriorityPrivilege	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe
Token: SeIncBasePriorityPrivilege	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
Token: SeIncBasePriorityPrivilege	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
Token: SeIncBasePriorityPrivilege	2436	{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
Token: SeIncBasePriorityPrivilege	2640	{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
Token: SeIncBasePriorityPrivilege	2876	{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
Token: SeIncBasePriorityPrivilege	2520	{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe
Token: SeIncBasePriorityPrivilege	2548	{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2368	2220	59cd9e212cb170exeexeexeex.exe	28
PID 2220 wrote to memory of 2368	2220	59cd9e212cb170exeexeexeex.exe	28
PID 2220 wrote to memory of 2368	2220	59cd9e212cb170exeexeexeex.exe	28
PID 2220 wrote to memory of 2368	2220	59cd9e212cb170exeexeexeex.exe	28
PID 2220 wrote to memory of 3004	2220	59cd9e212cb170exeexeexeex.exe	29
PID 2220 wrote to memory of 3004	2220	59cd9e212cb170exeexeexeex.exe	29
PID 2220 wrote to memory of 3004	2220	59cd9e212cb170exeexeexeex.exe	29
PID 2220 wrote to memory of 3004	2220	59cd9e212cb170exeexeexeex.exe	29
PID 2368 wrote to memory of 1532	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2368 wrote to memory of 1532	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2368 wrote to memory of 1532	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2368 wrote to memory of 1532	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2368 wrote to memory of 1704	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2368 wrote to memory of 1704	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2368 wrote to memory of 1704	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2368 wrote to memory of 1704	2368	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 1532 wrote to memory of 1356	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 1532 wrote to memory of 1356	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 1532 wrote to memory of 1356	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 1532 wrote to memory of 1356	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 1532 wrote to memory of 1636	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 1532 wrote to memory of 1636	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 1532 wrote to memory of 1636	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 1532 wrote to memory of 1636	1532	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 1356 wrote to memory of 1700	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 1700	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 1700	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 1700	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 1588	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1356 wrote to memory of 1588	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1356 wrote to memory of 1588	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1356 wrote to memory of 1588	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1700 wrote to memory of 1108	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 1700 wrote to memory of 1108	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 1700 wrote to memory of 1108	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 1700 wrote to memory of 1108	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 1700 wrote to memory of 2240	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 1700 wrote to memory of 2240	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 1700 wrote to memory of 2240	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 1700 wrote to memory of 2240	1700	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 1108 wrote to memory of 1460	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	38
PID 1108 wrote to memory of 1460	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	38
PID 1108 wrote to memory of 1460	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	38
PID 1108 wrote to memory of 1460	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	38
PID 1108 wrote to memory of 1496	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	39
PID 1108 wrote to memory of 1496	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	39
PID 1108 wrote to memory of 1496	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	39
PID 1108 wrote to memory of 1496	1108	{47441729-0535-4577-835B-81D4F6F4C535}.exe	39
PID 1460 wrote to memory of 568	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	40
PID 1460 wrote to memory of 568	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	40
PID 1460 wrote to memory of 568	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	40
PID 1460 wrote to memory of 568	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	40
PID 1460 wrote to memory of 2244	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	41
PID 1460 wrote to memory of 2244	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	41
PID 1460 wrote to memory of 2244	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	41
PID 1460 wrote to memory of 2244	1460	{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe	41
PID 568 wrote to memory of 2436	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	42
PID 568 wrote to memory of 2436	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	42
PID 568 wrote to memory of 2436	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	42
PID 568 wrote to memory of 2436	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	42
PID 568 wrote to memory of 1096	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	43
PID 568 wrote to memory of 1096	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	43
PID 568 wrote to memory of 1096	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	43
PID 568 wrote to memory of 1096	568	{C991808D-03D1-472b-8FED-ADF6599061E4}.exe	43

C:\Users\Admin\AppData\Local\Temp\59cd9e212cb170exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\59cd9e212cb170exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
  C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
    C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
      C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2F2D~1.EXE > nul
        5⤵
        
        PID:1588
    - - C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
        
        C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\{47441729-0535-4577-835B-81D4F6F4C535}.exe
        
        C:\Windows\{47441729-0535-4577-835B-81D4F6F4C535}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
        
        C:\Windows\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
        
        C:\Windows\{C991808D-03D1-472b-8FED-ADF6599061E4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
        
        C:\Windows\{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E158~1.EXE > nul
        10⤵
        
        PID:2792
        
        C:\Windows\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
        
        C:\Windows\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
        
        C:\Windows\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A57AE~1.EXE > nul
        12⤵
        
        PID:2952
        
        C:\Windows\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe
        
        C:\Windows\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe
        
        C:\Windows\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89EFA~1.EXE > nul
        14⤵
        
        PID:2516
        
        C:\Windows\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}.exe
        
        C:\Windows\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}.exe
        14⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA701~1.EXE > nul
        13⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2E9~1.EXE > nul
        11⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9918~1.EXE > nul
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62723~1.EXE > nul
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47441~1.EXE > nul
        7⤵
        
        PID:1496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8982C~1.EXE > nul
        6⤵
        
        PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E82EA~1.EXE > nul
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CCCB~1.EXE > nul
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59CD9E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{47441729-0535-4577-835B-81D4F6F4C535}.exe

Filesize
204KB

MD5
bb746333efa46c0786b5e6576e6a0b5f

SHA1
14386bacb683d9d295c6906f1422407461a25182

SHA256
ec6070e9d71524fde4c650d03baa1d54a447e6a3c2a52064056bf0597ffb0776

SHA512
36ec201d3cfda489c5512eb25ce105616a7325f2d66ad8cd6d05d4cada460b798cafe4fdf09859982b8989b5477e6dfa499b38dab1c92d9321526a308726beb7

Download Submit
C:\Windows\{47441729-0535-4577-835B-81D4F6F4C535}.exe

Filesize
204KB

MD5
bb746333efa46c0786b5e6576e6a0b5f

SHA1
14386bacb683d9d295c6906f1422407461a25182

SHA256
ec6070e9d71524fde4c650d03baa1d54a447e6a3c2a52064056bf0597ffb0776

SHA512
36ec201d3cfda489c5512eb25ce105616a7325f2d66ad8cd6d05d4cada460b798cafe4fdf09859982b8989b5477e6dfa499b38dab1c92d9321526a308726beb7

Download Submit
C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe

Filesize
204KB

MD5
3e4da7c7f6e84fc6845875d7bbd32aba

SHA1
d45074f4f4da9eb930a1e9a86e4ae998cb3cd988

SHA256
d55567fe360c5fe3edb33a559c23369598997cc03560d6e72129b9c5c794bd40

SHA512
794ee13e5d9aec80fb0ec77c0613f9d91cbcacef398a2f3391459bfbf9c67754b85f1bcdbf80953455c02639d451a663eecd8fbea38274165da942d879dc8459

Download Submit
C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe

Filesize
204KB

MD5
3e4da7c7f6e84fc6845875d7bbd32aba

SHA1
d45074f4f4da9eb930a1e9a86e4ae998cb3cd988

SHA256
d55567fe360c5fe3edb33a559c23369598997cc03560d6e72129b9c5c794bd40

SHA512
794ee13e5d9aec80fb0ec77c0613f9d91cbcacef398a2f3391459bfbf9c67754b85f1bcdbf80953455c02639d451a663eecd8fbea38274165da942d879dc8459

Download Submit
C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe

Filesize
204KB

MD5
3e4da7c7f6e84fc6845875d7bbd32aba

SHA1
d45074f4f4da9eb930a1e9a86e4ae998cb3cd988

SHA256
d55567fe360c5fe3edb33a559c23369598997cc03560d6e72129b9c5c794bd40

SHA512
794ee13e5d9aec80fb0ec77c0613f9d91cbcacef398a2f3391459bfbf9c67754b85f1bcdbf80953455c02639d451a663eecd8fbea38274165da942d879dc8459

Download Submit
C:\Windows\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe

Filesize
204KB

MD5
a335f2c22f077308a5bdbd2af3ef5b92

SHA1
697a4c8e79d1ed7cbad5444fea5acca80cc80e55

SHA256
e52d3bf7e2227d36ba561cdd90aa5fb73af559a3bf5ae0edf055c3c7d6f54094

SHA512
2348a5c8d0b68d76bd8bc691e8daacefdde3c5264248aec2108c3ace115cc213df2a0cc71e7ea97129d783dc1f172abd11dcd8de9aa52b5cbc8a3ab2857909ba

Download Submit
C:\Windows\{5D2E918C-048C-4fb5-86BF-D88A7E78F664}.exe

Filesize
204KB

MD5
a335f2c22f077308a5bdbd2af3ef5b92

SHA1
697a4c8e79d1ed7cbad5444fea5acca80cc80e55

SHA256
e52d3bf7e2227d36ba561cdd90aa5fb73af559a3bf5ae0edf055c3c7d6f54094

SHA512
2348a5c8d0b68d76bd8bc691e8daacefdde3c5264248aec2108c3ace115cc213df2a0cc71e7ea97129d783dc1f172abd11dcd8de9aa52b5cbc8a3ab2857909ba

Download Submit
C:\Windows\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe

Filesize
204KB

MD5
0be0f8690ccd90a01dbbec5bcfb94641

SHA1
0bf5d923642e3508dc80b88aac75c0ee6aca2bec

SHA256
67a0e24eed051b67c1ed3b67ccceefcaa03254ce66e5977db3151ca08b549662

SHA512
44fa791bbf2632ccf11221c5c6a7de87fc15ab703565a5d26e8183e58e27e25481a3baa0fd76fd43656070d1694cb519c0724b0565e49c22d297c0407b35e439

Download Submit
C:\Windows\{627231A5-0C1B-466c-BB2E-2E4C231EB0AD}.exe

Filesize
204KB

MD5
0be0f8690ccd90a01dbbec5bcfb94641

SHA1
0bf5d923642e3508dc80b88aac75c0ee6aca2bec

SHA256
67a0e24eed051b67c1ed3b67ccceefcaa03254ce66e5977db3151ca08b549662

SHA512
44fa791bbf2632ccf11221c5c6a7de87fc15ab703565a5d26e8183e58e27e25481a3baa0fd76fd43656070d1694cb519c0724b0565e49c22d297c0407b35e439

Download Submit
C:\Windows\{7C83BF36-30EC-4086-8FDD-0B775C2592A1}.exe

Filesize
204KB

MD5
f663ab10a08e93d0c1382b3b2c048583

SHA1
73178582e30cb3b2976099ba292aeb656bbdccc7

SHA256
e9bec353da1fbc172fb4758a40c42c036d4fde5e2f65f747a233af220eac3610

SHA512
e02c8bd4c9aefa2002d209bd0c240203f49dc3fc08feccaf9674e2c37d3f5632957afd05a519a93d799ff21afff814cabb74719e42167d41b0b3366bbe3d1997

Download Submit
C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe

Filesize
204KB

MD5
be91004da3c69efa3b41b11a4ba63abf

SHA1
a94783df305554389cd039ce5dd0728107768e90

SHA256
14cab6fe1e5b824dd0ebc39c5437a054d0f2694fa87f4f02b51a9fbf09b84a4d

SHA512
b17ac8af1dbd94497ba03e36b0476761423c419030e5fa3b9af3887cd6b9c716807a0806f58351d2f4e7b12a476e5d21bf112a8b8dba8fc01d3b56463f40cccf

Download Submit
C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe

Filesize
204KB

MD5
be91004da3c69efa3b41b11a4ba63abf

SHA1
a94783df305554389cd039ce5dd0728107768e90

SHA256
14cab6fe1e5b824dd0ebc39c5437a054d0f2694fa87f4f02b51a9fbf09b84a4d

SHA512
b17ac8af1dbd94497ba03e36b0476761423c419030e5fa3b9af3887cd6b9c716807a0806f58351d2f4e7b12a476e5d21bf112a8b8dba8fc01d3b56463f40cccf

Download Submit
C:\Windows\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe

Filesize
204KB

MD5
7f425dc428b1aae68b67be3fba8c1958

SHA1
49cc20f4a3adca8539e53cf41a2b7793edaf4a9c

SHA256
6d166f4a40674d96986f87ae75e1aebabcee33d559346eda311ba0b62a3fe77b

SHA512
701e12593fd4e03d746933dedb0b64fd4a5394923148a4bbdbd4e0377fec9781408bf9d4b5b687aea8e60d044dda1453b773f4dad38e240c70df097ff48aad33

Download Submit
C:\Windows\{89EFA802-BE7A-4b99-B6FD-18E8292124CC}.exe

Filesize
204KB

MD5
7f425dc428b1aae68b67be3fba8c1958

SHA1
49cc20f4a3adca8539e53cf41a2b7793edaf4a9c

SHA256
6d166f4a40674d96986f87ae75e1aebabcee33d559346eda311ba0b62a3fe77b

SHA512
701e12593fd4e03d746933dedb0b64fd4a5394923148a4bbdbd4e0377fec9781408bf9d4b5b687aea8e60d044dda1453b773f4dad38e240c70df097ff48aad33

Download Submit
C:\Windows\{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe

Filesize
204KB

MD5
9a80f49bc1cf7710ba6fe732cba88dc9

SHA1
aaa3e115d1fd2306cd127057a54980bca16797ad

SHA256
93fb9bfe4c983ba524e105f62b7b086ea5e084c954e9f5e78977f097e65a95b9

SHA512
043204d94afa064fc7feca72dd262d90743e1d328252b9586c84de2079fad01dd331cf3a1cf48957dc70c1c15fdf95df7b07c1c26ac380b4aa21cea0d329a878

Download Submit
C:\Windows\{8E158B1C-DADD-407d-A62F-85C01B20B077}.exe

Filesize
204KB

MD5
9a80f49bc1cf7710ba6fe732cba88dc9

SHA1
aaa3e115d1fd2306cd127057a54980bca16797ad

SHA256
93fb9bfe4c983ba524e105f62b7b086ea5e084c954e9f5e78977f097e65a95b9

SHA512
043204d94afa064fc7feca72dd262d90743e1d328252b9586c84de2079fad01dd331cf3a1cf48957dc70c1c15fdf95df7b07c1c26ac380b4aa21cea0d329a878

Download Submit
C:\Windows\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe

Filesize
204KB

MD5
323bc35fed661e65eb51de1cfa3ed125

SHA1
a0e5747113a2100901022924c7fc28766f7342d1

SHA256
234176aaad73edb92fe9802a80cd977a19f9d98a0c13682c50f765d927c0f4a4

SHA512
bd0f610a8bebb472cf44600aea6565ad5e9bb193b81f53a9c48500c8e6c4a763556ce1c67a53a9023bb0f80df79576202262a9ac50e89d261655d063be97c65f

Download Submit
C:\Windows\{A57AE6CC-A89A-44e5-AB4C-654C09E1A729}.exe

Filesize
204KB

MD5
323bc35fed661e65eb51de1cfa3ed125

SHA1
a0e5747113a2100901022924c7fc28766f7342d1

SHA256
234176aaad73edb92fe9802a80cd977a19f9d98a0c13682c50f765d927c0f4a4

SHA512
bd0f610a8bebb472cf44600aea6565ad5e9bb193b81f53a9c48500c8e6c4a763556ce1c67a53a9023bb0f80df79576202262a9ac50e89d261655d063be97c65f

Download Submit
C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe

Filesize
204KB

MD5
92456a1d516400911eb2876e3b56744a

SHA1
8085dc007ecf93ebf0bddb8d4bbec7192989f639

SHA256
b9dc14d0ce71e9164fd837ec77294b1bcbc4fc8ad0b5fbdc20f016716a1979e4

SHA512
19e5b694ebfb8131ee0c52576815fa8d557a6639b523e92fcdf7096a73d4890fb79a0726d4e84610f775d3a61fb59a340665c186c4ea3a167ee970a4b70f0198

Download Submit
C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe

Filesize
204KB

MD5
92456a1d516400911eb2876e3b56744a

SHA1
8085dc007ecf93ebf0bddb8d4bbec7192989f639

SHA256
b9dc14d0ce71e9164fd837ec77294b1bcbc4fc8ad0b5fbdc20f016716a1979e4

SHA512
19e5b694ebfb8131ee0c52576815fa8d557a6639b523e92fcdf7096a73d4890fb79a0726d4e84610f775d3a61fb59a340665c186c4ea3a167ee970a4b70f0198

Download Submit
C:\Windows\{C991808D-03D1-472b-8FED-ADF6599061E4}.exe

Filesize
204KB

MD5
9cee78745d37949c29ab75fc3c56b846

SHA1
86643120ede52c0aefff07e5567698c1f8e0f78d

SHA256
408b3dd9322ad92df6861a009258adb0f2f50b3af6d17c2c886924aa1435ba4d

SHA512
fedc6856ac3376ba07a31913888b1766d200f174b5e114e7c65fd5839cd355adc9c34e54ff7b1d8402747cd37cfad0ea7de155701d91481ce250f39ad1d5402f

Download Submit
C:\Windows\{C991808D-03D1-472b-8FED-ADF6599061E4}.exe

Filesize
204KB

MD5
9cee78745d37949c29ab75fc3c56b846

SHA1
86643120ede52c0aefff07e5567698c1f8e0f78d

SHA256
408b3dd9322ad92df6861a009258adb0f2f50b3af6d17c2c886924aa1435ba4d

SHA512
fedc6856ac3376ba07a31913888b1766d200f174b5e114e7c65fd5839cd355adc9c34e54ff7b1d8402747cd37cfad0ea7de155701d91481ce250f39ad1d5402f

Download Submit
C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe

Filesize
204KB

MD5
07d671a965d3b55c050c537aa3dfc2a0

SHA1
5771eb6e962e21aa01a37ee2bd279a57b9573809

SHA256
6700e8f7ef502fda93538efe28cd5fd484e9a42ee3e288c5ddf8765967eb9a41

SHA512
eadc163c767338a403cfff9e756ed52612b624146321f45c424754f6ec0c8329203d1c15db9952b0a82cb1c60b9c76c99f6e9c316e253d6456339a5f09b27956

Download Submit
C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe

Filesize
204KB

MD5
07d671a965d3b55c050c537aa3dfc2a0

SHA1
5771eb6e962e21aa01a37ee2bd279a57b9573809

SHA256
6700e8f7ef502fda93538efe28cd5fd484e9a42ee3e288c5ddf8765967eb9a41

SHA512
eadc163c767338a403cfff9e756ed52612b624146321f45c424754f6ec0c8329203d1c15db9952b0a82cb1c60b9c76c99f6e9c316e253d6456339a5f09b27956

Download Submit
C:\Windows\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe

Filesize
204KB

MD5
c74a83f69069c597a2f086c1fcbfe835

SHA1
1dbd1646eee0a85a019b25ee3ec1097568f470d8

SHA256
05171de9eece48797934f01f5a268b6b436684a1c20ea31503b719a5b20a9318

SHA512
62ad1050b0f0026c240ba680730bc6c3178aab3f93a67ebdb94737f9a7ffb7a7ce3878ae831806c96d8dc586b0d7c0b475581b2944c962a44cdfe8ec0628aad7

Download Submit
C:\Windows\{EA7017A7-CFBE-49e5-8FB1-4D1E61DAC329}.exe

Filesize
204KB

MD5
c74a83f69069c597a2f086c1fcbfe835

SHA1
1dbd1646eee0a85a019b25ee3ec1097568f470d8

SHA256
05171de9eece48797934f01f5a268b6b436684a1c20ea31503b719a5b20a9318

SHA512
62ad1050b0f0026c240ba680730bc6c3178aab3f93a67ebdb94737f9a7ffb7a7ce3878ae831806c96d8dc586b0d7c0b475581b2944c962a44cdfe8ec0628aad7

Download Submit