dde648cf8a337265ab9310a782b11749c51186e8c633accf0692633a9960a51e

Analysis

max time kernel
146s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b32595b4209c1exeexeexeex.exe
Size

408KB
MD5

6b32595b4209c1d63dade7171e20c6f1
SHA1

e0d59b6be02898c3aa428db520b590b39106afb5
SHA256

dde648cf8a337265ab9310a782b11749c51186e8c633accf0692633a9960a51e
SHA512

1a3b2402c6e65cfc06487883cb444399eaa0ad91411612c28d16fed94b6be7e0c8d4231d0469de83df02eca1dd92bc8c2dba57a2ba4d43a66decd5e90fa89ce9
SSDEEP

3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}\stubpath = "C:\\Windows\\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe"	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E140383-7ED9-466a-BC65-2319C2F182A9}	{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E140383-7ED9-466a-BC65-2319C2F182A9}\stubpath = "C:\\Windows\\{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe"	{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}	6b32595b4209c1exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}\stubpath = "C:\\Windows\\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe"	6b32595b4209c1exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}\stubpath = "C:\\Windows\\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe"	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}\stubpath = "C:\\Windows\\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe"	{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23213635-7794-4da9-82D5-BB4A1ABDEC11}\stubpath = "C:\\Windows\\{23213635-7794-4da9-82D5-BB4A1ABDEC11}.exe"	{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}\stubpath = "C:\\Windows\\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe"	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}	{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD13C2F8-763E-42a6-B204-C14D9E12F854}	{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}\stubpath = "C:\\Windows\\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe"	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7219560E-E59E-416f-9F09-185813E0FEDC}	{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7219560E-E59E-416f-9F09-185813E0FEDC}\stubpath = "C:\\Windows\\{7219560E-E59E-416f-9F09-185813E0FEDC}.exe"	{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}\stubpath = "C:\\Windows\\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe"	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD13C2F8-763E-42a6-B204-C14D9E12F854}\stubpath = "C:\\Windows\\{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe"	{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23213635-7794-4da9-82D5-BB4A1ABDEC11}	{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0033F39-62B4-4030-9CAC-7B65B89108A3}	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0033F39-62B4-4030-9CAC-7B65B89108A3}\stubpath = "C:\\Windows\\{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe"	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F009364B-6653-4be8-8802-73BDE1DAAAF2}	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F009364B-6653-4be8-8802-73BDE1DAAAF2}\stubpath = "C:\\Windows\\{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe"	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe
2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
1348	{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
2980	{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
2716	{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
1136	{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
2844	{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe
2824	{23213635-7794-4da9-82D5-BB4A1ABDEC11}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
File created	C:\Windows\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
File created	C:\Windows\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
File created	C:\Windows\{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe	{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
File created	C:\Windows\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe	{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
File created	C:\Windows\{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
File created	C:\Windows\{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe
File created	C:\Windows\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
File created	C:\Windows\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
File created	C:\Windows\{7219560E-E59E-416f-9F09-185813E0FEDC}.exe	{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
File created	C:\Windows\{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe	{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
File created	C:\Windows\{23213635-7794-4da9-82D5-BB4A1ABDEC11}.exe	{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe
File created	C:\Windows\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	6b32595b4209c1exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	6b32595b4209c1exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
Token: SeIncBasePriorityPrivilege	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe
Token: SeIncBasePriorityPrivilege	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
Token: SeIncBasePriorityPrivilege	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
Token: SeIncBasePriorityPrivilege	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
Token: SeIncBasePriorityPrivilege	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
Token: SeIncBasePriorityPrivilege	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
Token: SeIncBasePriorityPrivilege	1348	{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
Token: SeIncBasePriorityPrivilege	2980	{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
Token: SeIncBasePriorityPrivilege	2716	{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
Token: SeIncBasePriorityPrivilege	1136	{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
Token: SeIncBasePriorityPrivilege	2844	{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2088	2120	6b32595b4209c1exeexeexeex.exe	29
PID 2120 wrote to memory of 2088	2120	6b32595b4209c1exeexeexeex.exe	29
PID 2120 wrote to memory of 2088	2120	6b32595b4209c1exeexeexeex.exe	29
PID 2120 wrote to memory of 2088	2120	6b32595b4209c1exeexeexeex.exe	29
PID 2120 wrote to memory of 2344	2120	6b32595b4209c1exeexeexeex.exe	30
PID 2120 wrote to memory of 2344	2120	6b32595b4209c1exeexeexeex.exe	30
PID 2120 wrote to memory of 2344	2120	6b32595b4209c1exeexeexeex.exe	30
PID 2120 wrote to memory of 2344	2120	6b32595b4209c1exeexeexeex.exe	30
PID 2088 wrote to memory of 1824	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	31
PID 2088 wrote to memory of 1824	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	31
PID 2088 wrote to memory of 1824	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	31
PID 2088 wrote to memory of 1824	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	31
PID 2088 wrote to memory of 2056	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	32
PID 2088 wrote to memory of 2056	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	32
PID 2088 wrote to memory of 2056	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	32
PID 2088 wrote to memory of 2056	2088	{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe	32
PID 1824 wrote to memory of 2576	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	34
PID 1824 wrote to memory of 2576	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	34
PID 1824 wrote to memory of 2576	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	34
PID 1824 wrote to memory of 2576	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	34
PID 1824 wrote to memory of 1812	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	33
PID 1824 wrote to memory of 1812	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	33
PID 1824 wrote to memory of 1812	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	33
PID 1824 wrote to memory of 1812	1824	{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe	33
PID 2576 wrote to memory of 1224	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	36
PID 2576 wrote to memory of 1224	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	36
PID 2576 wrote to memory of 1224	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	36
PID 2576 wrote to memory of 1224	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	36
PID 2576 wrote to memory of 2260	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	35
PID 2576 wrote to memory of 2260	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	35
PID 2576 wrote to memory of 2260	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	35
PID 2576 wrote to memory of 2260	2576	{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe	35
PID 1224 wrote to memory of 2256	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	38
PID 1224 wrote to memory of 2256	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	38
PID 1224 wrote to memory of 2256	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	38
PID 1224 wrote to memory of 2256	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	38
PID 1224 wrote to memory of 2064	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	37
PID 1224 wrote to memory of 2064	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	37
PID 1224 wrote to memory of 2064	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	37
PID 1224 wrote to memory of 2064	1224	{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe	37
PID 2256 wrote to memory of 572	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	40
PID 2256 wrote to memory of 572	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	40
PID 2256 wrote to memory of 572	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	40
PID 2256 wrote to memory of 572	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	40
PID 2256 wrote to memory of 692	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	39
PID 2256 wrote to memory of 692	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	39
PID 2256 wrote to memory of 692	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	39
PID 2256 wrote to memory of 692	2256	{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe	39
PID 572 wrote to memory of 2452	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	41
PID 572 wrote to memory of 2452	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	41
PID 572 wrote to memory of 2452	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	41
PID 572 wrote to memory of 2452	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	41
PID 572 wrote to memory of 2160	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	42
PID 572 wrote to memory of 2160	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	42
PID 572 wrote to memory of 2160	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	42
PID 572 wrote to memory of 2160	572	{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe	42
PID 2452 wrote to memory of 1348	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	43
PID 2452 wrote to memory of 1348	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	43
PID 2452 wrote to memory of 1348	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	43
PID 2452 wrote to memory of 1348	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	43
PID 2452 wrote to memory of 2900	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	44
PID 2452 wrote to memory of 2900	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	44
PID 2452 wrote to memory of 2900	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	44
PID 2452 wrote to memory of 2900	2452	{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe	44

C:\Users\Admin\AppData\Local\Temp\6b32595b4209c1exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6b32595b4209c1exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
  C:\Windows\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe
    C:\Windows\{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0033~1.EXE > nul
      4⤵
      PID:1812
  - - C:\Windows\{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
      C:\Windows\{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0093~1.EXE > nul
        5⤵
        
        PID:2260
    - - C:\Windows\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
        
        C:\Windows\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D24FA~1.EXE > nul
        6⤵
        
        PID:2064
      - C:\Windows\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
        
        C:\Windows\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3946~1.EXE > nul
        7⤵
        
        PID:692
        
        C:\Windows\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
        
        C:\Windows\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
        
        C:\Windows\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
        
        C:\Windows\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56B8D~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
        
        C:\Windows\{7219560E-E59E-416f-9F09-185813E0FEDC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
        
        C:\Windows\{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
        
        C:\Windows\{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E140~1.EXE > nul
        13⤵
        
        PID:2664
        
        C:\Windows\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe
        
        C:\Windows\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5C59~1.EXE > nul
        14⤵
        
        PID:2540
        
        C:\Windows\{23213635-7794-4da9-82D5-BB4A1ABDEC11}.exe
        
        C:\Windows\{23213635-7794-4da9-82D5-BB4A1ABDEC11}.exe
        14⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD13C~1.EXE > nul
        12⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72195~1.EXE > nul
        11⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FF57~1.EXE > nul
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D10F~1.EXE > nul
        8⤵
        
        PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20BDB~1.EXE > nul
    3⤵
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6B3259~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe

Filesize
408KB

MD5
916d819d497e7eb3d7ca878f63998853

SHA1
ad390695b5c46d7730bbdd3e499261ee94bda28c

SHA256
a9a8985d697b82d6aa29902503ef2e4b95c7922ff913e8d6352e5a67cd5d8674

SHA512
d2007103e7021b506cd2e41c639d3aceba6aa4ab35e9e6c648017687d29d9625e755d0444f846adbe32b4caf6c9514a42ee37045512b3337012ed99049ae5255

Download Submit
C:\Windows\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe

Filesize
408KB

MD5
916d819d497e7eb3d7ca878f63998853

SHA1
ad390695b5c46d7730bbdd3e499261ee94bda28c

SHA256
a9a8985d697b82d6aa29902503ef2e4b95c7922ff913e8d6352e5a67cd5d8674

SHA512
d2007103e7021b506cd2e41c639d3aceba6aa4ab35e9e6c648017687d29d9625e755d0444f846adbe32b4caf6c9514a42ee37045512b3337012ed99049ae5255

Download Submit
C:\Windows\{20BDB36D-D5D4-4d29-9053-0C79E5FDB4DD}.exe

Filesize
408KB

MD5
916d819d497e7eb3d7ca878f63998853

SHA1
ad390695b5c46d7730bbdd3e499261ee94bda28c

SHA256
a9a8985d697b82d6aa29902503ef2e4b95c7922ff913e8d6352e5a67cd5d8674

SHA512
d2007103e7021b506cd2e41c639d3aceba6aa4ab35e9e6c648017687d29d9625e755d0444f846adbe32b4caf6c9514a42ee37045512b3337012ed99049ae5255

Download Submit
C:\Windows\{23213635-7794-4da9-82D5-BB4A1ABDEC11}.exe

Filesize
408KB

MD5
cdd51107abcc0ac6a672af755c5eda9d

SHA1
18fcbefa372a19229e3f2e02265a3c3507b79a80

SHA256
9af9bfc1d6388f67532d237ca11106a827c78e10f69545db6fc16d32564e7daa

SHA512
1d8d115e5a2a99cd42e6c28bbdfc26a82c775b5f547b5a8f098ab41537a3669eb8c61375672e4706a3a6e8c0d890e4ef927e11ed98b4d14b80e72dfb53e952f7

Download Submit
C:\Windows\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe

Filesize
408KB

MD5
7b4854b9932d5945a288eca9f8cb4d34

SHA1
9439dc531c99c5628ce3f0a1256cf5f86900e4bb

SHA256
278b58600dc6cadae1824cce4393fd3eb2c2ca0cbb383ee8919740765842c4a2

SHA512
af78c357d361572673ebc2862218cfa5a59a9aadb746c08b356c45ed0c31e5fe7ae8cc3aebfdaccaaa4659666e935883b20515d0509957dd0f8bceb6828d9e3d

Download Submit
C:\Windows\{56B8DB3C-8544-4c38-A1ED-E2B6B7D2E3A1}.exe

Filesize
408KB

MD5
7b4854b9932d5945a288eca9f8cb4d34

SHA1
9439dc531c99c5628ce3f0a1256cf5f86900e4bb

SHA256
278b58600dc6cadae1824cce4393fd3eb2c2ca0cbb383ee8919740765842c4a2

SHA512
af78c357d361572673ebc2862218cfa5a59a9aadb746c08b356c45ed0c31e5fe7ae8cc3aebfdaccaaa4659666e935883b20515d0509957dd0f8bceb6828d9e3d

Download Submit
C:\Windows\{7219560E-E59E-416f-9F09-185813E0FEDC}.exe

Filesize
408KB

MD5
27ea315a680760bddfff9103328be5c9

SHA1
ff824be31c1f6e81637e78ebfd861b7f8424ff7b

SHA256
d5ecc915e60e2a3918c8aa31fa59bc6b806891b91888347a863644d895831430

SHA512
3c1663f1b461929a8bba25a62cdb1edea7eed64ad4ef72bfc57810213117d5dd4204c779d8359ebe501a82509b685d0b4fd3f21a793d035f49338c3b560b183a

Download Submit
C:\Windows\{7219560E-E59E-416f-9F09-185813E0FEDC}.exe

Filesize
408KB

MD5
27ea315a680760bddfff9103328be5c9

SHA1
ff824be31c1f6e81637e78ebfd861b7f8424ff7b

SHA256
d5ecc915e60e2a3918c8aa31fa59bc6b806891b91888347a863644d895831430

SHA512
3c1663f1b461929a8bba25a62cdb1edea7eed64ad4ef72bfc57810213117d5dd4204c779d8359ebe501a82509b685d0b4fd3f21a793d035f49338c3b560b183a

Download Submit
C:\Windows\{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe

Filesize
408KB

MD5
1a44aeeec78a1291fb7b5756d2e07835

SHA1
448fecd51477f35ddaa38d31fa995faae1ff89ad

SHA256
0091a06dc9b42194753c23b3bf7301effa71b3ce25a05a31f24082d9472fffe3

SHA512
b3365cfbb5d8884c6658362110456a9e23c45b2e289e33d6e380b1f767baf089feddc41114764c25e0a99bfa7127e08090a07af8ca727f06f7c682a1b179c909

Download Submit
C:\Windows\{7E140383-7ED9-466a-BC65-2319C2F182A9}.exe

Filesize
408KB

MD5
1a44aeeec78a1291fb7b5756d2e07835

SHA1
448fecd51477f35ddaa38d31fa995faae1ff89ad

SHA256
0091a06dc9b42194753c23b3bf7301effa71b3ce25a05a31f24082d9472fffe3

SHA512
b3365cfbb5d8884c6658362110456a9e23c45b2e289e33d6e380b1f767baf089feddc41114764c25e0a99bfa7127e08090a07af8ca727f06f7c682a1b179c909

Download Submit
C:\Windows\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe

Filesize
408KB

MD5
9d42aa876dc31e48f8817e5e9397773b

SHA1
41d2596ff277267cc22864f554a6d0df6b5081cf

SHA256
bab910ddbbfe4ea41e87e47d73e7a956215434ab0b5b9392827154dc3c0b2b9c

SHA512
2afe33f3139aba0d280a09b375974a6c40a00b0b19f6c7034683f9b5b7758a51981b18aad1486ea20d609f5ac273dac02a73607a928b07e2d100836f9bfc850b

Download Submit
C:\Windows\{8D10F69C-A412-42c1-9E4F-5A1D7AD32529}.exe

Filesize
408KB

MD5
9d42aa876dc31e48f8817e5e9397773b

SHA1
41d2596ff277267cc22864f554a6d0df6b5081cf

SHA256
bab910ddbbfe4ea41e87e47d73e7a956215434ab0b5b9392827154dc3c0b2b9c

SHA512
2afe33f3139aba0d280a09b375974a6c40a00b0b19f6c7034683f9b5b7758a51981b18aad1486ea20d609f5ac273dac02a73607a928b07e2d100836f9bfc850b

Download Submit
C:\Windows\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe

Filesize
408KB

MD5
cf597a02d4162449c787f99d6983e0a6

SHA1
9bc438888b5af3ab26a67fc90f573767248a7b3f

SHA256
c39f21bb02a7baba66a37be8fe20cf593e44fe484191c0e5cee65d4ecfe26625

SHA512
b999fd94982e6c35f6fb0d75c27a817b592d387d086524f2426939585eab3aa7a88692f1377622e19f486a31976d4df77588f2c84f724271a6cb582a790d8469

Download Submit
C:\Windows\{8FF57ADA-DA40-4931-AC9F-EFF8C269ED92}.exe

Filesize
408KB

MD5
cf597a02d4162449c787f99d6983e0a6

SHA1
9bc438888b5af3ab26a67fc90f573767248a7b3f

SHA256
c39f21bb02a7baba66a37be8fe20cf593e44fe484191c0e5cee65d4ecfe26625

SHA512
b999fd94982e6c35f6fb0d75c27a817b592d387d086524f2426939585eab3aa7a88692f1377622e19f486a31976d4df77588f2c84f724271a6cb582a790d8469

Download Submit
C:\Windows\{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe

Filesize
408KB

MD5
fb0850b0bdc2727dec9553940b44eb5d

SHA1
eb1f2bc1f159599693fa23f44e3ff2825e892cf3

SHA256
3cb6045e994a428923b0d56b84b883951fb078b2b30fbc387bab38c650d85d81

SHA512
619d4fc6b772b4cfcfacf74211e8961178b0d208cf7c7687e56bc1a7ccd5207c078f015cef317832f8ab40723fa1d4d55fd61466d273409beea170a84e1f269e

Download Submit
C:\Windows\{BD13C2F8-763E-42a6-B204-C14D9E12F854}.exe

Filesize
408KB

MD5
fb0850b0bdc2727dec9553940b44eb5d

SHA1
eb1f2bc1f159599693fa23f44e3ff2825e892cf3

SHA256
3cb6045e994a428923b0d56b84b883951fb078b2b30fbc387bab38c650d85d81

SHA512
619d4fc6b772b4cfcfacf74211e8961178b0d208cf7c7687e56bc1a7ccd5207c078f015cef317832f8ab40723fa1d4d55fd61466d273409beea170a84e1f269e

Download Submit
C:\Windows\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe

Filesize
408KB

MD5
cb11e6b7acf55138ab62eaa8fe389236

SHA1
f4723ffaf6161f95bb9415da15e390e72170af27

SHA256
cc18642460efc68fd917e08460f42ac6e6b5dbc4a0fa13d31afaab04b189f825

SHA512
dcb96ca3bf43abb88924a23099562c278a7a050313a4555bb6e57e78d6c0380a6c506400345513adca01b37bfb5af1ce93ab6de40e70a2bb92d0a7ebdda8c865

Download Submit
C:\Windows\{D24FAF03-DAB5-4ff8-BACF-7A4555A1A150}.exe

Filesize
408KB

MD5
cb11e6b7acf55138ab62eaa8fe389236

SHA1
f4723ffaf6161f95bb9415da15e390e72170af27

SHA256
cc18642460efc68fd917e08460f42ac6e6b5dbc4a0fa13d31afaab04b189f825

SHA512
dcb96ca3bf43abb88924a23099562c278a7a050313a4555bb6e57e78d6c0380a6c506400345513adca01b37bfb5af1ce93ab6de40e70a2bb92d0a7ebdda8c865

Download Submit
C:\Windows\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe

Filesize
408KB

MD5
9e1c902a0ee2ca5e63743ab523848d47

SHA1
360df9d007abcdf2877e774c8ccbfa1d7a9289d9

SHA256
037848a40d7e86e6dcb45f6db94805afb3f46325b1fcdd04d6c88b990afcbe28

SHA512
19004d4900793324d3a29f7aeecf80a7f70599d6855d4e8e4e32d1a5a0b553f81044b73d8dc9901ed33625baf3e39682fbd2604e5fa4246a678abb540789f1c4

Download Submit
C:\Windows\{E5C59632-9E72-4ae7-8B7B-C166579BD9E7}.exe

Filesize
408KB

MD5
9e1c902a0ee2ca5e63743ab523848d47

SHA1
360df9d007abcdf2877e774c8ccbfa1d7a9289d9

SHA256
037848a40d7e86e6dcb45f6db94805afb3f46325b1fcdd04d6c88b990afcbe28

SHA512
19004d4900793324d3a29f7aeecf80a7f70599d6855d4e8e4e32d1a5a0b553f81044b73d8dc9901ed33625baf3e39682fbd2604e5fa4246a678abb540789f1c4

Download Submit
C:\Windows\{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe

Filesize
408KB

MD5
5714c429839fadc0dc1813fd20d17903

SHA1
76bd67587c248d53c5df77589315eac6b9953b5d

SHA256
bb232345c7ac431b52ed7273e9e52425677896a71c4c62a9df669051e25d6903

SHA512
15cad7e51679e69bff941a5c63983a6f66e126f1bf93110df6360066e1e14609e5942d46b8c67399a551db17749ef97430fc2e516a00ebd33d906e2b0daf8f6b

Download Submit
C:\Windows\{F0033F39-62B4-4030-9CAC-7B65B89108A3}.exe

Filesize
408KB

MD5
5714c429839fadc0dc1813fd20d17903

SHA1
76bd67587c248d53c5df77589315eac6b9953b5d

SHA256
bb232345c7ac431b52ed7273e9e52425677896a71c4c62a9df669051e25d6903

SHA512
15cad7e51679e69bff941a5c63983a6f66e126f1bf93110df6360066e1e14609e5942d46b8c67399a551db17749ef97430fc2e516a00ebd33d906e2b0daf8f6b

Download Submit
C:\Windows\{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe

Filesize
408KB

MD5
693caa9efdfdae5ed8d2e187e4b934e9

SHA1
cfebd8264238673e4d57efa305150cddc1115980

SHA256
3acbabcd6871ca35952ea19c21b451aa4206075142d91b6df8dd366dc4c80bd9

SHA512
596b373031bd722fa117ff7624edb87493c01dec23391a1cd22df3a6eea5051b7050e18adf0fe8a4fe38c083822b56030d45f3cf43752317ea473ef2337d7551

Download Submit
C:\Windows\{F009364B-6653-4be8-8802-73BDE1DAAAF2}.exe

Filesize
408KB

MD5
693caa9efdfdae5ed8d2e187e4b934e9

SHA1
cfebd8264238673e4d57efa305150cddc1115980

SHA256
3acbabcd6871ca35952ea19c21b451aa4206075142d91b6df8dd366dc4c80bd9

SHA512
596b373031bd722fa117ff7624edb87493c01dec23391a1cd22df3a6eea5051b7050e18adf0fe8a4fe38c083822b56030d45f3cf43752317ea473ef2337d7551

Download Submit
C:\Windows\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe

Filesize
408KB

MD5
eb69a8e478b978cd7d179e7f495fa782

SHA1
d5ceda08c8e59361500d5dd4b2149ee184faa8a2

SHA256
2e4d85ca1cea9a525acfe0dd40e02e56c06bbf41563138c7748c79447105ff2b

SHA512
71f2432265a6b31ed5c425489c75e331bccabae3f123a98d2dcf5e5cb83d6449f409f7d6262624c3e3899f5b286e0b8de036cb17d364da5cd2942d643bf61c7a

Download Submit
C:\Windows\{F3946EDF-7DEA-4722-9635-59EDB1E0E8BC}.exe

Filesize
408KB

MD5
eb69a8e478b978cd7d179e7f495fa782

SHA1
d5ceda08c8e59361500d5dd4b2149ee184faa8a2

SHA256
2e4d85ca1cea9a525acfe0dd40e02e56c06bbf41563138c7748c79447105ff2b

SHA512
71f2432265a6b31ed5c425489c75e331bccabae3f123a98d2dcf5e5cb83d6449f409f7d6262624c3e3899f5b286e0b8de036cb17d364da5cd2942d643bf61c7a

Download Submit