da2964f7d47a89f81452649979ab8804d42aabc160abdc41b05be0f924301218

Analysis

max time kernel
145s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70cab08d784021exeexeexeex.exe
Size

372KB
MD5

70cab08d7840213da2ef57006b93a588
SHA1

9ff5c3d942dec842c39fd4987df4fe3c597ec33c
SHA256

da2964f7d47a89f81452649979ab8804d42aabc160abdc41b05be0f924301218
SHA512

4813a75d6a776c966aaa24aa886986279e114051b8584e4767de277550fcfd31aeacb120704ac5d3fd51c9875c17436ba3b873b77ac4c9da61d839965f17e645
SSDEEP

3072:CEGh0o4mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGbl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8E7FC1-4138-405e-84CE-119DE87004BD}	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8E7FC1-4138-405e-84CE-119DE87004BD}\stubpath = "C:\\Windows\\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe"	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}\stubpath = "C:\\Windows\\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe"	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5718FD-1A18-4652-A9D3-F996A97321A7}	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9706D617-4999-4091-BCA2-E774FBCA262F}\stubpath = "C:\\Windows\\{9706D617-4999-4091-BCA2-E774FBCA262F}.exe"	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189FE881-73B6-4380-9E45-02BD0558D727}	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}	{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}\stubpath = "C:\\Windows\\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe"	{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}	{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}	70cab08d784021exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F667D30-6879-48bc-9C97-DF30C7A56387}	{189FE881-73B6-4380-9E45-02BD0558D727}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5718FD-1A18-4652-A9D3-F996A97321A7}\stubpath = "C:\\Windows\\{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe"	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9706D617-4999-4091-BCA2-E774FBCA262F}	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F667D30-6879-48bc-9C97-DF30C7A56387}\stubpath = "C:\\Windows\\{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe"	{189FE881-73B6-4380-9E45-02BD0558D727}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}	{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}\stubpath = "C:\\Windows\\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe"	{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}	{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}\stubpath = "C:\\Windows\\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}.exe"	{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}\stubpath = "C:\\Windows\\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe"	70cab08d784021exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}\stubpath = "C:\\Windows\\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe"	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{153C1F46-A0DF-471c-A2B0-B043FF154874}	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{153C1F46-A0DF-471c-A2B0-B043FF154874}\stubpath = "C:\\Windows\\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe"	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189FE881-73B6-4380-9E45-02BD0558D727}\stubpath = "C:\\Windows\\{189FE881-73B6-4380-9E45-02BD0558D727}.exe"	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}\stubpath = "C:\\Windows\\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe"	{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe

Deletes itself 1 IoCs

pid	Process
1040	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
2204	{189FE881-73B6-4380-9E45-02BD0558D727}.exe
2720	{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe
2624	{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
3032	{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
2668	{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe
2268	{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
File created	C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
File created	C:\Windows\{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe	{189FE881-73B6-4380-9E45-02BD0558D727}.exe
File created	C:\Windows\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe	{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
File created	C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	70cab08d784021exeexeexeex.exe
File created	C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
File created	C:\Windows\{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
File created	C:\Windows\{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
File created	C:\Windows\{189FE881-73B6-4380-9E45-02BD0558D727}.exe	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
File created	C:\Windows\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe	{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe
File created	C:\Windows\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe	{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
File created	C:\Windows\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}.exe	{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe
File created	C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	70cab08d784021exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
Token: SeIncBasePriorityPrivilege	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
Token: SeIncBasePriorityPrivilege	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
Token: SeIncBasePriorityPrivilege	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
Token: SeIncBasePriorityPrivilege	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
Token: SeIncBasePriorityPrivilege	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
Token: SeIncBasePriorityPrivilege	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
Token: SeIncBasePriorityPrivilege	2204	{189FE881-73B6-4380-9E45-02BD0558D727}.exe
Token: SeIncBasePriorityPrivilege	2720	{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe
Token: SeIncBasePriorityPrivilege	2624	{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
Token: SeIncBasePriorityPrivilege	3032	{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
Token: SeIncBasePriorityPrivilege	2668	{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1156	1628	70cab08d784021exeexeexeex.exe	28
PID 1628 wrote to memory of 1156	1628	70cab08d784021exeexeexeex.exe	28
PID 1628 wrote to memory of 1156	1628	70cab08d784021exeexeexeex.exe	28
PID 1628 wrote to memory of 1156	1628	70cab08d784021exeexeexeex.exe	28
PID 1628 wrote to memory of 1040	1628	70cab08d784021exeexeexeex.exe	29
PID 1628 wrote to memory of 1040	1628	70cab08d784021exeexeexeex.exe	29
PID 1628 wrote to memory of 1040	1628	70cab08d784021exeexeexeex.exe	29
PID 1628 wrote to memory of 1040	1628	70cab08d784021exeexeexeex.exe	29
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1244 wrote to memory of 1716	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 1716	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 1716	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 1716	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 272	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 272	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 272	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 272	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1716 wrote to memory of 2908	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 1716 wrote to memory of 2908	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 1716 wrote to memory of 2908	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 1716 wrote to memory of 2908	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 1716 wrote to memory of 2776	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 1716 wrote to memory of 2776	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 1716 wrote to memory of 2776	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 1716 wrote to memory of 2776	1716	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 2908 wrote to memory of 2064	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2064	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2064	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2064	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2944	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2944	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2944	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2944	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2064 wrote to memory of 3000	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2064 wrote to memory of 3000	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2064 wrote to memory of 3000	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2064 wrote to memory of 3000	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2064 wrote to memory of 1712	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2064 wrote to memory of 1712	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2064 wrote to memory of 1712	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2064 wrote to memory of 1712	2064	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 3000 wrote to memory of 2272	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	40
PID 3000 wrote to memory of 2272	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	40
PID 3000 wrote to memory of 2272	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	40
PID 3000 wrote to memory of 2272	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	40
PID 3000 wrote to memory of 3044	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	41
PID 3000 wrote to memory of 3044	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	41
PID 3000 wrote to memory of 3044	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	41
PID 3000 wrote to memory of 3044	3000	{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe	41
PID 2272 wrote to memory of 2204	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	43
PID 2272 wrote to memory of 2204	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	43
PID 2272 wrote to memory of 2204	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	43
PID 2272 wrote to memory of 2204	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	43
PID 2272 wrote to memory of 2196	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	42
PID 2272 wrote to memory of 2196	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	42
PID 2272 wrote to memory of 2196	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	42
PID 2272 wrote to memory of 2196	2272	{9706D617-4999-4091-BCA2-E774FBCA262F}.exe	42

C:\Users\Admin\AppData\Local\Temp\70cab08d784021exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\70cab08d784021exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
  C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
    C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
      C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{153C1~1.EXE > nul
        5⤵
        
        PID:2776
    - - C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
        
        C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
        
        C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
        
        C:\Windows\{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
        
        C:\Windows\{9706D617-4999-4091-BCA2-E774FBCA262F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9706D~1.EXE > nul
        9⤵
        
        PID:2196
        
        C:\Windows\{189FE881-73B6-4380-9E45-02BD0558D727}.exe
        
        C:\Windows\{189FE881-73B6-4380-9E45-02BD0558D727}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{189FE~1.EXE > nul
        10⤵
        
        PID:2704
        
        C:\Windows\{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe
        
        C:\Windows\{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
        
        C:\Windows\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
        
        C:\Windows\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A16F4~1.EXE > nul
        13⤵
        
        PID:2636
        
        C:\Windows\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe
        
        C:\Windows\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}.exe
        
        C:\Windows\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}.exe
        14⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A07C0~1.EXE > nul
        14⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00CBC~1.EXE > nul
        12⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F667~1.EXE > nul
        11⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B571~1.EXE > nul
        8⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A6E2~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8E7~1.EXE > nul
        6⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E1BA~1.EXE > nul
      4⤵
      PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AFCD3~1.EXE > nul
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\70CAB0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe

Filesize
372KB

MD5
8614e0d98e6fd80413b810d3b9a83b10

SHA1
a8b353eb616e80d7120aad0b16a3c0cef5e2c041

SHA256
a2656e44b994d7bd5b143f7363989a60845c719a5d15fccefb1c9a1fe8558c7d

SHA512
44377c1576b3ee7cb1e61315b806c30d3e72c9b86aeb89381de7932356bbe47402798a3d54f2071149e78058be3ff5ad12071c72582352974ca98bbc56639d17

Download Submit
C:\Windows\{00CBCCBE-80CD-443c-8843-DC1A12B86F74}.exe

Filesize
372KB

MD5
8614e0d98e6fd80413b810d3b9a83b10

SHA1
a8b353eb616e80d7120aad0b16a3c0cef5e2c041

SHA256
a2656e44b994d7bd5b143f7363989a60845c719a5d15fccefb1c9a1fe8558c7d

SHA512
44377c1576b3ee7cb1e61315b806c30d3e72c9b86aeb89381de7932356bbe47402798a3d54f2071149e78058be3ff5ad12071c72582352974ca98bbc56639d17

Download Submit
C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe

Filesize
372KB

MD5
a54be168540308f7ee1ef8261597d370

SHA1
d9667a47c6dc0ef74c8d5e09ddb5310e6b6af4a8

SHA256
9c96b88385bdfcaae381d887815fa10cb66667c2b9e1029d07b1c5756e2a8193

SHA512
42b24b15e2891fea3ae40e1002f841714767708db6dd62493a4053e634c9e7262f1f5d2d3092c0dd20447d538a9e058a66bf2c0ab9391e525b7d9410238b9981

Download Submit
C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe

Filesize
372KB

MD5
a54be168540308f7ee1ef8261597d370

SHA1
d9667a47c6dc0ef74c8d5e09ddb5310e6b6af4a8

SHA256
9c96b88385bdfcaae381d887815fa10cb66667c2b9e1029d07b1c5756e2a8193

SHA512
42b24b15e2891fea3ae40e1002f841714767708db6dd62493a4053e634c9e7262f1f5d2d3092c0dd20447d538a9e058a66bf2c0ab9391e525b7d9410238b9981

Download Submit
C:\Windows\{189FE881-73B6-4380-9E45-02BD0558D727}.exe

Filesize
372KB

MD5
72ff1f68cf8779254c31c7d2a733d13a

SHA1
e0751857700bebbf9cef384393461b0faabb971b

SHA256
67fa8bc1ea0b403e0af3ed0e56eaf6625b533e919996001aee9bd215d988d84f

SHA512
cbd4e9ebb961702e2abb1004b87bdc4f3ca58f5771de8bd3c826778a6c3b3261378734e0bad35820cfa7bec83230066cbd4060949832108b8b8eb41cf2c59964

Download Submit
C:\Windows\{189FE881-73B6-4380-9E45-02BD0558D727}.exe

Filesize
372KB

MD5
72ff1f68cf8779254c31c7d2a733d13a

SHA1
e0751857700bebbf9cef384393461b0faabb971b

SHA256
67fa8bc1ea0b403e0af3ed0e56eaf6625b533e919996001aee9bd215d988d84f

SHA512
cbd4e9ebb961702e2abb1004b87bdc4f3ca58f5771de8bd3c826778a6c3b3261378734e0bad35820cfa7bec83230066cbd4060949832108b8b8eb41cf2c59964

Download Submit
C:\Windows\{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe

Filesize
372KB

MD5
b8b24f8058436231edf10493299de504

SHA1
c2b2c044533f74820c8b87c5f784b5cab7215bd1

SHA256
a87c24f4777342eecd8161ff10229bc9a8b7de4e0d43e56c9ba839c775d958c2

SHA512
e706da702cda063a01533c0fa3ad5eb5ca1e4480f25d4774059df9231476d06f484b125679456a687204290df834968adec1b4191dee5e27506261856e2202ee

Download Submit
C:\Windows\{2B5718FD-1A18-4652-A9D3-F996A97321A7}.exe

Filesize
372KB

MD5
b8b24f8058436231edf10493299de504

SHA1
c2b2c044533f74820c8b87c5f784b5cab7215bd1

SHA256
a87c24f4777342eecd8161ff10229bc9a8b7de4e0d43e56c9ba839c775d958c2

SHA512
e706da702cda063a01533c0fa3ad5eb5ca1e4480f25d4774059df9231476d06f484b125679456a687204290df834968adec1b4191dee5e27506261856e2202ee

Download Submit
C:\Windows\{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe

Filesize
372KB

MD5
c2a2333010ea91c7ffee6a7651a52904

SHA1
ec294bedde79455a1332575821dd46489f18d711

SHA256
5ac2f022fd55e1528ba8aff733a4cdaa8dd3a5ef438b87db2d33b23fac6dc33a

SHA512
1486dfa8102e6fa093997532640aaa3aa5dbd9211367d857d8a7b980970e6abfaf62f42d36d5f927b14b3aaacd555f46da9aa087727418b0f7acf019618c6d8d

Download Submit
C:\Windows\{2F667D30-6879-48bc-9C97-DF30C7A56387}.exe

Filesize
372KB

MD5
c2a2333010ea91c7ffee6a7651a52904

SHA1
ec294bedde79455a1332575821dd46489f18d711

SHA256
5ac2f022fd55e1528ba8aff733a4cdaa8dd3a5ef438b87db2d33b23fac6dc33a

SHA512
1486dfa8102e6fa093997532640aaa3aa5dbd9211367d857d8a7b980970e6abfaf62f42d36d5f927b14b3aaacd555f46da9aa087727418b0f7acf019618c6d8d

Download Submit
C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe

Filesize
372KB

MD5
42255c96414a1c3f1fafa5a99c7c447f

SHA1
0544599faacf8cebdf980d9e9124172434c9b4df

SHA256
625d0cb79d49c4e3634656cac2036b6e64b945a3c0df6b6a622d80688fb326f2

SHA512
e6dee16cf10d1041be55befc1e2d0f23ebe6ea259876b8ff47ea015ef863c77219dadd1ff7dfbaa440ee64a8272da6f379d40c47f76c628f80605f10f676002c

Download Submit
C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe

Filesize
372KB

MD5
42255c96414a1c3f1fafa5a99c7c447f

SHA1
0544599faacf8cebdf980d9e9124172434c9b4df

SHA256
625d0cb79d49c4e3634656cac2036b6e64b945a3c0df6b6a622d80688fb326f2

SHA512
e6dee16cf10d1041be55befc1e2d0f23ebe6ea259876b8ff47ea015ef863c77219dadd1ff7dfbaa440ee64a8272da6f379d40c47f76c628f80605f10f676002c

Download Submit
C:\Windows\{424C9069-B6D3-412f-A382-6CCB5D6DD0DB}.exe

Filesize
372KB

MD5
e4feb9c0e5997959be363bdc22cbb649

SHA1
3504e74fbe8ad4b2ccafe8662f75ca21b22ef3a5

SHA256
1ab6936a0b2d8e3aa121c6ce45598305ce37560a3655b88aeb1f5d9d01332e80

SHA512
7108b94b9f86a7ffe3ea968fe7874e6d38938e32c1e18f7dc9d6dcdc86bd3d3453947e4f389ba9a5ef424c87b5503f1e96782376b543dc216de0e83d85bee896

Download Submit
C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe

Filesize
372KB

MD5
8f738d85e777f768ae95fa98d986450e

SHA1
bcd47976c35078d7a5f24acdf2f4ff6e4e35980c

SHA256
4281960dd6e4b844dfb15dd09de64e7da153340e15da8e4061a998f894dbe401

SHA512
947862bf0ea45ccd6a967e8a622b2b39f14dc9ef2ab1b6304015174dd4bfb06d54787d5984b74c8345cefb5e69116044a02710256296025de985f3a411f96220

Download Submit
C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe

Filesize
372KB

MD5
8f738d85e777f768ae95fa98d986450e

SHA1
bcd47976c35078d7a5f24acdf2f4ff6e4e35980c

SHA256
4281960dd6e4b844dfb15dd09de64e7da153340e15da8e4061a998f894dbe401

SHA512
947862bf0ea45ccd6a967e8a622b2b39f14dc9ef2ab1b6304015174dd4bfb06d54787d5984b74c8345cefb5e69116044a02710256296025de985f3a411f96220

Download Submit
C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe

Filesize
372KB

MD5
5253e8260802dcbb1821bf2fd8a714c7

SHA1
91e45ea8979bdbda1e27aa78276dee79d1b40671

SHA256
04aac51122dd2d514170b72094cd36d3146162df1e47a3cd3e17dd6988fa305f

SHA512
81cc82c17aefcb507e56e927eb0708fd6dee1845cc2cf2d865f3a5e60f2dd66e92b8be36315cd4d6286b291fa93abb006e4cd326eb7947a25abaffcc8f7d7582

Download Submit
C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe

Filesize
372KB

MD5
5253e8260802dcbb1821bf2fd8a714c7

SHA1
91e45ea8979bdbda1e27aa78276dee79d1b40671

SHA256
04aac51122dd2d514170b72094cd36d3146162df1e47a3cd3e17dd6988fa305f

SHA512
81cc82c17aefcb507e56e927eb0708fd6dee1845cc2cf2d865f3a5e60f2dd66e92b8be36315cd4d6286b291fa93abb006e4cd326eb7947a25abaffcc8f7d7582

Download Submit
C:\Windows\{9706D617-4999-4091-BCA2-E774FBCA262F}.exe

Filesize
372KB

MD5
c0ca088e8f2705cb0cc7757ba3e0e575

SHA1
11bad81915707b69311095ab35d8c9c87f5a6fac

SHA256
907c8421800fd548788fd07050894147bb38e14c2004b83a8d87b10b92e21ccd

SHA512
2c35852d18fad84331229aeaccbe7e4a0d619633161e286d988acf48aed2b7d8d1019a45ef6ea8af2ec14d453b687f184258242bdde9c4f87df85c37bcca9664

Download Submit
C:\Windows\{9706D617-4999-4091-BCA2-E774FBCA262F}.exe

Filesize
372KB

MD5
c0ca088e8f2705cb0cc7757ba3e0e575

SHA1
11bad81915707b69311095ab35d8c9c87f5a6fac

SHA256
907c8421800fd548788fd07050894147bb38e14c2004b83a8d87b10b92e21ccd

SHA512
2c35852d18fad84331229aeaccbe7e4a0d619633161e286d988acf48aed2b7d8d1019a45ef6ea8af2ec14d453b687f184258242bdde9c4f87df85c37bcca9664

Download Submit
C:\Windows\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe

Filesize
372KB

MD5
4a8aab6b214f3cfaef0478adc1ef8b38

SHA1
8fff3b98d34332163bb2342f822ddad858aebfc5

SHA256
01b3a8f00b034be016c118dde7ada23421d8ab1236a741fd5ec9d9f94d516a79

SHA512
fff0510cda0a9859737add0f1889223d52be44a75d21d532f3d88cee7604941b50ab6f773315064367dc09a7c1e6a6272e2bcbb76864cf2a6cf2905b336e51c9

Download Submit
C:\Windows\{A07C0EB9-FEE8-4527-8CF9-8C9208FB5FF0}.exe

Filesize
372KB

MD5
4a8aab6b214f3cfaef0478adc1ef8b38

SHA1
8fff3b98d34332163bb2342f822ddad858aebfc5

SHA256
01b3a8f00b034be016c118dde7ada23421d8ab1236a741fd5ec9d9f94d516a79

SHA512
fff0510cda0a9859737add0f1889223d52be44a75d21d532f3d88cee7604941b50ab6f773315064367dc09a7c1e6a6272e2bcbb76864cf2a6cf2905b336e51c9

Download Submit
C:\Windows\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe

Filesize
372KB

MD5
3524859037204aeeba3dbcb88b255a73

SHA1
af245daa0917dd432d5810370c228663e97a8e3e

SHA256
986140320b326a4ae35f8d281094d1627725b0ed0fa1a7545878e3d1397fbd42

SHA512
8ceefdddb2e558f00d0ec06c650f56ab06e0ef82ffeb77c2bcd87bf962a0cafe82929de0ab4be8b5121aec5f49079f82902ab48cc68b8170d22c3de22ee68f17

Download Submit
C:\Windows\{A16F46F0-A014-4f14-AA89-DA0B590AABCE}.exe

Filesize
372KB

MD5
3524859037204aeeba3dbcb88b255a73

SHA1
af245daa0917dd432d5810370c228663e97a8e3e

SHA256
986140320b326a4ae35f8d281094d1627725b0ed0fa1a7545878e3d1397fbd42

SHA512
8ceefdddb2e558f00d0ec06c650f56ab06e0ef82ffeb77c2bcd87bf962a0cafe82929de0ab4be8b5121aec5f49079f82902ab48cc68b8170d22c3de22ee68f17

Download Submit
C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Filesize
372KB

MD5
7080d80fecc4160dcd6169565c4419e8

SHA1
a326536221e9e5ce342215c7514b5105e0707bc5

SHA256
4c9c6350df50c78767d9af33a6472b05d5b1ac9c518afa9d3932e2fb7edbf113

SHA512
0527fcf20188104a0798225c8228d2848d8f6026e9a39793821b97e7e4e209da69afd79e4046cd2275e8bdc41095559b577e7a0cca90301bf6d925bfd8cc4831

Download Submit
C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Filesize
372KB

MD5
7080d80fecc4160dcd6169565c4419e8

SHA1
a326536221e9e5ce342215c7514b5105e0707bc5

SHA256
4c9c6350df50c78767d9af33a6472b05d5b1ac9c518afa9d3932e2fb7edbf113

SHA512
0527fcf20188104a0798225c8228d2848d8f6026e9a39793821b97e7e4e209da69afd79e4046cd2275e8bdc41095559b577e7a0cca90301bf6d925bfd8cc4831

Download Submit
C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Filesize
372KB

MD5
7080d80fecc4160dcd6169565c4419e8

SHA1
a326536221e9e5ce342215c7514b5105e0707bc5

SHA256
4c9c6350df50c78767d9af33a6472b05d5b1ac9c518afa9d3932e2fb7edbf113

SHA512
0527fcf20188104a0798225c8228d2848d8f6026e9a39793821b97e7e4e209da69afd79e4046cd2275e8bdc41095559b577e7a0cca90301bf6d925bfd8cc4831

Download Submit