c2e98321b1518828122bc9c309fd638c80f8cd2c39744b330f0ff640e4dfedc1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b20966bfdf62e8exeexeexeex.exe
Size

372KB
MD5

b20966bfdf62e80851b50c234d3ab9f4
SHA1

90858c048efaf0c200465bc440042647967922fa
SHA256

c2e98321b1518828122bc9c309fd638c80f8cd2c39744b330f0ff640e4dfedc1
SHA512

91f0e241a3b3c09a03977ef34a93c1bcc1183927a1e5bfb82287409510db72437d3be8dbaba25a679d954eeb5bc72e832e99c861e92cfda41c70846f061c6565
SSDEEP

3072:CEGh0oDmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGol/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E10D930-D053-4384-A2D3-E932E436EC72}	b20966bfdf62e8exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}\stubpath = "C:\\Windows\\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe"	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CCD25D-545C-495a-B84E-67D152801C45}\stubpath = "C:\\Windows\\{A6CCD25D-545C-495a-B84E-67D152801C45}.exe"	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6F146F-EC5E-4940-8E31-995031B58204}	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}\stubpath = "C:\\Windows\\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe"	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6112211C-A1EE-4608-9A1F-0588178B54CD}\stubpath = "C:\\Windows\\{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe"	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}\stubpath = "C:\\Windows\\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe"	{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E10D930-D053-4384-A2D3-E932E436EC72}\stubpath = "C:\\Windows\\{5E10D930-D053-4384-A2D3-E932E436EC72}.exe"	b20966bfdf62e8exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F63129-29AF-44c7-8196-73A2FECD7D16}	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F63129-29AF-44c7-8196-73A2FECD7D16}\stubpath = "C:\\Windows\\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe"	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}\stubpath = "C:\\Windows\\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe"	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934A760C-31EF-4a4c-84CD-125C859DDAFD}\stubpath = "C:\\Windows\\{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe"	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}\stubpath = "C:\\Windows\\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe"	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CCD25D-545C-495a-B84E-67D152801C45}	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6F146F-EC5E-4940-8E31-995031B58204}\stubpath = "C:\\Windows\\{FE6F146F-EC5E-4940-8E31-995031B58204}.exe"	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6112211C-A1EE-4608-9A1F-0588178B54CD}	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934A760C-31EF-4a4c-84CD-125C859DDAFD}	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE210877-1C59-49ca-81EA-083B4A7BB765}	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE210877-1C59-49ca-81EA-083B4A7BB765}\stubpath = "C:\\Windows\\{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe"	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}	{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
3876	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe
2364	{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe
4120	{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{10059E1E-87B9-4033-97C3-D2C9E1D8D7C0}.catalogItem	svchost.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
File created	C:\Windows\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe	{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe
File created	C:\Windows\{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	b20966bfdf62e8exeexeexeex.exe
File created	C:\Windows\{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
File created	C:\Windows\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
File created	C:\Windows\{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
File created	C:\Windows\{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
File created	C:\Windows\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
File created	C:\Windows\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
File created	C:\Windows\{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
File created	C:\Windows\{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
File created	C:\Windows\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3988	b20966bfdf62e8exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
Token: SeIncBasePriorityPrivilege	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
Token: SeIncBasePriorityPrivilege	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
Token: SeIncBasePriorityPrivilege	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
Token: SeIncBasePriorityPrivilege	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
Token: SeIncBasePriorityPrivilege	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
Token: SeIncBasePriorityPrivilege	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
Token: SeIncBasePriorityPrivilege	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
Token: SeIncBasePriorityPrivilege	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
Token: SeIncBasePriorityPrivilege	3876	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe
Token: SeIncBasePriorityPrivilege	2364	{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1848	3988	b20966bfdf62e8exeexeexeex.exe	79
PID 3988 wrote to memory of 1848	3988	b20966bfdf62e8exeexeexeex.exe	79
PID 3988 wrote to memory of 1848	3988	b20966bfdf62e8exeexeexeex.exe	79
PID 3988 wrote to memory of 3524	3988	b20966bfdf62e8exeexeexeex.exe	80
PID 3988 wrote to memory of 3524	3988	b20966bfdf62e8exeexeexeex.exe	80
PID 3988 wrote to memory of 3524	3988	b20966bfdf62e8exeexeexeex.exe	80
PID 1848 wrote to memory of 4144	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	81
PID 1848 wrote to memory of 4144	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	81
PID 1848 wrote to memory of 4144	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	81
PID 1848 wrote to memory of 732	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	82
PID 1848 wrote to memory of 732	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	82
PID 1848 wrote to memory of 732	1848	{5E10D930-D053-4384-A2D3-E932E436EC72}.exe	82
PID 4144 wrote to memory of 2164	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	83
PID 4144 wrote to memory of 2164	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	83
PID 4144 wrote to memory of 2164	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	83
PID 4144 wrote to memory of 3528	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	84
PID 4144 wrote to memory of 3528	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	84
PID 4144 wrote to memory of 3528	4144	{A6CCD25D-545C-495a-B84E-67D152801C45}.exe	84
PID 2164 wrote to memory of 2256	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	85
PID 2164 wrote to memory of 2256	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	85
PID 2164 wrote to memory of 2256	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	85
PID 2164 wrote to memory of 3816	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	86
PID 2164 wrote to memory of 3816	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	86
PID 2164 wrote to memory of 3816	2164	{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe	86
PID 2256 wrote to memory of 4992	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	87
PID 2256 wrote to memory of 4992	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	87
PID 2256 wrote to memory of 4992	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	87
PID 2256 wrote to memory of 1632	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	88
PID 2256 wrote to memory of 1632	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	88
PID 2256 wrote to memory of 1632	2256	{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe	88
PID 4992 wrote to memory of 4200	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	89
PID 4992 wrote to memory of 4200	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	89
PID 4992 wrote to memory of 4200	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	89
PID 4992 wrote to memory of 3976	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	90
PID 4992 wrote to memory of 3976	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	90
PID 4992 wrote to memory of 3976	4992	{FE6F146F-EC5E-4940-8E31-995031B58204}.exe	90
PID 4200 wrote to memory of 4396	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	91
PID 4200 wrote to memory of 4396	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	91
PID 4200 wrote to memory of 4396	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	91
PID 4200 wrote to memory of 3712	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	92
PID 4200 wrote to memory of 3712	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	92
PID 4200 wrote to memory of 3712	4200	{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe	92
PID 4396 wrote to memory of 3612	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	93
PID 4396 wrote to memory of 3612	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	93
PID 4396 wrote to memory of 3612	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	93
PID 4396 wrote to memory of 1556	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	94
PID 4396 wrote to memory of 1556	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	94
PID 4396 wrote to memory of 1556	4396	{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe	94
PID 3612 wrote to memory of 996	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	95
PID 3612 wrote to memory of 996	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	95
PID 3612 wrote to memory of 996	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	95
PID 3612 wrote to memory of 2308	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	96
PID 3612 wrote to memory of 2308	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	96
PID 3612 wrote to memory of 2308	3612	{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe	96
PID 996 wrote to memory of 3876	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	97
PID 996 wrote to memory of 3876	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	97
PID 996 wrote to memory of 3876	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	97
PID 996 wrote to memory of 3756	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	98
PID 996 wrote to memory of 3756	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	98
PID 996 wrote to memory of 3756	996	{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe	98
PID 3876 wrote to memory of 2364	3876	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe	99
PID 3876 wrote to memory of 2364	3876	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe	99
PID 3876 wrote to memory of 2364	3876	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe	99
PID 3876 wrote to memory of 4472	3876	{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b20966bfdf62e8exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b20966bfdf62e8exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
  C:\Windows\{5E10D930-D053-4384-A2D3-E932E436EC72}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
    C:\Windows\{A6CCD25D-545C-495a-B84E-67D152801C45}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
      C:\Windows\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
        
        C:\Windows\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
        
        C:\Windows\{FE6F146F-EC5E-4940-8E31-995031B58204}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
        
        C:\Windows\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
        
        C:\Windows\{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
        
        C:\Windows\{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
        
        C:\Windows\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe
        
        C:\Windows\{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe
        
        C:\Windows\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB28~1.EXE > nul
        13⤵
        
        PID:972
        
        C:\Windows\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe
        
        C:\Windows\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE210~1.EXE > nul
        12⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C097~1.EXE > nul
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{934A7~1.EXE > nul
        10⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61122~1.EXE > nul
        9⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C548E~1.EXE > nul
        8⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE6F1~1.EXE > nul
        7⤵
        
        PID:3976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A733~1.EXE > nul
        6⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F63~1.EXE > nul
        5⤵
        
        PID:3816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6CCD~1.EXE > nul
      4⤵
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E10D~1.EXE > nul
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B20966~1.EXE > nul
  2⤵
  PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe

Filesize
372KB

MD5
ddd96794e77182b9e3f479e4be5185a7

SHA1
9da68baa455fc0f5caf5d20eab34ceed00f4d2ad

SHA256
6bca941ff9e5334189ca635c9d85b89f262d8c2ceb676a47d52f843ffa562af8

SHA512
ec409ae0fc5c9d2b5e4de290ac4373d50b541b35a4184d3cd36caeefeb4bb63d57cca387383a02fb049df502c3483c3b5415ea5004634566adc868792642b44c

Download Submit
C:\Windows\{2C0972F3-14A9-41c3-B4F4-5422EE53930F}.exe

Filesize
372KB

MD5
ddd96794e77182b9e3f479e4be5185a7

SHA1
9da68baa455fc0f5caf5d20eab34ceed00f4d2ad

SHA256
6bca941ff9e5334189ca635c9d85b89f262d8c2ceb676a47d52f843ffa562af8

SHA512
ec409ae0fc5c9d2b5e4de290ac4373d50b541b35a4184d3cd36caeefeb4bb63d57cca387383a02fb049df502c3483c3b5415ea5004634566adc868792642b44c

Download Submit
C:\Windows\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe

Filesize
372KB

MD5
6b7c854eeaf263cf74ba1ea7627e0a49

SHA1
69c1147a8a006bbe6233f54dc43e808908e2efae

SHA256
82d0f367fa534703303ebdb8a1ca8a76146cf5b158b6216618af43582aa93787

SHA512
0b1d5d1b3047b373a9b830f9e68783670e4f610b9f93303f1e734b6cac53da9f2aa3b8312937b91cec0df71814c56a37725c16d4c2b4a1065eca7afb677b364d

Download Submit
C:\Windows\{2DB28A2A-D30A-479e-8A3A-1B99F38E9F3A}.exe

Filesize
372KB

MD5
6b7c854eeaf263cf74ba1ea7627e0a49

SHA1
69c1147a8a006bbe6233f54dc43e808908e2efae

SHA256
82d0f367fa534703303ebdb8a1ca8a76146cf5b158b6216618af43582aa93787

SHA512
0b1d5d1b3047b373a9b830f9e68783670e4f610b9f93303f1e734b6cac53da9f2aa3b8312937b91cec0df71814c56a37725c16d4c2b4a1065eca7afb677b364d

Download Submit
C:\Windows\{5E10D930-D053-4384-A2D3-E932E436EC72}.exe

Filesize
372KB

MD5
4b150beac6fb75acb6ea1a607365d523

SHA1
06c28a0d278d5aeb335678076ad137ff6808343c

SHA256
2c7a0284c53d39cc4ec8dc3e6694f9196f672821d451eb87db30ea1286556f99

SHA512
c3d89e7c0b8932e37d84307315579fe83fbd417a70510413a6e4d0862c7339291c356cbeff446a4acdc494bc86a8962fdc78245cfda22a339bed4cc143d0c952

Download Submit
C:\Windows\{5E10D930-D053-4384-A2D3-E932E436EC72}.exe

Filesize
372KB

MD5
4b150beac6fb75acb6ea1a607365d523

SHA1
06c28a0d278d5aeb335678076ad137ff6808343c

SHA256
2c7a0284c53d39cc4ec8dc3e6694f9196f672821d451eb87db30ea1286556f99

SHA512
c3d89e7c0b8932e37d84307315579fe83fbd417a70510413a6e4d0862c7339291c356cbeff446a4acdc494bc86a8962fdc78245cfda22a339bed4cc143d0c952

Download Submit
C:\Windows\{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe

Filesize
372KB

MD5
b6a35627816ccf34fe44cbc761fdba27

SHA1
a26a24f0446b4e54bfafe4b18e9a6efe327072ec

SHA256
cc8fc9e18d4b185a0a331a19227ffc2fc9c2615b026b9e1bd224ce0f687c1de7

SHA512
d5467add3b68f164c810f0884051852b4b914bd2c15da72f51f30c5b46ef4360f8cf0d630c780b3ec5596e5ff223367c41e0c6935d179e2f5487d8540dabe0f1

Download Submit
C:\Windows\{6112211C-A1EE-4608-9A1F-0588178B54CD}.exe

Filesize
372KB

MD5
b6a35627816ccf34fe44cbc761fdba27

SHA1
a26a24f0446b4e54bfafe4b18e9a6efe327072ec

SHA256
cc8fc9e18d4b185a0a331a19227ffc2fc9c2615b026b9e1bd224ce0f687c1de7

SHA512
d5467add3b68f164c810f0884051852b4b914bd2c15da72f51f30c5b46ef4360f8cf0d630c780b3ec5596e5ff223367c41e0c6935d179e2f5487d8540dabe0f1

Download Submit
C:\Windows\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe

Filesize
372KB

MD5
0f72872df5e483323080475a5f1c96b0

SHA1
e8094951d8743d643ed0be89502b79ba7a3cce73

SHA256
6208413746a0a26af77d5129a4763eb04e56981c85441818791f9260279361d1

SHA512
25e9c165298de91cc86778340bd0063aa6230a282014bdfc034f59a6541886438fa00873cb1982e28983e526a1acf6fb3f180b3f5d0c92661752f9e777135b54

Download Submit
C:\Windows\{6A73339F-4B7C-4487-96B9-8BCCBE93990A}.exe

Filesize
372KB

MD5
0f72872df5e483323080475a5f1c96b0

SHA1
e8094951d8743d643ed0be89502b79ba7a3cce73

SHA256
6208413746a0a26af77d5129a4763eb04e56981c85441818791f9260279361d1

SHA512
25e9c165298de91cc86778340bd0063aa6230a282014bdfc034f59a6541886438fa00873cb1982e28983e526a1acf6fb3f180b3f5d0c92661752f9e777135b54

Download Submit
C:\Windows\{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe

Filesize
372KB

MD5
3ba4b4b99f478cae21afa62c3ca2d783

SHA1
066f0453ebd91f6bab9eddced512e4d15141f544

SHA256
c398dcb03e325b08b3c4bb9985353d0775389f2e8016c8837b5a3af7867cea16

SHA512
2c44b9525941fb2cd333ff97891d53075a077dc1e623c1fe41b629fcb71b96c96b120809aeca2dd292491f16805bd999857c6f602196da59c49df8971fd349f1

Download Submit
C:\Windows\{934A760C-31EF-4a4c-84CD-125C859DDAFD}.exe

Filesize
372KB

MD5
3ba4b4b99f478cae21afa62c3ca2d783

SHA1
066f0453ebd91f6bab9eddced512e4d15141f544

SHA256
c398dcb03e325b08b3c4bb9985353d0775389f2e8016c8837b5a3af7867cea16

SHA512
2c44b9525941fb2cd333ff97891d53075a077dc1e623c1fe41b629fcb71b96c96b120809aeca2dd292491f16805bd999857c6f602196da59c49df8971fd349f1

Download Submit
C:\Windows\{A6CCD25D-545C-495a-B84E-67D152801C45}.exe

Filesize
372KB

MD5
7cb3f02850622c925ca62d8a9d6a3a9f

SHA1
c5ffa685e85d9a31cced61c4c74bf9d5665b2bfd

SHA256
73334ce4bae54d4e3492d8457d7833d9dcff8d0fbbfdf393dab82f51b5a5a992

SHA512
2bc9156bd37dbf6dc56e673a5feb2e49d9df52510e9587d8d298b461d03705c17e1ad22a9e63b18c9eb0dc9e7274da275ecc4c8e71d0a25e379e38592ce17aa6

Download Submit
C:\Windows\{A6CCD25D-545C-495a-B84E-67D152801C45}.exe

Filesize
372KB

MD5
7cb3f02850622c925ca62d8a9d6a3a9f

SHA1
c5ffa685e85d9a31cced61c4c74bf9d5665b2bfd

SHA256
73334ce4bae54d4e3492d8457d7833d9dcff8d0fbbfdf393dab82f51b5a5a992

SHA512
2bc9156bd37dbf6dc56e673a5feb2e49d9df52510e9587d8d298b461d03705c17e1ad22a9e63b18c9eb0dc9e7274da275ecc4c8e71d0a25e379e38592ce17aa6

Download Submit
C:\Windows\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe

Filesize
372KB

MD5
f235b584d2ff83e182fad353b77b4f43

SHA1
3e54a94dfc3c1d644a414cbe7b75059917b61ebb

SHA256
18d03181201127d2ee14b543f903176fdb409fc1fc4275a18c491aef9e8cbee1

SHA512
cbc3a5f77b4cbf2444529a22d97e12ebf6c10174da5a895a0e8e3ea076df831156082ef019efccad9d960dbd240a9dccd041d59f7690667fda8ccd19fd860f35

Download Submit
C:\Windows\{C548E07F-4B8C-43a3-9D02-1CFBC612B26D}.exe

Filesize
372KB

MD5
f235b584d2ff83e182fad353b77b4f43

SHA1
3e54a94dfc3c1d644a414cbe7b75059917b61ebb

SHA256
18d03181201127d2ee14b543f903176fdb409fc1fc4275a18c491aef9e8cbee1

SHA512
cbc3a5f77b4cbf2444529a22d97e12ebf6c10174da5a895a0e8e3ea076df831156082ef019efccad9d960dbd240a9dccd041d59f7690667fda8ccd19fd860f35

Download Submit
C:\Windows\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe

Filesize
372KB

MD5
a7255d1aa4c0162a6498e54ebd2914bb

SHA1
68961c1ca4e939ccb00844970f7a5998a89fed5c

SHA256
a62e9541716fe010654894a7777ea76db0b0b994a554a0915cd6b10854f26921

SHA512
2a6344c737d263ca0b06ff6cc685a821e5402487e3e1730099c45c90bb3cd7d7dcead2617d2d1fa88a2f2e0465a4f331d94c1b670582ec9f6347c2397cb3bc81

Download Submit
C:\Windows\{CEF3D118-0AAC-40fe-913D-24F28095EB2A}.exe

Filesize
372KB

MD5
a7255d1aa4c0162a6498e54ebd2914bb

SHA1
68961c1ca4e939ccb00844970f7a5998a89fed5c

SHA256
a62e9541716fe010654894a7777ea76db0b0b994a554a0915cd6b10854f26921

SHA512
2a6344c737d263ca0b06ff6cc685a821e5402487e3e1730099c45c90bb3cd7d7dcead2617d2d1fa88a2f2e0465a4f331d94c1b670582ec9f6347c2397cb3bc81

Download Submit
C:\Windows\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe

Filesize
372KB

MD5
04b2e93c6a85b0ec83102192efc66c22

SHA1
8920e2ea031a2e3cbb31d20ac922fec2a1db2947

SHA256
f00dda79b90e0e0477fd80b6d2e8084ff46a6d4a9f83a79916bc3544199518a6

SHA512
b21457241c3b9c1c2cc68fbf518f057b3c300540bc780efc0fe00a69de8794b674cff3c5a8740fdecaeacc1292a2263b66ddd5497285821b49f24cf31ef2bdd5

Download Submit
C:\Windows\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe

Filesize
372KB

MD5
04b2e93c6a85b0ec83102192efc66c22

SHA1
8920e2ea031a2e3cbb31d20ac922fec2a1db2947

SHA256
f00dda79b90e0e0477fd80b6d2e8084ff46a6d4a9f83a79916bc3544199518a6

SHA512
b21457241c3b9c1c2cc68fbf518f057b3c300540bc780efc0fe00a69de8794b674cff3c5a8740fdecaeacc1292a2263b66ddd5497285821b49f24cf31ef2bdd5

Download Submit
C:\Windows\{E0F63129-29AF-44c7-8196-73A2FECD7D16}.exe

Filesize
372KB

MD5
04b2e93c6a85b0ec83102192efc66c22

SHA1
8920e2ea031a2e3cbb31d20ac922fec2a1db2947

SHA256
f00dda79b90e0e0477fd80b6d2e8084ff46a6d4a9f83a79916bc3544199518a6

SHA512
b21457241c3b9c1c2cc68fbf518f057b3c300540bc780efc0fe00a69de8794b674cff3c5a8740fdecaeacc1292a2263b66ddd5497285821b49f24cf31ef2bdd5

Download Submit
C:\Windows\{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe

Filesize
372KB

MD5
7e151d323da99bb1b555bc533ed57324

SHA1
eff7a4e2ee2b8fcdee1eaef80d7db69dc960e5bd

SHA256
325e97ed1426ff93d711fe475a62aa6bb5eb83c6bb8a72f06c7dddb8b0f605b9

SHA512
fea9c8538ba65ce1d56744d4f1570b08299c4fc883ef283ce6865f88c9af400b782af79b8826b4b4b48795771f4b7491eb9b2893e29e95be6029fe7b723c24dd

Download Submit
C:\Windows\{FE210877-1C59-49ca-81EA-083B4A7BB765}.exe

Filesize
372KB

MD5
7e151d323da99bb1b555bc533ed57324

SHA1
eff7a4e2ee2b8fcdee1eaef80d7db69dc960e5bd

SHA256
325e97ed1426ff93d711fe475a62aa6bb5eb83c6bb8a72f06c7dddb8b0f605b9

SHA512
fea9c8538ba65ce1d56744d4f1570b08299c4fc883ef283ce6865f88c9af400b782af79b8826b4b4b48795771f4b7491eb9b2893e29e95be6029fe7b723c24dd

Download Submit
C:\Windows\{FE6F146F-EC5E-4940-8E31-995031B58204}.exe

Filesize
372KB

MD5
006a67bc5ee2261f689797f3bdd75db3

SHA1
a02cf8e12d9b944bedd72429815ad8986d1aebe9

SHA256
44b2cf7acae6f072633d6e7481ff976c4afac95dc119e1ecf03b38a4b5958920

SHA512
ea234f2e761b86b13a4c96453a4b2171e27ecfda2ca7b475850b22dffcb96ecefdceb1f22b81812a3c10e2a9ac159ea85acdd7b8f3d020a69f927adf5960fc96

Download Submit
C:\Windows\{FE6F146F-EC5E-4940-8E31-995031B58204}.exe

Filesize
372KB

MD5
006a67bc5ee2261f689797f3bdd75db3

SHA1
a02cf8e12d9b944bedd72429815ad8986d1aebe9

SHA256
44b2cf7acae6f072633d6e7481ff976c4afac95dc119e1ecf03b38a4b5958920

SHA512
ea234f2e761b86b13a4c96453a4b2171e27ecfda2ca7b475850b22dffcb96ecefdceb1f22b81812a3c10e2a9ac159ea85acdd7b8f3d020a69f927adf5960fc96

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads