2ac1189a34aa660b0665acee60ade67803b79b33e5ba8461971e794fcb04b072

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b520e746ab80d8exeexeexeex.exe
Size

372KB
MD5

b520e746ab80d8d8e46c6e11d692b72b
SHA1

cc22af188cbb24384109fbaf99a8baf8948d702f
SHA256

2ac1189a34aa660b0665acee60ade67803b79b33e5ba8461971e794fcb04b072
SHA512

4a124e6439b1c150782d621052d399974ceb6aeec3801d3ffce32d2f932cfe5d93fb7d6044a371f9bea66eb89e3f86c59873cd34b4c1bf41e383605f83286214
SSDEEP

3072:CEGh0oGmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGBl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}\stubpath = "C:\\Windows\\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe"	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10ECF33F-963D-44a8-8F39-345DB4E72A06}\stubpath = "C:\\Windows\\{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe"	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}	{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{253ED85E-17B1-4af1-8796-D2317E978DF6}\stubpath = "C:\\Windows\\{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe"	{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}	{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}\stubpath = "C:\\Windows\\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe"	{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24C9EA62-FDAB-43df-A944-C54A5536E713}\stubpath = "C:\\Windows\\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe"	b520e746ab80d8exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}\stubpath = "C:\\Windows\\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe"	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFB66F90-50A3-4178-A036-5D33A38B589E}	{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}\stubpath = "C:\\Windows\\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}.exe"	{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}\stubpath = "C:\\Windows\\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe"	{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84570F70-7F63-445c-9505-D3070DEFA9F0}	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84570F70-7F63-445c-9505-D3070DEFA9F0}\stubpath = "C:\\Windows\\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe"	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}\stubpath = "C:\\Windows\\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe"	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}\stubpath = "C:\\Windows\\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe"	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFB66F90-50A3-4178-A036-5D33A38B589E}\stubpath = "C:\\Windows\\{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe"	{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{253ED85E-17B1-4af1-8796-D2317E978DF6}	{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}	{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24C9EA62-FDAB-43df-A944-C54A5536E713}	b520e746ab80d8exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{595EBBCC-50B8-445d-9FED-33906ACA12D6}	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{595EBBCC-50B8-445d-9FED-33906ACA12D6}\stubpath = "C:\\Windows\\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe"	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10ECF33F-963D-44a8-8F39-345DB4E72A06}	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe

Deletes itself 1 IoCs

pid	Process
2308	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe
2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
1984	{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
2588	{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
2752	{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
2704	{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
2244	{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe
752	{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
File created	C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
File created	C:\Windows\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
File created	C:\Windows\{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe	{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
File created	C:\Windows\{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe	{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
File created	C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	b520e746ab80d8exeexeexeex.exe
File created	C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
File created	C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
File created	C:\Windows\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
File created	C:\Windows\{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe
File created	C:\Windows\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe	{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
File created	C:\Windows\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe	{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
File created	C:\Windows\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}.exe	{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2376	b520e746ab80d8exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
Token: SeIncBasePriorityPrivilege	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
Token: SeIncBasePriorityPrivilege	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
Token: SeIncBasePriorityPrivilege	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
Token: SeIncBasePriorityPrivilege	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
Token: SeIncBasePriorityPrivilege	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe
Token: SeIncBasePriorityPrivilege	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
Token: SeIncBasePriorityPrivilege	1984	{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
Token: SeIncBasePriorityPrivilege	2588	{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
Token: SeIncBasePriorityPrivilege	2752	{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
Token: SeIncBasePriorityPrivilege	2704	{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
Token: SeIncBasePriorityPrivilege	2244	{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2192	2376	b520e746ab80d8exeexeexeex.exe	29
PID 2376 wrote to memory of 2192	2376	b520e746ab80d8exeexeexeex.exe	29
PID 2376 wrote to memory of 2192	2376	b520e746ab80d8exeexeexeex.exe	29
PID 2376 wrote to memory of 2192	2376	b520e746ab80d8exeexeexeex.exe	29
PID 2376 wrote to memory of 2308	2376	b520e746ab80d8exeexeexeex.exe	30
PID 2376 wrote to memory of 2308	2376	b520e746ab80d8exeexeexeex.exe	30
PID 2376 wrote to memory of 2308	2376	b520e746ab80d8exeexeexeex.exe	30
PID 2376 wrote to memory of 2308	2376	b520e746ab80d8exeexeexeex.exe	30
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2096 wrote to memory of 2252	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 2252	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 2252	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 2252	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 2384	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2096 wrote to memory of 2384	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2096 wrote to memory of 2384	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2096 wrote to memory of 2384	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2252 wrote to memory of 2560	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 2252 wrote to memory of 2560	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 2252 wrote to memory of 2560	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 2252 wrote to memory of 2560	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 2252 wrote to memory of 2080	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 2252 wrote to memory of 2080	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 2252 wrote to memory of 2080	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 2252 wrote to memory of 2080	2252	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 2560 wrote to memory of 2104	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 2560 wrote to memory of 2104	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 2560 wrote to memory of 2104	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 2560 wrote to memory of 2104	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 2560 wrote to memory of 2236	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 2560 wrote to memory of 2236	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 2560 wrote to memory of 2236	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 2560 wrote to memory of 2236	2560	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 2104 wrote to memory of 2988	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2104 wrote to memory of 2988	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2104 wrote to memory of 2988	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2104 wrote to memory of 2988	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2104 wrote to memory of 3052	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2104 wrote to memory of 3052	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2104 wrote to memory of 3052	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2104 wrote to memory of 3052	2104	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2988 wrote to memory of 2780	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	41
PID 2988 wrote to memory of 2780	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	41
PID 2988 wrote to memory of 2780	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	41
PID 2988 wrote to memory of 2780	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	41
PID 2988 wrote to memory of 1340	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	42
PID 2988 wrote to memory of 1340	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	42
PID 2988 wrote to memory of 1340	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	42
PID 2988 wrote to memory of 1340	2988	{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe	42
PID 2780 wrote to memory of 1984	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	44
PID 2780 wrote to memory of 1984	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	44
PID 2780 wrote to memory of 1984	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	44
PID 2780 wrote to memory of 1984	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	44
PID 2780 wrote to memory of 1804	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	43
PID 2780 wrote to memory of 1804	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	43
PID 2780 wrote to memory of 1804	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	43
PID 2780 wrote to memory of 1804	2780	{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe	43

C:\Users\Admin\AppData\Local\Temp\b520e746ab80d8exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b520e746ab80d8exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
  C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24C9E~1.EXE > nul
    3⤵
    PID:1856
- - C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
    C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84570~1.EXE > nul
      4⤵
      PID:2384
  - - C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
      C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
        
        C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D94A3~1.EXE > nul
        6⤵
        
        PID:2236
      - C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
        
        C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{595EB~1.EXE > nul
        7⤵
        
        PID:3052
        
        C:\Windows\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe
        
        C:\Windows\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
        
        C:\Windows\{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10ECF~1.EXE > nul
        9⤵
        
        PID:1804
        
        C:\Windows\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
        
        C:\Windows\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
        
        C:\Windows\{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
        
        C:\Windows\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
        
        C:\Windows\{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{253ED~1.EXE > nul
        13⤵
        
        PID:2896
        
        C:\Windows\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe
        
        C:\Windows\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0C84~1.EXE > nul
        14⤵
        
        PID:2764
        
        C:\Windows\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}.exe
        
        C:\Windows\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}.exe
        14⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB0AC~1.EXE > nul
        12⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFB66~1.EXE > nul
        11⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCEB7~1.EXE > nul
        10⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B91E~1.EXE > nul
        8⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{896CF~1.EXE > nul
        5⤵
        
        PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B520E7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe

Filesize
372KB

MD5
71b7eb442e2a7c4664141e06554a7c8e

SHA1
8c5928f9c72504e4500bd519fbb8661db48ba4c7

SHA256
76baea6efd4afd887ba1e63fdeaa8c20169afccb5c422638d73d28ece23342ca

SHA512
d157773c90502c6cedf4571f3e0e4dca04a8b088f0e67f9588946bcacc43f8f8becc4eb45c66b4bffdb8ef9d8a72792b52ca5711f10560d4a4fe52f350e4c433

Download Submit
C:\Windows\{10ECF33F-963D-44a8-8F39-345DB4E72A06}.exe

Filesize
372KB

MD5
71b7eb442e2a7c4664141e06554a7c8e

SHA1
8c5928f9c72504e4500bd519fbb8661db48ba4c7

SHA256
76baea6efd4afd887ba1e63fdeaa8c20169afccb5c422638d73d28ece23342ca

SHA512
d157773c90502c6cedf4571f3e0e4dca04a8b088f0e67f9588946bcacc43f8f8becc4eb45c66b4bffdb8ef9d8a72792b52ca5711f10560d4a4fe52f350e4c433

Download Submit
C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe

Filesize
372KB

MD5
4666df0a007032e2bc7b73fd6fbc944c

SHA1
0c37fd412f6a1730adce2009b706592ecdfb7d17

SHA256
3731b7f41cd0e4ef6be330b8850fdb3caabd4e5265ff9df8e064c7e346a7e2b5

SHA512
4ad85de31f717ff94173f13b4baaf37146a2318519551e51032d17fe30d2b70d5ad05d1887bcdc12ce90bd00abb7427c41596c007cd88e65983f3e6326e6e8d1

Download Submit
C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe

Filesize
372KB

MD5
4666df0a007032e2bc7b73fd6fbc944c

SHA1
0c37fd412f6a1730adce2009b706592ecdfb7d17

SHA256
3731b7f41cd0e4ef6be330b8850fdb3caabd4e5265ff9df8e064c7e346a7e2b5

SHA512
4ad85de31f717ff94173f13b4baaf37146a2318519551e51032d17fe30d2b70d5ad05d1887bcdc12ce90bd00abb7427c41596c007cd88e65983f3e6326e6e8d1

Download Submit
C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe

Filesize
372KB

MD5
4666df0a007032e2bc7b73fd6fbc944c

SHA1
0c37fd412f6a1730adce2009b706592ecdfb7d17

SHA256
3731b7f41cd0e4ef6be330b8850fdb3caabd4e5265ff9df8e064c7e346a7e2b5

SHA512
4ad85de31f717ff94173f13b4baaf37146a2318519551e51032d17fe30d2b70d5ad05d1887bcdc12ce90bd00abb7427c41596c007cd88e65983f3e6326e6e8d1

Download Submit
C:\Windows\{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe

Filesize
372KB

MD5
3ca36a6768f55040e03336f13099514c

SHA1
8ac569ab7b745cd7b23ea21cc5ab7539d901bd1e

SHA256
9fa0d44670dc2660836f5446c9c0c383853bcab58225bbeffc6fa78679d169f6

SHA512
bccd19a5e8819e5c89ed8052c9c451163ac397f8a01cd11064a850b599405ad553a40288c865af426b10e82d89f9313f5bf8e20418e28b52d25939ab45ab506d

Download Submit
C:\Windows\{253ED85E-17B1-4af1-8796-D2317E978DF6}.exe

Filesize
372KB

MD5
3ca36a6768f55040e03336f13099514c

SHA1
8ac569ab7b745cd7b23ea21cc5ab7539d901bd1e

SHA256
9fa0d44670dc2660836f5446c9c0c383853bcab58225bbeffc6fa78679d169f6

SHA512
bccd19a5e8819e5c89ed8052c9c451163ac397f8a01cd11064a850b599405ad553a40288c865af426b10e82d89f9313f5bf8e20418e28b52d25939ab45ab506d

Download Submit
C:\Windows\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe

Filesize
372KB

MD5
28ff9ad5544bde5e610906d33041df29

SHA1
1292d99262072c2f9b722f170e446bebb6002c3d

SHA256
ce96de6c6288d866f1b364cfd270e23ebc24bd95ac8c4e66490a334dd3421e32

SHA512
cdf59612f4e49464c0e4518f63ffb8be373f6c13dd440ae58a4cdb012e265080b2be549fd90784d8ac1cdfe9d38407d0bdcc3cfa1eecfc0cf9fdc18de452d826

Download Submit
C:\Windows\{3B91EC33-FA22-45a4-B4EB-B9D1116E7470}.exe

Filesize
372KB

MD5
28ff9ad5544bde5e610906d33041df29

SHA1
1292d99262072c2f9b722f170e446bebb6002c3d

SHA256
ce96de6c6288d866f1b364cfd270e23ebc24bd95ac8c4e66490a334dd3421e32

SHA512
cdf59612f4e49464c0e4518f63ffb8be373f6c13dd440ae58a4cdb012e265080b2be549fd90784d8ac1cdfe9d38407d0bdcc3cfa1eecfc0cf9fdc18de452d826

Download Submit
C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe

Filesize
372KB

MD5
eb51fbfa231cd7d65a73eba7f7abc4db

SHA1
74b7e3e699d8dba9431d87942736991284ae9e71

SHA256
2208785c97bf9d70e8369acc8fee397afdaed361010f870aa085ba0ec88fe706

SHA512
59a2eec376bfb81d308bd66885c00c9eec02b14243a2d6533dd7fc0ff393776330c372ec50c37cac85c400fa82b81b41a322f1b907ab7c8441a4719d127457ea

Download Submit
C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe

Filesize
372KB

MD5
eb51fbfa231cd7d65a73eba7f7abc4db

SHA1
74b7e3e699d8dba9431d87942736991284ae9e71

SHA256
2208785c97bf9d70e8369acc8fee397afdaed361010f870aa085ba0ec88fe706

SHA512
59a2eec376bfb81d308bd66885c00c9eec02b14243a2d6533dd7fc0ff393776330c372ec50c37cac85c400fa82b81b41a322f1b907ab7c8441a4719d127457ea

Download Submit
C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe

Filesize
372KB

MD5
6028eee42d84e5ecc1789c3e2bd0f6b4

SHA1
0fe28e6d79d59b03c979650d02e513cd999321e1

SHA256
1ac19adbf1b59ccbf63371eb4c48557c3f9963dac969e2ece2a77eddce9de6b9

SHA512
b35c32d40964b676d55c9fa83ec2491b12f6769ec80f28f6dd544e57a707242daefbcc5a86d3a88bba076603be1cf33f3af385e60b6f76e81aa6f0295995440b

Download Submit
C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe

Filesize
372KB

MD5
6028eee42d84e5ecc1789c3e2bd0f6b4

SHA1
0fe28e6d79d59b03c979650d02e513cd999321e1

SHA256
1ac19adbf1b59ccbf63371eb4c48557c3f9963dac969e2ece2a77eddce9de6b9

SHA512
b35c32d40964b676d55c9fa83ec2491b12f6769ec80f28f6dd544e57a707242daefbcc5a86d3a88bba076603be1cf33f3af385e60b6f76e81aa6f0295995440b

Download Submit
C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe

Filesize
372KB

MD5
d44f3e92aceca28f9eed35c5f1ee2e15

SHA1
a64cac41dc0919b1dc1d09989d5bffa0b035e4d4

SHA256
7ad25ce3784ed76cb7697121dad10f86cad2c7b7d8d1c46aba369591ac0b9ddd

SHA512
ab3e57f4a39dd66807b2fde23999c3615e33f69ee17a865c67c8a4e89961164b2bf32dc8dcc91c2f339001b86b475d5ced37ad671c31be764b1e62048e1494bc

Download Submit
C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe

Filesize
372KB

MD5
d44f3e92aceca28f9eed35c5f1ee2e15

SHA1
a64cac41dc0919b1dc1d09989d5bffa0b035e4d4

SHA256
7ad25ce3784ed76cb7697121dad10f86cad2c7b7d8d1c46aba369591ac0b9ddd

SHA512
ab3e57f4a39dd66807b2fde23999c3615e33f69ee17a865c67c8a4e89961164b2bf32dc8dcc91c2f339001b86b475d5ced37ad671c31be764b1e62048e1494bc

Download Submit
C:\Windows\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe

Filesize
372KB

MD5
1a2ac92fe846aa33cb6e760bf386bbef

SHA1
c972022253a36de9991749265192f75725841f3d

SHA256
a16b22be0359cc17e976d6492c181d1c244ce48a243b32d23cf8f067e9694a02

SHA512
075061abfd684db51a696a6bfec1df273c20fbd6c304d5be07d150c5400c6d3ef430ed67fbc2707692bdab5facb7c2f2e3247b7a16e0d62139c6cabd6e56d039

Download Submit
C:\Windows\{CCEB7D1C-39C9-40b2-BFEC-ABB3C425D1CC}.exe

Filesize
372KB

MD5
1a2ac92fe846aa33cb6e760bf386bbef

SHA1
c972022253a36de9991749265192f75725841f3d

SHA256
a16b22be0359cc17e976d6492c181d1c244ce48a243b32d23cf8f067e9694a02

SHA512
075061abfd684db51a696a6bfec1df273c20fbd6c304d5be07d150c5400c6d3ef430ed67fbc2707692bdab5facb7c2f2e3247b7a16e0d62139c6cabd6e56d039

Download Submit
C:\Windows\{CD023A4C-F9C0-4c8d-A9EA-644C99080B60}.exe

Filesize
372KB

MD5
44796e7472bf21d3534b89ef767ecaf4

SHA1
e8ade5be0864e535a70c4305740bf5be99e0f661

SHA256
1a0f984d808800a538bc8272be1ad35679cd4226ef659a6378f33f519f67129e

SHA512
d6d7c795e047e594d00411400bf3ebd16a39417e5a985650eb99e81619b6f11c268e93c0faa5208f8302a1d2a0f142160735f10de272cf5e5280bef5d86d2637

Download Submit
C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe

Filesize
372KB

MD5
5544551c053858e0de2e3e1664a8a351

SHA1
ed3201f4dc75ffccf6abd41bc1d73a9759370690

SHA256
ddc93d87f0dc96c1c0c16cf19c3620ec751e1161925074a817224b85592ac70a

SHA512
4b86edd6621b2538e7dd1ba4c7f42b76960ebf8037a6d2294a1e7c8f270d074abaacb7e7bd41f2e0d621c440c3d526d9fadc9ffcdac25f87f64fd321719dca7b

Download Submit
C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe

Filesize
372KB

MD5
5544551c053858e0de2e3e1664a8a351

SHA1
ed3201f4dc75ffccf6abd41bc1d73a9759370690

SHA256
ddc93d87f0dc96c1c0c16cf19c3620ec751e1161925074a817224b85592ac70a

SHA512
4b86edd6621b2538e7dd1ba4c7f42b76960ebf8037a6d2294a1e7c8f270d074abaacb7e7bd41f2e0d621c440c3d526d9fadc9ffcdac25f87f64fd321719dca7b

Download Submit
C:\Windows\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe

Filesize
372KB

MD5
af358f86dde659436228bd4368ed1128

SHA1
cb36f9f70309761bc1d06d2bc4e1a22561e6f728

SHA256
9fb7204fa18055ecd2aee575e9a00a7827ffd03234985da8b8c2f714780d711f

SHA512
c02d7166f958c8fe87893c045b1b613d8290b235232a1bf89da2ee5ee744228c19b04cbc5f733e2ebae1e7fb220be57c7a0c0cc932221c65dadbfe5d270762e6

Download Submit
C:\Windows\{F0C84AF1-BB75-48e8-BEA2-80D96C1DBEAB}.exe

Filesize
372KB

MD5
af358f86dde659436228bd4368ed1128

SHA1
cb36f9f70309761bc1d06d2bc4e1a22561e6f728

SHA256
9fb7204fa18055ecd2aee575e9a00a7827ffd03234985da8b8c2f714780d711f

SHA512
c02d7166f958c8fe87893c045b1b613d8290b235232a1bf89da2ee5ee744228c19b04cbc5f733e2ebae1e7fb220be57c7a0c0cc932221c65dadbfe5d270762e6

Download Submit
C:\Windows\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe

Filesize
372KB

MD5
7de07541932f8aea8cf510f79e164ad8

SHA1
b3cc0e7eeb79ca46954fad9f9602655c63d733d6

SHA256
4c26a123b60d18830187913fc9f97ed3f87e87c9830d42e888ebc585ccf53550

SHA512
444b13048ed1f0a826206d8e6bd4afc4f1681e74e1ccd96b99b83457b9254a209f34de9edad75c205f82d44a0431e9c49f9c38e481c980b54710e99dc3177093

Download Submit
C:\Windows\{FB0AC81F-424E-401d-B4F1-AE6A150C495D}.exe

Filesize
372KB

MD5
7de07541932f8aea8cf510f79e164ad8

SHA1
b3cc0e7eeb79ca46954fad9f9602655c63d733d6

SHA256
4c26a123b60d18830187913fc9f97ed3f87e87c9830d42e888ebc585ccf53550

SHA512
444b13048ed1f0a826206d8e6bd4afc4f1681e74e1ccd96b99b83457b9254a209f34de9edad75c205f82d44a0431e9c49f9c38e481c980b54710e99dc3177093

Download Submit
C:\Windows\{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe

Filesize
372KB

MD5
a989c72f3709f13e200a54f9945f0ea9

SHA1
0e29e757f1d8760d6b86e867d3ec2c01d629b356

SHA256
e4c3afd7636f84356be8e428158eaaf8d0d4b249efdae9ca6c06b74869af03b6

SHA512
90fa3783cd601b855144094ab8c6a38a919ea4b32bc117a96fe05db4d89f8dfd63a3ce56de89d2819d87a3e79a281fe543d07d4fd2efceab3f947e7ea3cae86c

Download Submit
C:\Windows\{FFB66F90-50A3-4178-A036-5D33A38B589E}.exe

Filesize
372KB

MD5
a989c72f3709f13e200a54f9945f0ea9

SHA1
0e29e757f1d8760d6b86e867d3ec2c01d629b356

SHA256
e4c3afd7636f84356be8e428158eaaf8d0d4b249efdae9ca6c06b74869af03b6

SHA512
90fa3783cd601b855144094ab8c6a38a919ea4b32bc117a96fe05db4d89f8dfd63a3ce56de89d2819d87a3e79a281fe543d07d4fd2efceab3f947e7ea3cae86c

Download Submit