ad11ca3ce0ad501cd74f5508933216c7e12bb655e69fd21992ed10a825113b3f

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be8219d2660e4aexeexeexeex.exe
Size

372KB
MD5

be8219d2660e4a609b9fa6329966183a
SHA1

58ef8ff01b49afa98fda9a1a4bcf513aa73abd60
SHA256

ad11ca3ce0ad501cd74f5508933216c7e12bb655e69fd21992ed10a825113b3f
SHA512

e31a4e6d7c90926ffa668a76fe06e08b2566cd41e712c2742dd12fda893324d3c94459ad7f5bbfe429c68cf738886d0784f54b3749819c3c6e9ca1e64959f289
SSDEEP

3072:CEGh0o2mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGRl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A50CFF89-1C57-498e-8377-331BCF22A36E}	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07EE334C-19E3-4eea-9502-9ED86194FF75}	{44BDAC89-C9D2-44df-81A0-834514143684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}	{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4564E6E-348F-4473-8044-F6B0421AAB18}	be8219d2660e4aexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}\stubpath = "C:\\Windows\\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe"	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6A3012-2227-4af6-A209-8A6673CF82CD}\stubpath = "C:\\Windows\\{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe"	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B22304-1508-4a37-BA3E-6E45449DF6BF}\stubpath = "C:\\Windows\\{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe"	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A50CFF89-1C57-498e-8377-331BCF22A36E}\stubpath = "C:\\Windows\\{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe"	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BDAC89-C9D2-44df-81A0-834514143684}	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07EE334C-19E3-4eea-9502-9ED86194FF75}\stubpath = "C:\\Windows\\{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe"	{44BDAC89-C9D2-44df-81A0-834514143684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}	{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4564E6E-348F-4473-8044-F6B0421AAB18}\stubpath = "C:\\Windows\\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe"	be8219d2660e4aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}\stubpath = "C:\\Windows\\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe"	{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24582435-F644-41f1-A446-88ECEB1E8769}	{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}	{24582435-F644-41f1-A446-88ECEB1E8769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55964D16-C077-41b2-81CD-0F316A5C5D06}\stubpath = "C:\\Windows\\{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe"	{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24582435-F644-41f1-A446-88ECEB1E8769}\stubpath = "C:\\Windows\\{24582435-F644-41f1-A446-88ECEB1E8769}.exe"	{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B22304-1508-4a37-BA3E-6E45449DF6BF}	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}\stubpath = "C:\\Windows\\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe"	{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55964D16-C077-41b2-81CD-0F316A5C5D06}	{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}\stubpath = "C:\\Windows\\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}.exe"	{24582435-F644-41f1-A446-88ECEB1E8769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}\stubpath = "C:\\Windows\\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe"	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6A3012-2227-4af6-A209-8A6673CF82CD}	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BDAC89-C9D2-44df-81A0-834514143684}\stubpath = "C:\\Windows\\{44BDAC89-C9D2-44df-81A0-834514143684}.exe"	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe
1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe
2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe
1388	{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
3040	{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
2724	{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
876	{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
2896	{24582435-F644-41f1-A446-88ECEB1E8769}.exe
2352	{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe	{44BDAC89-C9D2-44df-81A0-834514143684}.exe
File created	C:\Windows\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe	{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
File created	C:\Windows\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}.exe	{24582435-F644-41f1-A446-88ECEB1E8769}.exe
File created	C:\Windows\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	be8219d2660e4aexeexeexeex.exe
File created	C:\Windows\{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
File created	C:\Windows\{44BDAC89-C9D2-44df-81A0-834514143684}.exe	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe
File created	C:\Windows\{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
File created	C:\Windows\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe	{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
File created	C:\Windows\{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe	{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
File created	C:\Windows\{24582435-F644-41f1-A446-88ECEB1E8769}.exe	{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
File created	C:\Windows\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
File created	C:\Windows\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
File created	C:\Windows\{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	be8219d2660e4aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
Token: SeIncBasePriorityPrivilege	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
Token: SeIncBasePriorityPrivilege	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe
Token: SeIncBasePriorityPrivilege	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
Token: SeIncBasePriorityPrivilege	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
Token: SeIncBasePriorityPrivilege	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe
Token: SeIncBasePriorityPrivilege	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe
Token: SeIncBasePriorityPrivilege	1388	{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
Token: SeIncBasePriorityPrivilege	3040	{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
Token: SeIncBasePriorityPrivilege	2724	{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
Token: SeIncBasePriorityPrivilege	876	{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
Token: SeIncBasePriorityPrivilege	2896	{24582435-F644-41f1-A446-88ECEB1E8769}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2132	2228	be8219d2660e4aexeexeexeex.exe	28
PID 2228 wrote to memory of 2132	2228	be8219d2660e4aexeexeexeex.exe	28
PID 2228 wrote to memory of 2132	2228	be8219d2660e4aexeexeexeex.exe	28
PID 2228 wrote to memory of 2132	2228	be8219d2660e4aexeexeexeex.exe	28
PID 2228 wrote to memory of 2320	2228	be8219d2660e4aexeexeexeex.exe	29
PID 2228 wrote to memory of 2320	2228	be8219d2660e4aexeexeexeex.exe	29
PID 2228 wrote to memory of 2320	2228	be8219d2660e4aexeexeexeex.exe	29
PID 2228 wrote to memory of 2320	2228	be8219d2660e4aexeexeexeex.exe	29
PID 2132 wrote to memory of 2284	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	30
PID 2132 wrote to memory of 2284	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	30
PID 2132 wrote to memory of 2284	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	30
PID 2132 wrote to memory of 2284	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	30
PID 2132 wrote to memory of 1392	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	31
PID 2132 wrote to memory of 1392	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	31
PID 2132 wrote to memory of 1392	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	31
PID 2132 wrote to memory of 1392	2132	{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe	31
PID 2284 wrote to memory of 2360	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	32
PID 2284 wrote to memory of 2360	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	32
PID 2284 wrote to memory of 2360	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	32
PID 2284 wrote to memory of 2360	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	32
PID 2284 wrote to memory of 2072	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	33
PID 2284 wrote to memory of 2072	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	33
PID 2284 wrote to memory of 2072	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	33
PID 2284 wrote to memory of 2072	2284	{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe	33
PID 2360 wrote to memory of 1068	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	34
PID 2360 wrote to memory of 1068	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	34
PID 2360 wrote to memory of 1068	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	34
PID 2360 wrote to memory of 1068	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	34
PID 2360 wrote to memory of 1260	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	35
PID 2360 wrote to memory of 1260	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	35
PID 2360 wrote to memory of 1260	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	35
PID 2360 wrote to memory of 1260	2360	{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe	35
PID 1068 wrote to memory of 2064	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	36
PID 1068 wrote to memory of 2064	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	36
PID 1068 wrote to memory of 2064	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	36
PID 1068 wrote to memory of 2064	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	36
PID 1068 wrote to memory of 2060	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	37
PID 1068 wrote to memory of 2060	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	37
PID 1068 wrote to memory of 2060	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	37
PID 1068 wrote to memory of 2060	1068	{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe	37
PID 2064 wrote to memory of 2964	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	39
PID 2064 wrote to memory of 2964	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	39
PID 2064 wrote to memory of 2964	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	39
PID 2064 wrote to memory of 2964	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	39
PID 2064 wrote to memory of 2512	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	38
PID 2064 wrote to memory of 2512	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	38
PID 2064 wrote to memory of 2512	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	38
PID 2064 wrote to memory of 2512	2064	{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe	38
PID 2964 wrote to memory of 2200	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	41
PID 2964 wrote to memory of 2200	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	41
PID 2964 wrote to memory of 2200	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	41
PID 2964 wrote to memory of 2200	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	41
PID 2964 wrote to memory of 700	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	40
PID 2964 wrote to memory of 700	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	40
PID 2964 wrote to memory of 700	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	40
PID 2964 wrote to memory of 700	2964	{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe	40
PID 2200 wrote to memory of 1388	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	43
PID 2200 wrote to memory of 1388	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	43
PID 2200 wrote to memory of 1388	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	43
PID 2200 wrote to memory of 1388	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	43
PID 2200 wrote to memory of 2172	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	42
PID 2200 wrote to memory of 2172	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	42
PID 2200 wrote to memory of 2172	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	42
PID 2200 wrote to memory of 2172	2200	{44BDAC89-C9D2-44df-81A0-834514143684}.exe	42

C:\Users\Admin\AppData\Local\Temp\be8219d2660e4aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\be8219d2660e4aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
  C:\Windows\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
    C:\Windows\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe
      C:\Windows\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
        
        C:\Windows\{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
        
        C:\Windows\{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6A3~1.EXE > nul
        7⤵
        
        PID:2512
        
        C:\Windows\{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe
        
        C:\Windows\{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A50CF~1.EXE > nul
        8⤵
        
        PID:700
        
        C:\Windows\{44BDAC89-C9D2-44df-81A0-834514143684}.exe
        
        C:\Windows\{44BDAC89-C9D2-44df-81A0-834514143684}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44BDA~1.EXE > nul
        9⤵
        
        PID:2172
        
        C:\Windows\{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
        
        C:\Windows\{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
        
        C:\Windows\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
        
        C:\Windows\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B1B1~1.EXE > nul
        12⤵
        
        PID:2696
        
        C:\Windows\{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
        
        C:\Windows\{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\{24582435-F644-41f1-A446-88ECEB1E8769}.exe
        
        C:\Windows\{24582435-F644-41f1-A446-88ECEB1E8769}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}.exe
        
        C:\Windows\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}.exe
        14⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24582~1.EXE > nul
        14⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55964~1.EXE > nul
        13⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C15~1.EXE > nul
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07EE3~1.EXE > nul
        10⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B22~1.EXE > nul
        6⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA738~1.EXE > nul
        5⤵
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B5FF~1.EXE > nul
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A4564~1.EXE > nul
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE8219~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe

Filesize
372KB

MD5
fa16d4307572bfae9fab2632df57ec28

SHA1
63c75e306b5921f668c0365866e29eb6498bed57

SHA256
dd378e8842457bc7036c0f8e3a6e5064c6666254a967810e6b4cddac02a00e5c

SHA512
b56441c03913df9bafd5632f906735174dac95cd7f4a2138afb96faa36fdf2e5af6035d1ac0eeb3eae4fb6a16bab4b019794ef72fa5062838672aa1701ee54b3

Download Submit
C:\Windows\{07EE334C-19E3-4eea-9502-9ED86194FF75}.exe

Filesize
372KB

MD5
fa16d4307572bfae9fab2632df57ec28

SHA1
63c75e306b5921f668c0365866e29eb6498bed57

SHA256
dd378e8842457bc7036c0f8e3a6e5064c6666254a967810e6b4cddac02a00e5c

SHA512
b56441c03913df9bafd5632f906735174dac95cd7f4a2138afb96faa36fdf2e5af6035d1ac0eeb3eae4fb6a16bab4b019794ef72fa5062838672aa1701ee54b3

Download Submit
C:\Windows\{24582435-F644-41f1-A446-88ECEB1E8769}.exe

Filesize
372KB

MD5
8ab8e35258fd2223be0449dfce9478e5

SHA1
d39e91f9ea2559bdf79e5508dd6f4c73a8fe126e

SHA256
54922ba500d31de601a32b9fb0eeb92c40f53e73d493bcf1e756f4dd0d360392

SHA512
6420c514a502e7e26446869b5077897f06f22477f311d5d2358a354ca46ea431ef7fe09552f2985bbfb29f3916e8ccddb828c732bb06998465ccbbe459c2f466

Download Submit
C:\Windows\{24582435-F644-41f1-A446-88ECEB1E8769}.exe

Filesize
372KB

MD5
8ab8e35258fd2223be0449dfce9478e5

SHA1
d39e91f9ea2559bdf79e5508dd6f4c73a8fe126e

SHA256
54922ba500d31de601a32b9fb0eeb92c40f53e73d493bcf1e756f4dd0d360392

SHA512
6420c514a502e7e26446869b5077897f06f22477f311d5d2358a354ca46ea431ef7fe09552f2985bbfb29f3916e8ccddb828c732bb06998465ccbbe459c2f466

Download Submit
C:\Windows\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe

Filesize
372KB

MD5
d0db0ad8ce541dfb09bfd49478eb284d

SHA1
acf2d801887bd87148ec3c74cfbb368f1bb098e3

SHA256
a4f1fc6f10fe6f72487a24511eaf8d9f42286a6218409efc3317165fd197d071

SHA512
9e954ad820bc821219a4cbc0f935e9cdee1ba2ed81d90aad1bf6b184d1afee381589cd06d4c6c1b718bc090e83409b4a4fb088da1932335209a379eed444413c

Download Submit
C:\Windows\{2B1B1A94-DBAF-43c2-9090-BCCF511FD020}.exe

Filesize
372KB

MD5
d0db0ad8ce541dfb09bfd49478eb284d

SHA1
acf2d801887bd87148ec3c74cfbb368f1bb098e3

SHA256
a4f1fc6f10fe6f72487a24511eaf8d9f42286a6218409efc3317165fd197d071

SHA512
9e954ad820bc821219a4cbc0f935e9cdee1ba2ed81d90aad1bf6b184d1afee381589cd06d4c6c1b718bc090e83409b4a4fb088da1932335209a379eed444413c

Download Submit
C:\Windows\{44BDAC89-C9D2-44df-81A0-834514143684}.exe

Filesize
372KB

MD5
81a9829da94273eaa2e89cb3c9f7e0a8

SHA1
319229de1e05f4c8437388bc396ee2804782522a

SHA256
2f2a939489fff6e888ee7fe8431f1f22e47ef1162628ac5bcd5cabb0493d3286

SHA512
ffdfbc43a4f3657f99d303f51598b1aad104b1b78cddbcbbb13de8c502d3457a1939be946804f436cf07fbb0ceb1401512749a4eaae9a89addce8161af5ab68f

Download Submit
C:\Windows\{44BDAC89-C9D2-44df-81A0-834514143684}.exe

Filesize
372KB

MD5
81a9829da94273eaa2e89cb3c9f7e0a8

SHA1
319229de1e05f4c8437388bc396ee2804782522a

SHA256
2f2a939489fff6e888ee7fe8431f1f22e47ef1162628ac5bcd5cabb0493d3286

SHA512
ffdfbc43a4f3657f99d303f51598b1aad104b1b78cddbcbbb13de8c502d3457a1939be946804f436cf07fbb0ceb1401512749a4eaae9a89addce8161af5ab68f

Download Submit
C:\Windows\{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe

Filesize
372KB

MD5
7fd640c1a5c6bf7c51c9cee96d5dd50d

SHA1
1251393c3f0e3d391bc26f8cf6c5068502dcd033

SHA256
10d25bf6f8cb18c1e226c9e54f493ae595163f7bf5c4c0d7db776a10ac0e64a8

SHA512
820d230f07d0b9b37c88675e9a9bbfa8c4fda36ca6cac8bb2e293e028ba58d5d4fc723588d0b56c86c8f360bde4825d235fe296b71b0b7d603333ba048c8443e

Download Submit
C:\Windows\{55964D16-C077-41b2-81CD-0F316A5C5D06}.exe

Filesize
372KB

MD5
7fd640c1a5c6bf7c51c9cee96d5dd50d

SHA1
1251393c3f0e3d391bc26f8cf6c5068502dcd033

SHA256
10d25bf6f8cb18c1e226c9e54f493ae595163f7bf5c4c0d7db776a10ac0e64a8

SHA512
820d230f07d0b9b37c88675e9a9bbfa8c4fda36ca6cac8bb2e293e028ba58d5d4fc723588d0b56c86c8f360bde4825d235fe296b71b0b7d603333ba048c8443e

Download Submit
C:\Windows\{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe

Filesize
372KB

MD5
e39b34d53e85337e5b457fb16693335b

SHA1
fc4f8d3931a2b8e8698d2e9ebccc46470669369f

SHA256
09d2a875e234729f47e2f0d76a990db3a3342304089a5a14b8c4555bff54920d

SHA512
3b08cfba96f5f2aa1f0cca1bc3d45efc912d6b6cb385d231f69dbe169c43a54803fa6f2cad0acc0fe41763f835c8f10aee8be13b968fa050f0e21e673de95eb7

Download Submit
C:\Windows\{67B22304-1508-4a37-BA3E-6E45449DF6BF}.exe

Filesize
372KB

MD5
e39b34d53e85337e5b457fb16693335b

SHA1
fc4f8d3931a2b8e8698d2e9ebccc46470669369f

SHA256
09d2a875e234729f47e2f0d76a990db3a3342304089a5a14b8c4555bff54920d

SHA512
3b08cfba96f5f2aa1f0cca1bc3d45efc912d6b6cb385d231f69dbe169c43a54803fa6f2cad0acc0fe41763f835c8f10aee8be13b968fa050f0e21e673de95eb7

Download Submit
C:\Windows\{6F0ED937-C4DA-4e77-A367-6FBFCB3829B4}.exe

Filesize
372KB

MD5
08eed6120b39b72d163dca521c27bd4f

SHA1
2e51a02fc22906843a02026b6bb2e2e9e6f6db27

SHA256
14932a56e8b7dec9790a0b99b87fd0663c66d58ed4785a937797d077b16b687d

SHA512
037a8c63a9827790ca3a6d4adb7892e58c9e093e38af5d0e9ab3371b39bc5fcfaca33be72728ef6642d3ef6306fb14611d15af3241e206095d8a4c3fd564c444

Download Submit
C:\Windows\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe

Filesize
372KB

MD5
1e6ec6ad7dd0786d90a71b9b709a0194

SHA1
e35e132880947ca25dcd8792bcc588ca06a4e612

SHA256
f573c5fc60b3053b07a241bbb09da53c57ebe90a33f676c6812708fc211972eb

SHA512
51532f962ee55be1f104c492eb3be1c520d2fb1c98745d1f599166befe9b3df9e27c8d6d5a31b618443c33534363bd25f77a20944c4345e6ab7947d1bd5ab6fa

Download Submit
C:\Windows\{78C15F96-96F0-4b2c-9E5A-C1F09C86D46C}.exe

Filesize
372KB

MD5
1e6ec6ad7dd0786d90a71b9b709a0194

SHA1
e35e132880947ca25dcd8792bcc588ca06a4e612

SHA256
f573c5fc60b3053b07a241bbb09da53c57ebe90a33f676c6812708fc211972eb

SHA512
51532f962ee55be1f104c492eb3be1c520d2fb1c98745d1f599166befe9b3df9e27c8d6d5a31b618443c33534363bd25f77a20944c4345e6ab7947d1bd5ab6fa

Download Submit
C:\Windows\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe

Filesize
372KB

MD5
3f1452662f8fafb704ef9727c16911f3

SHA1
b5acb5186a3b459684062616cc94c39cdde0c88b

SHA256
68efe1eacd21f434865a279192b48cf740169a6e8ba2ca76b8521c8d5f155748

SHA512
03d4f74e9db613da17ef7c584a877bc92d0679901ebd1bf767f0a8c36859262f6ba5616ce7a8a380368166a65098ddc7a7d6d04f118a1aba0a6925810bdf43f4

Download Submit
C:\Windows\{9B5FF327-186F-4dbb-91A4-16CE1592C8E5}.exe

Filesize
372KB

MD5
3f1452662f8fafb704ef9727c16911f3

SHA1
b5acb5186a3b459684062616cc94c39cdde0c88b

SHA256
68efe1eacd21f434865a279192b48cf740169a6e8ba2ca76b8521c8d5f155748

SHA512
03d4f74e9db613da17ef7c584a877bc92d0679901ebd1bf767f0a8c36859262f6ba5616ce7a8a380368166a65098ddc7a7d6d04f118a1aba0a6925810bdf43f4

Download Submit
C:\Windows\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe

Filesize
372KB

MD5
c0331b5b57d05309a741316fc3760f87

SHA1
ec588c43024c824e089089f288200a85820ec000

SHA256
89d796bb19fa7d8622689b6bb33cbdf70e268f6a8614656ae82ceed21be5177a

SHA512
02335f1e524f972f88cdde6ea18639ffd62091e47001830be7cc22dd50a7fd0746bf3e53f0be72fc73fb2dd7e8ddb165bd80322ba3de50c2fad23df264072712

Download Submit
C:\Windows\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe

Filesize
372KB

MD5
c0331b5b57d05309a741316fc3760f87

SHA1
ec588c43024c824e089089f288200a85820ec000

SHA256
89d796bb19fa7d8622689b6bb33cbdf70e268f6a8614656ae82ceed21be5177a

SHA512
02335f1e524f972f88cdde6ea18639ffd62091e47001830be7cc22dd50a7fd0746bf3e53f0be72fc73fb2dd7e8ddb165bd80322ba3de50c2fad23df264072712

Download Submit
C:\Windows\{A4564E6E-348F-4473-8044-F6B0421AAB18}.exe

Filesize
372KB

MD5
c0331b5b57d05309a741316fc3760f87

SHA1
ec588c43024c824e089089f288200a85820ec000

SHA256
89d796bb19fa7d8622689b6bb33cbdf70e268f6a8614656ae82ceed21be5177a

SHA512
02335f1e524f972f88cdde6ea18639ffd62091e47001830be7cc22dd50a7fd0746bf3e53f0be72fc73fb2dd7e8ddb165bd80322ba3de50c2fad23df264072712

Download Submit
C:\Windows\{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe

Filesize
372KB

MD5
e38afe7405ca391f92d9d17497d6ef7b

SHA1
161b8cfe5c86cb53319c2b1c5345d0464b4a272a

SHA256
a2be7ad95692252747a229e7a138eab61edd588389c4985c8732d84034a4a6d7

SHA512
697bbf301ae4777c6f66efb68031e5e7eabf6126feb7de6559c0ab3ae36d821f4f70a3af908f896ec3bfe0f541058db3b88821888da2cf4f44179918a9d57ceb

Download Submit
C:\Windows\{A50CFF89-1C57-498e-8377-331BCF22A36E}.exe

Filesize
372KB

MD5
e38afe7405ca391f92d9d17497d6ef7b

SHA1
161b8cfe5c86cb53319c2b1c5345d0464b4a272a

SHA256
a2be7ad95692252747a229e7a138eab61edd588389c4985c8732d84034a4a6d7

SHA512
697bbf301ae4777c6f66efb68031e5e7eabf6126feb7de6559c0ab3ae36d821f4f70a3af908f896ec3bfe0f541058db3b88821888da2cf4f44179918a9d57ceb

Download Submit
C:\Windows\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe

Filesize
372KB

MD5
fb600cfde6b6b0863861281cd6e19ae8

SHA1
2ab65abcde035ce8211ce7263e116e4fb3cbcc28

SHA256
d28c39dfea76a8a03de87ef1bfbebd511c58336ea45ba6b750f6c504e94833b3

SHA512
f6f73c0c49521a58f4875f5064485158111c674e05b1ff5057abbc1c56d80d5b4081b8fcbb8711aa9cb5577acca86347540c9bbb30e004e54b6eeef4c53901d2

Download Submit
C:\Windows\{EA738CA9-4084-4e77-85CE-B5BFF92F6838}.exe

Filesize
372KB

MD5
fb600cfde6b6b0863861281cd6e19ae8

SHA1
2ab65abcde035ce8211ce7263e116e4fb3cbcc28

SHA256
d28c39dfea76a8a03de87ef1bfbebd511c58336ea45ba6b750f6c504e94833b3

SHA512
f6f73c0c49521a58f4875f5064485158111c674e05b1ff5057abbc1c56d80d5b4081b8fcbb8711aa9cb5577acca86347540c9bbb30e004e54b6eeef4c53901d2

Download Submit
C:\Windows\{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe

Filesize
372KB

MD5
a003816259f327268a72657bfa61d66e

SHA1
c1f4452c7157e038e9714777dfb568b571a97194

SHA256
29a9469aaf781c288a15b16a13764b64aa9e4206890246ae99ed28244ad67ceb

SHA512
8c5400a2c626db804297f6fb5e5130c7cbf6cd557079bf2eba3c7cb6aba5bcd3d8f05d9f38e07ea61aedfd36d28a10a9868129b777c827ce077687a19a0c1f22

Download Submit
C:\Windows\{EB6A3012-2227-4af6-A209-8A6673CF82CD}.exe

Filesize
372KB

MD5
a003816259f327268a72657bfa61d66e

SHA1
c1f4452c7157e038e9714777dfb568b571a97194

SHA256
29a9469aaf781c288a15b16a13764b64aa9e4206890246ae99ed28244ad67ceb

SHA512
8c5400a2c626db804297f6fb5e5130c7cbf6cd557079bf2eba3c7cb6aba5bcd3d8f05d9f38e07ea61aedfd36d28a10a9868129b777c827ce077687a19a0c1f22

Download Submit