8db5c8ba98c1095b87126e16de99cba6e24cf28f6a03b3a38cf9b7a9987d6b18

Analysis

max time kernel
147s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1ef01ad2c737fexeexeexeex.exe
Size

204KB
MD5

c1ef01ad2c737f7ec4b20daafb38fa7d
SHA1

c61c804c1efb7904f0ffc051c3b7ec7e5d804b06
SHA256

8db5c8ba98c1095b87126e16de99cba6e24cf28f6a03b3a38cf9b7a9987d6b18
SHA512

a731ff8a2130a26203d5f833b5a1ff7914f5df63933c923a0bb10ae8e49e6e248544ac428065cc032ae24ab30e22155f06cff2bbc9b4990365ad8642dca5092c
SSDEEP

1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0FFD836-B159-414b-9025-F286299E4FB9}\stubpath = "C:\\Windows\\{E0FFD836-B159-414b-9025-F286299E4FB9}.exe"	{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}\stubpath = "C:\\Windows\\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe"	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D9CFDD-C893-4fb3-8383-39301980F306}	{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D9CFDD-C893-4fb3-8383-39301980F306}\stubpath = "C:\\Windows\\{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe"	{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9123C0C3-498E-4ff9-9444-1B1A773BE226}\stubpath = "C:\\Windows\\{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe"	{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}	{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}\stubpath = "C:\\Windows\\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe"	{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462D4F21-3798-4f7f-B8F1-4979727A9400}\stubpath = "C:\\Windows\\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe"	c1ef01ad2c737fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3803E888-D26E-4447-907B-917CA3FB8B65}	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5156091A-DBF8-4236-AF93-06BF10FCD740}	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C36400E0-9485-4159-8D6D-B3EA10270BA5}	{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C36400E0-9485-4159-8D6D-B3EA10270BA5}\stubpath = "C:\\Windows\\{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe"	{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0FFD836-B159-414b-9025-F286299E4FB9}	{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3803E888-D26E-4447-907B-917CA3FB8B65}\stubpath = "C:\\Windows\\{3803E888-D26E-4447-907B-917CA3FB8B65}.exe"	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{748592F0-4147-4646-B5A1-DD2E4BC3654C}	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{748592F0-4147-4646-B5A1-DD2E4BC3654C}\stubpath = "C:\\Windows\\{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe"	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}\stubpath = "C:\\Windows\\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe"	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D96EC846-430B-4fb3-97F0-741633756206}\stubpath = "C:\\Windows\\{D96EC846-430B-4fb3-97F0-741633756206}.exe"	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}\stubpath = "C:\\Windows\\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe"	{D96EC846-430B-4fb3-97F0-741633756206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9123C0C3-498E-4ff9-9444-1B1A773BE226}	{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462D4F21-3798-4f7f-B8F1-4979727A9400}	c1ef01ad2c737fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5156091A-DBF8-4236-AF93-06BF10FCD740}\stubpath = "C:\\Windows\\{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe"	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D96EC846-430B-4fb3-97F0-741633756206}	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}	{D96EC846-430B-4fb3-97F0-741633756206}.exe

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe
1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe
3020	{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
2628	{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
2632	{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
2612	{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
2788	{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe
2644	{E0FFD836-B159-414b-9025-F286299E4FB9}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
File created	C:\Windows\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
File created	C:\Windows\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe	{D96EC846-430B-4fb3-97F0-741633756206}.exe
File created	C:\Windows\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe	{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
File created	C:\Windows\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	c1ef01ad2c737fexeexeexeex.exe
File created	C:\Windows\{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
File created	C:\Windows\{D96EC846-430B-4fb3-97F0-741633756206}.exe	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
File created	C:\Windows\{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe	{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
File created	C:\Windows\{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe	{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
File created	C:\Windows\{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe	{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
File created	C:\Windows\{E0FFD836-B159-414b-9025-F286299E4FB9}.exe	{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe
File created	C:\Windows\{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
File created	C:\Windows\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1236	c1ef01ad2c737fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
Token: SeIncBasePriorityPrivilege	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
Token: SeIncBasePriorityPrivilege	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
Token: SeIncBasePriorityPrivilege	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
Token: SeIncBasePriorityPrivilege	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe
Token: SeIncBasePriorityPrivilege	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
Token: SeIncBasePriorityPrivilege	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe
Token: SeIncBasePriorityPrivilege	3020	{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
Token: SeIncBasePriorityPrivilege	2628	{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
Token: SeIncBasePriorityPrivilege	2632	{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
Token: SeIncBasePriorityPrivilege	2612	{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
Token: SeIncBasePriorityPrivilege	2788	{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2024	1236	c1ef01ad2c737fexeexeexeex.exe	28
PID 1236 wrote to memory of 2024	1236	c1ef01ad2c737fexeexeexeex.exe	28
PID 1236 wrote to memory of 2024	1236	c1ef01ad2c737fexeexeexeex.exe	28
PID 1236 wrote to memory of 2024	1236	c1ef01ad2c737fexeexeexeex.exe	28
PID 1236 wrote to memory of 2320	1236	c1ef01ad2c737fexeexeexeex.exe	29
PID 1236 wrote to memory of 2320	1236	c1ef01ad2c737fexeexeexeex.exe	29
PID 1236 wrote to memory of 2320	1236	c1ef01ad2c737fexeexeexeex.exe	29
PID 1236 wrote to memory of 2320	1236	c1ef01ad2c737fexeexeexeex.exe	29
PID 2024 wrote to memory of 3032	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	30
PID 2024 wrote to memory of 3032	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	30
PID 2024 wrote to memory of 3032	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	30
PID 2024 wrote to memory of 3032	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	30
PID 2024 wrote to memory of 2092	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	31
PID 2024 wrote to memory of 2092	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	31
PID 2024 wrote to memory of 2092	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	31
PID 2024 wrote to memory of 2092	2024	{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe	31
PID 3032 wrote to memory of 2236	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	32
PID 3032 wrote to memory of 2236	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	32
PID 3032 wrote to memory of 2236	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	32
PID 3032 wrote to memory of 2236	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	32
PID 3032 wrote to memory of 2052	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	33
PID 3032 wrote to memory of 2052	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	33
PID 3032 wrote to memory of 2052	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	33
PID 3032 wrote to memory of 2052	3032	{3803E888-D26E-4447-907B-917CA3FB8B65}.exe	33
PID 2236 wrote to memory of 520	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	34
PID 2236 wrote to memory of 520	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	34
PID 2236 wrote to memory of 520	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	34
PID 2236 wrote to memory of 520	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	34
PID 2236 wrote to memory of 1956	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	35
PID 2236 wrote to memory of 1956	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	35
PID 2236 wrote to memory of 1956	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	35
PID 2236 wrote to memory of 1956	2236	{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe	35
PID 520 wrote to memory of 2896	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	36
PID 520 wrote to memory of 2896	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	36
PID 520 wrote to memory of 2896	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	36
PID 520 wrote to memory of 2896	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	36
PID 520 wrote to memory of 2268	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	37
PID 520 wrote to memory of 2268	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	37
PID 520 wrote to memory of 2268	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	37
PID 520 wrote to memory of 2268	520	{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe	37
PID 2896 wrote to memory of 1688	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	38
PID 2896 wrote to memory of 1688	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	38
PID 2896 wrote to memory of 1688	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	38
PID 2896 wrote to memory of 1688	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	38
PID 2896 wrote to memory of 268	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	39
PID 2896 wrote to memory of 268	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	39
PID 2896 wrote to memory of 268	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	39
PID 2896 wrote to memory of 268	2896	{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe	39
PID 1688 wrote to memory of 1796	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	40
PID 1688 wrote to memory of 1796	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	40
PID 1688 wrote to memory of 1796	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	40
PID 1688 wrote to memory of 1796	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	40
PID 1688 wrote to memory of 2940	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	41
PID 1688 wrote to memory of 2940	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	41
PID 1688 wrote to memory of 2940	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	41
PID 1688 wrote to memory of 2940	1688	{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe	41
PID 1796 wrote to memory of 3020	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	42
PID 1796 wrote to memory of 3020	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	42
PID 1796 wrote to memory of 3020	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	42
PID 1796 wrote to memory of 3020	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	42
PID 1796 wrote to memory of 2792	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	43
PID 1796 wrote to memory of 2792	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	43
PID 1796 wrote to memory of 2792	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	43
PID 1796 wrote to memory of 2792	1796	{D96EC846-430B-4fb3-97F0-741633756206}.exe	43

C:\Users\Admin\AppData\Local\Temp\c1ef01ad2c737fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c1ef01ad2c737fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
  C:\Windows\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
    C:\Windows\{3803E888-D26E-4447-907B-917CA3FB8B65}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
      C:\Windows\{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
        
        C:\Windows\{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:520
      - C:\Windows\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe
        
        C:\Windows\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
        
        C:\Windows\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{D96EC846-430B-4fb3-97F0-741633756206}.exe
        
        C:\Windows\{D96EC846-430B-4fb3-97F0-741633756206}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
        
        C:\Windows\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
        
        C:\Windows\{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
        
        C:\Windows\{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9123C~1.EXE > nul
        12⤵
        
        PID:2752
        
        C:\Windows\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
        
        C:\Windows\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E0AF~1.EXE > nul
        13⤵
        
        PID:2828
        
        C:\Windows\{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe
        
        C:\Windows\{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3640~1.EXE > nul
        14⤵
        
        PID:2476
        
        C:\Windows\{E0FFD836-B159-414b-9025-F286299E4FB9}.exe
        
        C:\Windows\{E0FFD836-B159-414b-9025-F286299E4FB9}.exe
        14⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7D9C~1.EXE > nul
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8319E~1.EXE > nul
        10⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D96EC~1.EXE > nul
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26D07~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6CF5~1.EXE > nul
        7⤵
        
        PID:268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51560~1.EXE > nul
        6⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74859~1.EXE > nul
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3803E~1.EXE > nul
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{462D4~1.EXE > nul
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C1EF01~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe

Filesize
204KB

MD5
8e25e6ca6ac711c998662953a8c12a88

SHA1
f09e6b88b4923ec00c460355c5165324e98a741f

SHA256
30ca33b0f4ceee5a19acfd4d21e2b045a4a0d5b4a0650ca52868e0316ee3e59c

SHA512
7ae862627a323f50192a1d24c640c2670afe51c22c1a94e577e59e1d604f1d7378570ad437ffccd11a9911f070c766797051444afb94e086e2dda0300d2a471b

Download Submit
C:\Windows\{0E0AF0E8-5A15-486d-BFE4-2C00DAD2ED50}.exe

Filesize
204KB

MD5
8e25e6ca6ac711c998662953a8c12a88

SHA1
f09e6b88b4923ec00c460355c5165324e98a741f

SHA256
30ca33b0f4ceee5a19acfd4d21e2b045a4a0d5b4a0650ca52868e0316ee3e59c

SHA512
7ae862627a323f50192a1d24c640c2670afe51c22c1a94e577e59e1d604f1d7378570ad437ffccd11a9911f070c766797051444afb94e086e2dda0300d2a471b

Download Submit
C:\Windows\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe

Filesize
204KB

MD5
b2f9d3d4455ff81b73f0343b0f225af6

SHA1
6b076b77f16729f7457b36dbea092fae751e80f9

SHA256
df73e294be5e703a9706d87553ec1f52d95c364d49435da9aea928f0802f0588

SHA512
b5a918be2fe5046af2081e40da05ec66691b9b0a33a3ca40a592af637d961a11a63830a04f5fc4f9ea32d2919dcf104538556923d5eb2fefb54001a2aad5eae8

Download Submit
C:\Windows\{26D07429-C7F1-423e-8A24-7BE453BDAAD4}.exe

Filesize
204KB

MD5
b2f9d3d4455ff81b73f0343b0f225af6

SHA1
6b076b77f16729f7457b36dbea092fae751e80f9

SHA256
df73e294be5e703a9706d87553ec1f52d95c364d49435da9aea928f0802f0588

SHA512
b5a918be2fe5046af2081e40da05ec66691b9b0a33a3ca40a592af637d961a11a63830a04f5fc4f9ea32d2919dcf104538556923d5eb2fefb54001a2aad5eae8

Download Submit
C:\Windows\{3803E888-D26E-4447-907B-917CA3FB8B65}.exe

Filesize
204KB

MD5
18f1d8a89b89fb7a9a072c3f758159bb

SHA1
676ed660f41e8b7e140b1a3b879ed188b9fb8bbc

SHA256
f0ed3ff04084f45e90d862dd8276534cab4bea75dcda63043867fe99b2c44006

SHA512
788078831cf7d02b7b4250cd42d857258177a1c7a65ab891c9f461ff69c8159d980a05a297f46e0cb8242027bef3ae8937860f84026978ba73fd4cd52c835f30

Download Submit
C:\Windows\{3803E888-D26E-4447-907B-917CA3FB8B65}.exe

Filesize
204KB

MD5
18f1d8a89b89fb7a9a072c3f758159bb

SHA1
676ed660f41e8b7e140b1a3b879ed188b9fb8bbc

SHA256
f0ed3ff04084f45e90d862dd8276534cab4bea75dcda63043867fe99b2c44006

SHA512
788078831cf7d02b7b4250cd42d857258177a1c7a65ab891c9f461ff69c8159d980a05a297f46e0cb8242027bef3ae8937860f84026978ba73fd4cd52c835f30

Download Submit
C:\Windows\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe

Filesize
204KB

MD5
8043579fe49ddf7a860c117e9d5ea7a4

SHA1
5435a758750e0d9ef4ef4d7dc40e543388f89b2e

SHA256
7acb00da01bfcb8c1b1f7f8d799e7cd552552ccee99287d99ed46e181bd55ddc

SHA512
27e423dba4d3f1171f5d1fd6ba071b0bf2dfebae030be13a6b13271ce99a058f378a60fd9c43f3366b336d52b1806cbfd6c33779d727f745dccc13d0a70408a1

Download Submit
C:\Windows\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe

Filesize
204KB

MD5
8043579fe49ddf7a860c117e9d5ea7a4

SHA1
5435a758750e0d9ef4ef4d7dc40e543388f89b2e

SHA256
7acb00da01bfcb8c1b1f7f8d799e7cd552552ccee99287d99ed46e181bd55ddc

SHA512
27e423dba4d3f1171f5d1fd6ba071b0bf2dfebae030be13a6b13271ce99a058f378a60fd9c43f3366b336d52b1806cbfd6c33779d727f745dccc13d0a70408a1

Download Submit
C:\Windows\{462D4F21-3798-4f7f-B8F1-4979727A9400}.exe

Filesize
204KB

MD5
8043579fe49ddf7a860c117e9d5ea7a4

SHA1
5435a758750e0d9ef4ef4d7dc40e543388f89b2e

SHA256
7acb00da01bfcb8c1b1f7f8d799e7cd552552ccee99287d99ed46e181bd55ddc

SHA512
27e423dba4d3f1171f5d1fd6ba071b0bf2dfebae030be13a6b13271ce99a058f378a60fd9c43f3366b336d52b1806cbfd6c33779d727f745dccc13d0a70408a1

Download Submit
C:\Windows\{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe

Filesize
204KB

MD5
2f84f3205074bfaca1678833d4b1985b

SHA1
15e09b9836a653f46f021e2f20717128f2f7101f

SHA256
2404787a0f527ba9fd15135c65beaa5e5ec299fa02de609aca9af07ed31e72a9

SHA512
54efd8ac58022c62cda43cf8c97fab2a30d6d2445fd390a2030a6fa99f9873319e1d196ab43af05af5e9e4ada031f7f8972a8a59865f963e40dec5c7aef3b389

Download Submit
C:\Windows\{5156091A-DBF8-4236-AF93-06BF10FCD740}.exe

Filesize
204KB

MD5
2f84f3205074bfaca1678833d4b1985b

SHA1
15e09b9836a653f46f021e2f20717128f2f7101f

SHA256
2404787a0f527ba9fd15135c65beaa5e5ec299fa02de609aca9af07ed31e72a9

SHA512
54efd8ac58022c62cda43cf8c97fab2a30d6d2445fd390a2030a6fa99f9873319e1d196ab43af05af5e9e4ada031f7f8972a8a59865f963e40dec5c7aef3b389

Download Submit
C:\Windows\{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe

Filesize
204KB

MD5
2659ffc51abd00253d54717802aabf5d

SHA1
134b10cceda96df4f3c2048ec7585c5b0f2f10e8

SHA256
ce3ca82b6ffd7e6321258b72f02af77c18dcf52d2746cf8a04848feed2f0b36c

SHA512
13d930521c3fba83bc432fd13f5f2f47c844769dd69664cee3a979c63fab12278015121b656d58833620fe5f3d764004bec9744e4ee8797d6818992b9343bb7e

Download Submit
C:\Windows\{748592F0-4147-4646-B5A1-DD2E4BC3654C}.exe

Filesize
204KB

MD5
2659ffc51abd00253d54717802aabf5d

SHA1
134b10cceda96df4f3c2048ec7585c5b0f2f10e8

SHA256
ce3ca82b6ffd7e6321258b72f02af77c18dcf52d2746cf8a04848feed2f0b36c

SHA512
13d930521c3fba83bc432fd13f5f2f47c844769dd69664cee3a979c63fab12278015121b656d58833620fe5f3d764004bec9744e4ee8797d6818992b9343bb7e

Download Submit
C:\Windows\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe

Filesize
204KB

MD5
ca9d3f4d1098badda7ce14c82a543399

SHA1
0d769a064d0cf81931ca6017e3ebe83842e3e7a8

SHA256
b0bdad5eff2e50a1c8e3768778ced7c5c60ecb0f9f26132e9ddcb386d3bb6c41

SHA512
1303bb2ff6f2ce1f6277c2ce0efd0a30bdbe10a9ceab3187e24099523acdb918efe87bfa04aba2969ced027229bcb4174bda43bdd252eea9150b59350e7be62b

Download Submit
C:\Windows\{8319E6DD-A840-44f9-B8B6-C5B8D524E23E}.exe

Filesize
204KB

MD5
ca9d3f4d1098badda7ce14c82a543399

SHA1
0d769a064d0cf81931ca6017e3ebe83842e3e7a8

SHA256
b0bdad5eff2e50a1c8e3768778ced7c5c60ecb0f9f26132e9ddcb386d3bb6c41

SHA512
1303bb2ff6f2ce1f6277c2ce0efd0a30bdbe10a9ceab3187e24099523acdb918efe87bfa04aba2969ced027229bcb4174bda43bdd252eea9150b59350e7be62b

Download Submit
C:\Windows\{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe

Filesize
204KB

MD5
34c7faa3a80a5d787225cfe2a31bbc5b

SHA1
0f261849df0adbaa3092b611323b4db4ba272799

SHA256
f31c62402bb7d45cdc73ccad1afebcdbb01b14e943c415548cce463963a41008

SHA512
dc1e080a1e49529cb981e7046914b584ceb2c48edeba75e369abfef718f3e7b0d683f72410b7b33725f867bbf8a6200aeb16dbe4781bf25580a5f076dece2cd4

Download Submit
C:\Windows\{9123C0C3-498E-4ff9-9444-1B1A773BE226}.exe

Filesize
204KB

MD5
34c7faa3a80a5d787225cfe2a31bbc5b

SHA1
0f261849df0adbaa3092b611323b4db4ba272799

SHA256
f31c62402bb7d45cdc73ccad1afebcdbb01b14e943c415548cce463963a41008

SHA512
dc1e080a1e49529cb981e7046914b584ceb2c48edeba75e369abfef718f3e7b0d683f72410b7b33725f867bbf8a6200aeb16dbe4781bf25580a5f076dece2cd4

Download Submit
C:\Windows\{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe

Filesize
204KB

MD5
c5efb97f7a3ec3cc62055c60af167ab0

SHA1
0a6d738e48a265d44140a760aab5f1389ff31ec9

SHA256
95ee8ee5d62649378d550f5718b528b7db7700a58c804bd49543f7d1a6a7db6c

SHA512
7117976da10af383360cdd271d0b2ac29317f8ac77ae9cd6154036579d2c4e6fd2433939a92d577579de3afaca68de8391a343547d90064f4a869bf1ee7cf614

Download Submit
C:\Windows\{C36400E0-9485-4159-8D6D-B3EA10270BA5}.exe

Filesize
204KB

MD5
c5efb97f7a3ec3cc62055c60af167ab0

SHA1
0a6d738e48a265d44140a760aab5f1389ff31ec9

SHA256
95ee8ee5d62649378d550f5718b528b7db7700a58c804bd49543f7d1a6a7db6c

SHA512
7117976da10af383360cdd271d0b2ac29317f8ac77ae9cd6154036579d2c4e6fd2433939a92d577579de3afaca68de8391a343547d90064f4a869bf1ee7cf614

Download Submit
C:\Windows\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe

Filesize
204KB

MD5
36104a97a1458bd86e0972d6b3fa6677

SHA1
0ddbd9d8b97e5b9eac68f5940383ca5c668b04e3

SHA256
98757ca04f02d2beec004e4e286ea919fd7ccf3d654c7ecb01ac2c0490787fa3

SHA512
726eee2d40b5bb6f5623765ea2e4212edcd5e089ce28e574b4a05edbda2c1bc4b9b2ec198cb1aea4cb04cd0ea2cf5f20ec11f45cbcc90b55961b1e5c70edd895

Download Submit
C:\Windows\{C6CF5BBA-49B5-48e0-BD54-6FA732CEF675}.exe

Filesize
204KB

MD5
36104a97a1458bd86e0972d6b3fa6677

SHA1
0ddbd9d8b97e5b9eac68f5940383ca5c668b04e3

SHA256
98757ca04f02d2beec004e4e286ea919fd7ccf3d654c7ecb01ac2c0490787fa3

SHA512
726eee2d40b5bb6f5623765ea2e4212edcd5e089ce28e574b4a05edbda2c1bc4b9b2ec198cb1aea4cb04cd0ea2cf5f20ec11f45cbcc90b55961b1e5c70edd895

Download Submit
C:\Windows\{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe

Filesize
204KB

MD5
d37f024fc2df11050bebdd071a543b62

SHA1
48cbc1c2f16d5b6a90ad78cd50499db2df24e5f8

SHA256
aeb6a7768ff07fc8e07cd806473dae89251a6ced47a5e576561d46b53cdbe3fe

SHA512
58451fdb68825c1c32dbbd246ecacd9979d66dedb6d4fa6b7132578258f31a004f3c54f8902e9a387ef626a41b6678d32c0c741f6f1d726e741bea39c71fc3ec

Download Submit
C:\Windows\{C7D9CFDD-C893-4fb3-8383-39301980F306}.exe

Filesize
204KB

MD5
d37f024fc2df11050bebdd071a543b62

SHA1
48cbc1c2f16d5b6a90ad78cd50499db2df24e5f8

SHA256
aeb6a7768ff07fc8e07cd806473dae89251a6ced47a5e576561d46b53cdbe3fe

SHA512
58451fdb68825c1c32dbbd246ecacd9979d66dedb6d4fa6b7132578258f31a004f3c54f8902e9a387ef626a41b6678d32c0c741f6f1d726e741bea39c71fc3ec

Download Submit
C:\Windows\{D96EC846-430B-4fb3-97F0-741633756206}.exe

Filesize
204KB

MD5
9eb2040ffd46ad884bf0ab20b975d447

SHA1
5f1e810bd14611259b5f8b22025cc90ecd5b7900

SHA256
2b1840950867a7b8c91f378b8d0da655aa4eb53b4337d2e352d7a9bacae59fb4

SHA512
140b3d212cd0e472edc275f90e787cd79149b8e40e0394875e55ad2f9bc8e9bb0a8d35a403c03b32efaf8f7c62363a961968fb9c28c9c256139caff32b343f42

Download Submit
C:\Windows\{D96EC846-430B-4fb3-97F0-741633756206}.exe

Filesize
204KB

MD5
9eb2040ffd46ad884bf0ab20b975d447

SHA1
5f1e810bd14611259b5f8b22025cc90ecd5b7900

SHA256
2b1840950867a7b8c91f378b8d0da655aa4eb53b4337d2e352d7a9bacae59fb4

SHA512
140b3d212cd0e472edc275f90e787cd79149b8e40e0394875e55ad2f9bc8e9bb0a8d35a403c03b32efaf8f7c62363a961968fb9c28c9c256139caff32b343f42

Download Submit
C:\Windows\{E0FFD836-B159-414b-9025-F286299E4FB9}.exe

Filesize
204KB

MD5
041187145d3418b70a95f0b6031662b9

SHA1
59cff2bd12aaad78d98355c211f3a0a7975f4c40

SHA256
db0d2132b1944f87312cdf50232b017e4517f887cd3a21639aec8df878f53452

SHA512
b0258511c067354de60410831a2730798037feddd3a1bb0e1f79527fe938cd459f229bbfc2cbe6fa1a1ca47dc2a62bb214baf3ab49a40e94cd059e9b647f38fc

Download Submit