a7ceba7f1aec52a4fecd4376b7a502f001a565eb392581e26a0a7a62688a153f

Analysis

max time kernel
151s
max time network
31s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 13:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2d2219f83bc1eexeexeexeex.exe
Size

408KB
MD5

c2d2219f83bc1e00574b4a02ac14031d
SHA1

9098e59789f2548f8a3fdd139318eeb8a1584d8d
SHA256

a7ceba7f1aec52a4fecd4376b7a502f001a565eb392581e26a0a7a62688a153f
SHA512

d9c02193b94cd8e3510c9c0f12e7670299a38af9465b541cc01608bb6b1794a744ae1c379f7793bc068bb47178d50b9bde8ffc048fcd32cc8cf6facc2dc30255
SSDEEP

3072:CEGh0o8l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGOldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9293614-66CC-4084-AA10-0EC8782683B9}\stubpath = "C:\\Windows\\{D9293614-66CC-4084-AA10-0EC8782683B9}.exe"	{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}\stubpath = "C:\\Windows\\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe"	{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}\stubpath = "C:\\Windows\\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe"	{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25B63311-4003-4516-8F52-BA5F3847BB80}\stubpath = "C:\\Windows\\{25B63311-4003-4516-8F52-BA5F3847BB80}.exe"	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}\stubpath = "C:\\Windows\\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe"	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1428ACA6-0387-4d49-BAC8-B651FC602A03}\stubpath = "C:\\Windows\\{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe"	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F176EB80-5212-463b-B8F8-2A9516ACE471}	{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9293614-66CC-4084-AA10-0EC8782683B9}	{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}	{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}\stubpath = "C:\\Windows\\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe"	{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}	c2d2219f83bc1eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F2D341-F774-4fb6-9B89-05365C3931AD}	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25B63311-4003-4516-8F52-BA5F3847BB80}	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1428ACA6-0387-4d49-BAC8-B651FC602A03}	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9576FAD3-8CEA-446e-AFD9-49664827494C}	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}	{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}	{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F176EB80-5212-463b-B8F8-2A9516ACE471}\stubpath = "C:\\Windows\\{F176EB80-5212-463b-B8F8-2A9516ACE471}.exe"	{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}\stubpath = "C:\\Windows\\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe"	c2d2219f83bc1eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}\stubpath = "C:\\Windows\\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe"	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F2D341-F774-4fb6-9B89-05365C3931AD}\stubpath = "C:\\Windows\\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe"	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}\stubpath = "C:\\Windows\\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe"	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9576FAD3-8CEA-446e-AFD9-49664827494C}\stubpath = "C:\\Windows\\{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe"	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe
2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe
2404	{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
2656	{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
2872	{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
2520	{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
2548	{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe
2560	{F176EB80-5212-463b-B8F8-2A9516ACE471}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
File created	C:\Windows\{D9293614-66CC-4084-AA10-0EC8782683B9}.exe	{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
File created	C:\Windows\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe	{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
File created	C:\Windows\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe	{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
File created	C:\Windows\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe	{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
File created	C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
File created	C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
File created	C:\Windows\{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
File created	C:\Windows\{F176EB80-5212-463b-B8F8-2A9516ACE471}.exe	{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe
File created	C:\Windows\{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe
File created	C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	c2d2219f83bc1eexeexeexeex.exe
File created	C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
File created	C:\Windows\{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1692	c2d2219f83bc1eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
Token: SeIncBasePriorityPrivilege	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
Token: SeIncBasePriorityPrivilege	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
Token: SeIncBasePriorityPrivilege	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
Token: SeIncBasePriorityPrivilege	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
Token: SeIncBasePriorityPrivilege	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe
Token: SeIncBasePriorityPrivilege	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe
Token: SeIncBasePriorityPrivilege	2404	{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
Token: SeIncBasePriorityPrivilege	2656	{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
Token: SeIncBasePriorityPrivilege	2872	{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
Token: SeIncBasePriorityPrivilege	2520	{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
Token: SeIncBasePriorityPrivilege	2548	{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2200	1692	c2d2219f83bc1eexeexeexeex.exe	28
PID 1692 wrote to memory of 2200	1692	c2d2219f83bc1eexeexeexeex.exe	28
PID 1692 wrote to memory of 2200	1692	c2d2219f83bc1eexeexeexeex.exe	28
PID 1692 wrote to memory of 2200	1692	c2d2219f83bc1eexeexeexeex.exe	28
PID 1692 wrote to memory of 3000	1692	c2d2219f83bc1eexeexeexeex.exe	29
PID 1692 wrote to memory of 3000	1692	c2d2219f83bc1eexeexeexeex.exe	29
PID 1692 wrote to memory of 3000	1692	c2d2219f83bc1eexeexeexeex.exe	29
PID 1692 wrote to memory of 3000	1692	c2d2219f83bc1eexeexeexeex.exe	29
PID 2200 wrote to memory of 3020	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2200 wrote to memory of 3020	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2200 wrote to memory of 3020	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2200 wrote to memory of 3020	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	31
PID 2200 wrote to memory of 1972	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2200 wrote to memory of 1972	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2200 wrote to memory of 1972	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 2200 wrote to memory of 1972	2200	{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe	30
PID 3020 wrote to memory of 1356	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 3020 wrote to memory of 1356	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 3020 wrote to memory of 1356	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 3020 wrote to memory of 1356	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	33
PID 3020 wrote to memory of 2180	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 3020 wrote to memory of 2180	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 3020 wrote to memory of 2180	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 3020 wrote to memory of 2180	3020	{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe	32
PID 1356 wrote to memory of 916	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 916	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 916	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 916	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	35
PID 1356 wrote to memory of 2464	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1356 wrote to memory of 2464	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1356 wrote to memory of 2464	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 1356 wrote to memory of 2464	1356	{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe	34
PID 916 wrote to memory of 2144	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 916 wrote to memory of 2144	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 916 wrote to memory of 2144	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 916 wrote to memory of 2144	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	36
PID 916 wrote to memory of 2248	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 916 wrote to memory of 2248	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 916 wrote to memory of 2248	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 916 wrote to memory of 2248	916	{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe	37
PID 2144 wrote to memory of 1000	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	39
PID 2144 wrote to memory of 1000	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	39
PID 2144 wrote to memory of 1000	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	39
PID 2144 wrote to memory of 1000	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	39
PID 2144 wrote to memory of 380	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	38
PID 2144 wrote to memory of 380	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	38
PID 2144 wrote to memory of 380	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	38
PID 2144 wrote to memory of 380	2144	{25B63311-4003-4516-8F52-BA5F3847BB80}.exe	38
PID 1000 wrote to memory of 2260	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	41
PID 1000 wrote to memory of 2260	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	41
PID 1000 wrote to memory of 2260	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	41
PID 1000 wrote to memory of 2260	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	41
PID 1000 wrote to memory of 852	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	40
PID 1000 wrote to memory of 852	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	40
PID 1000 wrote to memory of 852	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	40
PID 1000 wrote to memory of 852	1000	{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe	40
PID 2260 wrote to memory of 2404	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	43
PID 2260 wrote to memory of 2404	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	43
PID 2260 wrote to memory of 2404	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	43
PID 2260 wrote to memory of 2404	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	43
PID 2260 wrote to memory of 1008	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	42
PID 2260 wrote to memory of 1008	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	42
PID 2260 wrote to memory of 1008	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	42
PID 2260 wrote to memory of 1008	2260	{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe	42

C:\Users\Admin\AppData\Local\Temp\c2d2219f83bc1eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2219f83bc1eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
  C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CCCB~1.EXE > nul
    3⤵
    PID:1972
- - C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
    C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E82EA~1.EXE > nul
      4⤵
      PID:2180
  - - C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
      C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2F2D~1.EXE > nul
        5⤵
        
        PID:2464
    - - C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
        
        C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
        
        C:\Windows\{25B63311-4003-4516-8F52-BA5F3847BB80}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B63~1.EXE > nul
        7⤵
        
        PID:380
        
        C:\Windows\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe
        
        C:\Windows\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE6E~1.EXE > nul
        8⤵
        
        PID:852
        
        C:\Windows\{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe
        
        C:\Windows\{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1428A~1.EXE > nul
        9⤵
        
        PID:1008
        
        C:\Windows\{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
        
        C:\Windows\{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9576F~1.EXE > nul
        10⤵
        
        PID:2796
        
        C:\Windows\{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
        
        C:\Windows\{D9293614-66CC-4084-AA10-0EC8782683B9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9293~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
        
        C:\Windows\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C7B4~1.EXE > nul
        12⤵
        
        PID:2952
        
        C:\Windows\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
        
        C:\Windows\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe
        
        C:\Windows\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{763C1~1.EXE > nul
        14⤵
        
        PID:2516
        
        C:\Windows\{F176EB80-5212-463b-B8F8-2A9516ACE471}.exe
        
        C:\Windows\{F176EB80-5212-463b-B8F8-2A9516ACE471}.exe
        14⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{270A6~1.EXE > nul
        13⤵
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8982C~1.EXE > nul
        6⤵
        
        PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C2D221~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe

Filesize
408KB

MD5
f0b37af5b464f38a33adde2f76adf3df

SHA1
a0d1120647917207c5cacb379b9414373168a35d

SHA256
ac5b04146374e044478ec15ddb98547a16c6435eb29dd45fe81cb91d49796d57

SHA512
ed4e6c3cbd4e39a2c5e62b210b5d947e7d943addb2a6f988bf409258b5930ec2e847a320e7a8acd4b8a2154e31995e8e5ce19cd5056d9a7bb7d8be9341935cbd

Download Submit
C:\Windows\{1428ACA6-0387-4d49-BAC8-B651FC602A03}.exe

Filesize
408KB

MD5
f0b37af5b464f38a33adde2f76adf3df

SHA1
a0d1120647917207c5cacb379b9414373168a35d

SHA256
ac5b04146374e044478ec15ddb98547a16c6435eb29dd45fe81cb91d49796d57

SHA512
ed4e6c3cbd4e39a2c5e62b210b5d947e7d943addb2a6f988bf409258b5930ec2e847a320e7a8acd4b8a2154e31995e8e5ce19cd5056d9a7bb7d8be9341935cbd

Download Submit
C:\Windows\{25B63311-4003-4516-8F52-BA5F3847BB80}.exe

Filesize
408KB

MD5
92f1d36476fed11487ff996fdff3500f

SHA1
219f90043c311c9031cb1612d676563bf7fe163b

SHA256
35492caae6126761240db937baa0ba7d8300d603f449bb78e519f742b4268f5c

SHA512
5df07cac529d189efc8143f7de67e74a5a75f3287c5a47ba7ef14bcbf592f0b0662b1511066d7dde3667165cccb128466fe5140f2154ed6fab9638ff699142e2

Download Submit
C:\Windows\{25B63311-4003-4516-8F52-BA5F3847BB80}.exe

Filesize
408KB

MD5
92f1d36476fed11487ff996fdff3500f

SHA1
219f90043c311c9031cb1612d676563bf7fe163b

SHA256
35492caae6126761240db937baa0ba7d8300d603f449bb78e519f742b4268f5c

SHA512
5df07cac529d189efc8143f7de67e74a5a75f3287c5a47ba7ef14bcbf592f0b0662b1511066d7dde3667165cccb128466fe5140f2154ed6fab9638ff699142e2

Download Submit
C:\Windows\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe

Filesize
408KB

MD5
f4695e895b1bd6111b8d0d2cba75acba

SHA1
c472c82d5bae7f246b8d01065a2323cd8a379008

SHA256
b09a94b683ff78c52fa7bbe879e8fe0b17f8590031c1bbcda1ae8e6149bc0759

SHA512
142689dfa8ca8076b3381a12a04275fb6ba2fc24ff17cc7915637d70b0d88490ccc1cb46abdfe1c7fd1a7b1cdbc716fa45ed0addde5d6c4a905790de4687a841

Download Submit
C:\Windows\{270A6DCE-3FF5-4723-A62F-3E5216A8A138}.exe

Filesize
408KB

MD5
f4695e895b1bd6111b8d0d2cba75acba

SHA1
c472c82d5bae7f246b8d01065a2323cd8a379008

SHA256
b09a94b683ff78c52fa7bbe879e8fe0b17f8590031c1bbcda1ae8e6149bc0759

SHA512
142689dfa8ca8076b3381a12a04275fb6ba2fc24ff17cc7915637d70b0d88490ccc1cb46abdfe1c7fd1a7b1cdbc716fa45ed0addde5d6c4a905790de4687a841

Download Submit
C:\Windows\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe

Filesize
408KB

MD5
21ef1c441c5f0789964313951be7721a

SHA1
d11bc0bc9111283ec29dcf437093261172f68df4

SHA256
a41a4d54616c4d33451c2606d4da6420da31d9c7e12942dee7faa54c31e97c57

SHA512
890b2c99dadb515fe0367878a02b9b905c74a4c1935a3e6c151f9333898b502d477729a08b8a4d70bb5023445b6e3c9ec491232f44e1fe4eeba942aa4181b6f7

Download Submit
C:\Windows\{3C7B4398-FF9F-4149-A1A5-836B4EB66E6B}.exe

Filesize
408KB

MD5
21ef1c441c5f0789964313951be7721a

SHA1
d11bc0bc9111283ec29dcf437093261172f68df4

SHA256
a41a4d54616c4d33451c2606d4da6420da31d9c7e12942dee7faa54c31e97c57

SHA512
890b2c99dadb515fe0367878a02b9b905c74a4c1935a3e6c151f9333898b502d477729a08b8a4d70bb5023445b6e3c9ec491232f44e1fe4eeba942aa4181b6f7

Download Submit
C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe

Filesize
408KB

MD5
c08453a22e885ce591fb20194e25b9ce

SHA1
a14feb57154ae4a9e25b6470aba35bddc7c3d5e2

SHA256
236f0de444335827a30ceae7f7c486be53e484815070ebfb21ee1b9e05fc1d40

SHA512
ed51d1052a9a42bb4ba183b5e0074d2ee9708178fceddb35caab80d8e28f0bd1282f7eade941c1c48f54d55e9c321f41aeeaf3d89d9c0018d1c4b1b2a4032002

Download Submit
C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe

Filesize
408KB

MD5
c08453a22e885ce591fb20194e25b9ce

SHA1
a14feb57154ae4a9e25b6470aba35bddc7c3d5e2

SHA256
236f0de444335827a30ceae7f7c486be53e484815070ebfb21ee1b9e05fc1d40

SHA512
ed51d1052a9a42bb4ba183b5e0074d2ee9708178fceddb35caab80d8e28f0bd1282f7eade941c1c48f54d55e9c321f41aeeaf3d89d9c0018d1c4b1b2a4032002

Download Submit
C:\Windows\{4CCCB6A2-23EE-45a1-80B6-8FC76E0DF2A3}.exe

Filesize
408KB

MD5
c08453a22e885ce591fb20194e25b9ce

SHA1
a14feb57154ae4a9e25b6470aba35bddc7c3d5e2

SHA256
236f0de444335827a30ceae7f7c486be53e484815070ebfb21ee1b9e05fc1d40

SHA512
ed51d1052a9a42bb4ba183b5e0074d2ee9708178fceddb35caab80d8e28f0bd1282f7eade941c1c48f54d55e9c321f41aeeaf3d89d9c0018d1c4b1b2a4032002

Download Submit
C:\Windows\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe

Filesize
408KB

MD5
3e9ef532f74c5ff05f845da69d00662b

SHA1
838957e38c183863b86933ce40696b2cd9929e2a

SHA256
b55ae9f75fb99bc11952224b2699333b77a78b87b04c4e141804757fac2589d4

SHA512
14473325e3f4b14e1901cd5a2b18db90dd09ec98a5b848e72d9abba4fe45a81774fd6bc52873ffc60a8e5033ae94e69219744fd678e3eb2d75998ddb4add426d

Download Submit
C:\Windows\{763C1AC6-59DD-4b6d-B414-6306ABFE6E09}.exe

Filesize
408KB

MD5
3e9ef532f74c5ff05f845da69d00662b

SHA1
838957e38c183863b86933ce40696b2cd9929e2a

SHA256
b55ae9f75fb99bc11952224b2699333b77a78b87b04c4e141804757fac2589d4

SHA512
14473325e3f4b14e1901cd5a2b18db90dd09ec98a5b848e72d9abba4fe45a81774fd6bc52873ffc60a8e5033ae94e69219744fd678e3eb2d75998ddb4add426d

Download Submit
C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe

Filesize
408KB

MD5
5aba627f3b76e829e852e4bf8242b9a3

SHA1
3cf254375b59d9119323cdf4fdbba614e9193039

SHA256
3f183cfd237b5777654935767bdffd30c12c9cda6bc491531719f27ffeede1f2

SHA512
0faa13a03787670652a6c1ede8dac461a48d10d486f8cf702a6764835ac503138899b92f4a879bdc0ff0f921c403a95d620c74ec7fa7133966ec8a464f6dd60b

Download Submit
C:\Windows\{8982CD1E-DAB1-4c78-8C05-B8429A67E9DD}.exe

Filesize
408KB

MD5
5aba627f3b76e829e852e4bf8242b9a3

SHA1
3cf254375b59d9119323cdf4fdbba614e9193039

SHA256
3f183cfd237b5777654935767bdffd30c12c9cda6bc491531719f27ffeede1f2

SHA512
0faa13a03787670652a6c1ede8dac461a48d10d486f8cf702a6764835ac503138899b92f4a879bdc0ff0f921c403a95d620c74ec7fa7133966ec8a464f6dd60b

Download Submit
C:\Windows\{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe

Filesize
408KB

MD5
c1b6d9bdeb6a935ce80f55bf37e13cb4

SHA1
8393960eee948ffa80ff389db6a4b2a12a942e99

SHA256
8cfd6edf0bae0106b4a58fa1ad6e265b6a94141736b6d71cb08f6d1244c97281

SHA512
fad4436c1c7d0310517cbe9ed5bf03da5ccfa40068605f595a22ac5d3a303ffa35a484560d3a323e7b50542174345812e589cedf88df053691879a0891ba0433

Download Submit
C:\Windows\{9576FAD3-8CEA-446e-AFD9-49664827494C}.exe

Filesize
408KB

MD5
c1b6d9bdeb6a935ce80f55bf37e13cb4

SHA1
8393960eee948ffa80ff389db6a4b2a12a942e99

SHA256
8cfd6edf0bae0106b4a58fa1ad6e265b6a94141736b6d71cb08f6d1244c97281

SHA512
fad4436c1c7d0310517cbe9ed5bf03da5ccfa40068605f595a22ac5d3a303ffa35a484560d3a323e7b50542174345812e589cedf88df053691879a0891ba0433

Download Submit
C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe

Filesize
408KB

MD5
97b8c5871055abc6fe61f1cad77af356

SHA1
e7f52470dd00dabf3d055f2ec56a8cfb6b995334

SHA256
9c3f8fc6f0733be344269db889e1896dad57b2c6f7148ea64b50cb2648e1a4eb

SHA512
5bc4039a7fa59835f151a2c40f4d9204620cd266225ca1e7e045057ec9a023941ac4e15703c5dfadc55e3347bfcbae368249af3ca063f4a263dbd528db66ee74

Download Submit
C:\Windows\{B2F2D341-F774-4fb6-9B89-05365C3931AD}.exe

Filesize
408KB

MD5
97b8c5871055abc6fe61f1cad77af356

SHA1
e7f52470dd00dabf3d055f2ec56a8cfb6b995334

SHA256
9c3f8fc6f0733be344269db889e1896dad57b2c6f7148ea64b50cb2648e1a4eb

SHA512
5bc4039a7fa59835f151a2c40f4d9204620cd266225ca1e7e045057ec9a023941ac4e15703c5dfadc55e3347bfcbae368249af3ca063f4a263dbd528db66ee74

Download Submit
C:\Windows\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe

Filesize
408KB

MD5
42a0fa7a1558ca3146fb8b3ece4e344e

SHA1
f462845a363b9cc0faf3711e0c823e3a0f485d58

SHA256
1320347f506d52aa0f7b0913018fb3b7e5d67d0383266dba769566a08632e49e

SHA512
282cfc7a61f59b4e448f3a7b16c97a596bd781b6fb96b4ce0966572450165c354f162b2623a6f254fe6edd0dab31132974cc8f3c2233d6845df500c2415939d1

Download Submit
C:\Windows\{CEE6E001-2ED6-4f8a-92E9-35958152E9AF}.exe

Filesize
408KB

MD5
42a0fa7a1558ca3146fb8b3ece4e344e

SHA1
f462845a363b9cc0faf3711e0c823e3a0f485d58

SHA256
1320347f506d52aa0f7b0913018fb3b7e5d67d0383266dba769566a08632e49e

SHA512
282cfc7a61f59b4e448f3a7b16c97a596bd781b6fb96b4ce0966572450165c354f162b2623a6f254fe6edd0dab31132974cc8f3c2233d6845df500c2415939d1

Download Submit
C:\Windows\{D9293614-66CC-4084-AA10-0EC8782683B9}.exe

Filesize
408KB

MD5
44429cd549e1eec14b802c8768fcf03d

SHA1
a818d33b9cd9ec34dee3bb8566d5bdb910fc6098

SHA256
75f491a005baebfcaa20cdc56622ac403f90afa6c5db7b964b3eedecc95cc701

SHA512
1f8c2e02ed54b553805983d30b9e644c1a93dae83508b0f6864e62197df31f3cdf12648e68ec65e122262be69828d2619d2c9cb82b0c386d2f30f43de026d449

Download Submit
C:\Windows\{D9293614-66CC-4084-AA10-0EC8782683B9}.exe

Filesize
408KB

MD5
44429cd549e1eec14b802c8768fcf03d

SHA1
a818d33b9cd9ec34dee3bb8566d5bdb910fc6098

SHA256
75f491a005baebfcaa20cdc56622ac403f90afa6c5db7b964b3eedecc95cc701

SHA512
1f8c2e02ed54b553805983d30b9e644c1a93dae83508b0f6864e62197df31f3cdf12648e68ec65e122262be69828d2619d2c9cb82b0c386d2f30f43de026d449

Download Submit
C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe

Filesize
408KB

MD5
16afc587c4e8f118939bfb4c9d65634b

SHA1
0dc867c98eea9136e6a25071aaaef3b39cd8b302

SHA256
84f97efe6f0122e726812d7640da3fb06fa2cb90f22f7d62e6d3e8bf95552a70

SHA512
3d9d5c2483345318e8cda4727d163b5e77d244167ba0af51df8c6b5da690c4de563bcceac85dc65b8672ac382d5fe8b03d515c4a427ad406f260220e7c61664b

Download Submit
C:\Windows\{E82EA66C-D527-4fc6-9E14-98A61FA0C0C5}.exe

Filesize
408KB

MD5
16afc587c4e8f118939bfb4c9d65634b

SHA1
0dc867c98eea9136e6a25071aaaef3b39cd8b302

SHA256
84f97efe6f0122e726812d7640da3fb06fa2cb90f22f7d62e6d3e8bf95552a70

SHA512
3d9d5c2483345318e8cda4727d163b5e77d244167ba0af51df8c6b5da690c4de563bcceac85dc65b8672ac382d5fe8b03d515c4a427ad406f260220e7c61664b

Download Submit
C:\Windows\{F176EB80-5212-463b-B8F8-2A9516ACE471}.exe

Filesize
408KB

MD5
1f531c91623d7df73f5afe3683b27801

SHA1
a53e57b4a19ff210e49c3c43762613df06713d91

SHA256
46c9edb949ed47c95d66065e4e518107af19f3c26fd70077160cb56cf24ef5c7

SHA512
61c0395eabc4f55dd8c91349ee1298c20788ae47d2a90b4072cac4c6ab8af395653cbb894520d60e6fa0f63ce8612fdc52e64380be09ab3345f8ea0bf9b68178

Download Submit