ee5ac6f48ec42be7a828e8ecedebb442d93e4d07d781572fa31aff4237abb4aa

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1681256b1cd8bexeexeexeex.exe
Size

372KB
MD5

d1681256b1cd8bd1e221acadf8b696d3
SHA1

5c26717c69408c38bb5718bd0791529ac316f2af
SHA256

ee5ac6f48ec42be7a828e8ecedebb442d93e4d07d781572fa31aff4237abb4aa
SHA512

1ac50bfa0e6be8a8994b2079d9611376f7eb098615f662d5857698ca431cd7b50424ff9fa4720290f4a36d40cb1f1a2d0111e5866136a0034acb24b8d05d9b24
SSDEEP

3072:CEGh0obmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGgl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4707B95E-67C9-499b-8B92-F1113A15CFCE}	{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C026E501-87B3-4d5d-9437-7555894A28E1}	{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}\stubpath = "C:\\Windows\\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe"	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61257647-B56F-4bd1-9182-9FA0F11D2128}\stubpath = "C:\\Windows\\{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe"	{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20DD5DF8-D30D-4149-90DD-82F558754062}	{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C2582B-25B8-481f-BF98-814655E8840A}\stubpath = "C:\\Windows\\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe"	d1681256b1cd8bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92FA17C-4BF9-4c90-9138-331BF79B8125}	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61257647-B56F-4bd1-9182-9FA0F11D2128}	{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4707B95E-67C9-499b-8B92-F1113A15CFCE}\stubpath = "C:\\Windows\\{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe"	{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C026E501-87B3-4d5d-9437-7555894A28E1}\stubpath = "C:\\Windows\\{C026E501-87B3-4d5d-9437-7555894A28E1}.exe"	{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92FA17C-4BF9-4c90-9138-331BF79B8125}\stubpath = "C:\\Windows\\{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe"	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}\stubpath = "C:\\Windows\\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe"	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68BB7FDC-E569-4e3d-8EC8-449872A00271}	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68BB7FDC-E569-4e3d-8EC8-449872A00271}\stubpath = "C:\\Windows\\{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe"	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}\stubpath = "C:\\Windows\\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe"	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}	{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}\stubpath = "C:\\Windows\\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe"	{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C2582B-25B8-481f-BF98-814655E8840A}	d1681256b1cd8bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}\stubpath = "C:\\Windows\\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe"	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}\stubpath = "C:\\Windows\\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe"	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20DD5DF8-D30D-4149-90DD-82F558754062}\stubpath = "C:\\Windows\\{20DD5DF8-D30D-4149-90DD-82F558754062}.exe"	{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
1412	{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
2188	{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
2752	{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe
2608	{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
2768	{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe
2612	{20DD5DF8-D30D-4149-90DD-82F558754062}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe	{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
File created	C:\Windows\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe	{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
File created	C:\Windows\{20DD5DF8-D30D-4149-90DD-82F558754062}.exe	{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe
File created	C:\Windows\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	d1681256b1cd8bexeexeexeex.exe
File created	C:\Windows\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
File created	C:\Windows\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
File created	C:\Windows\{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
File created	C:\Windows\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
File created	C:\Windows\{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
File created	C:\Windows\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
File created	C:\Windows\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
File created	C:\Windows\{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe	{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
File created	C:\Windows\{C026E501-87B3-4d5d-9437-7555894A28E1}.exe	{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	836	d1681256b1cd8bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
Token: SeIncBasePriorityPrivilege	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
Token: SeIncBasePriorityPrivilege	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
Token: SeIncBasePriorityPrivilege	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
Token: SeIncBasePriorityPrivilege	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
Token: SeIncBasePriorityPrivilege	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
Token: SeIncBasePriorityPrivilege	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
Token: SeIncBasePriorityPrivilege	1412	{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
Token: SeIncBasePriorityPrivilege	2188	{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
Token: SeIncBasePriorityPrivilege	2752	{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe
Token: SeIncBasePriorityPrivilege	2608	{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
Token: SeIncBasePriorityPrivilege	2768	{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2408	836	d1681256b1cd8bexeexeexeex.exe	29
PID 836 wrote to memory of 2408	836	d1681256b1cd8bexeexeexeex.exe	29
PID 836 wrote to memory of 2408	836	d1681256b1cd8bexeexeexeex.exe	29
PID 836 wrote to memory of 2408	836	d1681256b1cd8bexeexeexeex.exe	29
PID 836 wrote to memory of 2312	836	d1681256b1cd8bexeexeexeex.exe	30
PID 836 wrote to memory of 2312	836	d1681256b1cd8bexeexeexeex.exe	30
PID 836 wrote to memory of 2312	836	d1681256b1cd8bexeexeexeex.exe	30
PID 836 wrote to memory of 2312	836	d1681256b1cd8bexeexeexeex.exe	30
PID 2408 wrote to memory of 2180	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	31
PID 2408 wrote to memory of 2180	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	31
PID 2408 wrote to memory of 2180	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	31
PID 2408 wrote to memory of 2180	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	31
PID 2408 wrote to memory of 2192	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	32
PID 2408 wrote to memory of 2192	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	32
PID 2408 wrote to memory of 2192	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	32
PID 2408 wrote to memory of 2192	2408	{E4C2582B-25B8-481f-BF98-814655E8840A}.exe	32
PID 2180 wrote to memory of 2124	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	34
PID 2180 wrote to memory of 2124	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	34
PID 2180 wrote to memory of 2124	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	34
PID 2180 wrote to memory of 2124	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	34
PID 2180 wrote to memory of 340	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	33
PID 2180 wrote to memory of 340	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	33
PID 2180 wrote to memory of 340	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	33
PID 2180 wrote to memory of 340	2180	{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe	33
PID 2124 wrote to memory of 1652	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	35
PID 2124 wrote to memory of 1652	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	35
PID 2124 wrote to memory of 1652	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	35
PID 2124 wrote to memory of 1652	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	35
PID 2124 wrote to memory of 2128	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	36
PID 2124 wrote to memory of 2128	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	36
PID 2124 wrote to memory of 2128	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	36
PID 2124 wrote to memory of 2128	2124	{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe	36
PID 1652 wrote to memory of 2004	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	38
PID 1652 wrote to memory of 2004	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	38
PID 1652 wrote to memory of 2004	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	38
PID 1652 wrote to memory of 2004	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	38
PID 1652 wrote to memory of 2840	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	37
PID 1652 wrote to memory of 2840	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	37
PID 1652 wrote to memory of 2840	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	37
PID 1652 wrote to memory of 2840	1652	{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe	37
PID 2004 wrote to memory of 2440	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	39
PID 2004 wrote to memory of 2440	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	39
PID 2004 wrote to memory of 2440	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	39
PID 2004 wrote to memory of 2440	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	39
PID 2004 wrote to memory of 3000	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	40
PID 2004 wrote to memory of 3000	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	40
PID 2004 wrote to memory of 3000	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	40
PID 2004 wrote to memory of 3000	2004	{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe	40
PID 2440 wrote to memory of 3028	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	42
PID 2440 wrote to memory of 3028	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	42
PID 2440 wrote to memory of 3028	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	42
PID 2440 wrote to memory of 3028	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	42
PID 2440 wrote to memory of 2076	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	41
PID 2440 wrote to memory of 2076	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	41
PID 2440 wrote to memory of 2076	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	41
PID 2440 wrote to memory of 2076	2440	{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe	41
PID 3028 wrote to memory of 1412	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	43
PID 3028 wrote to memory of 1412	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	43
PID 3028 wrote to memory of 1412	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	43
PID 3028 wrote to memory of 1412	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	43
PID 3028 wrote to memory of 2276	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	44
PID 3028 wrote to memory of 2276	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	44
PID 3028 wrote to memory of 2276	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	44
PID 3028 wrote to memory of 2276	3028	{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe	44

C:\Users\Admin\AppData\Local\Temp\d1681256b1cd8bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d1681256b1cd8bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
  C:\Windows\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
    C:\Windows\{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E92FA~1.EXE > nul
      4⤵
      PID:340
  - - C:\Windows\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
      C:\Windows\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
        
        C:\Windows\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E43E~1.EXE > nul
        6⤵
        
        PID:2840
      - C:\Windows\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
        
        C:\Windows\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
        
        C:\Windows\{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68BB7~1.EXE > nul
        8⤵
        
        PID:2076
        
        C:\Windows\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
        
        C:\Windows\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
        
        C:\Windows\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EA2D~1.EXE > nul
        10⤵
        
        PID:2604
        
        C:\Windows\{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
        
        C:\Windows\{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61257~1.EXE > nul
        11⤵
        
        PID:2628
        
        C:\Windows\{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe
        
        C:\Windows\{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
        
        C:\Windows\{C026E501-87B3-4d5d-9437-7555894A28E1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe
        
        C:\Windows\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F36D~1.EXE > nul
        14⤵
        
        PID:2000
        
        C:\Windows\{20DD5DF8-D30D-4149-90DD-82F558754062}.exe
        
        C:\Windows\{20DD5DF8-D30D-4149-90DD-82F558754062}.exe
        14⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C026E~1.EXE > nul
        13⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4707B~1.EXE > nul
        12⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4642A~1.EXE > nul
        9⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA57~1.EXE > nul
        7⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DDF~1.EXE > nul
        5⤵
        
        PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C25~1.EXE > nul
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D16812~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20DD5DF8-D30D-4149-90DD-82F558754062}.exe

Filesize
372KB

MD5
51f974a79f8abf1e505c0e627597bce4

SHA1
be17fd808003df628470f763a15eb0e6d42fa65a

SHA256
4ddbed030108f09f967f5000925eb0d4d3cd51005bb36ea820db7aa2db0edff4

SHA512
2acabd7159364332e87029f42f9086ab72dc3c4aa52003fee4374594bb757ff0ef9efc7059eda52c5737316ac4c674ef2e693a9850f17ecbb36cac4bf210d83c

Download Submit
C:\Windows\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe

Filesize
372KB

MD5
adac2cc2a5f60974f5604dc419501708

SHA1
543c5d168e128fda0244a4667723932a51672c6b

SHA256
5dfc5f8494a6aa0afabfacdecd605624efa0ccb430493b39075edd48606565ad

SHA512
9d01bba6901184ea58848023d2efb83be79af2f9056da4b13c4b3e3543894e1a3c220f707f504a178a79e07ccc759cf7b4c977c9b01538dd21085daaeda0b66a

Download Submit
C:\Windows\{2CA57E40-6805-4a1c-A4CB-48B48EE56DAA}.exe

Filesize
372KB

MD5
adac2cc2a5f60974f5604dc419501708

SHA1
543c5d168e128fda0244a4667723932a51672c6b

SHA256
5dfc5f8494a6aa0afabfacdecd605624efa0ccb430493b39075edd48606565ad

SHA512
9d01bba6901184ea58848023d2efb83be79af2f9056da4b13c4b3e3543894e1a3c220f707f504a178a79e07ccc759cf7b4c977c9b01538dd21085daaeda0b66a

Download Submit
C:\Windows\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe

Filesize
372KB

MD5
d63b66f9e33bf60a5306816414115e88

SHA1
9baeb0f3b9fc6143eaf42be4dee05289fcd7a423

SHA256
6d6f15f6490bc96c2d5960c712397311846912abecd6261356a6094da3a4038c

SHA512
3f5b6fb13ac2dce4c8693f4425075ef0fd711aea6755608d7565f0c65b386403954014bbce08c5d6c3ebb086bc3a177f0f5c9a33bcf0f1df01b284372a62ce79

Download Submit
C:\Windows\{2F36DD23-5EBE-4ca6-BE08-6F5C8025EEB8}.exe

Filesize
372KB

MD5
d63b66f9e33bf60a5306816414115e88

SHA1
9baeb0f3b9fc6143eaf42be4dee05289fcd7a423

SHA256
6d6f15f6490bc96c2d5960c712397311846912abecd6261356a6094da3a4038c

SHA512
3f5b6fb13ac2dce4c8693f4425075ef0fd711aea6755608d7565f0c65b386403954014bbce08c5d6c3ebb086bc3a177f0f5c9a33bcf0f1df01b284372a62ce79

Download Submit
C:\Windows\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe

Filesize
372KB

MD5
30f7d79df35081d69c54ab70ac850837

SHA1
2098437eb95239d6a7d3303413d512af57e206b6

SHA256
4228b84e2f4d4e820fb6e8a4fd0a8409fdd229c4110ee54b27fb463f6c8847c1

SHA512
d0732ad80a59fdbe59a67d136eedc9da8eec9052687c1b62873b273fc04f52ba55f04cb51e066ad5edfcf0028bb8fbd047bf5586113b75393b732814831a1c13

Download Submit
C:\Windows\{4642AB0B-E8B3-42ac-8CD1-74D78CE1DF69}.exe

Filesize
372KB

MD5
30f7d79df35081d69c54ab70ac850837

SHA1
2098437eb95239d6a7d3303413d512af57e206b6

SHA256
4228b84e2f4d4e820fb6e8a4fd0a8409fdd229c4110ee54b27fb463f6c8847c1

SHA512
d0732ad80a59fdbe59a67d136eedc9da8eec9052687c1b62873b273fc04f52ba55f04cb51e066ad5edfcf0028bb8fbd047bf5586113b75393b732814831a1c13

Download Submit
C:\Windows\{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe

Filesize
372KB

MD5
3395a8d113490735bf1146aa3b172384

SHA1
4fd81a3a102ac1c742e0d09e2d3822daee879d8d

SHA256
4af1a6f39b31656be1853441231ad2f5559360beff1a6796c1d2c6179d5253cc

SHA512
ef107223a7a0742a1d62d766fa1136225173d56d50893e61b80d77f2cca1c067d0e76e5cd2fee9c61afa43aad4bc18994b7d8d0946f005fb6f349370c848e1ef

Download Submit
C:\Windows\{4707B95E-67C9-499b-8B92-F1113A15CFCE}.exe

Filesize
372KB

MD5
3395a8d113490735bf1146aa3b172384

SHA1
4fd81a3a102ac1c742e0d09e2d3822daee879d8d

SHA256
4af1a6f39b31656be1853441231ad2f5559360beff1a6796c1d2c6179d5253cc

SHA512
ef107223a7a0742a1d62d766fa1136225173d56d50893e61b80d77f2cca1c067d0e76e5cd2fee9c61afa43aad4bc18994b7d8d0946f005fb6f349370c848e1ef

Download Submit
C:\Windows\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe

Filesize
372KB

MD5
9be5df508bb60b063f555b0cb8420b47

SHA1
cfb178861fa46399f2104b7730568efcdf5ac24d

SHA256
a7f00f254874316f2c5523e7e5aa1fbe098af703304c194745f3f1247cd0e5a0

SHA512
6fbd6f0318ba11e08275fb8a2069a3785ddccc7c51223cec92dce3aa518445ba21f814787b2a6f1dc3282ba7c5011634590aab8772daf3839272652d723ac979

Download Submit
C:\Windows\{4E43E9D8-C7E0-4402-BA56-928C1B4B0A6C}.exe

Filesize
372KB

MD5
9be5df508bb60b063f555b0cb8420b47

SHA1
cfb178861fa46399f2104b7730568efcdf5ac24d

SHA256
a7f00f254874316f2c5523e7e5aa1fbe098af703304c194745f3f1247cd0e5a0

SHA512
6fbd6f0318ba11e08275fb8a2069a3785ddccc7c51223cec92dce3aa518445ba21f814787b2a6f1dc3282ba7c5011634590aab8772daf3839272652d723ac979

Download Submit
C:\Windows\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe

Filesize
372KB

MD5
bd6fe5cde52f7a64cb61b28b5791d3de

SHA1
c82140d1f93dc016d184059b277cb66cbd9e92f3

SHA256
5eee29858387b192627a32b3b7d228baa651fea84bda7a206d16865e12a1a57b

SHA512
b3d832330c1879ce0d9753af735ca2c1ec1ec66fd5fcb8742ef9b4764a589a899d167e3970b4de41d482984340987554d8735155d1c8964e01b91957c7975168

Download Submit
C:\Windows\{5EA2DD45-6FE9-437d-A9F4-CD6FFA919E63}.exe

Filesize
372KB

MD5
bd6fe5cde52f7a64cb61b28b5791d3de

SHA1
c82140d1f93dc016d184059b277cb66cbd9e92f3

SHA256
5eee29858387b192627a32b3b7d228baa651fea84bda7a206d16865e12a1a57b

SHA512
b3d832330c1879ce0d9753af735ca2c1ec1ec66fd5fcb8742ef9b4764a589a899d167e3970b4de41d482984340987554d8735155d1c8964e01b91957c7975168

Download Submit
C:\Windows\{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe

Filesize
372KB

MD5
2a97f72b7903abd6116b9f7a2bb6760f

SHA1
0eb36f836e5aad6cbb98397e88a9a569203c1061

SHA256
1477c278779760987cdd6d20e9470d88b01570ade31f1cdf7825918cd4e449c0

SHA512
d758be5cc1f9aa22922301f92f1181f09c6efdfa7fb6da90f1cc57dbd96e367da7104c804edce851f91d057897e54e9cd02a873a27e52e3ee4d115a5f0d6b547

Download Submit
C:\Windows\{61257647-B56F-4bd1-9182-9FA0F11D2128}.exe

Filesize
372KB

MD5
2a97f72b7903abd6116b9f7a2bb6760f

SHA1
0eb36f836e5aad6cbb98397e88a9a569203c1061

SHA256
1477c278779760987cdd6d20e9470d88b01570ade31f1cdf7825918cd4e449c0

SHA512
d758be5cc1f9aa22922301f92f1181f09c6efdfa7fb6da90f1cc57dbd96e367da7104c804edce851f91d057897e54e9cd02a873a27e52e3ee4d115a5f0d6b547

Download Submit
C:\Windows\{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe

Filesize
372KB

MD5
6035561970026074f1a36d78fd4e7e2e

SHA1
16115825a2592c14d4260f60108d4af6f49fb435

SHA256
94d1cb16d3dc4dcda16e3accefd7856dfa42ea4bd1d4b60409d76f9ba3eaeae0

SHA512
e4ed35207ebe9a3c8564df6433deb5a883a69c213f085b7ba3f33bc12984a03e261b1071b3b26a87afa23cfe0d9e405ddf3d4e378854af2d82ed2986b004388f

Download Submit
C:\Windows\{68BB7FDC-E569-4e3d-8EC8-449872A00271}.exe

Filesize
372KB

MD5
6035561970026074f1a36d78fd4e7e2e

SHA1
16115825a2592c14d4260f60108d4af6f49fb435

SHA256
94d1cb16d3dc4dcda16e3accefd7856dfa42ea4bd1d4b60409d76f9ba3eaeae0

SHA512
e4ed35207ebe9a3c8564df6433deb5a883a69c213f085b7ba3f33bc12984a03e261b1071b3b26a87afa23cfe0d9e405ddf3d4e378854af2d82ed2986b004388f

Download Submit
C:\Windows\{C026E501-87B3-4d5d-9437-7555894A28E1}.exe

Filesize
372KB

MD5
24998a45cf8529db21226b0ff9103f07

SHA1
94b1e88c204d190bf362398b458f6afbb0a65351

SHA256
3f8ab4245f6167171e90af080074f82ff3d4f2f11cb5b6c2d8bdcae21ddbf067

SHA512
e665cdb0f6b70483cecf0a1367e1f26ad4483395e77b4ab0d5a10b7dceeecb71161e367026805a3a2096152158da1766784950051b6d1a660107ecbc5e1fa3eb

Download Submit
C:\Windows\{C026E501-87B3-4d5d-9437-7555894A28E1}.exe

Filesize
372KB

MD5
24998a45cf8529db21226b0ff9103f07

SHA1
94b1e88c204d190bf362398b458f6afbb0a65351

SHA256
3f8ab4245f6167171e90af080074f82ff3d4f2f11cb5b6c2d8bdcae21ddbf067

SHA512
e665cdb0f6b70483cecf0a1367e1f26ad4483395e77b4ab0d5a10b7dceeecb71161e367026805a3a2096152158da1766784950051b6d1a660107ecbc5e1fa3eb

Download Submit
C:\Windows\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe

Filesize
372KB

MD5
b5bc14a8f70f3d954621d9be86328696

SHA1
1637892d8603b8e0305defeb76280d56668af07d

SHA256
ea73e886e3e0dfe87734890671e2300ccb9fd1433e384231a12506317783c5a8

SHA512
2e64ef2c59c02692b073d0b8cc02ab4693af340abe1a9cdf2a492a6440174a5c3beff54360066cc0d740d427e349c89cfa1bca03427d57bdb7cc9ee7edf95419

Download Submit
C:\Windows\{D9DDF8B4-33F3-47dd-908C-BE6F5ED4CA65}.exe

Filesize
372KB

MD5
b5bc14a8f70f3d954621d9be86328696

SHA1
1637892d8603b8e0305defeb76280d56668af07d

SHA256
ea73e886e3e0dfe87734890671e2300ccb9fd1433e384231a12506317783c5a8

SHA512
2e64ef2c59c02692b073d0b8cc02ab4693af340abe1a9cdf2a492a6440174a5c3beff54360066cc0d740d427e349c89cfa1bca03427d57bdb7cc9ee7edf95419

Download Submit
C:\Windows\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe

Filesize
372KB

MD5
d1264a8a0fedd0f635f1a1e18590f57c

SHA1
ffff193ea2598c5550179f10b5ba780c1b055771

SHA256
746abccff747ee3a726b01b6f5522909510d7e6a7ede053f818e295f7f6e72d4

SHA512
66f545548606f0a120547cc65482874b952fe081634b62dfa5f93386e07b584cd4005df4be21b09281d8d24419a649498bb2567a1181e05de7c8197faf32476e

Download Submit
C:\Windows\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe

Filesize
372KB

MD5
d1264a8a0fedd0f635f1a1e18590f57c

SHA1
ffff193ea2598c5550179f10b5ba780c1b055771

SHA256
746abccff747ee3a726b01b6f5522909510d7e6a7ede053f818e295f7f6e72d4

SHA512
66f545548606f0a120547cc65482874b952fe081634b62dfa5f93386e07b584cd4005df4be21b09281d8d24419a649498bb2567a1181e05de7c8197faf32476e

Download Submit
C:\Windows\{E4C2582B-25B8-481f-BF98-814655E8840A}.exe

Filesize
372KB

MD5
d1264a8a0fedd0f635f1a1e18590f57c

SHA1
ffff193ea2598c5550179f10b5ba780c1b055771

SHA256
746abccff747ee3a726b01b6f5522909510d7e6a7ede053f818e295f7f6e72d4

SHA512
66f545548606f0a120547cc65482874b952fe081634b62dfa5f93386e07b584cd4005df4be21b09281d8d24419a649498bb2567a1181e05de7c8197faf32476e

Download Submit
C:\Windows\{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe

Filesize
372KB

MD5
367311688cf861cabf0a4337ed6cf430

SHA1
fa48c9e31515ea34915342d0551552327902b195

SHA256
6797a275ea09f6080e411928207df8921e70c24c0c57220e2bc739747fa50112

SHA512
496bb48c1e04e02bde26d83251d19ff5f2116910883028064298599a7e606ad86bb193e7bc1cec01f22ea53b3c6db01d52f66d77fd66f74e2f61f36e8b58913f

Download Submit
C:\Windows\{E92FA17C-4BF9-4c90-9138-331BF79B8125}.exe

Filesize
372KB

MD5
367311688cf861cabf0a4337ed6cf430

SHA1
fa48c9e31515ea34915342d0551552327902b195

SHA256
6797a275ea09f6080e411928207df8921e70c24c0c57220e2bc739747fa50112

SHA512
496bb48c1e04e02bde26d83251d19ff5f2116910883028064298599a7e606ad86bb193e7bc1cec01f22ea53b3c6db01d52f66d77fd66f74e2f61f36e8b58913f

Download Submit