96fff1de0aa73c2cf852b51f3357363c6af786f3424a94c4d776c9413e0455de

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e071d2962b5035exeexeexeex.exe
Size

168KB
MD5

e071d2962b50352a2dc1218df47fcf7f
SHA1

a3982cac9af0b7bca95e0bddca2f4b77007eb4e2
SHA256

96fff1de0aa73c2cf852b51f3357363c6af786f3424a94c4d776c9413e0455de
SHA512

62bb34961d00424c58457a6999409d4bd0096c6ce54bb7d687ec146a03ed567f320480864fc393ff69e5560af979a22ef7cf7b0d77e34b606bbc794e6b104371
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}\stubpath = "C:\\Windows\\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe"	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}\stubpath = "C:\\Windows\\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe"	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8235A524-607C-4a19-A4E9-1BA5627DCB92}\stubpath = "C:\\Windows\\{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe"	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39479007-05EA-4680-8894-25F34CCCCA80}	{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}	{39479007-05EA-4680-8894-25F34CCCCA80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{657FBADB-B65D-48e3-8415-FCF24B22A336}\stubpath = "C:\\Windows\\{657FBADB-B65D-48e3-8415-FCF24B22A336}.exe"	{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962758BE-ABE8-4d1a-A428-31CDE60E138D}\stubpath = "C:\\Windows\\{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe"	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8235A524-607C-4a19-A4E9-1BA5627DCB92}	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}\stubpath = "C:\\Windows\\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe"	{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43184438-F52A-4436-921F-DA04A8CA8BD6}\stubpath = "C:\\Windows\\{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe"	{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39479007-05EA-4680-8894-25F34CCCCA80}\stubpath = "C:\\Windows\\{39479007-05EA-4680-8894-25F34CCCCA80}.exe"	{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}\stubpath = "C:\\Windows\\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe"	{39479007-05EA-4680-8894-25F34CCCCA80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{657FBADB-B65D-48e3-8415-FCF24B22A336}	{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE404CD-1962-4c99-A65F-15287DC3306E}\stubpath = "C:\\Windows\\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe"	e071d2962b5035exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4450B8AF-C544-4ec6-A680-44D32D951D9F}	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4450B8AF-C544-4ec6-A680-44D32D951D9F}\stubpath = "C:\\Windows\\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe"	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}\stubpath = "C:\\Windows\\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe"	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}	{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43184438-F52A-4436-921F-DA04A8CA8BD6}	{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE404CD-1962-4c99-A65F-15287DC3306E}	e071d2962b5035exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}\stubpath = "C:\\Windows\\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe"	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962758BE-ABE8-4d1a-A428-31CDE60E138D}	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe
2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
2944	{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe
2704	{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
2812	{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
2792	{39479007-05EA-4680-8894-25F34CCCCA80}.exe
2572	{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe
2492	{657FBADB-B65D-48e3-8415-FCF24B22A336}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
File created	C:\Windows\{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe
File created	C:\Windows\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
File created	C:\Windows\{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe	{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
File created	C:\Windows\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe	{39479007-05EA-4680-8894-25F34CCCCA80}.exe
File created	C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
File created	C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
File created	C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
File created	C:\Windows\{39479007-05EA-4680-8894-25F34CCCCA80}.exe	{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
File created	C:\Windows\{657FBADB-B65D-48e3-8415-FCF24B22A336}.exe	{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe
File created	C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	e071d2962b5035exeexeexeex.exe
File created	C:\Windows\{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
File created	C:\Windows\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe	{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	e071d2962b5035exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Token: SeIncBasePriorityPrivilege	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Token: SeIncBasePriorityPrivilege	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Token: SeIncBasePriorityPrivilege	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Token: SeIncBasePriorityPrivilege	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe
Token: SeIncBasePriorityPrivilege	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
Token: SeIncBasePriorityPrivilege	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
Token: SeIncBasePriorityPrivilege	2944	{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe
Token: SeIncBasePriorityPrivilege	2704	{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
Token: SeIncBasePriorityPrivilege	2812	{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
Token: SeIncBasePriorityPrivilege	2792	{39479007-05EA-4680-8894-25F34CCCCA80}.exe
Token: SeIncBasePriorityPrivilege	2572	{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 848	2356	e071d2962b5035exeexeexeex.exe	28
PID 2356 wrote to memory of 848	2356	e071d2962b5035exeexeexeex.exe	28
PID 2356 wrote to memory of 848	2356	e071d2962b5035exeexeexeex.exe	28
PID 2356 wrote to memory of 848	2356	e071d2962b5035exeexeexeex.exe	28
PID 2356 wrote to memory of 2212	2356	e071d2962b5035exeexeexeex.exe	29
PID 2356 wrote to memory of 2212	2356	e071d2962b5035exeexeexeex.exe	29
PID 2356 wrote to memory of 2212	2356	e071d2962b5035exeexeexeex.exe	29
PID 2356 wrote to memory of 2212	2356	e071d2962b5035exeexeexeex.exe	29
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 328 wrote to memory of 2216	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2216	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2216	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2216	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2956	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 328 wrote to memory of 2956	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 328 wrote to memory of 2956	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 328 wrote to memory of 2956	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2332 wrote to memory of 2080	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	38
PID 2332 wrote to memory of 2080	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	38
PID 2332 wrote to memory of 2080	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	38
PID 2332 wrote to memory of 2080	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	38
PID 2332 wrote to memory of 2068	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	39
PID 2332 wrote to memory of 2068	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	39
PID 2332 wrote to memory of 2068	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	39
PID 2332 wrote to memory of 2068	2332	{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe	39
PID 2080 wrote to memory of 2864	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	40
PID 2080 wrote to memory of 2864	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	40
PID 2080 wrote to memory of 2864	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	40
PID 2080 wrote to memory of 2864	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	40
PID 2080 wrote to memory of 2940	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	41
PID 2080 wrote to memory of 2940	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	41
PID 2080 wrote to memory of 2940	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	41
PID 2080 wrote to memory of 2940	2080	{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe	41
PID 2864 wrote to memory of 2944	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	42
PID 2864 wrote to memory of 2944	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	42
PID 2864 wrote to memory of 2944	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	42
PID 2864 wrote to memory of 2944	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	42
PID 2864 wrote to memory of 2288	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	43
PID 2864 wrote to memory of 2288	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	43
PID 2864 wrote to memory of 2288	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	43
PID 2864 wrote to memory of 2288	2864	{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe	43

C:\Users\Admin\AppData\Local\Temp\e071d2962b5035exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e071d2962b5035exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
  C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
    C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
      C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
        
        C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe
        
        C:\Windows\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
        
        C:\Windows\{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
        
        C:\Windows\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe
        
        C:\Windows\{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
        
        C:\Windows\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
        
        C:\Windows\{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{39479007-05EA-4680-8894-25F34CCCCA80}.exe
        
        C:\Windows\{39479007-05EA-4680-8894-25F34CCCCA80}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe
        
        C:\Windows\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\{657FBADB-B65D-48e3-8415-FCF24B22A336}.exe
        
        C:\Windows\{657FBADB-B65D-48e3-8415-FCF24B22A336}.exe
        14⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B98F2~1.EXE > nul
        14⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39479~1.EXE > nul
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43184~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D272F~1.EXE > nul
        11⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8235A~1.EXE > nul
        10⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09520~1.EXE > nul
        9⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96275~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EA01~1.EXE > nul
        7⤵
        
        PID:2068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{233BD~1.EXE > nul
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14ECD~1.EXE > nul
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4450B~1.EXE > nul
      4⤵
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE40~1.EXE > nul
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E071D2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe

Filesize
168KB

MD5
d67fde800b0b1c4a90c3c3e662e0fe05

SHA1
b5f9781ebb7a815d17af62663dced076d38fc8e8

SHA256
865d90869e248dc310fcaeab4b5ee6d455987bb072fbd3b93c3e36e88e454705

SHA512
922972a02e522d58d659ed9544c18aea77ad38ecad0b9a8cd6f88e14013b5996d2ae53bcb429df7e58707e8ee9a8c4e75303bacf6d3f4d049b238d5887204666

Download Submit
C:\Windows\{0952063C-76EB-4825-BF85-F8D9FDD7ED5A}.exe

Filesize
168KB

MD5
d67fde800b0b1c4a90c3c3e662e0fe05

SHA1
b5f9781ebb7a815d17af62663dced076d38fc8e8

SHA256
865d90869e248dc310fcaeab4b5ee6d455987bb072fbd3b93c3e36e88e454705

SHA512
922972a02e522d58d659ed9544c18aea77ad38ecad0b9a8cd6f88e14013b5996d2ae53bcb429df7e58707e8ee9a8c4e75303bacf6d3f4d049b238d5887204666

Download Submit
C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe

Filesize
168KB

MD5
6b0ff5c674a702320380f39681f19ee7

SHA1
37d0ed0b793d7d3a47e0e5db88231cbd1e07de58

SHA256
1a816a7f86c557b193463e9996665e4df75eed9696f2c069cf6ff2c2eb95ee95

SHA512
7b6342bf2e6fdb703227df87cc92e8d1c06ffb9a6a05deec2a8217db0af14eb1dd58d532e38b2d9581236de1e96c6d1045bae58b7bdf9f4db6090ff3e30edf14

Download Submit
C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe

Filesize
168KB

MD5
6b0ff5c674a702320380f39681f19ee7

SHA1
37d0ed0b793d7d3a47e0e5db88231cbd1e07de58

SHA256
1a816a7f86c557b193463e9996665e4df75eed9696f2c069cf6ff2c2eb95ee95

SHA512
7b6342bf2e6fdb703227df87cc92e8d1c06ffb9a6a05deec2a8217db0af14eb1dd58d532e38b2d9581236de1e96c6d1045bae58b7bdf9f4db6090ff3e30edf14

Download Submit
C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe

Filesize
168KB

MD5
3da972ab09ba76bd88ed2b09d6e070b4

SHA1
22119f1eec5d89f0076963cc6c1af15b090d5387

SHA256
06ec526be9530622cc23174e4f175ab3b09e8adf9728b475b315cd9ab2749962

SHA512
927c68700a945f6de2c844de498287d8d02122915c2d8f6dc306742b3dd957ccb816980f60b4d9474d4dc268601a3be788db0efd51768073c3d862a55f0054a9

Download Submit
C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe

Filesize
168KB

MD5
3da972ab09ba76bd88ed2b09d6e070b4

SHA1
22119f1eec5d89f0076963cc6c1af15b090d5387

SHA256
06ec526be9530622cc23174e4f175ab3b09e8adf9728b475b315cd9ab2749962

SHA512
927c68700a945f6de2c844de498287d8d02122915c2d8f6dc306742b3dd957ccb816980f60b4d9474d4dc268601a3be788db0efd51768073c3d862a55f0054a9

Download Submit
C:\Windows\{39479007-05EA-4680-8894-25F34CCCCA80}.exe

Filesize
168KB

MD5
ebfe45369818579b55827425bf9dfdf9

SHA1
96b4bb1c536b369bad93700dd4da9420ddb7e66e

SHA256
7d0e3bb286ed24ffaf6b036d1766f02f9152e925969ec1464ddadc4d335cd5c0

SHA512
95de7f81a83d259da28cfe4406842f20ef720a239de5d5eaedd02298475afc8e1af007c305a9778b07a16fa51ee12f5e9abfc5fe9d22a1595d1843877ae18ad6

Download Submit
C:\Windows\{39479007-05EA-4680-8894-25F34CCCCA80}.exe

Filesize
168KB

MD5
ebfe45369818579b55827425bf9dfdf9

SHA1
96b4bb1c536b369bad93700dd4da9420ddb7e66e

SHA256
7d0e3bb286ed24ffaf6b036d1766f02f9152e925969ec1464ddadc4d335cd5c0

SHA512
95de7f81a83d259da28cfe4406842f20ef720a239de5d5eaedd02298475afc8e1af007c305a9778b07a16fa51ee12f5e9abfc5fe9d22a1595d1843877ae18ad6

Download Submit
C:\Windows\{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe

Filesize
168KB

MD5
4a5bcf1fff668e5af1f69d0730ed1bca

SHA1
86072b08779a552c29f74d93f85ce1839b01edf4

SHA256
769424738842985d32fa5c6a53360e83e0ea1158625589f80f5f840ad6d74e2f

SHA512
f136bcd0d5f35ec3d413c85e32a026fcfa7cfd5823127823762b2f7475df638d917bf5603533a3fec2f5a5d4ee7c381061fa70b97f138efe54211bb46fc78ec5

Download Submit
C:\Windows\{43184438-F52A-4436-921F-DA04A8CA8BD6}.exe

Filesize
168KB

MD5
4a5bcf1fff668e5af1f69d0730ed1bca

SHA1
86072b08779a552c29f74d93f85ce1839b01edf4

SHA256
769424738842985d32fa5c6a53360e83e0ea1158625589f80f5f840ad6d74e2f

SHA512
f136bcd0d5f35ec3d413c85e32a026fcfa7cfd5823127823762b2f7475df638d917bf5603533a3fec2f5a5d4ee7c381061fa70b97f138efe54211bb46fc78ec5

Download Submit
C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe

Filesize
168KB

MD5
040947a9566254739c0afa23456f44b8

SHA1
a584b734c1f05be6ece453b96795d15042f427ff

SHA256
2d4ad51481f5f18af654e67d6bc27ed787ddcab8ea1eb3eccbfd99f4d77a49f8

SHA512
d636063d8881194761b7d2b15ca9e69cefd311d95df809a70d3be794b1f752fbd2df03fb466dd3fb3b318d5fab958c2bdee1c1fd6077d5ba055211062555984a

Download Submit
C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe

Filesize
168KB

MD5
040947a9566254739c0afa23456f44b8

SHA1
a584b734c1f05be6ece453b96795d15042f427ff

SHA256
2d4ad51481f5f18af654e67d6bc27ed787ddcab8ea1eb3eccbfd99f4d77a49f8

SHA512
d636063d8881194761b7d2b15ca9e69cefd311d95df809a70d3be794b1f752fbd2df03fb466dd3fb3b318d5fab958c2bdee1c1fd6077d5ba055211062555984a

Download Submit
C:\Windows\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe

Filesize
168KB

MD5
d6b0eac07e18c0630d119e0a15e0a0ba

SHA1
b22a9d18b54a23d67d97c7d4a1080ad4822d21c3

SHA256
3b0403b0cbbe6149169c8d29267cacee454bc0ee4eaa891df733dbffe36f1128

SHA512
123b2266d08b09a541342ae2d79be85c91e7ff76913f1c5659a180a9003340072ad578b47401e91aec5f5157aa99ca80c39c3cd9fd78efba225439011b87b150

Download Submit
C:\Windows\{4EA01D4C-0AD4-4545-8280-3AFD00BE0781}.exe

Filesize
168KB

MD5
d6b0eac07e18c0630d119e0a15e0a0ba

SHA1
b22a9d18b54a23d67d97c7d4a1080ad4822d21c3

SHA256
3b0403b0cbbe6149169c8d29267cacee454bc0ee4eaa891df733dbffe36f1128

SHA512
123b2266d08b09a541342ae2d79be85c91e7ff76913f1c5659a180a9003340072ad578b47401e91aec5f5157aa99ca80c39c3cd9fd78efba225439011b87b150

Download Submit
C:\Windows\{657FBADB-B65D-48e3-8415-FCF24B22A336}.exe

Filesize
168KB

MD5
186b06afc51f406983975f0c78409cdc

SHA1
87b5b18dc9af684657d06c8fcb75468b347016a0

SHA256
c3d664c6165bc108c81b09831b93efc5f7de748faa3a7ded893f752b246fb075

SHA512
90858a4bec5832e625bb9b9202d9947dc54e9fe12046d2dc81f9a4b67e13767c50cba8d9abb7c441b4e2d6bbd46a7ee1c4b6e60a4bd771ab4f8380760b40ed8e

Download Submit
C:\Windows\{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe

Filesize
168KB

MD5
6816db62444ddde9d234bfb63ba8a9c6

SHA1
363132fe679af5e9dd90f29c04f3dc1dff498de0

SHA256
7ac195d0fc39b21ae16b5b1d2ff7b027dc00fd7731d491b852eb825e6ca23fcf

SHA512
ee82315f454efd6d165d5321011e1a76715cff4543835d2db899923f803088090e5980e2fafe608507ffb9e283820225bd8c64bd42e32b798c5233c0cdcb6187

Download Submit
C:\Windows\{8235A524-607C-4a19-A4E9-1BA5627DCB92}.exe

Filesize
168KB

MD5
6816db62444ddde9d234bfb63ba8a9c6

SHA1
363132fe679af5e9dd90f29c04f3dc1dff498de0

SHA256
7ac195d0fc39b21ae16b5b1d2ff7b027dc00fd7731d491b852eb825e6ca23fcf

SHA512
ee82315f454efd6d165d5321011e1a76715cff4543835d2db899923f803088090e5980e2fafe608507ffb9e283820225bd8c64bd42e32b798c5233c0cdcb6187

Download Submit
C:\Windows\{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe

Filesize
168KB

MD5
52c8837f9f892472a4066bd8ad1cc93a

SHA1
080f3abba88946113c5fb12f1340e780727c044d

SHA256
73f2eadf0e63e91b320bde2997f5e985d37e5b373b5d0c97ed54a10fe9e37033

SHA512
b67afc5bcc8689573aebf08c2ebd1e06373d5f6d47ba839920d48dd0ab5e60fb3ca678127466ff4e5a3d6ba471aa5d5c4da922cefe66bf5dcaeedfb1a39ee596

Download Submit
C:\Windows\{962758BE-ABE8-4d1a-A428-31CDE60E138D}.exe

Filesize
168KB

MD5
52c8837f9f892472a4066bd8ad1cc93a

SHA1
080f3abba88946113c5fb12f1340e780727c044d

SHA256
73f2eadf0e63e91b320bde2997f5e985d37e5b373b5d0c97ed54a10fe9e37033

SHA512
b67afc5bcc8689573aebf08c2ebd1e06373d5f6d47ba839920d48dd0ab5e60fb3ca678127466ff4e5a3d6ba471aa5d5c4da922cefe66bf5dcaeedfb1a39ee596

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
168KB

MD5
f118492f40f78dcc6f0444ff1d21b2be

SHA1
062c8239adfd605634cec0c06d4cc4fc8ffc1a37

SHA256
1dc485ad7865dbcd7547876fac4c3d71a4a8a12e0a60ff4d67d5d11a891e2e48

SHA512
676b8eeffbe7ac305491f453ce8a017169ebc8d6849be0a86a187df57fa5a93f1851fe1bfe3b31fb53309c61fde8948c1d30d45b235c4c0ba326597d0b4382f2

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
168KB

MD5
f118492f40f78dcc6f0444ff1d21b2be

SHA1
062c8239adfd605634cec0c06d4cc4fc8ffc1a37

SHA256
1dc485ad7865dbcd7547876fac4c3d71a4a8a12e0a60ff4d67d5d11a891e2e48

SHA512
676b8eeffbe7ac305491f453ce8a017169ebc8d6849be0a86a187df57fa5a93f1851fe1bfe3b31fb53309c61fde8948c1d30d45b235c4c0ba326597d0b4382f2

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
168KB

MD5
f118492f40f78dcc6f0444ff1d21b2be

SHA1
062c8239adfd605634cec0c06d4cc4fc8ffc1a37

SHA256
1dc485ad7865dbcd7547876fac4c3d71a4a8a12e0a60ff4d67d5d11a891e2e48

SHA512
676b8eeffbe7ac305491f453ce8a017169ebc8d6849be0a86a187df57fa5a93f1851fe1bfe3b31fb53309c61fde8948c1d30d45b235c4c0ba326597d0b4382f2

Download Submit
C:\Windows\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe

Filesize
168KB

MD5
c328eb1c6e55e52a4d0335c427089a77

SHA1
ef0e2806413b24d0f1a95f3011d990d60aa7837d

SHA256
1877946de1d1503dca639083b886171dc5bb927ae91f53070c6bae81f3c82e3d

SHA512
fb8b71a334d5f1e6bd49584cbc479375503e2fd34651d867f8ef3fa46ac7a8c3a308497958f164e7a9049e8acf5f50b6bfcbf1bbcfccf6595379a170193088a5

Download Submit
C:\Windows\{B98F2CAD-F8E4-439c-ABA9-AC2EAF544BCD}.exe

Filesize
168KB

MD5
c328eb1c6e55e52a4d0335c427089a77

SHA1
ef0e2806413b24d0f1a95f3011d990d60aa7837d

SHA256
1877946de1d1503dca639083b886171dc5bb927ae91f53070c6bae81f3c82e3d

SHA512
fb8b71a334d5f1e6bd49584cbc479375503e2fd34651d867f8ef3fa46ac7a8c3a308497958f164e7a9049e8acf5f50b6bfcbf1bbcfccf6595379a170193088a5

Download Submit
C:\Windows\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe

Filesize
168KB

MD5
2fe41dcaf1fa758c4ab1c676f3096130

SHA1
72a37ce3f7f7814dcd35b9b589567f917aa62b8c

SHA256
56b2964304d97ed152fc2bc4ecae6897d2adc571b45ab25dccec764b91a43e06

SHA512
b94346d4dabeee430202a4048259d8c5251e4f78a56a9ca98287171cbb96d53b8d78c938145b4fa610fc0b108e6e4da6a1b008a1868bc8bf8c0da2e363e9ee86

Download Submit
C:\Windows\{D272FC30-3434-44c3-8CF8-A53EC5B5054D}.exe

Filesize
168KB

MD5
2fe41dcaf1fa758c4ab1c676f3096130

SHA1
72a37ce3f7f7814dcd35b9b589567f917aa62b8c

SHA256
56b2964304d97ed152fc2bc4ecae6897d2adc571b45ab25dccec764b91a43e06

SHA512
b94346d4dabeee430202a4048259d8c5251e4f78a56a9ca98287171cbb96d53b8d78c938145b4fa610fc0b108e6e4da6a1b008a1868bc8bf8c0da2e363e9ee86

Download Submit