7664fe0d197f52b3ea22f98c28b7fa0e69119bc30f76f89f0114bffbf9ad28b2

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e7be2a21ed4eccexeexeexeex.exe
Size

168KB
MD5

e7be2a21ed4ecc4d26960c3ad8d3b921
SHA1

ad1bc2ac60c500c7e2afce1f9ddf25df3f6e079c
SHA256

7664fe0d197f52b3ea22f98c28b7fa0e69119bc30f76f89f0114bffbf9ad28b2
SHA512

42723face53c1657525055ec03016d8513a10c59f829cd7d9160e631fd9abae7b94dd3fd1fcc613436b27b8ef29cc66780f8bc315482a08a2f4b55be801dfb46
SSDEEP

1536:1EGh0oBlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oBlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A834968-4362-4c3c-A62F-225C1D0D42F2}	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}	{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D08AECDC-3201-49d8-A17E-5D558815489D}\stubpath = "C:\\Windows\\{D08AECDC-3201-49d8-A17E-5D558815489D}.exe"	{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A834968-4362-4c3c-A62F-225C1D0D42F2}\stubpath = "C:\\Windows\\{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe"	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E31A9C-9849-48a6-8CC2-583B3A38A146}\stubpath = "C:\\Windows\\{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe"	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}\stubpath = "C:\\Windows\\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe"	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE13A1A-9328-4194-9323-D6082B32DC74}	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}\stubpath = "C:\\Windows\\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe"	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4194048C-B245-4eff-A959-3800845E7145}	{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4194048C-B245-4eff-A959-3800845E7145}\stubpath = "C:\\Windows\\{4194048C-B245-4eff-A959-3800845E7145}.exe"	{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}\stubpath = "C:\\Windows\\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe"	e7be2a21ed4eccexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}\stubpath = "C:\\Windows\\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe"	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}\stubpath = "C:\\Windows\\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe"	{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D08AECDC-3201-49d8-A17E-5D558815489D}	{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}\stubpath = "C:\\Windows\\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe"	{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}	{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECAA175-5614-4220-8C52-ED06F6722F98}	{D08AECDC-3201-49d8-A17E-5D558815489D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}	e7be2a21ed4eccexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E31A9C-9849-48a6-8CC2-583B3A38A146}	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE13A1A-9328-4194-9323-D6082B32DC74}\stubpath = "C:\\Windows\\{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe"	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}\stubpath = "C:\\Windows\\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe"	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECAA175-5614-4220-8C52-ED06F6722F98}\stubpath = "C:\\Windows\\{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe"	{D08AECDC-3201-49d8-A17E-5D558815489D}.exe

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
1496	{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
2232	{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
2628	{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
2632	{D08AECDC-3201-49d8-A17E-5D558815489D}.exe
2484	{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe
2856	{4194048C-B245-4eff-A959-3800845E7145}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	e7be2a21ed4eccexeexeexeex.exe
File created	C:\Windows\{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
File created	C:\Windows\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
File created	C:\Windows\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
File created	C:\Windows\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
File created	C:\Windows\{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
File created	C:\Windows\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe	{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
File created	C:\Windows\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe	{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
File created	C:\Windows\{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe	{D08AECDC-3201-49d8-A17E-5D558815489D}.exe
File created	C:\Windows\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
File created	C:\Windows\{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
File created	C:\Windows\{D08AECDC-3201-49d8-A17E-5D558815489D}.exe	{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
File created	C:\Windows\{4194048C-B245-4eff-A959-3800845E7145}.exe	{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3048	e7be2a21ed4eccexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
Token: SeIncBasePriorityPrivilege	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
Token: SeIncBasePriorityPrivilege	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
Token: SeIncBasePriorityPrivilege	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
Token: SeIncBasePriorityPrivilege	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
Token: SeIncBasePriorityPrivilege	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
Token: SeIncBasePriorityPrivilege	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
Token: SeIncBasePriorityPrivilege	1496	{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
Token: SeIncBasePriorityPrivilege	2232	{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
Token: SeIncBasePriorityPrivilege	2628	{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
Token: SeIncBasePriorityPrivilege	2632	{D08AECDC-3201-49d8-A17E-5D558815489D}.exe
Token: SeIncBasePriorityPrivilege	2484	{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2968	3048	e7be2a21ed4eccexeexeexeex.exe	28
PID 3048 wrote to memory of 2968	3048	e7be2a21ed4eccexeexeexeex.exe	28
PID 3048 wrote to memory of 2968	3048	e7be2a21ed4eccexeexeexeex.exe	28
PID 3048 wrote to memory of 2968	3048	e7be2a21ed4eccexeexeexeex.exe	28
PID 3048 wrote to memory of 3044	3048	e7be2a21ed4eccexeexeexeex.exe	29
PID 3048 wrote to memory of 3044	3048	e7be2a21ed4eccexeexeexeex.exe	29
PID 3048 wrote to memory of 3044	3048	e7be2a21ed4eccexeexeexeex.exe	29
PID 3048 wrote to memory of 3044	3048	e7be2a21ed4eccexeexeexeex.exe	29
PID 2968 wrote to memory of 2240	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	30
PID 2968 wrote to memory of 2240	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	30
PID 2968 wrote to memory of 2240	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	30
PID 2968 wrote to memory of 2240	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	30
PID 2968 wrote to memory of 2256	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	31
PID 2968 wrote to memory of 2256	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	31
PID 2968 wrote to memory of 2256	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	31
PID 2968 wrote to memory of 2256	2968	{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe	31
PID 2240 wrote to memory of 2368	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	32
PID 2240 wrote to memory of 2368	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	32
PID 2240 wrote to memory of 2368	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	32
PID 2240 wrote to memory of 2368	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	32
PID 2240 wrote to memory of 2312	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	33
PID 2240 wrote to memory of 2312	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	33
PID 2240 wrote to memory of 2312	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	33
PID 2240 wrote to memory of 2312	2240	{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe	33
PID 2368 wrote to memory of 2168	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	34
PID 2368 wrote to memory of 2168	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	34
PID 2368 wrote to memory of 2168	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	34
PID 2368 wrote to memory of 2168	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	34
PID 2368 wrote to memory of 2064	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	35
PID 2368 wrote to memory of 2064	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	35
PID 2368 wrote to memory of 2064	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	35
PID 2368 wrote to memory of 2064	2368	{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe	35
PID 2168 wrote to memory of 2072	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	36
PID 2168 wrote to memory of 2072	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	36
PID 2168 wrote to memory of 2072	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	36
PID 2168 wrote to memory of 2072	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	36
PID 2168 wrote to memory of 2096	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	37
PID 2168 wrote to memory of 2096	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	37
PID 2168 wrote to memory of 2096	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	37
PID 2168 wrote to memory of 2096	2168	{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe	37
PID 2072 wrote to memory of 1432	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	38
PID 2072 wrote to memory of 1432	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	38
PID 2072 wrote to memory of 1432	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	38
PID 2072 wrote to memory of 1432	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	38
PID 2072 wrote to memory of 2284	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	39
PID 2072 wrote to memory of 2284	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	39
PID 2072 wrote to memory of 2284	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	39
PID 2072 wrote to memory of 2284	2072	{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe	39
PID 1432 wrote to memory of 588	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	40
PID 1432 wrote to memory of 588	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	40
PID 1432 wrote to memory of 588	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	40
PID 1432 wrote to memory of 588	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	40
PID 1432 wrote to memory of 1796	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	41
PID 1432 wrote to memory of 1796	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	41
PID 1432 wrote to memory of 1796	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	41
PID 1432 wrote to memory of 1796	1432	{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe	41
PID 588 wrote to memory of 1496	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	42
PID 588 wrote to memory of 1496	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	42
PID 588 wrote to memory of 1496	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	42
PID 588 wrote to memory of 1496	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	42
PID 588 wrote to memory of 396	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	43
PID 588 wrote to memory of 396	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	43
PID 588 wrote to memory of 396	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	43
PID 588 wrote to memory of 396	588	{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe	43

C:\Users\Admin\AppData\Local\Temp\e7be2a21ed4eccexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e7be2a21ed4eccexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
  C:\Windows\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
    C:\Windows\{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
      C:\Windows\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
        
        C:\Windows\{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
        
        C:\Windows\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
        
        C:\Windows\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
        
        C:\Windows\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
        
        C:\Windows\{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
        
        C:\Windows\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
        
        C:\Windows\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{D08AECDC-3201-49d8-A17E-5D558815489D}.exe
        
        C:\Windows\{D08AECDC-3201-49d8-A17E-5D558815489D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe
        
        C:\Windows\{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{4194048C-B245-4eff-A959-3800845E7145}.exe
        
        C:\Windows\{4194048C-B245-4eff-A959-3800845E7145}.exe
        14⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ECAA~1.EXE > nul
        14⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D08AE~1.EXE > nul
        13⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE2FB~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34257~1.EXE > nul
        11⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A834~1.EXE > nul
        10⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE759~1.EXE > nul
        9⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBCD~1.EXE > nul
        8⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42F2F~1.EXE > nul
        7⤵
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE13~1.EXE > nul
        6⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F803F~1.EXE > nul
        5⤵
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{26E31~1.EXE > nul
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AE183~1.EXE > nul
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E7BE2A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe

Filesize
168KB

MD5
ac2bb82a3c6a6a164b626dc58f07ab27

SHA1
249a6b27be4e24238a996385e4b6f1bdb32284d1

SHA256
96a65b5d1ac872fcd97e50be82787aec765f5885296f1933e70536ab1b228c18

SHA512
dc7d452f87912a1beeee1646927674bc817351d2da89731527925aa5a2682fc779ce80bac9e1224b569c66a6d05b8416073f4e7a9e29deff8e68fe5b7ccf0229

Download Submit
C:\Windows\{26E31A9C-9849-48a6-8CC2-583B3A38A146}.exe

Filesize
168KB

MD5
ac2bb82a3c6a6a164b626dc58f07ab27

SHA1
249a6b27be4e24238a996385e4b6f1bdb32284d1

SHA256
96a65b5d1ac872fcd97e50be82787aec765f5885296f1933e70536ab1b228c18

SHA512
dc7d452f87912a1beeee1646927674bc817351d2da89731527925aa5a2682fc779ce80bac9e1224b569c66a6d05b8416073f4e7a9e29deff8e68fe5b7ccf0229

Download Submit
C:\Windows\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe

Filesize
168KB

MD5
5fefe004a6e3f761a4e8e8aeaca73733

SHA1
951742cc53b40dea99a7fb488bbc7b8f1a172a95

SHA256
aaa944014855fe2c593885b25be8962f0c8a3932363941bb4024dce6db21bfa5

SHA512
6ac3fd2f976eb80471f978fe91a5d53d254dfb0589d33cfc8f4a1e6c29b6f48b7a4031eabfe193412960bfe347a06e01372a72a75410ece5aa75f0b5b90cf88c

Download Submit
C:\Windows\{342571CC-6BFE-42a0-B6D3-DBFE798EF246}.exe

Filesize
168KB

MD5
5fefe004a6e3f761a4e8e8aeaca73733

SHA1
951742cc53b40dea99a7fb488bbc7b8f1a172a95

SHA256
aaa944014855fe2c593885b25be8962f0c8a3932363941bb4024dce6db21bfa5

SHA512
6ac3fd2f976eb80471f978fe91a5d53d254dfb0589d33cfc8f4a1e6c29b6f48b7a4031eabfe193412960bfe347a06e01372a72a75410ece5aa75f0b5b90cf88c

Download Submit
C:\Windows\{4194048C-B245-4eff-A959-3800845E7145}.exe

Filesize
168KB

MD5
b4dd4abc959aa55f0afd180c32f3a9b8

SHA1
1f59bd5c0bf8d892f56e4d1bc68140e5572c1815

SHA256
89fda273ceb794178b6ad0630f53ae21e58f512b0d364e27acbe5c34b24a4658

SHA512
4c8026261dc0383579d7c22b4fc9641ce64820fa067a25502ec4a444f2290f687e8d1c6f68ae20527002bfe118ccefa0083ad56628242ef9635fa7f4eb79b6c0

Download Submit
C:\Windows\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe

Filesize
168KB

MD5
f31dcd3c55f4148dc05a5f3eb937c6c2

SHA1
76f6f3d7ef6559d42d14bb49fa095eb1be9aa4e9

SHA256
cd079e7ccc98377bad4fe1d4ceb1c0f00a728ab8b31c5d53822955d48c05fcad

SHA512
e08b547d5d1bdb724106fddfcd173d6ad01849b95710e33d9d31ddfbcf6197287c5b2b465b9027aadbae2dcf29a2ce936bd0c71ecb63338a9aeb778df5ac8090

Download Submit
C:\Windows\{42F2FDF6-ABDB-4f57-8D54-48E88BD51BF2}.exe

Filesize
168KB

MD5
f31dcd3c55f4148dc05a5f3eb937c6c2

SHA1
76f6f3d7ef6559d42d14bb49fa095eb1be9aa4e9

SHA256
cd079e7ccc98377bad4fe1d4ceb1c0f00a728ab8b31c5d53822955d48c05fcad

SHA512
e08b547d5d1bdb724106fddfcd173d6ad01849b95710e33d9d31ddfbcf6197287c5b2b465b9027aadbae2dcf29a2ce936bd0c71ecb63338a9aeb778df5ac8090

Download Submit
C:\Windows\{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe

Filesize
168KB

MD5
c472206507602fdf441475443230ac65

SHA1
0b99783e72a8ea47b687216df9d5808dcb068e3e

SHA256
a4fc702a96796b45f64326c5153d9e44c37c353a6ba120e21d02a88fdbefff8b

SHA512
7be276e6c7a8e652b9e57e4a25c9bfee1c849492989ed6ab61c612ca51e37caf6ce2131cd6fd575af6a4dcd61bd5bda2a3ff198ed0f2c20e1785ff6dffd42a79

Download Submit
C:\Windows\{4AE13A1A-9328-4194-9323-D6082B32DC74}.exe

Filesize
168KB

MD5
c472206507602fdf441475443230ac65

SHA1
0b99783e72a8ea47b687216df9d5808dcb068e3e

SHA256
a4fc702a96796b45f64326c5153d9e44c37c353a6ba120e21d02a88fdbefff8b

SHA512
7be276e6c7a8e652b9e57e4a25c9bfee1c849492989ed6ab61c612ca51e37caf6ce2131cd6fd575af6a4dcd61bd5bda2a3ff198ed0f2c20e1785ff6dffd42a79

Download Submit
C:\Windows\{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe

Filesize
168KB

MD5
16b2ca125ff2b1a7154a26a319d60283

SHA1
e2f0709cb1586f4be14de23a5392aa84780942a9

SHA256
41aac5880c3aa032694865a34a5bc1625c9b001b67631eea700a9efebccf20af

SHA512
dde98495a3e7e8592edde8af792eb7b7c34300844e94463292eb027f6899a6d4ba7fbe642f0f4acf2e5b07c157d33eded1d4285795be93004e5fd04aa9ce1aff

Download Submit
C:\Windows\{9A834968-4362-4c3c-A62F-225C1D0D42F2}.exe

Filesize
168KB

MD5
16b2ca125ff2b1a7154a26a319d60283

SHA1
e2f0709cb1586f4be14de23a5392aa84780942a9

SHA256
41aac5880c3aa032694865a34a5bc1625c9b001b67631eea700a9efebccf20af

SHA512
dde98495a3e7e8592edde8af792eb7b7c34300844e94463292eb027f6899a6d4ba7fbe642f0f4acf2e5b07c157d33eded1d4285795be93004e5fd04aa9ce1aff

Download Submit
C:\Windows\{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe

Filesize
168KB

MD5
d42310a255a2631c2d93a3535e4b0e67

SHA1
fea434af9f8bc8b2c45a7d64f1e5eacdd9fdf8b9

SHA256
dd077725ceb997d7c9c52e680533f1e3d13e24592f4999d51458c1cd1edec39f

SHA512
a660206ab52b5be1832fde94b5703807600dad6b3b0f10c0d997cfdb2bf36d55c012efa1a6899a03a7a7b0427d51273edbb180ce043a9b09071a8f215021114c

Download Submit
C:\Windows\{9ECAA175-5614-4220-8C52-ED06F6722F98}.exe

Filesize
168KB

MD5
d42310a255a2631c2d93a3535e4b0e67

SHA1
fea434af9f8bc8b2c45a7d64f1e5eacdd9fdf8b9

SHA256
dd077725ceb997d7c9c52e680533f1e3d13e24592f4999d51458c1cd1edec39f

SHA512
a660206ab52b5be1832fde94b5703807600dad6b3b0f10c0d997cfdb2bf36d55c012efa1a6899a03a7a7b0427d51273edbb180ce043a9b09071a8f215021114c

Download Submit
C:\Windows\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe

Filesize
168KB

MD5
606076a4aa445f02516a39aa4461d184

SHA1
1122363171fd17377a9daa33a34d42b3b79357f5

SHA256
b7b5dffa5814c8a7ced314291bc266d158fad75e8313c22d496ebdf073fb1c6c

SHA512
6adfa986cee2e8d263ce255626347f7ec1f86852ceda69a625069d2912d7871af58f87dee285c4a22b60edff1e71230daa7a76450c67ba6cd8d73727b97bd5ef

Download Submit
C:\Windows\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe

Filesize
168KB

MD5
606076a4aa445f02516a39aa4461d184

SHA1
1122363171fd17377a9daa33a34d42b3b79357f5

SHA256
b7b5dffa5814c8a7ced314291bc266d158fad75e8313c22d496ebdf073fb1c6c

SHA512
6adfa986cee2e8d263ce255626347f7ec1f86852ceda69a625069d2912d7871af58f87dee285c4a22b60edff1e71230daa7a76450c67ba6cd8d73727b97bd5ef

Download Submit
C:\Windows\{AE183EE3-BE1B-46a1-8246-0A5FD9321347}.exe

Filesize
168KB

MD5
606076a4aa445f02516a39aa4461d184

SHA1
1122363171fd17377a9daa33a34d42b3b79357f5

SHA256
b7b5dffa5814c8a7ced314291bc266d158fad75e8313c22d496ebdf073fb1c6c

SHA512
6adfa986cee2e8d263ce255626347f7ec1f86852ceda69a625069d2912d7871af58f87dee285c4a22b60edff1e71230daa7a76450c67ba6cd8d73727b97bd5ef

Download Submit
C:\Windows\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe

Filesize
168KB

MD5
71e69206ed768c9dc309e7991181f030

SHA1
b1b0b5aee7bde26c4d645ffffd9000f91d2bfb77

SHA256
24ba60462ed3dbfeb0a6ac388d481aeb380d04ce335e5f35e02bf37ec0b7a972

SHA512
fab4bf59df9381d5bac42ac852c4d90787ab57106cd3c82fe98af8fbfd62e12d3829aed3f5d963082760f342073b6bd38a6f3e19ce70c8d9036c19e6b09bcad3

Download Submit
C:\Windows\{CE759FD6-E0A8-4cc1-AB6B-24BF72259562}.exe

Filesize
168KB

MD5
71e69206ed768c9dc309e7991181f030

SHA1
b1b0b5aee7bde26c4d645ffffd9000f91d2bfb77

SHA256
24ba60462ed3dbfeb0a6ac388d481aeb380d04ce335e5f35e02bf37ec0b7a972

SHA512
fab4bf59df9381d5bac42ac852c4d90787ab57106cd3c82fe98af8fbfd62e12d3829aed3f5d963082760f342073b6bd38a6f3e19ce70c8d9036c19e6b09bcad3

Download Submit
C:\Windows\{D08AECDC-3201-49d8-A17E-5D558815489D}.exe

Filesize
168KB

MD5
aba7eca729f87d0da73ebc81e801cc98

SHA1
5bed202dec5781f6be96af951611d069277d7430

SHA256
5ad83f3f4fe89455c20995d0aec2e64ba7ac56814e06da5c91a6963d2f210a31

SHA512
71bd1ad14cff248485400c62f8a224b58cc4c2aaaeab1d3d90951960aca63b92f21e3a936590d306e1f35a91186143ee6d614d4cd8ed1b99a475ac82c0ce66d9

Download Submit
C:\Windows\{D08AECDC-3201-49d8-A17E-5D558815489D}.exe

Filesize
168KB

MD5
aba7eca729f87d0da73ebc81e801cc98

SHA1
5bed202dec5781f6be96af951611d069277d7430

SHA256
5ad83f3f4fe89455c20995d0aec2e64ba7ac56814e06da5c91a6963d2f210a31

SHA512
71bd1ad14cff248485400c62f8a224b58cc4c2aaaeab1d3d90951960aca63b92f21e3a936590d306e1f35a91186143ee6d614d4cd8ed1b99a475ac82c0ce66d9

Download Submit
C:\Windows\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe

Filesize
168KB

MD5
89a44c72bac0f8ec2b1a82bc0b662749

SHA1
4d034454f242866bec8d964fa2dea3f851f8365c

SHA256
13090b67499728a2b2d8523c98c1317159982b58e82d79e713bbf69c1b7b6c6f

SHA512
d27fbbe0428db4a2ae94e0ce02b2c5b1f93a4de3d775efaf1699f6a0bbd351d00fbbf54c83aa92f743486fd09ddc5552336ff8138ffacbed9d333d87e0c046db

Download Submit
C:\Windows\{EE2FBA15-AC0E-461d-B49A-FBC5C213DF5C}.exe

Filesize
168KB

MD5
89a44c72bac0f8ec2b1a82bc0b662749

SHA1
4d034454f242866bec8d964fa2dea3f851f8365c

SHA256
13090b67499728a2b2d8523c98c1317159982b58e82d79e713bbf69c1b7b6c6f

SHA512
d27fbbe0428db4a2ae94e0ce02b2c5b1f93a4de3d775efaf1699f6a0bbd351d00fbbf54c83aa92f743486fd09ddc5552336ff8138ffacbed9d333d87e0c046db

Download Submit
C:\Windows\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe

Filesize
168KB

MD5
5156bb3cf4a5039558882af6264fd08f

SHA1
d3f2b40b6dc7d2bc7898b5895bee42e33bf7ae7c

SHA256
964b6b961e46bd790a963251f0839c1394dc5960093c8cad89976bd76a87de45

SHA512
89e54591d630c78480b8413e5c203dbc5185dfbf946dcccf046fb7bce8369eec92004c47f3a6541dcdfa193ffa7a27f7e2249a889497782b91f77a409f70ccf4

Download Submit
C:\Windows\{F803F6B7-A7DD-4273-8051-F04B7955D3CE}.exe

Filesize
168KB

MD5
5156bb3cf4a5039558882af6264fd08f

SHA1
d3f2b40b6dc7d2bc7898b5895bee42e33bf7ae7c

SHA256
964b6b961e46bd790a963251f0839c1394dc5960093c8cad89976bd76a87de45

SHA512
89e54591d630c78480b8413e5c203dbc5185dfbf946dcccf046fb7bce8369eec92004c47f3a6541dcdfa193ffa7a27f7e2249a889497782b91f77a409f70ccf4

Download Submit
C:\Windows\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe

Filesize
168KB

MD5
0103d3af229a0632a6f1d14766e4f8b0

SHA1
23243aa5f7a1560c7990f15e0a88773b0dbe6467

SHA256
59aa4efdb8ef075770416576b968329e7cf87eb2e4d0e0ff6b181ae64c70318e

SHA512
2a1e6769390be95bd37787f2678816079087317a22bdbe72fa0cffcc470d7d808de8a775887f366559a5f77eb93d9749633aebc18abd2fb61ec58d23f9dfcc7e

Download Submit
C:\Windows\{FCBCDD9F-7699-4bbe-B147-1CFEA0F68BC7}.exe

Filesize
168KB

MD5
0103d3af229a0632a6f1d14766e4f8b0

SHA1
23243aa5f7a1560c7990f15e0a88773b0dbe6467

SHA256
59aa4efdb8ef075770416576b968329e7cf87eb2e4d0e0ff6b181ae64c70318e

SHA512
2a1e6769390be95bd37787f2678816079087317a22bdbe72fa0cffcc470d7d808de8a775887f366559a5f77eb93d9749633aebc18abd2fb61ec58d23f9dfcc7e

Download Submit