70f2aada5de7ce94d699f9d3d5a0d466de36198ff43d2b39af80d4caf1d7a41a

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8678ccfb25fccexeexeexeex.exe
Size

408KB
MD5

e8678ccfb25fcc88baa0f58f47d25445
SHA1

4ac0c965f6aa8ee82b43a420ab91671de25e49f5
SHA256

70f2aada5de7ce94d699f9d3d5a0d466de36198ff43d2b39af80d4caf1d7a41a
SHA512

2e32cda23ff3b8bdb17b1efe59ee705ec54d781f69784921b40565a75717dea15e04e427c693e876bc3e0e19dc2a3a1811eec05e451c6b3b07c74bac362b5a2a
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}\stubpath = "C:\\Windows\\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe"	{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28B47230-5886-4ba6-90FE-6298EDEBE816}	e8678ccfb25fccexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}\stubpath = "C:\\Windows\\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe"	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}\stubpath = "C:\\Windows\\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe"	{04562D0E-2063-46d4-89B1-A038295290AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04562D0E-2063-46d4-89B1-A038295290AE}	{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41CE5D25-6875-4c28-827E-14E7DADBB452}\stubpath = "C:\\Windows\\{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe"	{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28B47230-5886-4ba6-90FE-6298EDEBE816}\stubpath = "C:\\Windows\\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe"	e8678ccfb25fccexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FA911B4-4917-4bba-A76D-C5376043372A}	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FA911B4-4917-4bba-A76D-C5376043372A}\stubpath = "C:\\Windows\\{1FA911B4-4917-4bba-A76D-C5376043372A}.exe"	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D143033-5902-4258-9F87-B74CBBF794B1}\stubpath = "C:\\Windows\\{0D143033-5902-4258-9F87-B74CBBF794B1}.exe"	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}\stubpath = "C:\\Windows\\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe"	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04562D0E-2063-46d4-89B1-A038295290AE}\stubpath = "C:\\Windows\\{04562D0E-2063-46d4-89B1-A038295290AE}.exe"	{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}	{04562D0E-2063-46d4-89B1-A038295290AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}	{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41CE5D25-6875-4c28-827E-14E7DADBB452}	{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}	{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D143033-5902-4258-9F87-B74CBBF794B1}	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}\stubpath = "C:\\Windows\\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe"	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}\stubpath = "C:\\Windows\\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe"	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}\stubpath = "C:\\Windows\\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe"	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}\stubpath = "C:\\Windows\\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}.exe"	{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
2788	{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
2972	{04562D0E-2063-46d4-89B1-A038295290AE}.exe
2436	{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
2876	{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
2700	{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe
2520	{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
File created	C:\Windows\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
File created	C:\Windows\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe	{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
File created	C:\Windows\{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe	{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
File created	C:\Windows\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
File created	C:\Windows\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
File created	C:\Windows\{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
File created	C:\Windows\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
File created	C:\Windows\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
File created	C:\Windows\{04562D0E-2063-46d4-89B1-A038295290AE}.exe	{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
File created	C:\Windows\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe	{04562D0E-2063-46d4-89B1-A038295290AE}.exe
File created	C:\Windows\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}.exe	{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe
File created	C:\Windows\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	e8678ccfb25fccexeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2216	e8678ccfb25fccexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
Token: SeIncBasePriorityPrivilege	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
Token: SeIncBasePriorityPrivilege	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
Token: SeIncBasePriorityPrivilege	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
Token: SeIncBasePriorityPrivilege	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
Token: SeIncBasePriorityPrivilege	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
Token: SeIncBasePriorityPrivilege	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
Token: SeIncBasePriorityPrivilege	2788	{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
Token: SeIncBasePriorityPrivilege	2972	{04562D0E-2063-46d4-89B1-A038295290AE}.exe
Token: SeIncBasePriorityPrivilege	2436	{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
Token: SeIncBasePriorityPrivilege	2876	{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
Token: SeIncBasePriorityPrivilege	2700	{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2396	2216	e8678ccfb25fccexeexeexeex.exe	29
PID 2216 wrote to memory of 2396	2216	e8678ccfb25fccexeexeexeex.exe	29
PID 2216 wrote to memory of 2396	2216	e8678ccfb25fccexeexeexeex.exe	29
PID 2216 wrote to memory of 2396	2216	e8678ccfb25fccexeexeexeex.exe	29
PID 2216 wrote to memory of 2356	2216	e8678ccfb25fccexeexeexeex.exe	30
PID 2216 wrote to memory of 2356	2216	e8678ccfb25fccexeexeexeex.exe	30
PID 2216 wrote to memory of 2356	2216	e8678ccfb25fccexeexeexeex.exe	30
PID 2216 wrote to memory of 2356	2216	e8678ccfb25fccexeexeexeex.exe	30
PID 2396 wrote to memory of 2992	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	31
PID 2396 wrote to memory of 2992	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	31
PID 2396 wrote to memory of 2992	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	31
PID 2396 wrote to memory of 2992	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	31
PID 2396 wrote to memory of 2080	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	32
PID 2396 wrote to memory of 2080	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	32
PID 2396 wrote to memory of 2080	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	32
PID 2396 wrote to memory of 2080	2396	{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe	32
PID 2992 wrote to memory of 1808	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	33
PID 2992 wrote to memory of 1808	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	33
PID 2992 wrote to memory of 1808	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	33
PID 2992 wrote to memory of 1808	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	33
PID 2992 wrote to memory of 2268	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	34
PID 2992 wrote to memory of 2268	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	34
PID 2992 wrote to memory of 2268	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	34
PID 2992 wrote to memory of 2268	2992	{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe	34
PID 1808 wrote to memory of 2352	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	35
PID 1808 wrote to memory of 2352	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	35
PID 1808 wrote to memory of 2352	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	35
PID 1808 wrote to memory of 2352	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	35
PID 1808 wrote to memory of 2280	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	36
PID 1808 wrote to memory of 2280	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	36
PID 1808 wrote to memory of 2280	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	36
PID 1808 wrote to memory of 2280	1808	{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe	36
PID 2352 wrote to memory of 932	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	37
PID 2352 wrote to memory of 932	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	37
PID 2352 wrote to memory of 932	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	37
PID 2352 wrote to memory of 932	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	37
PID 2352 wrote to memory of 2292	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	38
PID 2352 wrote to memory of 2292	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	38
PID 2352 wrote to memory of 2292	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	38
PID 2352 wrote to memory of 2292	2352	{1FA911B4-4917-4bba-A76D-C5376043372A}.exe	38
PID 932 wrote to memory of 1312	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	39
PID 932 wrote to memory of 1312	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	39
PID 932 wrote to memory of 1312	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	39
PID 932 wrote to memory of 1312	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	39
PID 932 wrote to memory of 332	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	40
PID 932 wrote to memory of 332	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	40
PID 932 wrote to memory of 332	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	40
PID 932 wrote to memory of 332	932	{0D143033-5902-4258-9F87-B74CBBF794B1}.exe	40
PID 1312 wrote to memory of 1428	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	41
PID 1312 wrote to memory of 1428	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	41
PID 1312 wrote to memory of 1428	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	41
PID 1312 wrote to memory of 1428	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	41
PID 1312 wrote to memory of 1484	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	42
PID 1312 wrote to memory of 1484	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	42
PID 1312 wrote to memory of 1484	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	42
PID 1312 wrote to memory of 1484	1312	{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe	42
PID 1428 wrote to memory of 2788	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	43
PID 1428 wrote to memory of 2788	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	43
PID 1428 wrote to memory of 2788	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	43
PID 1428 wrote to memory of 2788	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	43
PID 1428 wrote to memory of 2600	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	44
PID 1428 wrote to memory of 2600	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	44
PID 1428 wrote to memory of 2600	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	44
PID 1428 wrote to memory of 2600	1428	{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe	44

C:\Users\Admin\AppData\Local\Temp\e8678ccfb25fccexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e8678ccfb25fccexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
  C:\Windows\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
    C:\Windows\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
      C:\Windows\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
        
        C:\Windows\{1FA911B4-4917-4bba-A76D-C5376043372A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
        
        C:\Windows\{0D143033-5902-4258-9F87-B74CBBF794B1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
        
        C:\Windows\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
        
        C:\Windows\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
        
        C:\Windows\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{04562D0E-2063-46d4-89B1-A038295290AE}.exe
        
        C:\Windows\{04562D0E-2063-46d4-89B1-A038295290AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
        
        C:\Windows\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
        
        C:\Windows\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe
        
        C:\Windows\{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}.exe
        
        C:\Windows\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}.exe
        14⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41CE5~1.EXE > nul
        14⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63CEA~1.EXE > nul
        13⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C26BB~1.EXE > nul
        12⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04562~1.EXE > nul
        11⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C666~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1802~1.EXE > nul
        9⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{779EC~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D143~1.EXE > nul
        7⤵
        
        PID:332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FA91~1.EXE > nul
        6⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE7C~1.EXE > nul
        5⤵
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{09E4B~1.EXE > nul
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28B47~1.EXE > nul
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E8678C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04562D0E-2063-46d4-89B1-A038295290AE}.exe

Filesize
408KB

MD5
6c3a65c92552e6e420057d52154b9942

SHA1
0796f2e480ef386c9a6bfdba53bc41972f7d030e

SHA256
e90ebd234461cdf6910ab1f286ba2a064c431c7abc40a03c5a0f7ee65c4873dd

SHA512
b7647057eb5f074df86e71689ee0f77cce16f37075d13ffe11bd4a5db6375d57c9dd136e897cdbb9c925ac841f138ea0205e410f4b72f9e0d73f34242e4445ff

Download Submit
C:\Windows\{04562D0E-2063-46d4-89B1-A038295290AE}.exe

Filesize
408KB

MD5
6c3a65c92552e6e420057d52154b9942

SHA1
0796f2e480ef386c9a6bfdba53bc41972f7d030e

SHA256
e90ebd234461cdf6910ab1f286ba2a064c431c7abc40a03c5a0f7ee65c4873dd

SHA512
b7647057eb5f074df86e71689ee0f77cce16f37075d13ffe11bd4a5db6375d57c9dd136e897cdbb9c925ac841f138ea0205e410f4b72f9e0d73f34242e4445ff

Download Submit
C:\Windows\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe

Filesize
408KB

MD5
75f927bc8e8fb7236e00f816d807485b

SHA1
0b783d56e276f8925f5a01836919e37259a5646f

SHA256
87046682fc818d2df48052f7a334540eea0360a9ba46855ffc44b6f299504654

SHA512
f331b7269b8dcba8e748c540edec16b8a596157e02599125265c9a7c6b66cfa180208ce55ea8814e19d7e0a8f6734743c31405df0197cef6483e6cc2ba3fa766

Download Submit
C:\Windows\{09E4B833-B0DB-4e69-B099-8A92BFFE2EAF}.exe

Filesize
408KB

MD5
75f927bc8e8fb7236e00f816d807485b

SHA1
0b783d56e276f8925f5a01836919e37259a5646f

SHA256
87046682fc818d2df48052f7a334540eea0360a9ba46855ffc44b6f299504654

SHA512
f331b7269b8dcba8e748c540edec16b8a596157e02599125265c9a7c6b66cfa180208ce55ea8814e19d7e0a8f6734743c31405df0197cef6483e6cc2ba3fa766

Download Submit
C:\Windows\{0D143033-5902-4258-9F87-B74CBBF794B1}.exe

Filesize
408KB

MD5
65bb54a1ef615277d7a907881043aeed

SHA1
7a2708bfd356a9951e9fb6faee7e57dab4848342

SHA256
273aac911198e277072ef099a76a25b9b390c16b4a406db951fdb060368819ee

SHA512
4873a21032f4d30c3c2f5540d282cb4b54508703d4c219e095961cc018d60a73c546aeaccd6becaca4b8f40bb3fb9573c75f9b81acc4ba82f72e49a8bb01e084

Download Submit
C:\Windows\{0D143033-5902-4258-9F87-B74CBBF794B1}.exe

Filesize
408KB

MD5
65bb54a1ef615277d7a907881043aeed

SHA1
7a2708bfd356a9951e9fb6faee7e57dab4848342

SHA256
273aac911198e277072ef099a76a25b9b390c16b4a406db951fdb060368819ee

SHA512
4873a21032f4d30c3c2f5540d282cb4b54508703d4c219e095961cc018d60a73c546aeaccd6becaca4b8f40bb3fb9573c75f9b81acc4ba82f72e49a8bb01e084

Download Submit
C:\Windows\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe

Filesize
408KB

MD5
9228ee1a96ca393203ea03edae964757

SHA1
1a5eede1ed9caaf03636ee21d50d6c37c927faca

SHA256
c23d9d8dd5fa7a2ea1064ad452d8126140239d8e5b4e4c670414b853db61df5b

SHA512
f944d6034ad33cbe6634b2dffb7b46b22aefc173a1b8e409b3694ad989cbe4a3430c3024aa97a20f5f81559f01bb59defe4ffc08aa89dcb4b963ee1921300e8b

Download Submit
C:\Windows\{0DE7C36A-2F48-4f90-B8FD-D1BA51A55814}.exe

Filesize
408KB

MD5
9228ee1a96ca393203ea03edae964757

SHA1
1a5eede1ed9caaf03636ee21d50d6c37c927faca

SHA256
c23d9d8dd5fa7a2ea1064ad452d8126140239d8e5b4e4c670414b853db61df5b

SHA512
f944d6034ad33cbe6634b2dffb7b46b22aefc173a1b8e409b3694ad989cbe4a3430c3024aa97a20f5f81559f01bb59defe4ffc08aa89dcb4b963ee1921300e8b

Download Submit
C:\Windows\{1FA911B4-4917-4bba-A76D-C5376043372A}.exe

Filesize
408KB

MD5
5c2b564351097c3eabbaeea465de0271

SHA1
92f3f48a8d383724e2675551dd55523775b318fe

SHA256
3b84c4f1b2d77409c9e8f09b7bafa770fe2665d27dde70ae7bdc4aff48b0be73

SHA512
3f60f6db87cc7e7c811dbf89a5c30b0a5b0fcf9bca62aa69e4f02889e7cc251cae30f63cc2bdffaf22ff79f2d31209fffcb64ef9b57e6e327fe942405466db26

Download Submit
C:\Windows\{1FA911B4-4917-4bba-A76D-C5376043372A}.exe

Filesize
408KB

MD5
5c2b564351097c3eabbaeea465de0271

SHA1
92f3f48a8d383724e2675551dd55523775b318fe

SHA256
3b84c4f1b2d77409c9e8f09b7bafa770fe2665d27dde70ae7bdc4aff48b0be73

SHA512
3f60f6db87cc7e7c811dbf89a5c30b0a5b0fcf9bca62aa69e4f02889e7cc251cae30f63cc2bdffaf22ff79f2d31209fffcb64ef9b57e6e327fe942405466db26

Download Submit
C:\Windows\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe

Filesize
408KB

MD5
d855743e5a4b0114d2731ce826e627d0

SHA1
948b859088a12a6bbecc8742b0412a31618454f3

SHA256
1e484e6cfd0db24b41e5653320d8b26e806c8896ae080b7cb11efebcb07ba5b3

SHA512
2fc1fa3a38ca0c1cd6304aa702fa2c3b18e8a4dac73ebe48783e5e4eac759e5520d516f2a41e367678c746d6502613c0f3712de2e66273ea32720975d75fc139

Download Submit
C:\Windows\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe

Filesize
408KB

MD5
d855743e5a4b0114d2731ce826e627d0

SHA1
948b859088a12a6bbecc8742b0412a31618454f3

SHA256
1e484e6cfd0db24b41e5653320d8b26e806c8896ae080b7cb11efebcb07ba5b3

SHA512
2fc1fa3a38ca0c1cd6304aa702fa2c3b18e8a4dac73ebe48783e5e4eac759e5520d516f2a41e367678c746d6502613c0f3712de2e66273ea32720975d75fc139

Download Submit
C:\Windows\{28B47230-5886-4ba6-90FE-6298EDEBE816}.exe

Filesize
408KB

MD5
d855743e5a4b0114d2731ce826e627d0

SHA1
948b859088a12a6bbecc8742b0412a31618454f3

SHA256
1e484e6cfd0db24b41e5653320d8b26e806c8896ae080b7cb11efebcb07ba5b3

SHA512
2fc1fa3a38ca0c1cd6304aa702fa2c3b18e8a4dac73ebe48783e5e4eac759e5520d516f2a41e367678c746d6502613c0f3712de2e66273ea32720975d75fc139

Download Submit
C:\Windows\{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe

Filesize
408KB

MD5
a22bb86cb7cf641765d68ddd68d21716

SHA1
f9ac423a3f36c600004ac1cb8b857f01d06ee084

SHA256
efd8d5b07049de2f8f6a7060bda9b34c42baa2900bbf4dcd7840af44a591d250

SHA512
e356cf156f599c8c8c8bc844a78111672abe56b900dc5aa50d298786575e3ae1efd77beacefc93c65559806891a4b6894edc981e882232844473df102133602d

Download Submit
C:\Windows\{41CE5D25-6875-4c28-827E-14E7DADBB452}.exe

Filesize
408KB

MD5
a22bb86cb7cf641765d68ddd68d21716

SHA1
f9ac423a3f36c600004ac1cb8b857f01d06ee084

SHA256
efd8d5b07049de2f8f6a7060bda9b34c42baa2900bbf4dcd7840af44a591d250

SHA512
e356cf156f599c8c8c8bc844a78111672abe56b900dc5aa50d298786575e3ae1efd77beacefc93c65559806891a4b6894edc981e882232844473df102133602d

Download Submit
C:\Windows\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe

Filesize
408KB

MD5
0c17b9fa540e1c942ac44e51a792bbc8

SHA1
2a6eb1202043da91a707f0e1a9004a574be15361

SHA256
aca0270e84b48e217ca85d317adba0d2ce6b61021e94c2ecd945ac636dcdbc22

SHA512
9194721ad9d1e71b6622e87a050ecdcf063deac2f11521c4ed6794b937ffb2c64c261233b671e43bb7b73bb46fc51e89d862a77f30eb2c1e0fb7bb429e7e15f7

Download Submit
C:\Windows\{63CEA0CE-5FF4-47a3-A5DA-85AA183B985C}.exe

Filesize
408KB

MD5
0c17b9fa540e1c942ac44e51a792bbc8

SHA1
2a6eb1202043da91a707f0e1a9004a574be15361

SHA256
aca0270e84b48e217ca85d317adba0d2ce6b61021e94c2ecd945ac636dcdbc22

SHA512
9194721ad9d1e71b6622e87a050ecdcf063deac2f11521c4ed6794b937ffb2c64c261233b671e43bb7b73bb46fc51e89d862a77f30eb2c1e0fb7bb429e7e15f7

Download Submit
C:\Windows\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe

Filesize
408KB

MD5
464cafd0ca94a04e1b6ec3c7bb316747

SHA1
286f1aa140d86be1d804d9d7cfd8ca36e4478716

SHA256
dc4786fb948ea88b5cc7fd1a4ff582e0e1845a668118afa0e1470e07ddfaf974

SHA512
749bc03f180eb8fa542c8e9493331a12313fccc9d46a37281e49f783af8a7fbf9e1ff2fb72f72fbc523f60f442a74cc17eaa9158cdab9fe27590c3efc9aaad24

Download Submit
C:\Windows\{779ECAEF-C014-4f2f-9947-D6CC2C30DC24}.exe

Filesize
408KB

MD5
464cafd0ca94a04e1b6ec3c7bb316747

SHA1
286f1aa140d86be1d804d9d7cfd8ca36e4478716

SHA256
dc4786fb948ea88b5cc7fd1a4ff582e0e1845a668118afa0e1470e07ddfaf974

SHA512
749bc03f180eb8fa542c8e9493331a12313fccc9d46a37281e49f783af8a7fbf9e1ff2fb72f72fbc523f60f442a74cc17eaa9158cdab9fe27590c3efc9aaad24

Download Submit
C:\Windows\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe

Filesize
408KB

MD5
258d017b3f10cde429086f545c2d3620

SHA1
28754fda82be2115cece5d43a0962f8e593f37b9

SHA256
4f54947dbc36f1ad7cf32781cb70c846fb3dea68fdbfa37e3ca41ecb65fe0b56

SHA512
cd9a5a47d11666d722e6a6653ed03b31b2db1d384f7e0a4e5ab2ee154539b2bb979018b26524f98e91c70272151a646cce96a5f63ae537580ebcb24197febda5

Download Submit
C:\Windows\{9C666106-7A4F-4ad5-8E1E-4BC1D766C28F}.exe

Filesize
408KB

MD5
258d017b3f10cde429086f545c2d3620

SHA1
28754fda82be2115cece5d43a0962f8e593f37b9

SHA256
4f54947dbc36f1ad7cf32781cb70c846fb3dea68fdbfa37e3ca41ecb65fe0b56

SHA512
cd9a5a47d11666d722e6a6653ed03b31b2db1d384f7e0a4e5ab2ee154539b2bb979018b26524f98e91c70272151a646cce96a5f63ae537580ebcb24197febda5

Download Submit
C:\Windows\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe

Filesize
408KB

MD5
88e23ae10f364f2b805d70be17995f3d

SHA1
75520e9cd820be019714a311167469ad36f95e6c

SHA256
0889fb77c1789285e99086b4a2c280d390bfb129cda798c8c119ffedc77e5b3e

SHA512
6f97b7edfbb108a68185c429eadb38aa9ee9cac64e98e8330dbbc1a235833a75ef9aa3d05926424d3fa96de8f93e54cdf4191d7e7e2e76cc0fa7de0371e1d378

Download Submit
C:\Windows\{C26BB882-4D63-4b3b-AEF5-F2F82D96EA97}.exe

Filesize
408KB

MD5
88e23ae10f364f2b805d70be17995f3d

SHA1
75520e9cd820be019714a311167469ad36f95e6c

SHA256
0889fb77c1789285e99086b4a2c280d390bfb129cda798c8c119ffedc77e5b3e

SHA512
6f97b7edfbb108a68185c429eadb38aa9ee9cac64e98e8330dbbc1a235833a75ef9aa3d05926424d3fa96de8f93e54cdf4191d7e7e2e76cc0fa7de0371e1d378

Download Submit
C:\Windows\{D14B6A5E-F6DD-4a5e-85BD-5A77AB607420}.exe

Filesize
408KB

MD5
ae290e455aee5c119f9837251fc8e634

SHA1
7f0db18d12bdd080eee75e021d328737ab96f712

SHA256
36c2be2d6cbcf421bd4bf93ad6c6390c7a3f9b9cb559c32a572c7e15612dd44c

SHA512
bc1f4e6a1e3b5b53e52a3466ebf896699df53f4112990172350368b6b27af94b4785193bfe72162b023a1196c439ee8d275e7d43a3a980ef9e050a1e5102e9da

Download Submit
C:\Windows\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe

Filesize
408KB

MD5
735514e2cd92128d2101a452f465e089

SHA1
79764c1ddd5497f631e0b550be702726c163e32a

SHA256
1ffd9aa1b46f74c38a126c0ae49c563c878901f8b3f5111ec67c09e91519786c

SHA512
3bdd0a5b717f3ce9ef747eb4eeb7c0975ccc66b1aa61ba415056c39c440ce3eef19763fa15bcae5c09501ca50434fd944303d2f45b5ab9e894758981f92c7bd3

Download Submit
C:\Windows\{F1802443-F84D-4d6b-977F-8D5A2AF1088E}.exe

Filesize
408KB

MD5
735514e2cd92128d2101a452f465e089

SHA1
79764c1ddd5497f631e0b550be702726c163e32a

SHA256
1ffd9aa1b46f74c38a126c0ae49c563c878901f8b3f5111ec67c09e91519786c

SHA512
3bdd0a5b717f3ce9ef747eb4eeb7c0975ccc66b1aa61ba415056c39c440ce3eef19763fa15bcae5c09501ca50434fd944303d2f45b5ab9e894758981f92c7bd3

Download Submit