c77e284313542a91bb80c44f02f71c0cea3d3ad947e2971ea83445dade704ca2

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 06:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4a7eaf3b3f911exeexeexeex.exe
Size

204KB
MD5

e4a7eaf3b3f9112f124508c4fa6b1466
SHA1

c0f1e8bcdd37cfbfa934cd4550665d8157f993d5
SHA256

c77e284313542a91bb80c44f02f71c0cea3d3ad947e2971ea83445dade704ca2
SHA512

c607e14a770f012d169a571e13113a8c846e2b963f8a2ddf6c5e2c418731c91ea1760e5a86e472a3f31c58ef430e5bdf731036408dabb65b66443896112d6dae
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ojl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA7DF174-5C25-4210-B543-E6FE110B6129}	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C64BD1A-1250-45e5-8512-DC26867113D5}\stubpath = "C:\\Windows\\{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe"	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}\stubpath = "C:\\Windows\\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe"	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0F687B-FE83-4f61-9F09-06842505B7A8}\stubpath = "C:\\Windows\\{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe"	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C64BD1A-1250-45e5-8512-DC26867113D5}	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}\stubpath = "C:\\Windows\\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe"	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0F687B-FE83-4f61-9F09-06842505B7A8}	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9D2B116-97AC-42d4-804B-9D158409EE0B}\stubpath = "C:\\Windows\\{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe"	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}\stubpath = "C:\\Windows\\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe"	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}\stubpath = "C:\\Windows\\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe"	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9D2B116-97AC-42d4-804B-9D158409EE0B}	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}\stubpath = "C:\\Windows\\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe"	e4a7eaf3b3f911exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA7DF174-5C25-4210-B543-E6FE110B6129}\stubpath = "C:\\Windows\\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe"	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}\stubpath = "C:\\Windows\\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe"	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}\stubpath = "C:\\Windows\\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe"	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}	e4a7eaf3b3f911exeexeexeex.exe

Executes dropped EXE 11 IoCs

pid	Process
1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
1536	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe
3828	{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3F12FAA1-1BF7-46E5-875E-88D372918FEA}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
File created	C:\Windows\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
File created	C:\Windows\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
File created	C:\Windows\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
File created	C:\Windows\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
File created	C:\Windows\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
File created	C:\Windows\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
File created	C:\Windows\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
File created	C:\Windows\{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
File created	C:\Windows\{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe
File created	C:\Windows\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	e4a7eaf3b3f911exeexeexeex.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4080	e4a7eaf3b3f911exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
Token: SeIncBasePriorityPrivilege	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
Token: SeIncBasePriorityPrivilege	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
Token: SeIncBasePriorityPrivilege	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
Token: SeIncBasePriorityPrivilege	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
Token: SeIncBasePriorityPrivilege	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
Token: SeIncBasePriorityPrivilege	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
Token: SeIncBasePriorityPrivilege	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
Token: SeIncBasePriorityPrivilege	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
Token: SeIncBasePriorityPrivilege	1536	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1620	4080	e4a7eaf3b3f911exeexeexeex.exe	93
PID 4080 wrote to memory of 1620	4080	e4a7eaf3b3f911exeexeexeex.exe	93
PID 4080 wrote to memory of 1620	4080	e4a7eaf3b3f911exeexeexeex.exe	93
PID 4080 wrote to memory of 2828	4080	e4a7eaf3b3f911exeexeexeex.exe	94
PID 4080 wrote to memory of 2828	4080	e4a7eaf3b3f911exeexeexeex.exe	94
PID 4080 wrote to memory of 2828	4080	e4a7eaf3b3f911exeexeexeex.exe	94
PID 1620 wrote to memory of 1280	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	97
PID 1620 wrote to memory of 1280	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	97
PID 1620 wrote to memory of 1280	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	97
PID 1620 wrote to memory of 4344	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	98
PID 1620 wrote to memory of 4344	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	98
PID 1620 wrote to memory of 4344	1620	{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe	98
PID 1280 wrote to memory of 3760	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	102
PID 1280 wrote to memory of 3760	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	102
PID 1280 wrote to memory of 3760	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	102
PID 1280 wrote to memory of 1324	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	103
PID 1280 wrote to memory of 1324	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	103
PID 1280 wrote to memory of 1324	1280	{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe	103
PID 3760 wrote to memory of 4408	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	104
PID 3760 wrote to memory of 4408	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	104
PID 3760 wrote to memory of 4408	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	104
PID 3760 wrote to memory of 4948	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	105
PID 3760 wrote to memory of 4948	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	105
PID 3760 wrote to memory of 4948	3760	{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe	105
PID 4408 wrote to memory of 1512	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	106
PID 4408 wrote to memory of 1512	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	106
PID 4408 wrote to memory of 1512	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	106
PID 4408 wrote to memory of 4904	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	107
PID 4408 wrote to memory of 4904	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	107
PID 4408 wrote to memory of 4904	4408	{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe	107
PID 1512 wrote to memory of 4736	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	108
PID 1512 wrote to memory of 4736	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	108
PID 1512 wrote to memory of 4736	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	108
PID 1512 wrote to memory of 408	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	109
PID 1512 wrote to memory of 408	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	109
PID 1512 wrote to memory of 408	1512	{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe	109
PID 4736 wrote to memory of 436	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	110
PID 4736 wrote to memory of 436	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	110
PID 4736 wrote to memory of 436	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	110
PID 4736 wrote to memory of 2004	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	111
PID 4736 wrote to memory of 2004	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	111
PID 4736 wrote to memory of 2004	4736	{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe	111
PID 436 wrote to memory of 5016	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	112
PID 436 wrote to memory of 5016	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	112
PID 436 wrote to memory of 5016	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	112
PID 436 wrote to memory of 2108	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	113
PID 436 wrote to memory of 2108	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	113
PID 436 wrote to memory of 2108	436	{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe	113
PID 5016 wrote to memory of 3408	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	114
PID 5016 wrote to memory of 3408	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	114
PID 5016 wrote to memory of 3408	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	114
PID 5016 wrote to memory of 1492	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	115
PID 5016 wrote to memory of 1492	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	115
PID 5016 wrote to memory of 1492	5016	{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe	115
PID 3408 wrote to memory of 1536	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	116
PID 3408 wrote to memory of 1536	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	116
PID 3408 wrote to memory of 1536	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	116
PID 3408 wrote to memory of 2584	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	117
PID 3408 wrote to memory of 2584	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	117
PID 3408 wrote to memory of 2584	3408	{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe	117
PID 1536 wrote to memory of 3828	1536	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe	118
PID 1536 wrote to memory of 3828	1536	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe	118
PID 1536 wrote to memory of 3828	1536	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe	118
PID 1536 wrote to memory of 5036	1536	{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e4a7eaf3b3f911exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e4a7eaf3b3f911exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
  C:\Windows\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
    C:\Windows\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
      C:\Windows\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
        
        C:\Windows\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
        
        C:\Windows\{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
        
        C:\Windows\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
        
        C:\Windows\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
        
        C:\Windows\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
        
        C:\Windows\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe
        
        C:\Windows\{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe
        
        C:\Windows\{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe
        12⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F0F6~1.EXE > nul
        12⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DADE~1.EXE > nul
        11⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E196~1.EXE > nul
        10⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D51B9~1.EXE > nul
        9⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D263~1.EXE > nul
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C64B~1.EXE > nul
        7⤵
        
        PID:408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D2ED~1.EXE > nul
        6⤵
        
        PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7DF~1.EXE > nul
        5⤵
        
        PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8BBE4~1.EXE > nul
      4⤵
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F833~1.EXE > nul
    3⤵
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E4A7EA~1.EXE > nul
  2⤵
  PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuBBBE.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe

Filesize
204KB

MD5
fdbc065a8729c23daf1d7c0505932cdd

SHA1
34b5a47bb4ac9a7db18b20c57f759f1c980f1fcf

SHA256
1084fad694b73f85cdfa7540b1efd40228ae32b40be7e5cc4e9c98176f4604d4

SHA512
ca3f5c81943c32d7f52e855fadc76d3dffc61045ef7801d9b25a7e5ff4f18b5f3392119995c9c76fe8a88b3c9a9ab892b4101478fb70fa3ca2b9ca869e10fd6d

Download Submit
C:\Windows\{1F0F687B-FE83-4f61-9F09-06842505B7A8}.exe

Filesize
204KB

MD5
fdbc065a8729c23daf1d7c0505932cdd

SHA1
34b5a47bb4ac9a7db18b20c57f759f1c980f1fcf

SHA256
1084fad694b73f85cdfa7540b1efd40228ae32b40be7e5cc4e9c98176f4604d4

SHA512
ca3f5c81943c32d7f52e855fadc76d3dffc61045ef7801d9b25a7e5ff4f18b5f3392119995c9c76fe8a88b3c9a9ab892b4101478fb70fa3ca2b9ca869e10fd6d

Download Submit
C:\Windows\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe

Filesize
204KB

MD5
4c68d01a043ae10abf6224c5e6bb0cfd

SHA1
fa0811adefb3ba0647d6f9e220c93e9a2643f3d6

SHA256
a9e9237a35e2400d27df37ab820d0ae6febd58849f2d55e591242f76d4893be4

SHA512
e1d1c6e6f503dc1b2c05b00516f2fcf824fb3381a85c595097fa87def6d43c654e3a7a8b740745ad07ba91cb8760777d81133f03368fb9711a10351c159e4d52

Download Submit
C:\Windows\{2E196A7A-DD6F-4fcb-927F-7575D712DB57}.exe

Filesize
204KB

MD5
4c68d01a043ae10abf6224c5e6bb0cfd

SHA1
fa0811adefb3ba0647d6f9e220c93e9a2643f3d6

SHA256
a9e9237a35e2400d27df37ab820d0ae6febd58849f2d55e591242f76d4893be4

SHA512
e1d1c6e6f503dc1b2c05b00516f2fcf824fb3381a85c595097fa87def6d43c654e3a7a8b740745ad07ba91cb8760777d81133f03368fb9711a10351c159e4d52

Download Submit
C:\Windows\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe

Filesize
204KB

MD5
0de5b0c75b93477c54d7570218c0582a

SHA1
b95c0e56af9692c6d3d667aad3c9a8835cc6b927

SHA256
6a4c96415b1a02f2883b71492ccde2a2398e01a41e12aac2cc3364a62ffecf9b

SHA512
e1a3104344516e51a393f6d8028299992ad2d89737124be0d80b5151631c73553d52acee0c502959ea1dd3d461052362e5e9c993405b48c60c962b9745320676

Download Submit
C:\Windows\{4D263DE5-F1E1-4690-B9A1-8F84A0A07512}.exe

Filesize
204KB

MD5
0de5b0c75b93477c54d7570218c0582a

SHA1
b95c0e56af9692c6d3d667aad3c9a8835cc6b927

SHA256
6a4c96415b1a02f2883b71492ccde2a2398e01a41e12aac2cc3364a62ffecf9b

SHA512
e1a3104344516e51a393f6d8028299992ad2d89737124be0d80b5151631c73553d52acee0c502959ea1dd3d461052362e5e9c993405b48c60c962b9745320676

Download Submit
C:\Windows\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe

Filesize
204KB

MD5
1fd1d202ea50ac526664f17e21f8a99a

SHA1
efc244ff53d041e2e1b76a31931557f197ea497d

SHA256
17e67c2044ff8053ab6548702f648ee3e7acb6b76e27999e12da5de075278fc0

SHA512
a5966b03375cf020f90be31eaca436f4171edc7902f5c69e6010f190e48e6b1ba3238a253ea9a34d92cf3b585b9af2f437715ef1f51a36105c303c4d099d43a2

Download Submit
C:\Windows\{4F8333BD-82E7-4fe7-8EBE-A6E105126FB3}.exe

Filesize
204KB

MD5
1fd1d202ea50ac526664f17e21f8a99a

SHA1
efc244ff53d041e2e1b76a31931557f197ea497d

SHA256
17e67c2044ff8053ab6548702f648ee3e7acb6b76e27999e12da5de075278fc0

SHA512
a5966b03375cf020f90be31eaca436f4171edc7902f5c69e6010f190e48e6b1ba3238a253ea9a34d92cf3b585b9af2f437715ef1f51a36105c303c4d099d43a2

Download Submit
C:\Windows\{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe

Filesize
204KB

MD5
e18c6060915ef813d9716d6cf80299e2

SHA1
e15d28d658655dcc1469fe8c09b66f6b4a8d6c10

SHA256
7f37fab6f17df1473e1213678c3fad96de1a98f1828f6903d061e1fea50c04a2

SHA512
a8c4f7b09f9b12c47106928d66cdd255e62ebab6bbff71432adfdc6798cea4d88ca99f1c898ab4995bf7fa8cdcd494738ff388e08f6d932bc2cb918658056989

Download Submit
C:\Windows\{6C64BD1A-1250-45e5-8512-DC26867113D5}.exe

Filesize
204KB

MD5
e18c6060915ef813d9716d6cf80299e2

SHA1
e15d28d658655dcc1469fe8c09b66f6b4a8d6c10

SHA256
7f37fab6f17df1473e1213678c3fad96de1a98f1828f6903d061e1fea50c04a2

SHA512
a8c4f7b09f9b12c47106928d66cdd255e62ebab6bbff71432adfdc6798cea4d88ca99f1c898ab4995bf7fa8cdcd494738ff388e08f6d932bc2cb918658056989

Download Submit
C:\Windows\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe

Filesize
204KB

MD5
e84676aaf484cca564cc846e8474e357

SHA1
494e4ed7497e2aaa0a1c0ae59e6b5d6da9c0e88e

SHA256
85cd70cc158dd98da57bacfb329138d0534ec9cf16e0230ff721cc8cb54c0b32

SHA512
59cb11874a9a3c9847b8d994f9f9ac18bd939f57e6318f07490a9e86eb6532d779f0363313836eed9e7634df54b37411e74c7d77efb5bb6347f823d76e26cdab

Download Submit
C:\Windows\{7D2EDDCE-4ACE-4260-BB1C-2D8FA60B3609}.exe

Filesize
204KB

MD5
e84676aaf484cca564cc846e8474e357

SHA1
494e4ed7497e2aaa0a1c0ae59e6b5d6da9c0e88e

SHA256
85cd70cc158dd98da57bacfb329138d0534ec9cf16e0230ff721cc8cb54c0b32

SHA512
59cb11874a9a3c9847b8d994f9f9ac18bd939f57e6318f07490a9e86eb6532d779f0363313836eed9e7634df54b37411e74c7d77efb5bb6347f823d76e26cdab

Download Submit
C:\Windows\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe

Filesize
204KB

MD5
42818f711266e0e6d56f2f2c12cced59

SHA1
043c705cc778fdd21028504a7ee67fba5d8cdccc

SHA256
b8b3be6a40130d4f518dfd0104efebeb648d78d121bd53730f1203863b06104c

SHA512
74291079ba80961e63294ffc49198689136c5d8313ba7738df5585798e819c44dbb60bd86c927729cd3ce910a60e7339fc9cbf2d02c631c8abed278aa434545b

Download Submit
C:\Windows\{8BBE48B7-B932-4ed7-8913-A1F5A7A04C63}.exe

Filesize
204KB

MD5
42818f711266e0e6d56f2f2c12cced59

SHA1
043c705cc778fdd21028504a7ee67fba5d8cdccc

SHA256
b8b3be6a40130d4f518dfd0104efebeb648d78d121bd53730f1203863b06104c

SHA512
74291079ba80961e63294ffc49198689136c5d8313ba7738df5585798e819c44dbb60bd86c927729cd3ce910a60e7339fc9cbf2d02c631c8abed278aa434545b

Download Submit
C:\Windows\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe

Filesize
204KB

MD5
7d22167ebed2bf1c1c175faa3f53fba7

SHA1
b288aafa5e0e62a950465b5d61f203612fe7ef74

SHA256
4a7e51bdd0113138d0a98fe02c08b5596fa206a991e980659ef9d6df15273b71

SHA512
6cd38559032ca77e576c1548efe897a538d321a1c904cf41c1ecf1bb8820b9ff36b42dab799a7f6a1aad1498ba80b02c253ac0df1f22b9de1d205028c25d94ce

Download Submit
C:\Windows\{9DADEBCC-DA43-4a27-9017-EBD154FD5E03}.exe

Filesize
204KB

MD5
7d22167ebed2bf1c1c175faa3f53fba7

SHA1
b288aafa5e0e62a950465b5d61f203612fe7ef74

SHA256
4a7e51bdd0113138d0a98fe02c08b5596fa206a991e980659ef9d6df15273b71

SHA512
6cd38559032ca77e576c1548efe897a538d321a1c904cf41c1ecf1bb8820b9ff36b42dab799a7f6a1aad1498ba80b02c253ac0df1f22b9de1d205028c25d94ce

Download Submit
C:\Windows\{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe

Filesize
204KB

MD5
892a1adcbb6eefc51b5b0e1c0eeb182f

SHA1
3a939b0bab9ec55db65633881745689766a9cab1

SHA256
9e56dbcb79810e1fb07e3666bb932577f3185b4d0eeae083e56344f66663628c

SHA512
527712033920c9b333c8083b4ed8f303fc666523044c5a68054c79a8384992476c8fb6ceddf7c52425403821c0c625f05b0cbc2a8de61e7ced90e01502dcf7b3

Download Submit
C:\Windows\{C9D2B116-97AC-42d4-804B-9D158409EE0B}.exe

Filesize
204KB

MD5
892a1adcbb6eefc51b5b0e1c0eeb182f

SHA1
3a939b0bab9ec55db65633881745689766a9cab1

SHA256
9e56dbcb79810e1fb07e3666bb932577f3185b4d0eeae083e56344f66663628c

SHA512
527712033920c9b333c8083b4ed8f303fc666523044c5a68054c79a8384992476c8fb6ceddf7c52425403821c0c625f05b0cbc2a8de61e7ced90e01502dcf7b3

Download Submit
C:\Windows\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe

Filesize
204KB

MD5
c0599df2bf899ca2b1ccf1f83e966556

SHA1
e44ae81da83ff6573e1ed91d2134fa223c5be416

SHA256
6453e8391988948c3cb8f47dbd0ff3d4a6f034cce8773fa8b572d6a6c2ec3847

SHA512
36e0a25a14abb511ac0c6268818cc5a46cfc7207e8e5904910d7e5eed322c05cdfee26fec19371ad9ead669a593eebf2ac96b5ee75bb3e1efd9ad3bdaecc6cc6

Download Submit
C:\Windows\{D51B91B6-1E54-4634-B8C5-B8A82340C28D}.exe

Filesize
204KB

MD5
c0599df2bf899ca2b1ccf1f83e966556

SHA1
e44ae81da83ff6573e1ed91d2134fa223c5be416

SHA256
6453e8391988948c3cb8f47dbd0ff3d4a6f034cce8773fa8b572d6a6c2ec3847

SHA512
36e0a25a14abb511ac0c6268818cc5a46cfc7207e8e5904910d7e5eed322c05cdfee26fec19371ad9ead669a593eebf2ac96b5ee75bb3e1efd9ad3bdaecc6cc6

Download Submit
C:\Windows\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe

Filesize
204KB

MD5
d47c0d37f9977a05ad4510aa74f2ac4b

SHA1
ba9ebbeb97b3a6da81da3bee39e97bfaa3b8d765

SHA256
8be6c819c9df8c3d6e04e9d20a4a782fa3522abe4d383cfaaa6b83067321c3be

SHA512
94f3e58c4998250085a2eb0ba80218f7139211c70978ed5405364eea4a0c20f10ef0e6e073b1bccd115f3c254485dc9e7ff3c7525e075045d5166f1b27f16707

Download Submit
C:\Windows\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe

Filesize
204KB

MD5
d47c0d37f9977a05ad4510aa74f2ac4b

SHA1
ba9ebbeb97b3a6da81da3bee39e97bfaa3b8d765

SHA256
8be6c819c9df8c3d6e04e9d20a4a782fa3522abe4d383cfaaa6b83067321c3be

SHA512
94f3e58c4998250085a2eb0ba80218f7139211c70978ed5405364eea4a0c20f10ef0e6e073b1bccd115f3c254485dc9e7ff3c7525e075045d5166f1b27f16707

Download Submit
C:\Windows\{EA7DF174-5C25-4210-B543-E6FE110B6129}.exe

Filesize
204KB

MD5
d47c0d37f9977a05ad4510aa74f2ac4b

SHA1
ba9ebbeb97b3a6da81da3bee39e97bfaa3b8d765

SHA256
8be6c819c9df8c3d6e04e9d20a4a782fa3522abe4d383cfaaa6b83067321c3be

SHA512
94f3e58c4998250085a2eb0ba80218f7139211c70978ed5405364eea4a0c20f10ef0e6e073b1bccd115f3c254485dc9e7ff3c7525e075045d5166f1b27f16707

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads