de433580efd1f03eaaa348928659a2dfb9cf5ced13e7d37ccc829b4c6e0276fe

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb21c24dc93fc6exeexeexeex.exe
Size

168KB
MD5

eb21c24dc93fc604a475f83e7f28040f
SHA1

d0cf95582d8a3fc63d013679d7717f3c4ab0c56a
SHA256

de433580efd1f03eaaa348928659a2dfb9cf5ced13e7d37ccc829b4c6e0276fe
SHA512

c4ea65869ce5ed6ccf234e183d9414eaa6eee6b2ca497f31be16f5d4fef72159d11fe54a4e0b8fda4196b6a359a20b67e40a62a374e9ac7362e24bb378a5614e
SSDEEP

1536:1EGh0oulq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oulqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}\stubpath = "C:\\Windows\\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe"	eb21c24dc93fc6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6861290-C763-4e3a-8BCE-72EF06C1E513}	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}\stubpath = "C:\\Windows\\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe"	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}	{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}	{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}\stubpath = "C:\\Windows\\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe"	{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16ACC34D-5A95-43cc-8159-433304B8E747}	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16ACC34D-5A95-43cc-8159-433304B8E747}\stubpath = "C:\\Windows\\{16ACC34D-5A95-43cc-8159-433304B8E747}.exe"	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD71C250-6EFC-4aed-8868-8313F2E02E07}	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}\stubpath = "C:\\Windows\\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe"	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7F74D11-A506-4dd2-8329-EDB401C37283}	{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}	{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}	eb21c24dc93fc6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}\stubpath = "C:\\Windows\\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe"	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}\stubpath = "C:\\Windows\\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe"	{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}	{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}\stubpath = "C:\\Windows\\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe"	{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6861290-C763-4e3a-8BCE-72EF06C1E513}\stubpath = "C:\\Windows\\{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe"	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39908397-C66E-45c9-83B9-ABFBF22FE149}	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39908397-C66E-45c9-83B9-ABFBF22FE149}\stubpath = "C:\\Windows\\{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe"	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD71C250-6EFC-4aed-8868-8313F2E02E07}\stubpath = "C:\\Windows\\{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe"	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7F74D11-A506-4dd2-8329-EDB401C37283}\stubpath = "C:\\Windows\\{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe"	{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}\stubpath = "C:\\Windows\\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}.exe"	{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe

Deletes itself 1 IoCs

pid	Process
912	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe
2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
2000	{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
1352	{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
2752	{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
2684	{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
2768	{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe
2384	{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
File created	C:\Windows\{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
File created	C:\Windows\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
File created	C:\Windows\{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
File created	C:\Windows\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe	{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
File created	C:\Windows\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	eb21c24dc93fc6exeexeexeex.exe
File created	C:\Windows\{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
File created	C:\Windows\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
File created	C:\Windows\{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe	{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
File created	C:\Windows\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe	{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
File created	C:\Windows\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe	{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
File created	C:\Windows\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}.exe	{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe
File created	C:\Windows\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	eb21c24dc93fc6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
Token: SeIncBasePriorityPrivilege	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
Token: SeIncBasePriorityPrivilege	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe
Token: SeIncBasePriorityPrivilege	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
Token: SeIncBasePriorityPrivilege	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
Token: SeIncBasePriorityPrivilege	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
Token: SeIncBasePriorityPrivilege	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
Token: SeIncBasePriorityPrivilege	2000	{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
Token: SeIncBasePriorityPrivilege	1352	{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
Token: SeIncBasePriorityPrivilege	2752	{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
Token: SeIncBasePriorityPrivilege	2684	{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
Token: SeIncBasePriorityPrivilege	2768	{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3036	2664	eb21c24dc93fc6exeexeexeex.exe	29
PID 2664 wrote to memory of 3036	2664	eb21c24dc93fc6exeexeexeex.exe	29
PID 2664 wrote to memory of 3036	2664	eb21c24dc93fc6exeexeexeex.exe	29
PID 2664 wrote to memory of 3036	2664	eb21c24dc93fc6exeexeexeex.exe	29
PID 2664 wrote to memory of 912	2664	eb21c24dc93fc6exeexeexeex.exe	30
PID 2664 wrote to memory of 912	2664	eb21c24dc93fc6exeexeexeex.exe	30
PID 2664 wrote to memory of 912	2664	eb21c24dc93fc6exeexeexeex.exe	30
PID 2664 wrote to memory of 912	2664	eb21c24dc93fc6exeexeexeex.exe	30
PID 3036 wrote to memory of 2200	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	31
PID 3036 wrote to memory of 2200	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	31
PID 3036 wrote to memory of 2200	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	31
PID 3036 wrote to memory of 2200	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	31
PID 3036 wrote to memory of 1464	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	32
PID 3036 wrote to memory of 1464	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	32
PID 3036 wrote to memory of 1464	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	32
PID 3036 wrote to memory of 1464	3036	{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe	32
PID 2200 wrote to memory of 1956	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	34
PID 2200 wrote to memory of 1956	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	34
PID 2200 wrote to memory of 1956	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	34
PID 2200 wrote to memory of 1956	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	34
PID 2200 wrote to memory of 1796	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	33
PID 2200 wrote to memory of 1796	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	33
PID 2200 wrote to memory of 1796	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	33
PID 2200 wrote to memory of 1796	2200	{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe	33
PID 1956 wrote to memory of 2092	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	35
PID 1956 wrote to memory of 2092	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	35
PID 1956 wrote to memory of 2092	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	35
PID 1956 wrote to memory of 2092	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	35
PID 1956 wrote to memory of 2128	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	36
PID 1956 wrote to memory of 2128	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	36
PID 1956 wrote to memory of 2128	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	36
PID 1956 wrote to memory of 2128	1956	{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe	36
PID 2092 wrote to memory of 2236	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	37
PID 2092 wrote to memory of 2236	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	37
PID 2092 wrote to memory of 2236	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	37
PID 2092 wrote to memory of 2236	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	37
PID 2092 wrote to memory of 2892	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	38
PID 2092 wrote to memory of 2892	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	38
PID 2092 wrote to memory of 2892	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	38
PID 2092 wrote to memory of 2892	2092	{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe	38
PID 2236 wrote to memory of 612	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	39
PID 2236 wrote to memory of 612	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	39
PID 2236 wrote to memory of 612	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	39
PID 2236 wrote to memory of 612	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	39
PID 2236 wrote to memory of 2924	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	40
PID 2236 wrote to memory of 2924	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	40
PID 2236 wrote to memory of 2924	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	40
PID 2236 wrote to memory of 2924	2236	{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe	40
PID 612 wrote to memory of 3008	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	41
PID 612 wrote to memory of 3008	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	41
PID 612 wrote to memory of 3008	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	41
PID 612 wrote to memory of 3008	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	41
PID 612 wrote to memory of 2152	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	42
PID 612 wrote to memory of 2152	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	42
PID 612 wrote to memory of 2152	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	42
PID 612 wrote to memory of 2152	612	{16ACC34D-5A95-43cc-8159-433304B8E747}.exe	42
PID 3008 wrote to memory of 2000	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	43
PID 3008 wrote to memory of 2000	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	43
PID 3008 wrote to memory of 2000	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	43
PID 3008 wrote to memory of 2000	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	43
PID 3008 wrote to memory of 2872	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	44
PID 3008 wrote to memory of 2872	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	44
PID 3008 wrote to memory of 2872	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	44
PID 3008 wrote to memory of 2872	3008	{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe	44

C:\Users\Admin\AppData\Local\Temp\eb21c24dc93fc6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\eb21c24dc93fc6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
  C:\Windows\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
    C:\Windows\{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6861~1.EXE > nul
      4⤵
      PID:1796
  - - C:\Windows\{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe
      C:\Windows\{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
        
        C:\Windows\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
        
        C:\Windows\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
        
        C:\Windows\{16ACC34D-5A95-43cc-8159-433304B8E747}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
        
        C:\Windows\{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
        
        C:\Windows\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
        
        C:\Windows\{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7F74~1.EXE > nul
        11⤵
        
        PID:2640
        
        C:\Windows\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
        
        C:\Windows\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C522~1.EXE > nul
        12⤵
        
        PID:3068
        
        C:\Windows\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
        
        C:\Windows\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FF14~1.EXE > nul
        13⤵
        
        PID:2864
        
        C:\Windows\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe
        
        C:\Windows\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}.exe
        
        C:\Windows\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}.exe
        14⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3BF3~1.EXE > nul
        14⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F5A~1.EXE > nul
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD71C~1.EXE > nul
        9⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16ACC~1.EXE > nul
        8⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38AEC~1.EXE > nul
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF4F9~1.EXE > nul
        6⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39908~1.EXE > nul
        5⤵
        
        PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2C687~1.EXE > nul
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EB21C2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16ACC34D-5A95-43cc-8159-433304B8E747}.exe

Filesize
168KB

MD5
d3d115f142d393e31b325a61fb64c201

SHA1
07cdd5ea16b4c890e1b3ba39264fad083a031fd0

SHA256
b39cd6b51e919d79252ad251cd377a7c0b16d63c830569cb115decbec692676f

SHA512
97e2aa9ddc74a11dcbce435c2cda281858a987c8462c1cf1da1e1bfb491e8247dc6397795fce99c65e6f330d223e934e0b475aa924c3740921b64f8f210d1587

Download Submit
C:\Windows\{16ACC34D-5A95-43cc-8159-433304B8E747}.exe

Filesize
168KB

MD5
d3d115f142d393e31b325a61fb64c201

SHA1
07cdd5ea16b4c890e1b3ba39264fad083a031fd0

SHA256
b39cd6b51e919d79252ad251cd377a7c0b16d63c830569cb115decbec692676f

SHA512
97e2aa9ddc74a11dcbce435c2cda281858a987c8462c1cf1da1e1bfb491e8247dc6397795fce99c65e6f330d223e934e0b475aa924c3740921b64f8f210d1587

Download Submit
C:\Windows\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe

Filesize
168KB

MD5
1713d47b893f27ba2255acad337003ed

SHA1
03fe7f44f96c09c16df5c3c8fe7400d76af9283d

SHA256
6cbecd99b6aeea49240b003714c1118273df993f82d4a06acbe67bc8c261b33d

SHA512
c611766ca6e93007499dd0650932a441c35ebe50b8ebde5d886a4dd4defb89db9dadf42ad343f3e97ab1d3f6f3f6e70872a40f077fbcfc32ef52f4320d81a4ed

Download Submit
C:\Windows\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe

Filesize
168KB

MD5
1713d47b893f27ba2255acad337003ed

SHA1
03fe7f44f96c09c16df5c3c8fe7400d76af9283d

SHA256
6cbecd99b6aeea49240b003714c1118273df993f82d4a06acbe67bc8c261b33d

SHA512
c611766ca6e93007499dd0650932a441c35ebe50b8ebde5d886a4dd4defb89db9dadf42ad343f3e97ab1d3f6f3f6e70872a40f077fbcfc32ef52f4320d81a4ed

Download Submit
C:\Windows\{2C687CF4-E50F-4322-B4C2-345C7AB6E959}.exe

Filesize
168KB

MD5
1713d47b893f27ba2255acad337003ed

SHA1
03fe7f44f96c09c16df5c3c8fe7400d76af9283d

SHA256
6cbecd99b6aeea49240b003714c1118273df993f82d4a06acbe67bc8c261b33d

SHA512
c611766ca6e93007499dd0650932a441c35ebe50b8ebde5d886a4dd4defb89db9dadf42ad343f3e97ab1d3f6f3f6e70872a40f077fbcfc32ef52f4320d81a4ed

Download Submit
C:\Windows\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe

Filesize
168KB

MD5
deaae596c194f77cec259db921cfd764

SHA1
7478e4ccb232677029bc3567b998ebb36e52a276

SHA256
13610ae309524146d0e9f2e2ecda982dface2aab115d27bffb7bd060faea086b

SHA512
08bca42b63a5821f5793cc450542853ef21690e63527855f551cb9491461b60e44372f4d4ae4bce7ec54c89df0abc5a2c9e1027401f771c9ef259311eb47a5b6

Download Submit
C:\Windows\{2FF1431A-26F0-4f21-AB45-5E6136E6C506}.exe

Filesize
168KB

MD5
deaae596c194f77cec259db921cfd764

SHA1
7478e4ccb232677029bc3567b998ebb36e52a276

SHA256
13610ae309524146d0e9f2e2ecda982dface2aab115d27bffb7bd060faea086b

SHA512
08bca42b63a5821f5793cc450542853ef21690e63527855f551cb9491461b60e44372f4d4ae4bce7ec54c89df0abc5a2c9e1027401f771c9ef259311eb47a5b6

Download Submit
C:\Windows\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe

Filesize
168KB

MD5
74c9a87e947f0e8f1951d913762c0ab2

SHA1
4137b30f92931edd544c156f8e05794719b26d39

SHA256
dac0521933e3b5dbaf587a7d74b28b6a780fdaa2d0c8e7ba36c6cec9a74992d6

SHA512
d38da2c44fe61311a9d925a6abc26be8c6c5716e1c6c8616d5b07f8f736ec18286b75cb72d14799372cfc4f8211d38ff857f3aa019f96a1f452d3be920123162

Download Submit
C:\Windows\{38AEC5A1-7153-43cd-AF2D-AFBA3EFC94C0}.exe

Filesize
168KB

MD5
74c9a87e947f0e8f1951d913762c0ab2

SHA1
4137b30f92931edd544c156f8e05794719b26d39

SHA256
dac0521933e3b5dbaf587a7d74b28b6a780fdaa2d0c8e7ba36c6cec9a74992d6

SHA512
d38da2c44fe61311a9d925a6abc26be8c6c5716e1c6c8616d5b07f8f736ec18286b75cb72d14799372cfc4f8211d38ff857f3aa019f96a1f452d3be920123162

Download Submit
C:\Windows\{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe

Filesize
168KB

MD5
052b1ae50b7750fc4dbde7ffef9d18e1

SHA1
6240e9a14f3cb977ad9462d572393c7d0b7d65ea

SHA256
4746a5d3ee22bdd504cc952c762c894bec52abdb9bfb42ea37cb3e67293d5340

SHA512
47fcd3341b6769402adfd4d80530ced3552e1955ddd0cb18c5387b45da97b30bd9864b8a510b8357b55a812b9a40f68518778755f94be84020ccc49ffa219b89

Download Submit
C:\Windows\{39908397-C66E-45c9-83B9-ABFBF22FE149}.exe

Filesize
168KB

MD5
052b1ae50b7750fc4dbde7ffef9d18e1

SHA1
6240e9a14f3cb977ad9462d572393c7d0b7d65ea

SHA256
4746a5d3ee22bdd504cc952c762c894bec52abdb9bfb42ea37cb3e67293d5340

SHA512
47fcd3341b6769402adfd4d80530ced3552e1955ddd0cb18c5387b45da97b30bd9864b8a510b8357b55a812b9a40f68518778755f94be84020ccc49ffa219b89

Download Submit
C:\Windows\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe

Filesize
168KB

MD5
1947b77f0a7933eb608733666d4a017e

SHA1
4cfe24248496751b1ab8e84daf5306244aec491b

SHA256
d049fc6b35cc40d8c9b60700e203105996ab0b2c7b661d407271a65623d4b785

SHA512
40906d647cfcdfa99447f149c0e3e5a9ca6227b05487880fcf733c8e1df029799e70a2a19d448326abdc49c9028ea48d7f4333ce00f8c38a936fcd253daa399f

Download Submit
C:\Windows\{5C522B3A-B974-4709-BDF1-61CC5B8EB210}.exe

Filesize
168KB

MD5
1947b77f0a7933eb608733666d4a017e

SHA1
4cfe24248496751b1ab8e84daf5306244aec491b

SHA256
d049fc6b35cc40d8c9b60700e203105996ab0b2c7b661d407271a65623d4b785

SHA512
40906d647cfcdfa99447f149c0e3e5a9ca6227b05487880fcf733c8e1df029799e70a2a19d448326abdc49c9028ea48d7f4333ce00f8c38a936fcd253daa399f

Download Submit
C:\Windows\{A6692B5B-9A0C-409b-BA6A-79DD0783CCA4}.exe

Filesize
168KB

MD5
4969fa7351a4e9285959ba6f17fc726e

SHA1
e385dc6c34b9b323dcec36c276e7d28c784224d5

SHA256
2afc9ed69ac654b219ce727c2630fb460755641fc14fd85f97e88304ed47679a

SHA512
93b854d388041120c7cc7c51b7190fff3dc52eff9b8baca2fe511ec5f260dbc5a5e471b0b6109717c466ac27e4578dd497391e1542b989ff2dc389c136802324

Download Submit
C:\Windows\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe

Filesize
168KB

MD5
0744945825717d8c4f4823cc4898a7e8

SHA1
abb1b05247081771c33e59795220b151d5597c61

SHA256
8bd99188bd47ae9c9e8088c23ee9754080af01976ddfcef30af923850c89e148

SHA512
f626936baef44bfe0486deb618b6f49be234b07ac41df4c0232459af7079d7e8bef75f2ef9614560fd01a6b46e579867b0e33c0406596b7ebe4269a64a97e010

Download Submit
C:\Windows\{A6F5AF2B-5E9C-41f4-903F-1F2F86B1246F}.exe

Filesize
168KB

MD5
0744945825717d8c4f4823cc4898a7e8

SHA1
abb1b05247081771c33e59795220b151d5597c61

SHA256
8bd99188bd47ae9c9e8088c23ee9754080af01976ddfcef30af923850c89e148

SHA512
f626936baef44bfe0486deb618b6f49be234b07ac41df4c0232459af7079d7e8bef75f2ef9614560fd01a6b46e579867b0e33c0406596b7ebe4269a64a97e010

Download Submit
C:\Windows\{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe

Filesize
168KB

MD5
5de7afca58bb5d1acc4218c85ce7fbce

SHA1
407cfa0f8e062b63a8c665c02bbdc908bb43985b

SHA256
734d12ebfe3f4c9292204d89fec406cdfceb23490c6108b96910ba30d3f2dba5

SHA512
ad5fa2a053f6b94f1f855336bada7686290db44a0d4054c7fe39bcdac1d5d5d916338da6fe9e80690c953defdddc8054f77efcb3ef1578cc4ee994dab004e4d1

Download Submit
C:\Windows\{CD71C250-6EFC-4aed-8868-8313F2E02E07}.exe

Filesize
168KB

MD5
5de7afca58bb5d1acc4218c85ce7fbce

SHA1
407cfa0f8e062b63a8c665c02bbdc908bb43985b

SHA256
734d12ebfe3f4c9292204d89fec406cdfceb23490c6108b96910ba30d3f2dba5

SHA512
ad5fa2a053f6b94f1f855336bada7686290db44a0d4054c7fe39bcdac1d5d5d916338da6fe9e80690c953defdddc8054f77efcb3ef1578cc4ee994dab004e4d1

Download Submit
C:\Windows\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe

Filesize
168KB

MD5
0898917f1fd9a65f82e5d9bdd1a89081

SHA1
e6ada1857095f367a39d68d74fc3627c6f860673

SHA256
667dc12cee126eac33116e7cf8d7c64da8a044dba067e87a2da9a27d1a9078a3

SHA512
665f636ec69d3715c73426baf962bc1e719554c0264dce4f08070e54eab3beb275b02b3381817115d506637fd377a9557d97f6d5ad679455a542130bea1e9a79

Download Submit
C:\Windows\{D3BF3EBD-94D6-4a6b-8F47-172D030E1EB6}.exe

Filesize
168KB

MD5
0898917f1fd9a65f82e5d9bdd1a89081

SHA1
e6ada1857095f367a39d68d74fc3627c6f860673

SHA256
667dc12cee126eac33116e7cf8d7c64da8a044dba067e87a2da9a27d1a9078a3

SHA512
665f636ec69d3715c73426baf962bc1e719554c0264dce4f08070e54eab3beb275b02b3381817115d506637fd377a9557d97f6d5ad679455a542130bea1e9a79

Download Submit
C:\Windows\{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe

Filesize
168KB

MD5
7c8751307fc855855f2f393059089a8a

SHA1
3ac5b0f79b2367052a1be27cb156fd207c24b2d9

SHA256
a18a582b37455e06ce623f404567e2ca58adee65fb257a5359de32174dac4e5e

SHA512
344ddfca7ed74ba337320e18f38c83d1b5fd6c4bfd6bf654b42f14cacb6382dd506ac9ac2d3d8e6c66a68b94a09534914f67fecd7a1bac83e089c2ad6cb44f2b

Download Submit
C:\Windows\{D7F74D11-A506-4dd2-8329-EDB401C37283}.exe

Filesize
168KB

MD5
7c8751307fc855855f2f393059089a8a

SHA1
3ac5b0f79b2367052a1be27cb156fd207c24b2d9

SHA256
a18a582b37455e06ce623f404567e2ca58adee65fb257a5359de32174dac4e5e

SHA512
344ddfca7ed74ba337320e18f38c83d1b5fd6c4bfd6bf654b42f14cacb6382dd506ac9ac2d3d8e6c66a68b94a09534914f67fecd7a1bac83e089c2ad6cb44f2b

Download Submit
C:\Windows\{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe

Filesize
168KB

MD5
e420ae74442d5509871f8705502b0473

SHA1
c1aa7d1a8c72076fde5dfa62af567723a1adf222

SHA256
6d522f03471524d58d2b76c53e08dd59f84b379fff9e0095a0cd4c9b6b584be0

SHA512
be61559664cd7d197fd384c6402cb0922257f22fde3487a2b4891b6acff361850bd090f6cbc90802c2d8ac666fa02c69c1ef4caa8a61afef74a70af8eca41da5

Download Submit
C:\Windows\{E6861290-C763-4e3a-8BCE-72EF06C1E513}.exe

Filesize
168KB

MD5
e420ae74442d5509871f8705502b0473

SHA1
c1aa7d1a8c72076fde5dfa62af567723a1adf222

SHA256
6d522f03471524d58d2b76c53e08dd59f84b379fff9e0095a0cd4c9b6b584be0

SHA512
be61559664cd7d197fd384c6402cb0922257f22fde3487a2b4891b6acff361850bd090f6cbc90802c2d8ac666fa02c69c1ef4caa8a61afef74a70af8eca41da5

Download Submit
C:\Windows\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe

Filesize
168KB

MD5
b3356e543964413421d1b9f404a377a7

SHA1
fedf2525a290d9d07907d4a0ca73b9d9a89b0b12

SHA256
5acf0df8a29db2fb8ad7d6c7d8af2e1f68c5678aaf81d550617dd673a1bc3e7d

SHA512
2eab6b66b3c89681e28bc7f749f783d52dcf2231cbda8e1b12a65cf6a303c453235ed00163ee5a55d97f08f89dbc375bdc703ab6860585a6d5e1f436810d586d

Download Submit
C:\Windows\{EF4F9A9E-79BC-409a-AEC0-03BEA7E64A05}.exe

Filesize
168KB

MD5
b3356e543964413421d1b9f404a377a7

SHA1
fedf2525a290d9d07907d4a0ca73b9d9a89b0b12

SHA256
5acf0df8a29db2fb8ad7d6c7d8af2e1f68c5678aaf81d550617dd673a1bc3e7d

SHA512
2eab6b66b3c89681e28bc7f749f783d52dcf2231cbda8e1b12a65cf6a303c453235ed00163ee5a55d97f08f89dbc375bdc703ab6860585a6d5e1f436810d586d

Download Submit