5518cce6955515257bb16a763e16ee1bc9131f91e9cfa72a36f5c6c6b6cd058c

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 17:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fdb834b2971e83exeexeexeex.exe
Size

408KB
MD5

fdb834b2971e834636f50902643b87e8
SHA1

ee552e5621513a116dc30d76bba0f34afba8e017
SHA256

5518cce6955515257bb16a763e16ee1bc9131f91e9cfa72a36f5c6c6b6cd058c
SHA512

0d4beb53149715949609d9b6502e49728c1b13dd69416cc2033aba61ee56e136205d4860b90e5d7c279da9d0da404ae70c37ed27c02264c6186ecc9001ee03ce
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG6ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}\stubpath = "C:\\Windows\\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe"	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65D29945-812C-4073-865B-0C42BAB47542}\stubpath = "C:\\Windows\\{65D29945-812C-4073-865B-0C42BAB47542}.exe"	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}\stubpath = "C:\\Windows\\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe"	{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}	{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}	fdb834b2971e83exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}	{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5294040E-0909-4b32-A48B-A6758D37DC82}\stubpath = "C:\\Windows\\{5294040E-0909-4b32-A48B-A6758D37DC82}.exe"	{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8961B400-A557-4ab2-B992-C3C422A1A5BD}\stubpath = "C:\\Windows\\{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe"	{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}\stubpath = "C:\\Windows\\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}.exe"	{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FF07CB-F794-40b6-94D6-5413AE10F994}\stubpath = "C:\\Windows\\{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe"	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FF07CB-F794-40b6-94D6-5413AE10F994}	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F4249D-B86B-4734-A303-76151D9D88BD}\stubpath = "C:\\Windows\\{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe"	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}\stubpath = "C:\\Windows\\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe"	{65D29945-812C-4073-865B-0C42BAB47542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8961B400-A557-4ab2-B992-C3C422A1A5BD}	{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}\stubpath = "C:\\Windows\\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe"	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}\stubpath = "C:\\Windows\\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe"	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}\stubpath = "C:\\Windows\\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe"	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F4249D-B86B-4734-A303-76151D9D88BD}	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65D29945-812C-4073-865B-0C42BAB47542}	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}\stubpath = "C:\\Windows\\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe"	fdb834b2971e83exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5294040E-0909-4b32-A48B-A6758D37DC82}	{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}	{65D29945-812C-4073-865B-0C42BAB47542}.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
832	{65D29945-812C-4073-865B-0C42BAB47542}.exe
1084	{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
2688	{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
2576	{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
2952	{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe
2904	{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	fdb834b2971e83exeexeexeex.exe
File created	C:\Windows\{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
File created	C:\Windows\{65D29945-812C-4073-865B-0C42BAB47542}.exe	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
File created	C:\Windows\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe	{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
File created	C:\Windows\{5294040E-0909-4b32-A48B-A6758D37DC82}.exe	{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
File created	C:\Windows\{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe	{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
File created	C:\Windows\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}.exe	{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe
File created	C:\Windows\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
File created	C:\Windows\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
File created	C:\Windows\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
File created	C:\Windows\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
File created	C:\Windows\{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
File created	C:\Windows\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe	{65D29945-812C-4073-865B-0C42BAB47542}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	296	fdb834b2971e83exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
Token: SeIncBasePriorityPrivilege	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
Token: SeIncBasePriorityPrivilege	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
Token: SeIncBasePriorityPrivilege	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
Token: SeIncBasePriorityPrivilege	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
Token: SeIncBasePriorityPrivilege	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
Token: SeIncBasePriorityPrivilege	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
Token: SeIncBasePriorityPrivilege	832	{65D29945-812C-4073-865B-0C42BAB47542}.exe
Token: SeIncBasePriorityPrivilege	1084	{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
Token: SeIncBasePriorityPrivilege	2688	{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
Token: SeIncBasePriorityPrivilege	2576	{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
Token: SeIncBasePriorityPrivilege	2952	{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2272	296	fdb834b2971e83exeexeexeex.exe	29
PID 296 wrote to memory of 2272	296	fdb834b2971e83exeexeexeex.exe	29
PID 296 wrote to memory of 2272	296	fdb834b2971e83exeexeexeex.exe	29
PID 296 wrote to memory of 2272	296	fdb834b2971e83exeexeexeex.exe	29
PID 296 wrote to memory of 2220	296	fdb834b2971e83exeexeexeex.exe	30
PID 296 wrote to memory of 2220	296	fdb834b2971e83exeexeexeex.exe	30
PID 296 wrote to memory of 2220	296	fdb834b2971e83exeexeexeex.exe	30
PID 296 wrote to memory of 2220	296	fdb834b2971e83exeexeexeex.exe	30
PID 2272 wrote to memory of 888	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	31
PID 2272 wrote to memory of 888	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	31
PID 2272 wrote to memory of 888	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	31
PID 2272 wrote to memory of 888	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	31
PID 2272 wrote to memory of 1964	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	32
PID 2272 wrote to memory of 1964	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	32
PID 2272 wrote to memory of 1964	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	32
PID 2272 wrote to memory of 1964	2272	{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe	32
PID 888 wrote to memory of 2028	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	33
PID 888 wrote to memory of 2028	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	33
PID 888 wrote to memory of 2028	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	33
PID 888 wrote to memory of 2028	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	33
PID 888 wrote to memory of 856	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	34
PID 888 wrote to memory of 856	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	34
PID 888 wrote to memory of 856	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	34
PID 888 wrote to memory of 856	888	{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe	34
PID 2028 wrote to memory of 1224	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	36
PID 2028 wrote to memory of 1224	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	36
PID 2028 wrote to memory of 1224	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	36
PID 2028 wrote to memory of 1224	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	36
PID 2028 wrote to memory of 2988	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	35
PID 2028 wrote to memory of 2988	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	35
PID 2028 wrote to memory of 2988	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	35
PID 2028 wrote to memory of 2988	2028	{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe	35
PID 1224 wrote to memory of 2324	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	37
PID 1224 wrote to memory of 2324	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	37
PID 1224 wrote to memory of 2324	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	37
PID 1224 wrote to memory of 2324	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	37
PID 1224 wrote to memory of 2208	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	38
PID 1224 wrote to memory of 2208	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	38
PID 1224 wrote to memory of 2208	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	38
PID 1224 wrote to memory of 2208	1224	{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe	38
PID 2324 wrote to memory of 2224	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	40
PID 2324 wrote to memory of 2224	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	40
PID 2324 wrote to memory of 2224	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	40
PID 2324 wrote to memory of 2224	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	40
PID 2324 wrote to memory of 2240	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	39
PID 2324 wrote to memory of 2240	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	39
PID 2324 wrote to memory of 2240	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	39
PID 2324 wrote to memory of 2240	2324	{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe	39
PID 2224 wrote to memory of 1620	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	42
PID 2224 wrote to memory of 1620	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	42
PID 2224 wrote to memory of 1620	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	42
PID 2224 wrote to memory of 1620	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	42
PID 2224 wrote to memory of 2052	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	41
PID 2224 wrote to memory of 2052	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	41
PID 2224 wrote to memory of 2052	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	41
PID 2224 wrote to memory of 2052	2224	{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe	41
PID 1620 wrote to memory of 832	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	43
PID 1620 wrote to memory of 832	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	43
PID 1620 wrote to memory of 832	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	43
PID 1620 wrote to memory of 832	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	43
PID 1620 wrote to memory of 1652	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	44
PID 1620 wrote to memory of 1652	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	44
PID 1620 wrote to memory of 1652	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	44
PID 1620 wrote to memory of 1652	1620	{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe	44

C:\Users\Admin\AppData\Local\Temp\fdb834b2971e83exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fdb834b2971e83exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
  C:\Windows\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
    C:\Windows\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
      C:\Windows\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A56A2~1.EXE > nul
        5⤵
        
        PID:2988
    - - C:\Windows\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
        
        C:\Windows\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
        
        C:\Windows\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59BFC~1.EXE > nul
        7⤵
        
        PID:2240
        
        C:\Windows\{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
        
        C:\Windows\{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46FF0~1.EXE > nul
        8⤵
        
        PID:2052
        
        C:\Windows\{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
        
        C:\Windows\{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{65D29945-812C-4073-865B-0C42BAB47542}.exe
        
        C:\Windows\{65D29945-812C-4073-865B-0C42BAB47542}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65D29~1.EXE > nul
        10⤵
        
        PID:2580
        
        C:\Windows\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
        
        C:\Windows\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
        
        C:\Windows\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9697C~1.EXE > nul
        12⤵
        
        PID:2604
        
        C:\Windows\{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
        
        C:\Windows\{5294040E-0909-4b32-A48B-A6758D37DC82}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52940~1.EXE > nul
        13⤵
        
        PID:2504
        
        C:\Windows\{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe
        
        C:\Windows\{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}.exe
        
        C:\Windows\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}.exe
        14⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8961B~1.EXE > nul
        14⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D26B~1.EXE > nul
        11⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F42~1.EXE > nul
        9⤵
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE9DA~1.EXE > nul
        6⤵
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0389~1.EXE > nul
      4⤵
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E8B5~1.EXE > nul
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FDB834~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe

Filesize
408KB

MD5
7bfe48f22c0ef07b7794d77ac7d2349f

SHA1
a871900c58d41fe31714cc55f36171b03c88162f

SHA256
f815cc0738c038471e34556ecbb16f142cdd27d1a13b265694b837895f0ad666

SHA512
bc28df6ada2990fbd0fa4e6a2d041bde2d2636aef00fe850aabdf43084d06b8fd6e38ea0bb72acd75bc80f87e665c3d53af407bccbfa82ee7bcfa8516c8857a0

Download Submit
C:\Windows\{46FF07CB-F794-40b6-94D6-5413AE10F994}.exe

Filesize
408KB

MD5
7bfe48f22c0ef07b7794d77ac7d2349f

SHA1
a871900c58d41fe31714cc55f36171b03c88162f

SHA256
f815cc0738c038471e34556ecbb16f142cdd27d1a13b265694b837895f0ad666

SHA512
bc28df6ada2990fbd0fa4e6a2d041bde2d2636aef00fe850aabdf43084d06b8fd6e38ea0bb72acd75bc80f87e665c3d53af407bccbfa82ee7bcfa8516c8857a0

Download Submit
C:\Windows\{5294040E-0909-4b32-A48B-A6758D37DC82}.exe

Filesize
408KB

MD5
782d0a0b4e67c7410f8ec69fbfdd496d

SHA1
fd3829003988a54e8076532e66208a850cb6ed03

SHA256
2e137c0be58f35a9a31cc7a5ff22dad5a3667167f6ac8103d1d2255c03818dfa

SHA512
9b4c2cad03662a060412b88867bc8a0a47a26ea04c69df6a61236c5c8c45b8f381cce7aa72ca4977de36334eee4e1dcad6dd23e8036f0a3096a1e9a1e389e5b6

Download Submit
C:\Windows\{5294040E-0909-4b32-A48B-A6758D37DC82}.exe

Filesize
408KB

MD5
782d0a0b4e67c7410f8ec69fbfdd496d

SHA1
fd3829003988a54e8076532e66208a850cb6ed03

SHA256
2e137c0be58f35a9a31cc7a5ff22dad5a3667167f6ac8103d1d2255c03818dfa

SHA512
9b4c2cad03662a060412b88867bc8a0a47a26ea04c69df6a61236c5c8c45b8f381cce7aa72ca4977de36334eee4e1dcad6dd23e8036f0a3096a1e9a1e389e5b6

Download Submit
C:\Windows\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe

Filesize
408KB

MD5
74214caeb7c2f08264700a3d2e104b26

SHA1
2bcec890e88351330f95fd80f6bd5d5dc72234f2

SHA256
7448efad5d3a59ab03d0b0649a666eaac7d1e8336ada82201b92ee06b858bfa8

SHA512
793d07671957cb2109b53c290ce1c094040d087e980bf58b5cb4a03e3fe326e147220de0917e874a9f53f96b89834d8b622cc908dcbeb99b88d61d4e1a245ec7

Download Submit
C:\Windows\{59BFC50D-4785-45d1-9912-14B90D5FE1A8}.exe

Filesize
408KB

MD5
74214caeb7c2f08264700a3d2e104b26

SHA1
2bcec890e88351330f95fd80f6bd5d5dc72234f2

SHA256
7448efad5d3a59ab03d0b0649a666eaac7d1e8336ada82201b92ee06b858bfa8

SHA512
793d07671957cb2109b53c290ce1c094040d087e980bf58b5cb4a03e3fe326e147220de0917e874a9f53f96b89834d8b622cc908dcbeb99b88d61d4e1a245ec7

Download Submit
C:\Windows\{5F48BA72-09FE-4e4a-B9FB-48AC0CFD26B7}.exe

Filesize
408KB

MD5
86f43c1543011001f10cf41255ef9421

SHA1
96d35088c9e8ad01bec902c2c72e2a8ddebecc1a

SHA256
cf5f4ec579b34c65008d37c70896efeaebdd827131d36a3891371f1faf16b363

SHA512
a31b4d2b8f0349f31937f8431c84ab7b9d79a4765a5abfa4608160a2e9cef568be9bba53baaaad14829d9ae21a4ad221906264ebcd8358d237aa09db71d91ecb

Download Submit
C:\Windows\{65D29945-812C-4073-865B-0C42BAB47542}.exe

Filesize
408KB

MD5
5b2fe17382fc1cc5f04140114b72f726

SHA1
35ce30cc21ee8bb61c4b089ac722363896843eea

SHA256
556ec06cfd5886ab78886347f0158e0e9166814bb4fc66b0fd0c9c09eab288c7

SHA512
999f9be6cb1540b37627728ebc87ef4fc921ec1482ee3c82278d7c7cbb26cc1149537a57683aac65e3ab322e189dd5454799718e09bfecee83c33aae16b19c76

Download Submit
C:\Windows\{65D29945-812C-4073-865B-0C42BAB47542}.exe

Filesize
408KB

MD5
5b2fe17382fc1cc5f04140114b72f726

SHA1
35ce30cc21ee8bb61c4b089ac722363896843eea

SHA256
556ec06cfd5886ab78886347f0158e0e9166814bb4fc66b0fd0c9c09eab288c7

SHA512
999f9be6cb1540b37627728ebc87ef4fc921ec1482ee3c82278d7c7cbb26cc1149537a57683aac65e3ab322e189dd5454799718e09bfecee83c33aae16b19c76

Download Submit
C:\Windows\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe

Filesize
408KB

MD5
9e0f7ce86e916dcf79177e48ca5d2dd2

SHA1
e3d6ea562babeb715213ad7bd678d41ed06fdf68

SHA256
b8191e5bd61e83f00abee5d490f13e7fdb8b1f8e11831801cd590644297c4994

SHA512
1de83559ee438c379bfb41c0d367d625aec1166618fb179f62f306db8dfdb69ff654c9b52ad8ea31a00de54446b7220a8618fe1e630fafd4c784e17636e00ddb

Download Submit
C:\Windows\{7D26BEB7-DDD8-407c-A977-BBD2A068EC5F}.exe

Filesize
408KB

MD5
9e0f7ce86e916dcf79177e48ca5d2dd2

SHA1
e3d6ea562babeb715213ad7bd678d41ed06fdf68

SHA256
b8191e5bd61e83f00abee5d490f13e7fdb8b1f8e11831801cd590644297c4994

SHA512
1de83559ee438c379bfb41c0d367d625aec1166618fb179f62f306db8dfdb69ff654c9b52ad8ea31a00de54446b7220a8618fe1e630fafd4c784e17636e00ddb

Download Submit
C:\Windows\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe

Filesize
408KB

MD5
9871f4e741dcb76067b81871eb4d0382

SHA1
7383e5280896b03b8e562592ceef0181aae371f4

SHA256
6c946c4ab2a150ad172e5d9e93179f6e47e12638f2f05f07300a71096be72535

SHA512
a60464036182bd44796865a782625e0e22bcb2ad045b36aeda304f8dcd37ac8c7365986aaf7e4b5a546d418679abe900d76700260dfe2640f97d89f866d7154f

Download Submit
C:\Windows\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe

Filesize
408KB

MD5
9871f4e741dcb76067b81871eb4d0382

SHA1
7383e5280896b03b8e562592ceef0181aae371f4

SHA256
6c946c4ab2a150ad172e5d9e93179f6e47e12638f2f05f07300a71096be72535

SHA512
a60464036182bd44796865a782625e0e22bcb2ad045b36aeda304f8dcd37ac8c7365986aaf7e4b5a546d418679abe900d76700260dfe2640f97d89f866d7154f

Download Submit
C:\Windows\{7E8B57D9-A3B4-4cd0-AD3C-91E650459A6E}.exe

Filesize
408KB

MD5
9871f4e741dcb76067b81871eb4d0382

SHA1
7383e5280896b03b8e562592ceef0181aae371f4

SHA256
6c946c4ab2a150ad172e5d9e93179f6e47e12638f2f05f07300a71096be72535

SHA512
a60464036182bd44796865a782625e0e22bcb2ad045b36aeda304f8dcd37ac8c7365986aaf7e4b5a546d418679abe900d76700260dfe2640f97d89f866d7154f

Download Submit
C:\Windows\{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe

Filesize
408KB

MD5
42a449f405824fa7878365b916efedff

SHA1
dc621fb143c0f71620a914876189e993ba4f80c7

SHA256
2873ee0e90c9e6dac8b8faef3433f1e429aaf26adc230918fd93433c29ee7942

SHA512
0186ec196e0f6806e20c719d9b6d7c54d780f62671f96e268990acd28510d611fe2c9840582bc730b3f88518ebeaf0bf6c82f94e638b2cf773c75b7739808259

Download Submit
C:\Windows\{8961B400-A557-4ab2-B992-C3C422A1A5BD}.exe

Filesize
408KB

MD5
42a449f405824fa7878365b916efedff

SHA1
dc621fb143c0f71620a914876189e993ba4f80c7

SHA256
2873ee0e90c9e6dac8b8faef3433f1e429aaf26adc230918fd93433c29ee7942

SHA512
0186ec196e0f6806e20c719d9b6d7c54d780f62671f96e268990acd28510d611fe2c9840582bc730b3f88518ebeaf0bf6c82f94e638b2cf773c75b7739808259

Download Submit
C:\Windows\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe

Filesize
408KB

MD5
47eb3bb48712ce0c6a2e7160773e8b2d

SHA1
34eb31848553ce9eb705390aeac4f69a3a735197

SHA256
4dc9269a9ea3578c3507742938ba40f5c50d1a52f7423b6a0ad69537476f8e74

SHA512
ea1904a91c07119888dc49d1f8092e2642e4a4fa97aaa6cff336ac3a79dc3893b1f6525d323dcdacb42c3963709a5b2f104ea7ebdb40f8ac9c823e97b5f60817

Download Submit
C:\Windows\{9697CFBE-B00A-451c-980B-AE10CAE13B4C}.exe

Filesize
408KB

MD5
47eb3bb48712ce0c6a2e7160773e8b2d

SHA1
34eb31848553ce9eb705390aeac4f69a3a735197

SHA256
4dc9269a9ea3578c3507742938ba40f5c50d1a52f7423b6a0ad69537476f8e74

SHA512
ea1904a91c07119888dc49d1f8092e2642e4a4fa97aaa6cff336ac3a79dc3893b1f6525d323dcdacb42c3963709a5b2f104ea7ebdb40f8ac9c823e97b5f60817

Download Submit
C:\Windows\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe

Filesize
408KB

MD5
2bd442df7b5ff7172ae42a137983e883

SHA1
fd6ad4d1191ad130c657015b1afe94732bc79a36

SHA256
a249757cf0fba01971e6ef860b7b1a9f26ea3b7f390c6a7467125c1fbf6e6fa0

SHA512
ab6192f4ee4f7263f9a48ea1baa5766b514bba092cff19425f20936cb5a4b2a0259f16b4b665f3709294a374fb80d4ae98fbce3b0379fc9b09e50634680f1622

Download Submit
C:\Windows\{A56A2EB7-CBE0-437f-A2BA-6BC3D7395A2A}.exe

Filesize
408KB

MD5
2bd442df7b5ff7172ae42a137983e883

SHA1
fd6ad4d1191ad130c657015b1afe94732bc79a36

SHA256
a249757cf0fba01971e6ef860b7b1a9f26ea3b7f390c6a7467125c1fbf6e6fa0

SHA512
ab6192f4ee4f7263f9a48ea1baa5766b514bba092cff19425f20936cb5a4b2a0259f16b4b665f3709294a374fb80d4ae98fbce3b0379fc9b09e50634680f1622

Download Submit
C:\Windows\{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe

Filesize
408KB

MD5
d0f849282f7e6adb0a9672c056d7bf60

SHA1
04b1ace08b613e43aa9d4122a69ae879d6c05d8c

SHA256
ecf669a4ef74df9770bb7f0553b0d69c41df28b7f93bccb2446435e729305085

SHA512
5428c9cdd7e60f7a575256407171860fa998f05db1f8a339e0ee3968a9043a704c0dfc27b8cf62ea2bfec91fbdfd1142aca5b9942c16a7f0468883d35b0e5923

Download Submit
C:\Windows\{B1F4249D-B86B-4734-A303-76151D9D88BD}.exe

Filesize
408KB

MD5
d0f849282f7e6adb0a9672c056d7bf60

SHA1
04b1ace08b613e43aa9d4122a69ae879d6c05d8c

SHA256
ecf669a4ef74df9770bb7f0553b0d69c41df28b7f93bccb2446435e729305085

SHA512
5428c9cdd7e60f7a575256407171860fa998f05db1f8a339e0ee3968a9043a704c0dfc27b8cf62ea2bfec91fbdfd1142aca5b9942c16a7f0468883d35b0e5923

Download Submit
C:\Windows\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe

Filesize
408KB

MD5
8238d0afa54876bfab3bd2a79240d247

SHA1
da31de7d7644838dc396f2a760e31b17225103ee

SHA256
46c4491b1534a6815bd9eb11e9d71a75bf596790df3a0b26cec18384df4db800

SHA512
9dbd53dd17f4342163021c71e881264c7bb20c2734282ff5ace15010995ff40edeb02fcd5875d836a3cb839abcbbe6a0598241d659ba083301186e5f345ca1e5

Download Submit
C:\Windows\{CE9DAD53-97BA-4a13-92C0-12A49C1B084E}.exe

Filesize
408KB

MD5
8238d0afa54876bfab3bd2a79240d247

SHA1
da31de7d7644838dc396f2a760e31b17225103ee

SHA256
46c4491b1534a6815bd9eb11e9d71a75bf596790df3a0b26cec18384df4db800

SHA512
9dbd53dd17f4342163021c71e881264c7bb20c2734282ff5ace15010995ff40edeb02fcd5875d836a3cb839abcbbe6a0598241d659ba083301186e5f345ca1e5

Download Submit
C:\Windows\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe

Filesize
408KB

MD5
d33f0fc7ea16f372626d5d4e3d116176

SHA1
de09e8a65deb94eda4642d6e8d5eeb98f206c57c

SHA256
4cc932e0213941bc6808e3282d25608d5aeeb8205fcf7f7ff2fd1ee4373ae5f5

SHA512
193013f5e04da241296f6263e6dfe07b14a19b0d0e86a960d1284ee8cf6983542c432410ac9408273cbddaa7a3cf70971a624da2624d9135c97c4a3beea714b3

Download Submit
C:\Windows\{F038944B-F6A0-4fa5-8BE0-8ABD0E561280}.exe

Filesize
408KB

MD5
d33f0fc7ea16f372626d5d4e3d116176

SHA1
de09e8a65deb94eda4642d6e8d5eeb98f206c57c

SHA256
4cc932e0213941bc6808e3282d25608d5aeeb8205fcf7f7ff2fd1ee4373ae5f5

SHA512
193013f5e04da241296f6263e6dfe07b14a19b0d0e86a960d1284ee8cf6983542c432410ac9408273cbddaa7a3cf70971a624da2624d9135c97c4a3beea714b3

Download Submit