0c37b798a5d7aaef3c7f8de55cd4a3b7aa60eee7fae52171797743d6312176e2

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05-07-2023 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0015838af8857fexe.exe
Size

204KB
MD5

0015838af8857fb448e941e905be2703
SHA1

78944f62d8c03822fa1c483af501e1c2b858238f
SHA256

0c37b798a5d7aaef3c7f8de55cd4a3b7aa60eee7fae52171797743d6312176e2
SHA512

bcd9249d1521a550fd653096d443783c756896b26e36a3b9fe6142cd7c46c6106977aec159cfcc1dfd3acfb6c8ec55f70e499c4cff89ebf3038775df8468eadf
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o/l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58682CD1-6BE5-4788-BA16-4691562BDF04}	{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}	0015838af8857fexe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}\stubpath = "C:\\Windows\\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe"	0015838af8857fexe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2851A71-D410-4dab-9C21-6B9AE1E56259}\stubpath = "C:\\Windows\\{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe"	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}\stubpath = "C:\\Windows\\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe"	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}\stubpath = "C:\\Windows\\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}.exe"	{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}\stubpath = "C:\\Windows\\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe"	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}\stubpath = "C:\\Windows\\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe"	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F4028F-8A04-437d-B3A6-D762916CE099}\stubpath = "C:\\Windows\\{23F4028F-8A04-437d-B3A6-D762916CE099}.exe"	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}	{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{128ED14A-7882-4d07-953C-B69C2A43D2CC}\stubpath = "C:\\Windows\\{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe"	{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}\stubpath = "C:\\Windows\\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe"	{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}	{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2851A71-D410-4dab-9C21-6B9AE1E56259}	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F4028F-8A04-437d-B3A6-D762916CE099}	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}\stubpath = "C:\\Windows\\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe"	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{128ED14A-7882-4d07-953C-B69C2A43D2CC}	{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58682CD1-6BE5-4788-BA16-4691562BDF04}\stubpath = "C:\\Windows\\{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe"	{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}\stubpath = "C:\\Windows\\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe"	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}	{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}\stubpath = "C:\\Windows\\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe"	{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
1324	{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
2600	{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe
2708	{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
2000	{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
2444	{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe
2964	{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}.exe	{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe
File created	C:\Windows\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
File created	C:\Windows\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
File created	C:\Windows\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
File created	C:\Windows\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe	{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
File created	C:\Windows\{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe	{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
File created	C:\Windows\{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe	{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
File created	C:\Windows\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	0015838af8857fexe.exe
File created	C:\Windows\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
File created	C:\Windows\{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
File created	C:\Windows\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
File created	C:\Windows\{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
File created	C:\Windows\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe	{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	0015838af8857fexe.exe
Token: SeIncBasePriorityPrivilege	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
Token: SeIncBasePriorityPrivilege	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
Token: SeIncBasePriorityPrivilege	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
Token: SeIncBasePriorityPrivilege	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
Token: SeIncBasePriorityPrivilege	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
Token: SeIncBasePriorityPrivilege	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
Token: SeIncBasePriorityPrivilege	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
Token: SeIncBasePriorityPrivilege	1324	{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
Token: SeIncBasePriorityPrivilege	2600	{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe
Token: SeIncBasePriorityPrivilege	2708	{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
Token: SeIncBasePriorityPrivilege	2000	{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
Token: SeIncBasePriorityPrivilege	2444	{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 668	2052	0015838af8857fexe.exe	28
PID 2052 wrote to memory of 668	2052	0015838af8857fexe.exe	28
PID 2052 wrote to memory of 668	2052	0015838af8857fexe.exe	28
PID 2052 wrote to memory of 668	2052	0015838af8857fexe.exe	28
PID 2052 wrote to memory of 2372	2052	0015838af8857fexe.exe	29
PID 2052 wrote to memory of 2372	2052	0015838af8857fexe.exe	29
PID 2052 wrote to memory of 2372	2052	0015838af8857fexe.exe	29
PID 2052 wrote to memory of 2372	2052	0015838af8857fexe.exe	29
PID 668 wrote to memory of 1476	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	30
PID 668 wrote to memory of 1476	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	30
PID 668 wrote to memory of 1476	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	30
PID 668 wrote to memory of 1476	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	30
PID 668 wrote to memory of 2308	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	31
PID 668 wrote to memory of 2308	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	31
PID 668 wrote to memory of 2308	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	31
PID 668 wrote to memory of 2308	668	{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe	31
PID 1476 wrote to memory of 1148	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	32
PID 1476 wrote to memory of 1148	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	32
PID 1476 wrote to memory of 1148	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	32
PID 1476 wrote to memory of 1148	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	32
PID 1476 wrote to memory of 1168	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	33
PID 1476 wrote to memory of 1168	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	33
PID 1476 wrote to memory of 1168	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	33
PID 1476 wrote to memory of 1168	1476	{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe	33
PID 1148 wrote to memory of 2248	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	34
PID 1148 wrote to memory of 2248	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	34
PID 1148 wrote to memory of 2248	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	34
PID 1148 wrote to memory of 2248	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	34
PID 1148 wrote to memory of 2260	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	35
PID 1148 wrote to memory of 2260	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	35
PID 1148 wrote to memory of 2260	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	35
PID 1148 wrote to memory of 2260	1148	{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe	35
PID 2248 wrote to memory of 812	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	36
PID 2248 wrote to memory of 812	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	36
PID 2248 wrote to memory of 812	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	36
PID 2248 wrote to memory of 812	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	36
PID 2248 wrote to memory of 2952	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	37
PID 2248 wrote to memory of 2952	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	37
PID 2248 wrote to memory of 2952	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	37
PID 2248 wrote to memory of 2952	2248	{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe	37
PID 812 wrote to memory of 2992	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	38
PID 812 wrote to memory of 2992	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	38
PID 812 wrote to memory of 2992	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	38
PID 812 wrote to memory of 2992	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	38
PID 812 wrote to memory of 2036	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	39
PID 812 wrote to memory of 2036	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	39
PID 812 wrote to memory of 2036	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	39
PID 812 wrote to memory of 2036	812	{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe	39
PID 2992 wrote to memory of 2944	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	40
PID 2992 wrote to memory of 2944	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	40
PID 2992 wrote to memory of 2944	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	40
PID 2992 wrote to memory of 2944	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	40
PID 2992 wrote to memory of 2132	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	41
PID 2992 wrote to memory of 2132	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	41
PID 2992 wrote to memory of 2132	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	41
PID 2992 wrote to memory of 2132	2992	{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe	41
PID 2944 wrote to memory of 1324	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	43
PID 2944 wrote to memory of 1324	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	43
PID 2944 wrote to memory of 1324	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	43
PID 2944 wrote to memory of 1324	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	43
PID 2944 wrote to memory of 2116	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	42
PID 2944 wrote to memory of 2116	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	42
PID 2944 wrote to memory of 2116	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	42
PID 2944 wrote to memory of 2116	2944	{23F4028F-8A04-437d-B3A6-D762916CE099}.exe	42

C:\Users\Admin\AppData\Local\Temp\0015838af8857fexe.exe
"C:\Users\Admin\AppData\Local\Temp\0015838af8857fexe.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
  C:\Windows\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
    C:\Windows\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
      C:\Windows\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
        
        C:\Windows\{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
        
        C:\Windows\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
        
        C:\Windows\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
        
        C:\Windows\{23F4028F-8A04-437d-B3A6-D762916CE099}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23F40~1.EXE > nul
        9⤵
        
        PID:2116
        
        C:\Windows\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
        
        C:\Windows\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7A8E~1.EXE > nul
        10⤵
        
        PID:2684
        
        C:\Windows\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe
        
        C:\Windows\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
        
        C:\Windows\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
        
        C:\Windows\{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe
        
        C:\Windows\{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58682~1.EXE > nul
        14⤵
        
        PID:2768
        
        C:\Windows\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}.exe
        
        C:\Windows\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}.exe
        14⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{128ED~1.EXE > nul
        13⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CED5~1.EXE > nul
        12⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CAA0~1.EXE > nul
        11⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90D91~1.EXE > nul
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE636~1.EXE > nul
        7⤵
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2851~1.EXE > nul
        6⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E063~1.EXE > nul
        5⤵
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EA62~1.EXE > nul
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ADA05~1.EXE > nul
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\001583~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AFD6121-988D-4601-B3B4-8D66FDD3CF0F}.exe

Filesize
204KB

MD5
171db9509c51881b20ca54064db544bd

SHA1
ae705e5ffb4df8a6f58b998baf754e764cf41b57

SHA256
f1f82cbba2d030605acf71f45b6b128d22540099982ab1ac10bfc353f3d05343

SHA512
6cee78f78b13fbbd64617c648ef8454a7e8b33534c365b99289eec743e04df3019c7a745145c84f48701bf76892e894e150319399986928d42fe85f8001bbd51

Download Submit
C:\Windows\{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe

Filesize
204KB

MD5
91a629bda2dc7c4eb5c027ae107e4e63

SHA1
26da7c2175211fc4f3ff85e1b38e28f55bf3f23f

SHA256
757e0cbf2acf5c331dcd3ad3f2da19f45438e42176b0e359331d8cfb9be0bea9

SHA512
e3d18d2489de127e9fb3bb51c2795bf26ec8d8c55ef8711a384ee921f6f07ac64a268d0833a349c8fafdc3bf364c7570b10c827ab041a14cc2db4c11ce5e52ca

Download Submit
C:\Windows\{128ED14A-7882-4d07-953C-B69C2A43D2CC}.exe

Filesize
204KB

MD5
91a629bda2dc7c4eb5c027ae107e4e63

SHA1
26da7c2175211fc4f3ff85e1b38e28f55bf3f23f

SHA256
757e0cbf2acf5c331dcd3ad3f2da19f45438e42176b0e359331d8cfb9be0bea9

SHA512
e3d18d2489de127e9fb3bb51c2795bf26ec8d8c55ef8711a384ee921f6f07ac64a268d0833a349c8fafdc3bf364c7570b10c827ab041a14cc2db4c11ce5e52ca

Download Submit
C:\Windows\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe

Filesize
204KB

MD5
5c9c5c51afdc043065c9d22a13b30394

SHA1
9d3d33dabdb5c2791c27542b0e4de3ca96d35057

SHA256
2a1079bca3a701f6ad9dcfea630e86cf7181c460dd2cacb84226a46afb97a704

SHA512
81f1935b12238af00ee17df0e1c472cc133ffa4a1ff39e86012df2f9f079e95c4720965a7396dcb42090c175f7d8c6bea139182650c4b68fa3a8130898aaa7eb

Download Submit
C:\Windows\{1E063B1D-EAB7-469e-A7F2-ED7E109FFBEA}.exe

Filesize
204KB

MD5
5c9c5c51afdc043065c9d22a13b30394

SHA1
9d3d33dabdb5c2791c27542b0e4de3ca96d35057

SHA256
2a1079bca3a701f6ad9dcfea630e86cf7181c460dd2cacb84226a46afb97a704

SHA512
81f1935b12238af00ee17df0e1c472cc133ffa4a1ff39e86012df2f9f079e95c4720965a7396dcb42090c175f7d8c6bea139182650c4b68fa3a8130898aaa7eb

Download Submit
C:\Windows\{23F4028F-8A04-437d-B3A6-D762916CE099}.exe

Filesize
204KB

MD5
6dee461f90b4d7531a7a8698d7998d00

SHA1
28d1dee47cff35544e04b774918ea85ef67ef199

SHA256
0809a3cd64c01d8093e9eb6adedf3f2358ff5b02d4589b3cf3abf5d7b63a1a9b

SHA512
aedf41adac689d631f424fcd23a5bbc785600f7b5ea30e213bf10154fcb739e10b755f4b4eae3bd4dcb64aff249cc30b2ce409141eec363be91d1241f0c2561b

Download Submit
C:\Windows\{23F4028F-8A04-437d-B3A6-D762916CE099}.exe

Filesize
204KB

MD5
6dee461f90b4d7531a7a8698d7998d00

SHA1
28d1dee47cff35544e04b774918ea85ef67ef199

SHA256
0809a3cd64c01d8093e9eb6adedf3f2358ff5b02d4589b3cf3abf5d7b63a1a9b

SHA512
aedf41adac689d631f424fcd23a5bbc785600f7b5ea30e213bf10154fcb739e10b755f4b4eae3bd4dcb64aff249cc30b2ce409141eec363be91d1241f0c2561b

Download Submit
C:\Windows\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe

Filesize
204KB

MD5
cf0205ad48c5d30760ffd1d218ef9e35

SHA1
6d3d486123b0238741772b82ca8a8ac5ec6b2e7f

SHA256
ab398916c0889f1feda01fe543beb759af0024ca61185e9d8898bedc92250c29

SHA512
b89dcbaed6636eeac5e72329c7e49151247cf71f09ceef2f6d91e9ad9da74533cebaa0fba5e3dd6ae3af2b6353bb2313e09a9811b2e62d9ed2d7e6b754f7dda7

Download Submit
C:\Windows\{3CED5AE3-533C-4b1a-8CB5-79DECC07D182}.exe

Filesize
204KB

MD5
cf0205ad48c5d30760ffd1d218ef9e35

SHA1
6d3d486123b0238741772b82ca8a8ac5ec6b2e7f

SHA256
ab398916c0889f1feda01fe543beb759af0024ca61185e9d8898bedc92250c29

SHA512
b89dcbaed6636eeac5e72329c7e49151247cf71f09ceef2f6d91e9ad9da74533cebaa0fba5e3dd6ae3af2b6353bb2313e09a9811b2e62d9ed2d7e6b754f7dda7

Download Submit
C:\Windows\{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe

Filesize
204KB

MD5
559751eed6358c6a185a6dd51385338a

SHA1
926d9b7191fb1c572926f835cfeb7121dbb325a3

SHA256
5d56181f708b3c3d7983761392ccfb10eb6504293e136febd642b84708947c34

SHA512
8f8a02b97337e48238ae6fe7c39ae2a133a14cd7f9f45d2c92c5f2e79988093ea28acaf9cacbff2920b2f203cae014db96c4b29a23a15f43b3ed3e46b4833049

Download Submit
C:\Windows\{58682CD1-6BE5-4788-BA16-4691562BDF04}.exe

Filesize
204KB

MD5
559751eed6358c6a185a6dd51385338a

SHA1
926d9b7191fb1c572926f835cfeb7121dbb325a3

SHA256
5d56181f708b3c3d7983761392ccfb10eb6504293e136febd642b84708947c34

SHA512
8f8a02b97337e48238ae6fe7c39ae2a133a14cd7f9f45d2c92c5f2e79988093ea28acaf9cacbff2920b2f203cae014db96c4b29a23a15f43b3ed3e46b4833049

Download Submit
C:\Windows\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe

Filesize
204KB

MD5
4839ab512ef59ecc186568929fea1b14

SHA1
8671b5ce1c0f46204119e6c1c6a64ca87a967c5f

SHA256
ce077dcf3b6116cab6dd67d6272a9f44ba86eb66f1fb7e0697ebb140aef8f57c

SHA512
acfdd878f8b6e0193db4ebb5fe8a3bfb2f41885e492226c8cc6a76b26c82360aa2cb308f5bc626794aa034fbe72801146df3c18f1736964bb11c765f41f29463

Download Submit
C:\Windows\{90D911D8-3AF1-48a7-BF0E-B0D78ADC1831}.exe

Filesize
204KB

MD5
4839ab512ef59ecc186568929fea1b14

SHA1
8671b5ce1c0f46204119e6c1c6a64ca87a967c5f

SHA256
ce077dcf3b6116cab6dd67d6272a9f44ba86eb66f1fb7e0697ebb140aef8f57c

SHA512
acfdd878f8b6e0193db4ebb5fe8a3bfb2f41885e492226c8cc6a76b26c82360aa2cb308f5bc626794aa034fbe72801146df3c18f1736964bb11c765f41f29463

Download Submit
C:\Windows\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe

Filesize
204KB

MD5
4ee6e6e9bf859fdf643a9c4c0c8202fa

SHA1
e4fa6dd8c61a06616657d41069b71c45c788c0f1

SHA256
99f1698ad31ad2b3d1a485cd8ad34a29aa2f50b7b53725c505d68854db7e154a

SHA512
42013775d24cd0d6cfa1a14c6436bda4221fa4fe6d25437f994c27f82d0acbcfcb9122b53ed1f1b0bb4576034684d1312591c3ab669f5a5ae4a99ccd10cb406a

Download Submit
C:\Windows\{9CAA090B-D194-4a86-B20B-2D705CAE7B8F}.exe

Filesize
204KB

MD5
4ee6e6e9bf859fdf643a9c4c0c8202fa

SHA1
e4fa6dd8c61a06616657d41069b71c45c788c0f1

SHA256
99f1698ad31ad2b3d1a485cd8ad34a29aa2f50b7b53725c505d68854db7e154a

SHA512
42013775d24cd0d6cfa1a14c6436bda4221fa4fe6d25437f994c27f82d0acbcfcb9122b53ed1f1b0bb4576034684d1312591c3ab669f5a5ae4a99ccd10cb406a

Download Submit
C:\Windows\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe

Filesize
204KB

MD5
6ab7aeaf2c4a9dc4608d0ed4f3b6b3f1

SHA1
2b9a5a5abca3eee124137c14b4477658e7786efe

SHA256
d29ebb38f347535cc9e800850871c5e72783ba12f21ad581f4c639a19c2c1172

SHA512
74c451d477944b504a0ffb48846efd8ec77db5760459c26914f2e3c7173f7e8b3726adbc091fe5da428468ec751b52115313fcfe0c909618d50e771c5878a8ca

Download Submit
C:\Windows\{9EA627E8-EE83-40f4-BE26-15F9D05F4113}.exe

Filesize
204KB

MD5
6ab7aeaf2c4a9dc4608d0ed4f3b6b3f1

SHA1
2b9a5a5abca3eee124137c14b4477658e7786efe

SHA256
d29ebb38f347535cc9e800850871c5e72783ba12f21ad581f4c639a19c2c1172

SHA512
74c451d477944b504a0ffb48846efd8ec77db5760459c26914f2e3c7173f7e8b3726adbc091fe5da428468ec751b52115313fcfe0c909618d50e771c5878a8ca

Download Submit
C:\Windows\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe

Filesize
204KB

MD5
c9a875dbb3d2aafa598ef02ebc6df16a

SHA1
ec9216b972e95f080da1d7a5d25cb0cbb54a8ea3

SHA256
e299d283597f2ab80369cee2f1abf0a2b7393b32728ae63e1e5366a46be18848

SHA512
7d2abb3d076607f3d05a328840591bf7d12471cbc97146c1130be9aa56afe5ba09a766a9a19bf6e614be9209d2a8b419f7b0812fae9a032151c8adcb12d272fa

Download Submit
C:\Windows\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe

Filesize
204KB

MD5
c9a875dbb3d2aafa598ef02ebc6df16a

SHA1
ec9216b972e95f080da1d7a5d25cb0cbb54a8ea3

SHA256
e299d283597f2ab80369cee2f1abf0a2b7393b32728ae63e1e5366a46be18848

SHA512
7d2abb3d076607f3d05a328840591bf7d12471cbc97146c1130be9aa56afe5ba09a766a9a19bf6e614be9209d2a8b419f7b0812fae9a032151c8adcb12d272fa

Download Submit
C:\Windows\{ADA05467-F428-4ab9-8164-B7C6D7A327B1}.exe

Filesize
204KB

MD5
c9a875dbb3d2aafa598ef02ebc6df16a

SHA1
ec9216b972e95f080da1d7a5d25cb0cbb54a8ea3

SHA256
e299d283597f2ab80369cee2f1abf0a2b7393b32728ae63e1e5366a46be18848

SHA512
7d2abb3d076607f3d05a328840591bf7d12471cbc97146c1130be9aa56afe5ba09a766a9a19bf6e614be9209d2a8b419f7b0812fae9a032151c8adcb12d272fa

Download Submit
C:\Windows\{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe

Filesize
204KB

MD5
a72f497f1f4905b2920f6a9c31094107

SHA1
0ffa4490c285d2ae1d9338c3466d74042a47f778

SHA256
2e6bc2cf0430640661f5cfe448266a50178303db372f6762083c1b070bbd690f

SHA512
1561487bd985041f9eedfb70cd098caee33bc2f7bc4478f31f3eca41d59369f17b9d15a9041f1d4187573e60700f0f2f8ad23f90909ccb68c4e7ca22ffa9d570

Download Submit
C:\Windows\{E2851A71-D410-4dab-9C21-6B9AE1E56259}.exe

Filesize
204KB

MD5
a72f497f1f4905b2920f6a9c31094107

SHA1
0ffa4490c285d2ae1d9338c3466d74042a47f778

SHA256
2e6bc2cf0430640661f5cfe448266a50178303db372f6762083c1b070bbd690f

SHA512
1561487bd985041f9eedfb70cd098caee33bc2f7bc4478f31f3eca41d59369f17b9d15a9041f1d4187573e60700f0f2f8ad23f90909ccb68c4e7ca22ffa9d570

Download Submit
C:\Windows\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe

Filesize
204KB

MD5
a0657817a943e68891b08e980232722f

SHA1
b0d6bed415904e791de0339f06f680bb426a484a

SHA256
2cd2c4a3df3b4343fbd966d8cfe7e2b8bd9b5e7060335f2a6914fd0cdb7028ef

SHA512
fd3a215e470324bddea6b585b16a4225b3bf2ebb43db532cb787a2da5de79224793c4fcc53fadd12338982b59d6acb91d0b1a8239d60b80a01be005d47158fb5

Download Submit
C:\Windows\{F7A8E3B1-323D-46d7-829A-7CCAAE50C01F}.exe

Filesize
204KB

MD5
a0657817a943e68891b08e980232722f

SHA1
b0d6bed415904e791de0339f06f680bb426a484a

SHA256
2cd2c4a3df3b4343fbd966d8cfe7e2b8bd9b5e7060335f2a6914fd0cdb7028ef

SHA512
fd3a215e470324bddea6b585b16a4225b3bf2ebb43db532cb787a2da5de79224793c4fcc53fadd12338982b59d6acb91d0b1a8239d60b80a01be005d47158fb5

Download Submit
C:\Windows\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe

Filesize
204KB

MD5
0a9aeb8225daf796b6894c99fbefdc77

SHA1
a7fe45486d77ac441f485ff5e3779a43b8e43eec

SHA256
beeea91f8638f7acfaf858904ba2434bc101085d71267935985ffc59b953c01a

SHA512
b3516de72c07963b4a2a555508a1f5c203d6e217b3ba44ded2099dbc66eca2767421559aa22a6735ef1898f53e793913dadd5d026e046bd1c7d556bb4dd47752

Download Submit
C:\Windows\{FE636132-A4DA-4126-828C-B7FC33EBDE1A}.exe

Filesize
204KB

MD5
0a9aeb8225daf796b6894c99fbefdc77

SHA1
a7fe45486d77ac441f485ff5e3779a43b8e43eec

SHA256
beeea91f8638f7acfaf858904ba2434bc101085d71267935985ffc59b953c01a

SHA512
b3516de72c07963b4a2a555508a1f5c203d6e217b3ba44ded2099dbc66eca2767421559aa22a6735ef1898f53e793913dadd5d026e046bd1c7d556bb4dd47752

Download Submit