70244899ec73565901840e668aff5873373843d244edfdb2798f1e800f798125

Analysis

max time kernel
147s
max time network
35s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7e653dfc4aecexeexeexeex.exe
Size

168KB
MD5

0b7e653dfc4aec12c077dff8f68c5b1a
SHA1

111b58bfe998a32f67f7eaa22200d332aadc2937
SHA256

70244899ec73565901840e668aff5873373843d244edfdb2798f1e800f798125
SHA512

62f1c71c1a2aace0b2e52d4c86320ba2ea88f85e3ed96ff7e4d3f9fcca2a38fb5f801eee6948a9a9ccff75eb7a159750dace23a32b688bd99dbaead677c609b4
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}\stubpath = "C:\\Windows\\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe"	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2799D6B1-0E80-4d18-8641-288F12E04936}	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2799D6B1-0E80-4d18-8641-288F12E04936}\stubpath = "C:\\Windows\\{2799D6B1-0E80-4d18-8641-288F12E04936}.exe"	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}	{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6735342-8197-4c05-BA0A-775E6B3E81CE}	{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6735342-8197-4c05-BA0A-775E6B3E81CE}\stubpath = "C:\\Windows\\{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe"	{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F278D488-5DB3-4c01-862B-7678ED966684}	0b7e653dfc4aecexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}\stubpath = "C:\\Windows\\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe"	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2ADEF67-372D-4e36-B969-4F0814450BA8}	{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}\stubpath = "C:\\Windows\\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe"	{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88829825-9651-4f55-821E-1024793F03CD}\stubpath = "C:\\Windows\\{88829825-9651-4f55-821E-1024793F03CD}.exe"	{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}\stubpath = "C:\\Windows\\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}.exe"	{88829825-9651-4f55-821E-1024793F03CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F278D488-5DB3-4c01-862B-7678ED966684}\stubpath = "C:\\Windows\\{F278D488-5DB3-4c01-862B-7678ED966684}.exe"	0b7e653dfc4aecexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}\stubpath = "C:\\Windows\\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe"	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}\stubpath = "C:\\Windows\\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe"	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2ADEF67-372D-4e36-B969-4F0814450BA8}\stubpath = "C:\\Windows\\{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe"	{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}\stubpath = "C:\\Windows\\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe"	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}\stubpath = "C:\\Windows\\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe"	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88829825-9651-4f55-821E-1024793F03CD}	{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}	{88829825-9651-4f55-821E-1024793F03CD}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe
2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
1692	{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
2848	{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
3060	{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
2652	{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
2432	{88829825-9651-4f55-821E-1024793F03CD}.exe
2532	{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
File created	C:\Windows\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe	{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
File created	C:\Windows\{88829825-9651-4f55-821E-1024793F03CD}.exe	{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
File created	C:\Windows\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
File created	C:\Windows\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
File created	C:\Windows\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
File created	C:\Windows\{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
File created	C:\Windows\{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe	{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
File created	C:\Windows\{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe	{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
File created	C:\Windows\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}.exe	{88829825-9651-4f55-821E-1024793F03CD}.exe
File created	C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe	0b7e653dfc4aecexeexeexeex.exe
File created	C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
File created	C:\Windows\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	0b7e653dfc4aecexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
Token: SeIncBasePriorityPrivilege	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
Token: SeIncBasePriorityPrivilege	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe
Token: SeIncBasePriorityPrivilege	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
Token: SeIncBasePriorityPrivilege	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
Token: SeIncBasePriorityPrivilege	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
Token: SeIncBasePriorityPrivilege	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
Token: SeIncBasePriorityPrivilege	1692	{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
Token: SeIncBasePriorityPrivilege	2848	{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
Token: SeIncBasePriorityPrivilege	3060	{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
Token: SeIncBasePriorityPrivilege	2652	{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
Token: SeIncBasePriorityPrivilege	2432	{88829825-9651-4f55-821E-1024793F03CD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 876	3044	0b7e653dfc4aecexeexeexeex.exe	27
PID 3044 wrote to memory of 876	3044	0b7e653dfc4aecexeexeexeex.exe	27
PID 3044 wrote to memory of 876	3044	0b7e653dfc4aecexeexeexeex.exe	27
PID 3044 wrote to memory of 876	3044	0b7e653dfc4aecexeexeexeex.exe	27
PID 3044 wrote to memory of 2920	3044	0b7e653dfc4aecexeexeexeex.exe	28
PID 3044 wrote to memory of 2920	3044	0b7e653dfc4aecexeexeexeex.exe	28
PID 3044 wrote to memory of 2920	3044	0b7e653dfc4aecexeexeexeex.exe	28
PID 3044 wrote to memory of 2920	3044	0b7e653dfc4aecexeexeexeex.exe	28
PID 876 wrote to memory of 2940	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 876 wrote to memory of 2940	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 876 wrote to memory of 2940	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 876 wrote to memory of 2940	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 876 wrote to memory of 3012	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 876 wrote to memory of 3012	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 876 wrote to memory of 3012	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 876 wrote to memory of 3012	876	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 2940 wrote to memory of 2796	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2940 wrote to memory of 2796	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2940 wrote to memory of 2796	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2940 wrote to memory of 2796	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2940 wrote to memory of 2808	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2940 wrote to memory of 2808	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2940 wrote to memory of 2808	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2940 wrote to memory of 2808	2940	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2796 wrote to memory of 2872	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	33
PID 2796 wrote to memory of 2872	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	33
PID 2796 wrote to memory of 2872	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	33
PID 2796 wrote to memory of 2872	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	33
PID 2796 wrote to memory of 2352	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	34
PID 2796 wrote to memory of 2352	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	34
PID 2796 wrote to memory of 2352	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	34
PID 2796 wrote to memory of 2352	2796	{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe	34
PID 2872 wrote to memory of 2336	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	35
PID 2872 wrote to memory of 2336	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	35
PID 2872 wrote to memory of 2336	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	35
PID 2872 wrote to memory of 2336	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	35
PID 2872 wrote to memory of 860	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	36
PID 2872 wrote to memory of 860	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	36
PID 2872 wrote to memory of 860	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	36
PID 2872 wrote to memory of 860	2872	{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe	36
PID 2336 wrote to memory of 2304	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	37
PID 2336 wrote to memory of 2304	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	37
PID 2336 wrote to memory of 2304	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	37
PID 2336 wrote to memory of 2304	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	37
PID 2336 wrote to memory of 2088	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	38
PID 2336 wrote to memory of 2088	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	38
PID 2336 wrote to memory of 2088	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	38
PID 2336 wrote to memory of 2088	2336	{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe	38
PID 2304 wrote to memory of 2216	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	39
PID 2304 wrote to memory of 2216	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	39
PID 2304 wrote to memory of 2216	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	39
PID 2304 wrote to memory of 2216	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	39
PID 2304 wrote to memory of 288	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	40
PID 2304 wrote to memory of 288	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	40
PID 2304 wrote to memory of 288	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	40
PID 2304 wrote to memory of 288	2304	{2799D6B1-0E80-4d18-8641-288F12E04936}.exe	40
PID 2216 wrote to memory of 1692	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	41
PID 2216 wrote to memory of 1692	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	41
PID 2216 wrote to memory of 1692	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	41
PID 2216 wrote to memory of 1692	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	41
PID 2216 wrote to memory of 1476	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	42
PID 2216 wrote to memory of 1476	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	42
PID 2216 wrote to memory of 1476	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	42
PID 2216 wrote to memory of 1476	2216	{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe	42

C:\Users\Admin\AppData\Local\Temp\0b7e653dfc4aecexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0b7e653dfc4aecexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe
  C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
    C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe
      C:\Windows\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
        
        C:\Windows\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
        
        C:\Windows\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
        
        C:\Windows\{2799D6B1-0E80-4d18-8641-288F12E04936}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
        
        C:\Windows\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
        
        C:\Windows\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
        
        C:\Windows\{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
        
        C:\Windows\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
        
        C:\Windows\{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\{88829825-9651-4f55-821E-1024793F03CD}.exe
        
        C:\Windows\{88829825-9651-4f55-821E-1024793F03CD}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}.exe
        
        C:\Windows\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}.exe
        14⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88829~1.EXE > nul
        14⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6735~1.EXE > nul
        13⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B34B~1.EXE > nul
        12⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2ADE~1.EXE > nul
        11⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A94DB~1.EXE > nul
        10⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CDC~1.EXE > nul
        9⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2799D~1.EXE > nul
        8⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE5ED~1.EXE > nul
        7⤵
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B761~1.EXE > nul
        6⤵
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E9DA~1.EXE > nul
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D647~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F278D~1.EXE > nul
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B7E65~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B63D7A3-88C0-4322-B8A2-8DC4D476FEF7}.exe

Filesize
168KB

MD5
ba192f2150e897a18881f0304ea8603a

SHA1
589d8818f90933fa0b3461078403cb575754657c

SHA256
3df2d89a44cc3c6d88e3f1b2fbe88962622b01a9f58c060cacdefbb57a60e543

SHA512
85b2c8b048fda3107dc7b066f7c9a5090a22d386ec422ff6c379f3d3ee0418abd6dfb702f67e61a689b4730d893f319a0d3427f6f01d154a8a51ef0c6602cb61

Download Submit
C:\Windows\{2799D6B1-0E80-4d18-8641-288F12E04936}.exe

Filesize
168KB

MD5
f8fac94adee93f4393c1d8bddb020b6a

SHA1
239a0018cbd1b2492e083168c5aa0cab9623af83

SHA256
0ffa714c354d3ca1a726557c84e1580aaf31a95c73715e27a1181ed9a9abe398

SHA512
1f4264b543c6f1fbe8f078d58d1d8799c08695d250f559b2e95d2ddbcc240968936c28374c9acbbc277b614a7cab23140843fa05538a6f305de396fcbe1caaf7

Download Submit
C:\Windows\{2799D6B1-0E80-4d18-8641-288F12E04936}.exe

Filesize
168KB

MD5
f8fac94adee93f4393c1d8bddb020b6a

SHA1
239a0018cbd1b2492e083168c5aa0cab9623af83

SHA256
0ffa714c354d3ca1a726557c84e1580aaf31a95c73715e27a1181ed9a9abe398

SHA512
1f4264b543c6f1fbe8f078d58d1d8799c08695d250f559b2e95d2ddbcc240968936c28374c9acbbc277b614a7cab23140843fa05538a6f305de396fcbe1caaf7

Download Submit
C:\Windows\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe

Filesize
168KB

MD5
d8ef43b212fe89b52432287b269b9ad0

SHA1
ae6d5ad1f29fb972d7e6d7cebf5fce2090d05b8a

SHA256
2bdcae1e9a660e5a91e4461232333fde6f6b06621cb1206e824c34ec88b7e2a9

SHA512
e1f3fdbc93793d2ab0ed80212e9407573906b7353e4bddbddf958236ff3fd1c9ff3de4c0434832d36be697e35b33f5e69c10ed952ac3f0e1d775ca345457bed4

Download Submit
C:\Windows\{3B34B2A1-136A-481f-9AA9-6E7007B25B9A}.exe

Filesize
168KB

MD5
d8ef43b212fe89b52432287b269b9ad0

SHA1
ae6d5ad1f29fb972d7e6d7cebf5fce2090d05b8a

SHA256
2bdcae1e9a660e5a91e4461232333fde6f6b06621cb1206e824c34ec88b7e2a9

SHA512
e1f3fdbc93793d2ab0ed80212e9407573906b7353e4bddbddf958236ff3fd1c9ff3de4c0434832d36be697e35b33f5e69c10ed952ac3f0e1d775ca345457bed4

Download Submit
C:\Windows\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe

Filesize
168KB

MD5
b0361b56d38f4819f5c3631b52f50634

SHA1
3408b0f7198f7ad4c3e408f2f6983206d697b06b

SHA256
b9eec9b6686e504195c27036ea7b3d7286d5962b6c2c0401124d46271f4a46da

SHA512
89643c0e402305ac9caebd1663506e423fd0cf3fe5054f2638cb547fe511cf393662583a5f0dbe045dc9d77fdccaac177cc900d3a5a5eb3238696216d14f43d8

Download Submit
C:\Windows\{4B761FE0-F204-4260-9B2C-3AC3B4641ADE}.exe

Filesize
168KB

MD5
b0361b56d38f4819f5c3631b52f50634

SHA1
3408b0f7198f7ad4c3e408f2f6983206d697b06b

SHA256
b9eec9b6686e504195c27036ea7b3d7286d5962b6c2c0401124d46271f4a46da

SHA512
89643c0e402305ac9caebd1663506e423fd0cf3fe5054f2638cb547fe511cf393662583a5f0dbe045dc9d77fdccaac177cc900d3a5a5eb3238696216d14f43d8

Download Submit
C:\Windows\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe

Filesize
168KB

MD5
f2be024e1adce38fe10f68485fa5a84e

SHA1
521b761cb7cbb47692d5c706607b103a9802b22b

SHA256
fc4c934483170d4c7d650b0af5ffa0f09f74e8eea262378d7478242a038b2a1b

SHA512
5181a16f284ebcd28b40e08bbcec23059e1df2eac36d73450f406b30c9eefd48d4ef83d78951c0a4680158de1897fd5045fb7809b03eb6de07c32938705e43df

Download Submit
C:\Windows\{5E9DA6C2-FB2C-448b-AB29-4302ED8FE1E3}.exe

Filesize
168KB

MD5
f2be024e1adce38fe10f68485fa5a84e

SHA1
521b761cb7cbb47692d5c706607b103a9802b22b

SHA256
fc4c934483170d4c7d650b0af5ffa0f09f74e8eea262378d7478242a038b2a1b

SHA512
5181a16f284ebcd28b40e08bbcec23059e1df2eac36d73450f406b30c9eefd48d4ef83d78951c0a4680158de1897fd5045fb7809b03eb6de07c32938705e43df

Download Submit
C:\Windows\{88829825-9651-4f55-821E-1024793F03CD}.exe

Filesize
168KB

MD5
0a20254280dc36a02a1b560ba3a8e891

SHA1
20cb46a65f6b1f5a5a7bf85ca7f34bf8bf740a23

SHA256
2d9e5fa80493774d5be9f0d2481b336f746af17641cf0f1a0b6275e411e761d0

SHA512
a652e91abae497b540f6df277a10e34f7144eb5b995dbad10fa26eb20ad6662cb8eea2a532c3ec1cfb729b0bb17ef650c4e46d15ec9bb31d0972ee1949e7977a

Download Submit
C:\Windows\{88829825-9651-4f55-821E-1024793F03CD}.exe

Filesize
168KB

MD5
0a20254280dc36a02a1b560ba3a8e891

SHA1
20cb46a65f6b1f5a5a7bf85ca7f34bf8bf740a23

SHA256
2d9e5fa80493774d5be9f0d2481b336f746af17641cf0f1a0b6275e411e761d0

SHA512
a652e91abae497b540f6df277a10e34f7144eb5b995dbad10fa26eb20ad6662cb8eea2a532c3ec1cfb729b0bb17ef650c4e46d15ec9bb31d0972ee1949e7977a

Download Submit
C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe

Filesize
168KB

MD5
79f881e141fb10288a6bf8807e60f581

SHA1
6005d54406c3abb3f5f2b8bc2858c4fa2d05c524

SHA256
e4a606394d95e5e9d96aaef979ce81d64489b6f74b8ae2772da8d49c3b571c0e

SHA512
bab331067e9882a9954dc3fe35afe99d36d31261c605b026cf26451d1b6f0b76ab202b4d44ad83fcdcb784a7e6eb7600c9d771e0be6214071f5a24f2ebce1ccc

Download Submit
C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe

Filesize
168KB

MD5
79f881e141fb10288a6bf8807e60f581

SHA1
6005d54406c3abb3f5f2b8bc2858c4fa2d05c524

SHA256
e4a606394d95e5e9d96aaef979ce81d64489b6f74b8ae2772da8d49c3b571c0e

SHA512
bab331067e9882a9954dc3fe35afe99d36d31261c605b026cf26451d1b6f0b76ab202b4d44ad83fcdcb784a7e6eb7600c9d771e0be6214071f5a24f2ebce1ccc

Download Submit
C:\Windows\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe

Filesize
168KB

MD5
e1c407bfad8a74915b04d696216cb1fe

SHA1
6d2d2b422ea66583892dc337a1c2c7b5c1c0db2c

SHA256
c72d5911ab19e12893a00ebb762fb29b333c3584d28a8b2db0ccc7f5d02f048e

SHA512
976d581ca46b460d5afa8e404330e6faf644e0c0e95079064781fff6a37b9bab50b5812e63cedb5527d182d6b03fa8a2087378c1e7a0292b28cda69657076428

Download Submit
C:\Windows\{A94DBE4E-799B-48c5-AE35-96D14722A2E2}.exe

Filesize
168KB

MD5
e1c407bfad8a74915b04d696216cb1fe

SHA1
6d2d2b422ea66583892dc337a1c2c7b5c1c0db2c

SHA256
c72d5911ab19e12893a00ebb762fb29b333c3584d28a8b2db0ccc7f5d02f048e

SHA512
976d581ca46b460d5afa8e404330e6faf644e0c0e95079064781fff6a37b9bab50b5812e63cedb5527d182d6b03fa8a2087378c1e7a0292b28cda69657076428

Download Submit
C:\Windows\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe

Filesize
168KB

MD5
fe473cd608256a5905b353df21b12de9

SHA1
a37fdc235b6656831b861565a37b3e9f38875bb5

SHA256
249273f49efea1531e1b50ce3fc0f47c6cd603704c0d76cacf656ce59e04856b

SHA512
831a4eb7c22c5432da452d2e8f040b2cb3005e684ef615c76313026f8e4b057f3df457c102c5c7950c8c7b7d1cbf5a500389842bb38ec3f09c681fcd5db3b85a

Download Submit
C:\Windows\{B0CDCF60-398E-483a-8DBD-69A8A61A993E}.exe

Filesize
168KB

MD5
fe473cd608256a5905b353df21b12de9

SHA1
a37fdc235b6656831b861565a37b3e9f38875bb5

SHA256
249273f49efea1531e1b50ce3fc0f47c6cd603704c0d76cacf656ce59e04856b

SHA512
831a4eb7c22c5432da452d2e8f040b2cb3005e684ef615c76313026f8e4b057f3df457c102c5c7950c8c7b7d1cbf5a500389842bb38ec3f09c681fcd5db3b85a

Download Submit
C:\Windows\{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe

Filesize
168KB

MD5
232fc9a3a15fc6026bfffea6a064ed7a

SHA1
03f54f9c78baaf6a6d264bbaa1c50a3f77bbe388

SHA256
33af961e6d58bcf3ca577d74ce25231523a7703f94ccdd55681db667c5ce9343

SHA512
960d779f5eca8847ef99e229b1f6fcc1f0a7904ea387b47735bdbb8b06d12b19941a491968946c75802a45c09d2dd9b1fe9bd703725a7708212ff6beea704d4b

Download Submit
C:\Windows\{B6735342-8197-4c05-BA0A-775E6B3E81CE}.exe

Filesize
168KB

MD5
232fc9a3a15fc6026bfffea6a064ed7a

SHA1
03f54f9c78baaf6a6d264bbaa1c50a3f77bbe388

SHA256
33af961e6d58bcf3ca577d74ce25231523a7703f94ccdd55681db667c5ce9343

SHA512
960d779f5eca8847ef99e229b1f6fcc1f0a7904ea387b47735bdbb8b06d12b19941a491968946c75802a45c09d2dd9b1fe9bd703725a7708212ff6beea704d4b

Download Submit
C:\Windows\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe

Filesize
168KB

MD5
d140471215d4d6683678663514158b7c

SHA1
9d6ec3d5df3470a7dec6f8d36a420b21e9fc1582

SHA256
f8e9c1b42112c5c8006ee325081a7d2901fbbd39422184a7ce54e49aa66fe566

SHA512
cace4e2da0255263103355336b59b3fcd4d8a4fe49e7d004ebed1979a186228cc945cfd4928c25e9364069f1bca0d27e9e73887940104312fca8c4b56c02afa2

Download Submit
C:\Windows\{DE5ED4B6-B980-42fd-901B-498C1B6607F8}.exe

Filesize
168KB

MD5
d140471215d4d6683678663514158b7c

SHA1
9d6ec3d5df3470a7dec6f8d36a420b21e9fc1582

SHA256
f8e9c1b42112c5c8006ee325081a7d2901fbbd39422184a7ce54e49aa66fe566

SHA512
cace4e2da0255263103355336b59b3fcd4d8a4fe49e7d004ebed1979a186228cc945cfd4928c25e9364069f1bca0d27e9e73887940104312fca8c4b56c02afa2

Download Submit
C:\Windows\{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe

Filesize
168KB

MD5
2384dad62793febc7c37719313405c74

SHA1
6678f70568f2b156419572b6315e201f2cd87f3a

SHA256
9f7dcca899ab22cce510039681d2f87147096c0069372e158abf3d1e7e081ab5

SHA512
3964adcc88e45c6aad5d7dc0d7c3195908b3f2230c575552ee39994814ede702ade46faa63c89029e354cf8476adec3e1c51924cc42e1cdfde09a540ba0ba01e

Download Submit
C:\Windows\{E2ADEF67-372D-4e36-B969-4F0814450BA8}.exe

Filesize
168KB

MD5
2384dad62793febc7c37719313405c74

SHA1
6678f70568f2b156419572b6315e201f2cd87f3a

SHA256
9f7dcca899ab22cce510039681d2f87147096c0069372e158abf3d1e7e081ab5

SHA512
3964adcc88e45c6aad5d7dc0d7c3195908b3f2230c575552ee39994814ede702ade46faa63c89029e354cf8476adec3e1c51924cc42e1cdfde09a540ba0ba01e

Download Submit
C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe

Filesize
168KB

MD5
3301dc6c719e2bbe0342f8feacafee7f

SHA1
c780462550f34c09058fb6d8138647c02680cc08

SHA256
deef7cf74a5292ec762c56c85bc7b805669dfb61235fc69d94518c27521d74f6

SHA512
8ba4d736e510c00c7cf5e7d8a0050e1f053be7b0e15a554d43137b1665dca3212c395a5ead07f07450a34cd66821991b78706787b12da00f34d78609135c7b75

Download Submit
C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe

Filesize
168KB

MD5
3301dc6c719e2bbe0342f8feacafee7f

SHA1
c780462550f34c09058fb6d8138647c02680cc08

SHA256
deef7cf74a5292ec762c56c85bc7b805669dfb61235fc69d94518c27521d74f6

SHA512
8ba4d736e510c00c7cf5e7d8a0050e1f053be7b0e15a554d43137b1665dca3212c395a5ead07f07450a34cd66821991b78706787b12da00f34d78609135c7b75

Download Submit
C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe

Filesize
168KB

MD5
3301dc6c719e2bbe0342f8feacafee7f

SHA1
c780462550f34c09058fb6d8138647c02680cc08

SHA256
deef7cf74a5292ec762c56c85bc7b805669dfb61235fc69d94518c27521d74f6

SHA512
8ba4d736e510c00c7cf5e7d8a0050e1f053be7b0e15a554d43137b1665dca3212c395a5ead07f07450a34cd66821991b78706787b12da00f34d78609135c7b75

Download Submit