5a6d5631ee5f20406b0159a11f5070e9b3b467d1ee562e4cccf9da9e5089bbec

Analysis

max time kernel
147s
max time network
33s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265d658aaf9592exeexeexeex.exe
Size

168KB
MD5

265d658aaf9592af1ee6cf45b09724d3
SHA1

e69b969541d6f95779d93ad332ab9c5e31f29779
SHA256

5a6d5631ee5f20406b0159a11f5070e9b3b467d1ee562e4cccf9da9e5089bbec
SHA512

e9761c7d5917ada1780812536966a686110261c2a1457f0f0db4c650aaef24a987c84dc3035c49d7a2cee804522846eb17332f736d31c72bb0e8505922492261
SSDEEP

1536:1EGh0o+lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o+lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95917545-9367-4b03-9BD4-90B21A31143F}\stubpath = "C:\\Windows\\{95917545-9367-4b03-9BD4-90B21A31143F}.exe"	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}\stubpath = "C:\\Windows\\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe"	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}\stubpath = "C:\\Windows\\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe"	{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDD9AC88-BD48-47a8-9E83-659602195748}	{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}	{67D9601F-AAF8-4962-9247-543E2380A380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}	265d658aaf9592exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873C8FEA-57B5-412b-853C-A27C23582F95}\stubpath = "C:\\Windows\\{873C8FEA-57B5-412b-853C-A27C23582F95}.exe"	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}\stubpath = "C:\\Windows\\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe"	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}\stubpath = "C:\\Windows\\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe"	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDD9AC88-BD48-47a8-9E83-659602195748}\stubpath = "C:\\Windows\\{DDD9AC88-BD48-47a8-9E83-659602195748}.exe"	{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7412F45C-75F9-4085-A2D5-AA2514EA6653}\stubpath = "C:\\Windows\\{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe"	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}	{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}	{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}\stubpath = "C:\\Windows\\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}.exe"	{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}\stubpath = "C:\\Windows\\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe"	265d658aaf9592exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}\stubpath = "C:\\Windows\\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe"	{95917545-9367-4b03-9BD4-90B21A31143F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7412F45C-75F9-4085-A2D5-AA2514EA6653}	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D9601F-AAF8-4962-9247-543E2380A380}	{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D9601F-AAF8-4962-9247-543E2380A380}\stubpath = "C:\\Windows\\{67D9601F-AAF8-4962-9247-543E2380A380}.exe"	{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}\stubpath = "C:\\Windows\\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe"	{67D9601F-AAF8-4962-9247-543E2380A380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873C8FEA-57B5-412b-853C-A27C23582F95}	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95917545-9367-4b03-9BD4-90B21A31143F}	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}	{95917545-9367-4b03-9BD4-90B21A31143F}.exe

Deletes itself 1 IoCs

pid	Process
1760	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe
2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe
1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
2880	{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
2512	{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
2080	{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
2644	{67D9601F-AAF8-4962-9247-543E2380A380}.exe
2564	{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe
2680	{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
File created	C:\Windows\{95917545-9367-4b03-9BD4-90B21A31143F}.exe	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
File created	C:\Windows\{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
File created	C:\Windows\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
File created	C:\Windows\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe	{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
File created	C:\Windows\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	265d658aaf9592exeexeexeex.exe
File created	C:\Windows\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	{95917545-9367-4b03-9BD4-90B21A31143F}.exe
File created	C:\Windows\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
File created	C:\Windows\{DDD9AC88-BD48-47a8-9E83-659602195748}.exe	{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
File created	C:\Windows\{67D9601F-AAF8-4962-9247-543E2380A380}.exe	{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
File created	C:\Windows\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe	{67D9601F-AAF8-4962-9247-543E2380A380}.exe
File created	C:\Windows\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}.exe	{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe
File created	C:\Windows\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	265d658aaf9592exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe
Token: SeIncBasePriorityPrivilege	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
Token: SeIncBasePriorityPrivilege	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
Token: SeIncBasePriorityPrivilege	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe
Token: SeIncBasePriorityPrivilege	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
Token: SeIncBasePriorityPrivilege	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
Token: SeIncBasePriorityPrivilege	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
Token: SeIncBasePriorityPrivilege	2880	{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
Token: SeIncBasePriorityPrivilege	2512	{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
Token: SeIncBasePriorityPrivilege	2080	{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
Token: SeIncBasePriorityPrivilege	2644	{67D9601F-AAF8-4962-9247-543E2380A380}.exe
Token: SeIncBasePriorityPrivilege	2564	{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3052	3044	265d658aaf9592exeexeexeex.exe	27
PID 3044 wrote to memory of 3052	3044	265d658aaf9592exeexeexeex.exe	27
PID 3044 wrote to memory of 3052	3044	265d658aaf9592exeexeexeex.exe	27
PID 3044 wrote to memory of 3052	3044	265d658aaf9592exeexeexeex.exe	27
PID 3044 wrote to memory of 1760	3044	265d658aaf9592exeexeexeex.exe	28
PID 3044 wrote to memory of 1760	3044	265d658aaf9592exeexeexeex.exe	28
PID 3044 wrote to memory of 1760	3044	265d658aaf9592exeexeexeex.exe	28
PID 3044 wrote to memory of 1760	3044	265d658aaf9592exeexeexeex.exe	28
PID 3052 wrote to memory of 2980	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	29
PID 3052 wrote to memory of 2980	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	29
PID 3052 wrote to memory of 2980	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	29
PID 3052 wrote to memory of 2980	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	29
PID 3052 wrote to memory of 3016	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	30
PID 3052 wrote to memory of 3016	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	30
PID 3052 wrote to memory of 3016	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	30
PID 3052 wrote to memory of 3016	3052	{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe	30
PID 2980 wrote to memory of 1036	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	31
PID 2980 wrote to memory of 1036	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	31
PID 2980 wrote to memory of 1036	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	31
PID 2980 wrote to memory of 1036	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	31
PID 2980 wrote to memory of 2808	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	32
PID 2980 wrote to memory of 2808	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	32
PID 2980 wrote to memory of 2808	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	32
PID 2980 wrote to memory of 2808	2980	{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe	32
PID 1036 wrote to memory of 1728	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	33
PID 1036 wrote to memory of 1728	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	33
PID 1036 wrote to memory of 1728	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	33
PID 1036 wrote to memory of 1728	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	33
PID 1036 wrote to memory of 2352	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	34
PID 1036 wrote to memory of 2352	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	34
PID 1036 wrote to memory of 2352	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	34
PID 1036 wrote to memory of 2352	1036	{873C8FEA-57B5-412b-853C-A27C23582F95}.exe	34
PID 1728 wrote to memory of 1724	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	35
PID 1728 wrote to memory of 1724	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	35
PID 1728 wrote to memory of 1724	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	35
PID 1728 wrote to memory of 1724	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	35
PID 1728 wrote to memory of 2976	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	36
PID 1728 wrote to memory of 2976	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	36
PID 1728 wrote to memory of 2976	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	36
PID 1728 wrote to memory of 2976	1728	{95917545-9367-4b03-9BD4-90B21A31143F}.exe	36
PID 1724 wrote to memory of 2912	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	37
PID 1724 wrote to memory of 2912	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	37
PID 1724 wrote to memory of 2912	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	37
PID 1724 wrote to memory of 2912	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	37
PID 1724 wrote to memory of 2292	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	38
PID 1724 wrote to memory of 2292	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	38
PID 1724 wrote to memory of 2292	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	38
PID 1724 wrote to memory of 2292	1724	{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe	38
PID 2912 wrote to memory of 1232	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	39
PID 2912 wrote to memory of 1232	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	39
PID 2912 wrote to memory of 1232	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	39
PID 2912 wrote to memory of 1232	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	39
PID 2912 wrote to memory of 1028	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	40
PID 2912 wrote to memory of 1028	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	40
PID 2912 wrote to memory of 1028	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	40
PID 2912 wrote to memory of 1028	2912	{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe	40
PID 1232 wrote to memory of 2880	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	41
PID 1232 wrote to memory of 2880	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	41
PID 1232 wrote to memory of 2880	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	41
PID 1232 wrote to memory of 2880	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	41
PID 1232 wrote to memory of 2904	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	42
PID 1232 wrote to memory of 2904	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	42
PID 1232 wrote to memory of 2904	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	42
PID 1232 wrote to memory of 2904	1232	{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe	42

C:\Users\Admin\AppData\Local\Temp\265d658aaf9592exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\265d658aaf9592exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe
  C:\Windows\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
    C:\Windows\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
      C:\Windows\{873C8FEA-57B5-412b-853C-A27C23582F95}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\{95917545-9367-4b03-9BD4-90B21A31143F}.exe
        
        C:\Windows\{95917545-9367-4b03-9BD4-90B21A31143F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
        
        C:\Windows\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
        
        C:\Windows\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
        
        C:\Windows\{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
        
        C:\Windows\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
        
        C:\Windows\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
        
        C:\Windows\{DDD9AC88-BD48-47a8-9E83-659602195748}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{67D9601F-AAF8-4962-9247-543E2380A380}.exe
        
        C:\Windows\{67D9601F-AAF8-4962-9247-543E2380A380}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe
        
        C:\Windows\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}.exe
        
        C:\Windows\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}.exe
        14⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8995F~1.EXE > nul
        14⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67D96~1.EXE > nul
        13⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDD9A~1.EXE > nul
        12⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B98D~1.EXE > nul
        11⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD2FE~1.EXE > nul
        10⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7412F~1.EXE > nul
        9⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E70EA~1.EXE > nul
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9679D~1.EXE > nul
        7⤵
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95917~1.EXE > nul
        6⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873C8~1.EXE > nul
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E10D0~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B75~1.EXE > nul
    3⤵
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\265D65~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3E6ECE5F-D1D0-4687-ABF6-32064429EF2E}.exe

Filesize
168KB

MD5
23306bc1ee5b37ee277aa69ad33997ec

SHA1
6fcd5bb6d00ceb2944caa9b4e53c748b97a381ae

SHA256
fa9bcf75655381ea56cbc848b608dfbde31d2a6a073a34d2061cba948654e669

SHA512
57a648c058cd33da36625d642adead17cb87bf5eb1c08e1af047252719bcc4ef7a0da2618e46c6587f21c463b688ea8751931542b101527847369ed754945c31

Download Submit
C:\Windows\{67D9601F-AAF8-4962-9247-543E2380A380}.exe

Filesize
168KB

MD5
51feb92f00ec8102740f8c730affb620

SHA1
87116db395cecebcf4362c3790e5af8dc18dfffa

SHA256
91578dbd57e79cda73d4738e54b6b690cea9191fbf37ecf7c1cee492272a7951

SHA512
a6d3ba9ee4cd2f35ae49c6c2dd3d8f497bda15c128568c5c4b03b965daff98a0c9d9802154fa0d8443405257129cc22a9f426552932e2c115a82125a6d26bbb9

Download Submit
C:\Windows\{67D9601F-AAF8-4962-9247-543E2380A380}.exe

Filesize
168KB

MD5
51feb92f00ec8102740f8c730affb620

SHA1
87116db395cecebcf4362c3790e5af8dc18dfffa

SHA256
91578dbd57e79cda73d4738e54b6b690cea9191fbf37ecf7c1cee492272a7951

SHA512
a6d3ba9ee4cd2f35ae49c6c2dd3d8f497bda15c128568c5c4b03b965daff98a0c9d9802154fa0d8443405257129cc22a9f426552932e2c115a82125a6d26bbb9

Download Submit
C:\Windows\{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe

Filesize
168KB

MD5
fd3a5014b7c20e891b5832836e417c7f

SHA1
a35276b1fd7b060046fd5d68255d1a90b0e1e5a4

SHA256
a9f503f3d4cafddc0e98653ba8b505048f29739781e81fc68ddcd049b31857ae

SHA512
4dd803b4dbc3fe5d206befae120a32c55f1fce16b5623ac0e3c524a97e5532390320733919df3be449695860ea1b294c22afd87c93de190f0641a3b3476c0487

Download Submit
C:\Windows\{7412F45C-75F9-4085-A2D5-AA2514EA6653}.exe

Filesize
168KB

MD5
fd3a5014b7c20e891b5832836e417c7f

SHA1
a35276b1fd7b060046fd5d68255d1a90b0e1e5a4

SHA256
a9f503f3d4cafddc0e98653ba8b505048f29739781e81fc68ddcd049b31857ae

SHA512
4dd803b4dbc3fe5d206befae120a32c55f1fce16b5623ac0e3c524a97e5532390320733919df3be449695860ea1b294c22afd87c93de190f0641a3b3476c0487

Download Submit
C:\Windows\{873C8FEA-57B5-412b-853C-A27C23582F95}.exe

Filesize
168KB

MD5
936adb9b80743147102c3194c03a044a

SHA1
caa23ae0ca43cca9e7fd129316aef1dfca753e6d

SHA256
7c0fb9f00b4fda31710d6b0fcf87c011538d0efca3f8d5d71771f714253ababe

SHA512
0112d8e6ede72d2a509f7ee6ce0af1b055b4dca1486da5cdfa9692295e80ecedf1b87a65bba491628d917379cebecc24ea8d272c643ca481db3e4f6dce1456e0

Download Submit
C:\Windows\{873C8FEA-57B5-412b-853C-A27C23582F95}.exe

Filesize
168KB

MD5
936adb9b80743147102c3194c03a044a

SHA1
caa23ae0ca43cca9e7fd129316aef1dfca753e6d

SHA256
7c0fb9f00b4fda31710d6b0fcf87c011538d0efca3f8d5d71771f714253ababe

SHA512
0112d8e6ede72d2a509f7ee6ce0af1b055b4dca1486da5cdfa9692295e80ecedf1b87a65bba491628d917379cebecc24ea8d272c643ca481db3e4f6dce1456e0

Download Submit
C:\Windows\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe

Filesize
168KB

MD5
9a1fafaaf9c299706d46de3afce64372

SHA1
a5c3039a7059ffcdbe4bb0d6a539f22ca7ecf2d6

SHA256
ded3cbfcbbe0238194b33278f540b206e82e14d37af25b900d3e9ae37c3ab51d

SHA512
b9cef807f28795072495e50b5c8f53b7fc725bffdc4d2648166a60070954638fa5dbc74a7e89bd4538c5f47b215fc6d319ceda2552ddad04cb30d60c759c8d2f

Download Submit
C:\Windows\{8995FFDF-1D50-409f-A169-BC80FF1DAA33}.exe

Filesize
168KB

MD5
9a1fafaaf9c299706d46de3afce64372

SHA1
a5c3039a7059ffcdbe4bb0d6a539f22ca7ecf2d6

SHA256
ded3cbfcbbe0238194b33278f540b206e82e14d37af25b900d3e9ae37c3ab51d

SHA512
b9cef807f28795072495e50b5c8f53b7fc725bffdc4d2648166a60070954638fa5dbc74a7e89bd4538c5f47b215fc6d319ceda2552ddad04cb30d60c759c8d2f

Download Submit
C:\Windows\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe

Filesize
168KB

MD5
8793a63fcb3fbabec272c27179f785cd

SHA1
5f4160dca6bff5c3feea6ce0a4d9a8fd042e851a

SHA256
0a94ca1602a7d1411fb000d39a0bc0788c83ea7419a6bda8f65a9f98874dd895

SHA512
da399099cf003f8a810770a8a4500af40b51041cfa6eec0a3f0ae9d844d72b3f0c48c8ffff91ea12a88ba8e89231cced713c227d69dcef7807621c6ee575067d

Download Submit
C:\Windows\{8B98D3F1-1876-4643-8BAD-FCE3262D309D}.exe

Filesize
168KB

MD5
8793a63fcb3fbabec272c27179f785cd

SHA1
5f4160dca6bff5c3feea6ce0a4d9a8fd042e851a

SHA256
0a94ca1602a7d1411fb000d39a0bc0788c83ea7419a6bda8f65a9f98874dd895

SHA512
da399099cf003f8a810770a8a4500af40b51041cfa6eec0a3f0ae9d844d72b3f0c48c8ffff91ea12a88ba8e89231cced713c227d69dcef7807621c6ee575067d

Download Submit
C:\Windows\{95917545-9367-4b03-9BD4-90B21A31143F}.exe

Filesize
168KB

MD5
1cc5394051f157e6cef5487da906d9e4

SHA1
9b7076ccc50ba9faf9a3c301b2b559d94214b00b

SHA256
756cd6e480669ee99aac6f289928cde27c5ee894871c8d767d13e6f062860ca5

SHA512
9061ca684011bf58858570ea90b7abd9cfaf7d252e182d32035cfa94521c00986668266bf80dbc132103e3249273c2b10333a60e6e24a9ce283ad751870876c7

Download Submit
C:\Windows\{95917545-9367-4b03-9BD4-90B21A31143F}.exe

Filesize
168KB

MD5
1cc5394051f157e6cef5487da906d9e4

SHA1
9b7076ccc50ba9faf9a3c301b2b559d94214b00b

SHA256
756cd6e480669ee99aac6f289928cde27c5ee894871c8d767d13e6f062860ca5

SHA512
9061ca684011bf58858570ea90b7abd9cfaf7d252e182d32035cfa94521c00986668266bf80dbc132103e3249273c2b10333a60e6e24a9ce283ad751870876c7

Download Submit
C:\Windows\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe

Filesize
168KB

MD5
bee8844bfc5cbd1b784586019198dc75

SHA1
aaf9b039d71818c5d3b3d989b014318717492670

SHA256
4972f13fd9419e23d4192c5db23009d0054566fffb0211d040c237d208a5c59b

SHA512
61a33b4aa0db461609f903fbf0e07298f1f363b1a74482053478972d19a7915029474d4843286e8cd96483116ebc7c2966ff15fd0f10fa60702af82fdadd0eb2

Download Submit
C:\Windows\{9679D946-ADCA-4f5c-A94E-AEB5D1E10E19}.exe

Filesize
168KB

MD5
bee8844bfc5cbd1b784586019198dc75

SHA1
aaf9b039d71818c5d3b3d989b014318717492670

SHA256
4972f13fd9419e23d4192c5db23009d0054566fffb0211d040c237d208a5c59b

SHA512
61a33b4aa0db461609f903fbf0e07298f1f363b1a74482053478972d19a7915029474d4843286e8cd96483116ebc7c2966ff15fd0f10fa60702af82fdadd0eb2

Download Submit
C:\Windows\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe

Filesize
168KB

MD5
0068ecb457a01999f146a1e0ed0f3d5e

SHA1
3743b32f2314eada4f181d6bd0cbc851fc570d38

SHA256
7e53f2685e50780fb5a62c4429096f482a6077ae58b6e298b4f232e5a8a73d31

SHA512
40ee570904baa28d3363bd4ecee19c030b499518207f19cd8a8b5c2452dfb409982332bc1537cb6ce00f39680b08190916fb898699d5936a73d0e3af0e5370df

Download Submit
C:\Windows\{AD2FE7D6-CA1B-4b3b-B6FB-5823093DBAA9}.exe

Filesize
168KB

MD5
0068ecb457a01999f146a1e0ed0f3d5e

SHA1
3743b32f2314eada4f181d6bd0cbc851fc570d38

SHA256
7e53f2685e50780fb5a62c4429096f482a6077ae58b6e298b4f232e5a8a73d31

SHA512
40ee570904baa28d3363bd4ecee19c030b499518207f19cd8a8b5c2452dfb409982332bc1537cb6ce00f39680b08190916fb898699d5936a73d0e3af0e5370df

Download Submit
C:\Windows\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe

Filesize
168KB

MD5
f87231a54838f498ad99e60f92d2cc27

SHA1
52dc57497d6f48c612bc31ef2bb1ab32af12188b

SHA256
3688585c39fa11685c0b4cab9c878c2ef1194bdc3958e8aad2d043fde4e9e8a1

SHA512
e4c559baee862277f2ecd367c0f6017b5cbe7bd07521781a41da03e80b6e9921c4ccd7d1af86f3e4a14b3c53a918f9ee65148f4830cf41e62c9daa7d607f43f5

Download Submit
C:\Windows\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe

Filesize
168KB

MD5
f87231a54838f498ad99e60f92d2cc27

SHA1
52dc57497d6f48c612bc31ef2bb1ab32af12188b

SHA256
3688585c39fa11685c0b4cab9c878c2ef1194bdc3958e8aad2d043fde4e9e8a1

SHA512
e4c559baee862277f2ecd367c0f6017b5cbe7bd07521781a41da03e80b6e9921c4ccd7d1af86f3e4a14b3c53a918f9ee65148f4830cf41e62c9daa7d607f43f5

Download Submit
C:\Windows\{D3B75E95-4B55-49e6-A57C-02EFB87D338C}.exe

Filesize
168KB

MD5
f87231a54838f498ad99e60f92d2cc27

SHA1
52dc57497d6f48c612bc31ef2bb1ab32af12188b

SHA256
3688585c39fa11685c0b4cab9c878c2ef1194bdc3958e8aad2d043fde4e9e8a1

SHA512
e4c559baee862277f2ecd367c0f6017b5cbe7bd07521781a41da03e80b6e9921c4ccd7d1af86f3e4a14b3c53a918f9ee65148f4830cf41e62c9daa7d607f43f5

Download Submit
C:\Windows\{DDD9AC88-BD48-47a8-9E83-659602195748}.exe

Filesize
168KB

MD5
181b58597f399ee146595c26ff6db161

SHA1
425e8bee41e26b7e607a3855d3db0b792e7f7266

SHA256
e90c196fe0cd11599acb2c11b519db091afd09dc5e57b81f1459517910ea231a

SHA512
bca3981321a7abf131257cd8fdd3eec3f594f152502b0d7351cf6ee04a53e8054ed13cffbe15b79fc607e668c281af7aa7a60ffe6fa760c5784e25806a234e73

Download Submit
C:\Windows\{DDD9AC88-BD48-47a8-9E83-659602195748}.exe

Filesize
168KB

MD5
181b58597f399ee146595c26ff6db161

SHA1
425e8bee41e26b7e607a3855d3db0b792e7f7266

SHA256
e90c196fe0cd11599acb2c11b519db091afd09dc5e57b81f1459517910ea231a

SHA512
bca3981321a7abf131257cd8fdd3eec3f594f152502b0d7351cf6ee04a53e8054ed13cffbe15b79fc607e668c281af7aa7a60ffe6fa760c5784e25806a234e73

Download Submit
C:\Windows\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe

Filesize
168KB

MD5
8eebe686dace280b250da4356d09055c

SHA1
eba34fb554baf2464acf4db1918fa3e612460f86

SHA256
907830e156ad412debf91e15e2984aa2f536184d68477ff30ca60ced0f835d72

SHA512
d90acafc9e237e7906c01128a802fbab8607631ab92a3d3e8eccd970702c7bcfa75b38597a821d211e40e688fea08001567b5e8dcba5070d5b8d21c42e2907b0

Download Submit
C:\Windows\{E10D0484-F62B-4d6f-BBB2-45D1B59F711D}.exe

Filesize
168KB

MD5
8eebe686dace280b250da4356d09055c

SHA1
eba34fb554baf2464acf4db1918fa3e612460f86

SHA256
907830e156ad412debf91e15e2984aa2f536184d68477ff30ca60ced0f835d72

SHA512
d90acafc9e237e7906c01128a802fbab8607631ab92a3d3e8eccd970702c7bcfa75b38597a821d211e40e688fea08001567b5e8dcba5070d5b8d21c42e2907b0

Download Submit
C:\Windows\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe

Filesize
168KB

MD5
981686333acc3a9f66cb55cfb060e065

SHA1
6cf444bcef24d51ba788da527b9f13df0accc4b2

SHA256
267cba3624f29488f858cb417d324cb74de8f9ef42774e2640a0053205ba2095

SHA512
bccdcc103891a55b6f510915dac6e469d2c522ba858829912f7062af4021ecafadc289c09e7963a217cdc7ac68dce43da0d99b08b4ec0d241ffb6ebc74fbc0b4

Download Submit
C:\Windows\{E70EA39A-D79C-48d1-87F9-E4BC4F5C91BC}.exe

Filesize
168KB

MD5
981686333acc3a9f66cb55cfb060e065

SHA1
6cf444bcef24d51ba788da527b9f13df0accc4b2

SHA256
267cba3624f29488f858cb417d324cb74de8f9ef42774e2640a0053205ba2095

SHA512
bccdcc103891a55b6f510915dac6e469d2c522ba858829912f7062af4021ecafadc289c09e7963a217cdc7ac68dce43da0d99b08b4ec0d241ffb6ebc74fbc0b4

Download Submit