7cc1e2d47fd2b5135561e7ae6b94b3100fa2be23d75b45a7ab756b923b642ad0

Analysis

max time kernel
150s
max time network
37s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2efe6e2415c709exeexeexeex.exe
Size

192KB
MD5

2efe6e2415c709c627e85a50adaa228e
SHA1

984abe3d08a38d193cbe24a769bc72ab7db6f5e5
SHA256

7cc1e2d47fd2b5135561e7ae6b94b3100fa2be23d75b45a7ab756b923b642ad0
SHA512

22b5173eb4a58b5f62ed1bcb1111e8be86dd71db661d52cc869c1957e87bde8d28821421352b71bc9b2090ffc83af6554ba23e491eecf9921cc4cc80014fa26a
SSDEEP

1536:1EGh0oql15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oql1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6C1072A-615C-4e10-9256-6CE7255AC03A}	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6C1072A-615C-4e10-9256-6CE7255AC03A}\stubpath = "C:\\Windows\\{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe"	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}\stubpath = "C:\\Windows\\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe"	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4694B52C-699B-44bf-9DA0-855C24B5964D}	{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}\stubpath = "C:\\Windows\\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe"	{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}\stubpath = "C:\\Windows\\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}.exe"	{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}\stubpath = "C:\\Windows\\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe"	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5232E39-B874-41a0-8443-844FC33A97B4}	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5232E39-B874-41a0-8443-844FC33A97B4}\stubpath = "C:\\Windows\\{F5232E39-B874-41a0-8443-844FC33A97B4}.exe"	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4694B52C-699B-44bf-9DA0-855C24B5964D}\stubpath = "C:\\Windows\\{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe"	{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}	{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}\stubpath = "C:\\Windows\\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe"	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA088BB-C470-40a1-AA62-10950D21F333}	2efe6e2415c709exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA088BB-C470-40a1-AA62-10950D21F333}\stubpath = "C:\\Windows\\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe"	2efe6e2415c709exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7201251E-0433-4208-8170-E7EEFBB6B642}	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7201251E-0433-4208-8170-E7EEFBB6B642}\stubpath = "C:\\Windows\\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe"	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}\stubpath = "C:\\Windows\\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe"	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}	{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}	{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F15095-3F49-420f-BCF3-63D70164F2BB}	{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F15095-3F49-420f-BCF3-63D70164F2BB}\stubpath = "C:\\Windows\\{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe"	{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}\stubpath = "C:\\Windows\\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe"	{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe

Deletes itself 1 IoCs

pid	Process
2184	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
1092	{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
3000	{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe
2664	{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
2168	{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
2692	{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe
2632	{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
File created	C:\Windows\{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
File created	C:\Windows\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe	{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe
File created	C:\Windows\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
File created	C:\Windows\{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe	{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
File created	C:\Windows\{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe	{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
File created	C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	2efe6e2415c709exeexeexeex.exe
File created	C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
File created	C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
File created	C:\Windows\{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
File created	C:\Windows\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
File created	C:\Windows\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe	{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
File created	C:\Windows\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}.exe	{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3036	2efe6e2415c709exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
Token: SeIncBasePriorityPrivilege	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
Token: SeIncBasePriorityPrivilege	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
Token: SeIncBasePriorityPrivilege	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
Token: SeIncBasePriorityPrivilege	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
Token: SeIncBasePriorityPrivilege	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
Token: SeIncBasePriorityPrivilege	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
Token: SeIncBasePriorityPrivilege	1092	{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
Token: SeIncBasePriorityPrivilege	3000	{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe
Token: SeIncBasePriorityPrivilege	2664	{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
Token: SeIncBasePriorityPrivilege	2168	{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
Token: SeIncBasePriorityPrivilege	2692	{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1356	3036	2efe6e2415c709exeexeexeex.exe	28
PID 3036 wrote to memory of 1356	3036	2efe6e2415c709exeexeexeex.exe	28
PID 3036 wrote to memory of 1356	3036	2efe6e2415c709exeexeexeex.exe	28
PID 3036 wrote to memory of 1356	3036	2efe6e2415c709exeexeexeex.exe	28
PID 3036 wrote to memory of 2184	3036	2efe6e2415c709exeexeexeex.exe	29
PID 3036 wrote to memory of 2184	3036	2efe6e2415c709exeexeexeex.exe	29
PID 3036 wrote to memory of 2184	3036	2efe6e2415c709exeexeexeex.exe	29
PID 3036 wrote to memory of 2184	3036	2efe6e2415c709exeexeexeex.exe	29
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2812 wrote to memory of 1212	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 1212	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 1212	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 1212	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 1756	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2812 wrote to memory of 1756	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2812 wrote to memory of 1756	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2812 wrote to memory of 1756	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 1212 wrote to memory of 1864	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 1212 wrote to memory of 1864	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 1212 wrote to memory of 1864	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 1212 wrote to memory of 1864	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 1212 wrote to memory of 856	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 1212 wrote to memory of 856	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 1212 wrote to memory of 856	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 1212 wrote to memory of 856	1212	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 1864 wrote to memory of 1872	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	38
PID 1864 wrote to memory of 1872	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	38
PID 1864 wrote to memory of 1872	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	38
PID 1864 wrote to memory of 1872	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	38
PID 1864 wrote to memory of 2848	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	39
PID 1864 wrote to memory of 2848	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	39
PID 1864 wrote to memory of 2848	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	39
PID 1864 wrote to memory of 2848	1864	{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe	39
PID 1872 wrote to memory of 2912	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	40
PID 1872 wrote to memory of 2912	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	40
PID 1872 wrote to memory of 2912	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	40
PID 1872 wrote to memory of 2912	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	40
PID 1872 wrote to memory of 2924	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	41
PID 1872 wrote to memory of 2924	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	41
PID 1872 wrote to memory of 2924	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	41
PID 1872 wrote to memory of 2924	1872	{F5232E39-B874-41a0-8443-844FC33A97B4}.exe	41
PID 2912 wrote to memory of 1092	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	42
PID 2912 wrote to memory of 1092	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	42
PID 2912 wrote to memory of 1092	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	42
PID 2912 wrote to memory of 1092	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	42
PID 2912 wrote to memory of 2080	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	43
PID 2912 wrote to memory of 2080	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	43
PID 2912 wrote to memory of 2080	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	43
PID 2912 wrote to memory of 2080	2912	{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe	43

C:\Users\Admin\AppData\Local\Temp\2efe6e2415c709exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2efe6e2415c709exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
  C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
    C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
      C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
        
        C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
        
        C:\Windows\{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
        
        C:\Windows\{F5232E39-B874-41a0-8443-844FC33A97B4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
        
        C:\Windows\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
        
        C:\Windows\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe
        
        C:\Windows\{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
        
        C:\Windows\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
        
        C:\Windows\{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe
        
        C:\Windows\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}.exe
        
        C:\Windows\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}.exe
        14⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D6A~1.EXE > nul
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4694B~1.EXE > nul
        13⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E39B~1.EXE > nul
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37F15~1.EXE > nul
        11⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00A0F~1.EXE > nul
        10⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8373~1.EXE > nul
        9⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5232~1.EXE > nul
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6C10~1.EXE > nul
        7⤵
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A4D~1.EXE > nul
        6⤵
        
        PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFD6~1.EXE > nul
        5⤵
        
        PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72012~1.EXE > nul
      4⤵
      PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA08~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2EFE6E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe

Filesize
192KB

MD5
dac5e25439a1bc7f60a8c493281d2584

SHA1
af9155e07cc7afd90531f7b1d6e0cba2a9c18345

SHA256
81332fd2b7b9981f122f74e7de3d2a6d5b6996e260f0394113037b91b58eac58

SHA512
eca40675817da940c339dae259b521e43c2b3ac6dd57699944d6ab0199ede21f5e18e83501e8fc420e3dec2e95a522160f03539f0e89cd02ce6b0ababf064161

Download Submit
C:\Windows\{00A0F81A-57F0-40b4-A40F-5D68F93DA8F7}.exe

Filesize
192KB

MD5
dac5e25439a1bc7f60a8c493281d2584

SHA1
af9155e07cc7afd90531f7b1d6e0cba2a9c18345

SHA256
81332fd2b7b9981f122f74e7de3d2a6d5b6996e260f0394113037b91b58eac58

SHA512
eca40675817da940c339dae259b521e43c2b3ac6dd57699944d6ab0199ede21f5e18e83501e8fc420e3dec2e95a522160f03539f0e89cd02ce6b0ababf064161

Download Submit
C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe

Filesize
192KB

MD5
85e9460ba3901f25c404a05668a6ed1e

SHA1
4003f94f5598718cd420f59a6e928692a5128635

SHA256
b1015d96ac3ef38187e94331f627a59801c8416e5245bfe71b589604b3b15404

SHA512
c45e7f945dd0b052666d741bc3acdd948cc8bd32e64ae6f7d4870928fcb377dfaef58707b927ac565d7b9fae8712a2139f3b1c1592d6bdf84537550885b03023

Download Submit
C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe

Filesize
192KB

MD5
85e9460ba3901f25c404a05668a6ed1e

SHA1
4003f94f5598718cd420f59a6e928692a5128635

SHA256
b1015d96ac3ef38187e94331f627a59801c8416e5245bfe71b589604b3b15404

SHA512
c45e7f945dd0b052666d741bc3acdd948cc8bd32e64ae6f7d4870928fcb377dfaef58707b927ac565d7b9fae8712a2139f3b1c1592d6bdf84537550885b03023

Download Submit
C:\Windows\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe

Filesize
192KB

MD5
a0ecc483446afe1b7b412f984fa3ad4a

SHA1
dce5694dbcc986ef1dc11c017c7fb884ceb595f8

SHA256
fcaee750c4ba76e68ddc4ea21b4c60963e9e3f1886595e7fe25ffc2b1f100d38

SHA512
96e2c4a2da2bac7a36fbc57fdce294c1ec4d3a347973c40768ab5af6cb6c24930f76bdcb459047a3193bc8c69472f3b4a97cfedfd4b8072dfde4256adf232f8d

Download Submit
C:\Windows\{2E39B5DD-C892-4923-B7D2-EA0E0D2F140E}.exe

Filesize
192KB

MD5
a0ecc483446afe1b7b412f984fa3ad4a

SHA1
dce5694dbcc986ef1dc11c017c7fb884ceb595f8

SHA256
fcaee750c4ba76e68ddc4ea21b4c60963e9e3f1886595e7fe25ffc2b1f100d38

SHA512
96e2c4a2da2bac7a36fbc57fdce294c1ec4d3a347973c40768ab5af6cb6c24930f76bdcb459047a3193bc8c69472f3b4a97cfedfd4b8072dfde4256adf232f8d

Download Submit
C:\Windows\{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe

Filesize
192KB

MD5
8fd31789fafc8b7adf49a5d47473e77b

SHA1
622a36d1909e85ac0861cedc7c2da5685e883a2c

SHA256
47503c9d134b7e5133b05fef506c1fa922615ee4fd4b35fe871e77df3f404834

SHA512
200311e8d3c3834f0151f781dec97ddd39a5f1f6b2705afb526d43a7a76db45d195f3539991925db65b8b3016dd27f0dd67621ba2e6dea0510f98cd08bba1da8

Download Submit
C:\Windows\{37F15095-3F49-420f-BCF3-63D70164F2BB}.exe

Filesize
192KB

MD5
8fd31789fafc8b7adf49a5d47473e77b

SHA1
622a36d1909e85ac0861cedc7c2da5685e883a2c

SHA256
47503c9d134b7e5133b05fef506c1fa922615ee4fd4b35fe871e77df3f404834

SHA512
200311e8d3c3834f0151f781dec97ddd39a5f1f6b2705afb526d43a7a76db45d195f3539991925db65b8b3016dd27f0dd67621ba2e6dea0510f98cd08bba1da8

Download Submit
C:\Windows\{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe

Filesize
192KB

MD5
72cae070f4da8a081e8ba3273fb1e725

SHA1
1fc096e27abbce480a656fac23000c1c4a858924

SHA256
2c3e099b13c81e5d8e1ccb8cb2d85fc50b948483054787da099bf3fd63aa6788

SHA512
fec684f62c850aab9e973bdc25e7c466169339dd11d878f616ca0ef1e61d429c6a18b1e39226f8be6c1b64e393aa4da5189ab2fad72e8e6b14505ea84f441ba8

Download Submit
C:\Windows\{4694B52C-699B-44bf-9DA0-855C24B5964D}.exe

Filesize
192KB

MD5
72cae070f4da8a081e8ba3273fb1e725

SHA1
1fc096e27abbce480a656fac23000c1c4a858924

SHA256
2c3e099b13c81e5d8e1ccb8cb2d85fc50b948483054787da099bf3fd63aa6788

SHA512
fec684f62c850aab9e973bdc25e7c466169339dd11d878f616ca0ef1e61d429c6a18b1e39226f8be6c1b64e393aa4da5189ab2fad72e8e6b14505ea84f441ba8

Download Submit
C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe

Filesize
192KB

MD5
4df576f420129569a4828475a174f616

SHA1
8010497b449360bd76654738d7a7832cc0b3cc8a

SHA256
1bd98b37fd2fb4f275a83e051e04a5a863102afa25878f208e10b1199b9077be

SHA512
fca4357a46f32863c6d1c956f68dc3cb5bb6071cd87f66140d996e135e3b5291e8da2bdaa2d4e5fc22aee84538a0892ea2dbd60658490a7ca823623ee2483c56

Download Submit
C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe

Filesize
192KB

MD5
4df576f420129569a4828475a174f616

SHA1
8010497b449360bd76654738d7a7832cc0b3cc8a

SHA256
1bd98b37fd2fb4f275a83e051e04a5a863102afa25878f208e10b1199b9077be

SHA512
fca4357a46f32863c6d1c956f68dc3cb5bb6071cd87f66140d996e135e3b5291e8da2bdaa2d4e5fc22aee84538a0892ea2dbd60658490a7ca823623ee2483c56

Download Submit
C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe

Filesize
192KB

MD5
4df576f420129569a4828475a174f616

SHA1
8010497b449360bd76654738d7a7832cc0b3cc8a

SHA256
1bd98b37fd2fb4f275a83e051e04a5a863102afa25878f208e10b1199b9077be

SHA512
fca4357a46f32863c6d1c956f68dc3cb5bb6071cd87f66140d996e135e3b5291e8da2bdaa2d4e5fc22aee84538a0892ea2dbd60658490a7ca823623ee2483c56

Download Submit
C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe

Filesize
192KB

MD5
5f257ebbd99223a8afdb5a23bebd1eee

SHA1
bc953108903625e2db14686c26ca47c986472cfd

SHA256
fff45d400a7d51dd83b9d3212f64b2ae79bdd299b629e892e4f59142e144e99e

SHA512
13444ce4632dab82a109c9fdfc26e0e00822afa1d610192bc9fba55fc4d355e82f2863163b4fc69b49bcb0ea692faf506e5c08670f0986bc55f77850a70a06f6

Download Submit
C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe

Filesize
192KB

MD5
5f257ebbd99223a8afdb5a23bebd1eee

SHA1
bc953108903625e2db14686c26ca47c986472cfd

SHA256
fff45d400a7d51dd83b9d3212f64b2ae79bdd299b629e892e4f59142e144e99e

SHA512
13444ce4632dab82a109c9fdfc26e0e00822afa1d610192bc9fba55fc4d355e82f2863163b4fc69b49bcb0ea692faf506e5c08670f0986bc55f77850a70a06f6

Download Submit
C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe

Filesize
192KB

MD5
814fd009047c1037a4b2a1d807280aef

SHA1
bf2068d4cebd7bfb6bebf716a2469765c8b85332

SHA256
d95eee806642feac6cf4585990026e363c876ce45dfb8cacdee95aafaf023f09

SHA512
131bed86752c0586699114933c5f65b13cbc1238bb7462e3379d1ee935bddba04fff9787c07da4f741ef6bc3352202906eb276b3b21add6a2e03c1648689041d

Download Submit
C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe

Filesize
192KB

MD5
814fd009047c1037a4b2a1d807280aef

SHA1
bf2068d4cebd7bfb6bebf716a2469765c8b85332

SHA256
d95eee806642feac6cf4585990026e363c876ce45dfb8cacdee95aafaf023f09

SHA512
131bed86752c0586699114933c5f65b13cbc1238bb7462e3379d1ee935bddba04fff9787c07da4f741ef6bc3352202906eb276b3b21add6a2e03c1648689041d

Download Submit
C:\Windows\{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe

Filesize
192KB

MD5
83bceaf318858c8e3957cc029d74cad5

SHA1
efd4156017f7f1ab5c2787c47a1da1a17ea704a9

SHA256
b959cbdb045f6a1740f36aed0b11bbadc1f2a3dcef42d10bfadbf6792d6713fb

SHA512
db63399ad023d5dea56d5135884279b4fbe9a77333f48a3b9e51ca072812b1465e981d25dfe14a982725a776485eed872a02e9838c6189916443e7aabbca35bc

Download Submit
C:\Windows\{A6C1072A-615C-4e10-9256-6CE7255AC03A}.exe

Filesize
192KB

MD5
83bceaf318858c8e3957cc029d74cad5

SHA1
efd4156017f7f1ab5c2787c47a1da1a17ea704a9

SHA256
b959cbdb045f6a1740f36aed0b11bbadc1f2a3dcef42d10bfadbf6792d6713fb

SHA512
db63399ad023d5dea56d5135884279b4fbe9a77333f48a3b9e51ca072812b1465e981d25dfe14a982725a776485eed872a02e9838c6189916443e7aabbca35bc

Download Submit
C:\Windows\{D400D4EF-588F-4881-8EBD-AAF6CC96EFF6}.exe

Filesize
192KB

MD5
fade07fd256d09e8ec3fdf91c0b655ce

SHA1
66195cf2768516b355d7e041d9a8fc91d96622cc

SHA256
1af12392d5ab04891de00a5f903aafdc50df0af5c8a73cd71e82d4e5245e3653

SHA512
e22701d9d5cf3c1aaeca8c15c9cab4da4517b658638f57d4c1310dedae5e63fa2dd5905dcad4ed2fc002c84c718a0e3769e0fed147e226f5e58144b6df702219

Download Submit
C:\Windows\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe

Filesize
192KB

MD5
346c45939e21d65505437d1c9dd73176

SHA1
28ab293ebc26d8f1bc4ad9ba66000280a27b482c

SHA256
9abd4def2f10ecfa75bc9952e80e292b9da12890623ffd3906b2ab8e7cd3c9a8

SHA512
d2853070ec036b0a9c47138b0536e42a17f2c98bc10577013c6d173da8612e9d51fd8198502575636fe205414f07110cf96b1efd9a281a20ff7caa61cf0a6cb9

Download Submit
C:\Windows\{D7D6A18F-A709-4718-BA42-B66FA5FA776F}.exe

Filesize
192KB

MD5
346c45939e21d65505437d1c9dd73176

SHA1
28ab293ebc26d8f1bc4ad9ba66000280a27b482c

SHA256
9abd4def2f10ecfa75bc9952e80e292b9da12890623ffd3906b2ab8e7cd3c9a8

SHA512
d2853070ec036b0a9c47138b0536e42a17f2c98bc10577013c6d173da8612e9d51fd8198502575636fe205414f07110cf96b1efd9a281a20ff7caa61cf0a6cb9

Download Submit
C:\Windows\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe

Filesize
192KB

MD5
aa5a8fcefebdafa35002f4315a0697e1

SHA1
ca78bf928468ea8241cc68f880391ee4063439cd

SHA256
98065af76b561c6a1c0ae29a76cac433ca3ad48f2d4dcae1c1774ce54427441f

SHA512
6cca4a3f71219d4d33085e9d955f8abaf67ae05c79bea88526689ad8d8a9ceac596c44e45dc6f73c8b43c8de5de69e915aa9a1e91bdcaad3dd229d7772c27437

Download Submit
C:\Windows\{D83731CC-EFDD-4215-9CDE-9F335918A5F1}.exe

Filesize
192KB

MD5
aa5a8fcefebdafa35002f4315a0697e1

SHA1
ca78bf928468ea8241cc68f880391ee4063439cd

SHA256
98065af76b561c6a1c0ae29a76cac433ca3ad48f2d4dcae1c1774ce54427441f

SHA512
6cca4a3f71219d4d33085e9d955f8abaf67ae05c79bea88526689ad8d8a9ceac596c44e45dc6f73c8b43c8de5de69e915aa9a1e91bdcaad3dd229d7772c27437

Download Submit
C:\Windows\{F5232E39-B874-41a0-8443-844FC33A97B4}.exe

Filesize
192KB

MD5
78d0730bec990406097c47c7ebf65ced

SHA1
8f6c362dac3243f014d0830b2e56a136426ac5ef

SHA256
a9339e320d3ea1e80cad7e14d5dbab41b4d4d377ec45c5410af74a3c8ed10ab5

SHA512
d2414709e0456fd60a63d9173550b659085fb37812cf5f4501c1cb4b0ffb9094abba8ea05b819b708f36db3f82712a9121fe160a3fabe6195f64bcd6ce303bcc

Download Submit
C:\Windows\{F5232E39-B874-41a0-8443-844FC33A97B4}.exe

Filesize
192KB

MD5
78d0730bec990406097c47c7ebf65ced

SHA1
8f6c362dac3243f014d0830b2e56a136426ac5ef

SHA256
a9339e320d3ea1e80cad7e14d5dbab41b4d4d377ec45c5410af74a3c8ed10ab5

SHA512
d2414709e0456fd60a63d9173550b659085fb37812cf5f4501c1cb4b0ffb9094abba8ea05b819b708f36db3f82712a9121fe160a3fabe6195f64bcd6ce303bcc

Download Submit