e31ee5407226bf1bc9d834092b67f7db87f4a7aeb15e7e9a85c89eafa2dbbd24

Analysis

max time kernel
147s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

657c028803a1c6exeexeexeex.exe
Size

168KB
MD5

657c028803a1c6fec233318442008401
SHA1

8b6212d6f701a45be472921832cb6d1a7c4a5f8e
SHA256

e31ee5407226bf1bc9d834092b67f7db87f4a7aeb15e7e9a85c89eafa2dbbd24
SHA512

12c2ecd9824b5dbcebad8014a14625a3eaf29c72ddd02f716dbbb4296c093f97e8f85126f4f96de6b329e4269b82da5114c126e4f361bb12d872aac690bb942a
SSDEEP

1536:1EGh0o13lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oFlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}\stubpath = "C:\\Windows\\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe"	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}	{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19445F61-923A-457a-89AD-35D9AB154136}\stubpath = "C:\\Windows\\{19445F61-923A-457a-89AD-35D9AB154136}.exe"	{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{076A5D61-C715-4f7e-AF01-6343C57D25F1}\stubpath = "C:\\Windows\\{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe"	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB5C331-D188-46de-A44E-F83807FD12AE}\stubpath = "C:\\Windows\\{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe"	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}\stubpath = "C:\\Windows\\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe"	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26C7BB38-3D1E-4bab-89C6-42362EB11574}	{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19445F61-923A-457a-89AD-35D9AB154136}	{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB5C331-D188-46de-A44E-F83807FD12AE}	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB0BA23F-3823-4664-BE17-0AE080942FDE}	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB0BA23F-3823-4664-BE17-0AE080942FDE}\stubpath = "C:\\Windows\\{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe"	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177BDB5A-C544-439c-B00E-97893FD8EBB1}\stubpath = "C:\\Windows\\{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe"	{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}\stubpath = "C:\\Windows\\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe"	{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4D3053-407B-461d-B1CE-2797DB18F057}	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26C7BB38-3D1E-4bab-89C6-42362EB11574}\stubpath = "C:\\Windows\\{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe"	{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}\stubpath = "C:\\Windows\\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe"	657c028803a1c6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4D3053-407B-461d-B1CE-2797DB18F057}\stubpath = "C:\\Windows\\{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe"	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{076A5D61-C715-4f7e-AF01-6343C57D25F1}	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}\stubpath = "C:\\Windows\\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe"	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177BDB5A-C544-439c-B00E-97893FD8EBB1}	{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}	{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}\stubpath = "C:\\Windows\\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe"	{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}	657c028803a1c6exeexeexeex.exe

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
340	{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
2400	{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
2944	{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
2936	{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
2232	{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe
2640	{19445F61-923A-457a-89AD-35D9AB154136}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	657c028803a1c6exeexeexeex.exe
File created	C:\Windows\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
File created	C:\Windows\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
File created	C:\Windows\{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
File created	C:\Windows\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
File created	C:\Windows\{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe	{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
File created	C:\Windows\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe	{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
File created	C:\Windows\{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
File created	C:\Windows\{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
File created	C:\Windows\{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
File created	C:\Windows\{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe	{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
File created	C:\Windows\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe	{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
File created	C:\Windows\{19445F61-923A-457a-89AD-35D9AB154136}.exe	{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	657c028803a1c6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
Token: SeIncBasePriorityPrivilege	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
Token: SeIncBasePriorityPrivilege	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
Token: SeIncBasePriorityPrivilege	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
Token: SeIncBasePriorityPrivilege	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
Token: SeIncBasePriorityPrivilege	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
Token: SeIncBasePriorityPrivilege	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
Token: SeIncBasePriorityPrivilege	340	{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
Token: SeIncBasePriorityPrivilege	2400	{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
Token: SeIncBasePriorityPrivilege	2944	{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
Token: SeIncBasePriorityPrivilege	2936	{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
Token: SeIncBasePriorityPrivilege	2232	{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1216	2372	657c028803a1c6exeexeexeex.exe	28
PID 2372 wrote to memory of 1216	2372	657c028803a1c6exeexeexeex.exe	28
PID 2372 wrote to memory of 1216	2372	657c028803a1c6exeexeexeex.exe	28
PID 2372 wrote to memory of 1216	2372	657c028803a1c6exeexeexeex.exe	28
PID 2372 wrote to memory of 2212	2372	657c028803a1c6exeexeexeex.exe	29
PID 2372 wrote to memory of 2212	2372	657c028803a1c6exeexeexeex.exe	29
PID 2372 wrote to memory of 2212	2372	657c028803a1c6exeexeexeex.exe	29
PID 2372 wrote to memory of 2212	2372	657c028803a1c6exeexeexeex.exe	29
PID 1216 wrote to memory of 2308	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	30
PID 1216 wrote to memory of 2308	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	30
PID 1216 wrote to memory of 2308	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	30
PID 1216 wrote to memory of 2308	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	30
PID 1216 wrote to memory of 2380	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	31
PID 1216 wrote to memory of 2380	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	31
PID 1216 wrote to memory of 2380	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	31
PID 1216 wrote to memory of 2380	1216	{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe	31
PID 2308 wrote to memory of 2144	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	32
PID 2308 wrote to memory of 2144	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	32
PID 2308 wrote to memory of 2144	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	32
PID 2308 wrote to memory of 2144	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	32
PID 2308 wrote to memory of 1468	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	33
PID 2308 wrote to memory of 1468	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	33
PID 2308 wrote to memory of 1468	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	33
PID 2308 wrote to memory of 1468	2308	{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe	33
PID 2144 wrote to memory of 2556	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	34
PID 2144 wrote to memory of 2556	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	34
PID 2144 wrote to memory of 2556	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	34
PID 2144 wrote to memory of 2556	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	34
PID 2144 wrote to memory of 880	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	35
PID 2144 wrote to memory of 880	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	35
PID 2144 wrote to memory of 880	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	35
PID 2144 wrote to memory of 880	2144	{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe	35
PID 2556 wrote to memory of 3000	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	36
PID 2556 wrote to memory of 3000	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	36
PID 2556 wrote to memory of 3000	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	36
PID 2556 wrote to memory of 3000	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	36
PID 2556 wrote to memory of 3064	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	37
PID 2556 wrote to memory of 3064	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	37
PID 2556 wrote to memory of 3064	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	37
PID 2556 wrote to memory of 3064	2556	{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe	37
PID 3000 wrote to memory of 2032	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	38
PID 3000 wrote to memory of 2032	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	38
PID 3000 wrote to memory of 2032	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	38
PID 3000 wrote to memory of 2032	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	38
PID 3000 wrote to memory of 1732	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	39
PID 3000 wrote to memory of 1732	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	39
PID 3000 wrote to memory of 1732	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	39
PID 3000 wrote to memory of 1732	3000	{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe	39
PID 2032 wrote to memory of 564	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	40
PID 2032 wrote to memory of 564	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	40
PID 2032 wrote to memory of 564	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	40
PID 2032 wrote to memory of 564	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	40
PID 2032 wrote to memory of 1012	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	41
PID 2032 wrote to memory of 1012	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	41
PID 2032 wrote to memory of 1012	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	41
PID 2032 wrote to memory of 1012	2032	{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe	41
PID 564 wrote to memory of 340	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	42
PID 564 wrote to memory of 340	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	42
PID 564 wrote to memory of 340	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	42
PID 564 wrote to memory of 340	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	42
PID 564 wrote to memory of 1164	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	43
PID 564 wrote to memory of 1164	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	43
PID 564 wrote to memory of 1164	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	43
PID 564 wrote to memory of 1164	564	{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe	43

C:\Users\Admin\AppData\Local\Temp\657c028803a1c6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\657c028803a1c6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
  C:\Windows\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
    C:\Windows\{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
      C:\Windows\{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
        
        C:\Windows\{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
        
        C:\Windows\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
        
        C:\Windows\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
        
        C:\Windows\{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
        
        C:\Windows\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
        
        C:\Windows\{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{177BD~1.EXE > nul
        11⤵
        
        PID:2600
        
        C:\Windows\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
        
        C:\Windows\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
        
        C:\Windows\{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26C7B~1.EXE > nul
        13⤵
        
        PID:2916
        
        C:\Windows\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe
        
        C:\Windows\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{19445F61-923A-457a-89AD-35D9AB154136}.exe
        
        C:\Windows\{19445F61-923A-457a-89AD-35D9AB154136}.exe
        14⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D366C~1.EXE > nul
        14⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44D4C~1.EXE > nul
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB17~1.EXE > nul
        10⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB0BA~1.EXE > nul
        9⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E13A2~1.EXE > nul
        8⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DAE~1.EXE > nul
        7⤵
        
        PID:1732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{076A5~1.EXE > nul
        6⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB5C~1.EXE > nul
        5⤵
        
        PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5D4D3~1.EXE > nul
      4⤵
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB99D~1.EXE > nul
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\657C02~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe

Filesize
168KB

MD5
f48680c804c90df9100a5e13a76e215c

SHA1
ea0ae57be2dd72dca90635895b0f63c4c0a85cbb

SHA256
5f79378c62220c0e940141f6670357e85f4f1eea786131a967482944d7291df2

SHA512
348fefaff052601b540568b0e89bfe5e6c1afbfe6ef740039cc82c36a7668724d058b8e6e197777139b963917c0bca1e2609ca399917dc6311d3418aac16c6a4

Download Submit
C:\Windows\{076A5D61-C715-4f7e-AF01-6343C57D25F1}.exe

Filesize
168KB

MD5
f48680c804c90df9100a5e13a76e215c

SHA1
ea0ae57be2dd72dca90635895b0f63c4c0a85cbb

SHA256
5f79378c62220c0e940141f6670357e85f4f1eea786131a967482944d7291df2

SHA512
348fefaff052601b540568b0e89bfe5e6c1afbfe6ef740039cc82c36a7668724d058b8e6e197777139b963917c0bca1e2609ca399917dc6311d3418aac16c6a4

Download Submit
C:\Windows\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe

Filesize
168KB

MD5
8257433c1fc7760c7d15c9b3765c418f

SHA1
2493c1eaf846c6c0f741816210e39b2fd705e74c

SHA256
25be97272fa240da2811937187658658b1d08009e1fb38e79c954ba7b6172657

SHA512
8f06e044ff457b313ac64a78e7954cdaee3eeefcd21691134052eecba25f24c4080feff93391c08536e4248942d04fb9f16879221255528ff3cc28a4f5270054

Download Submit
C:\Windows\{0BB17C5E-B2B6-4ec3-94C0-B083D1B8F9BE}.exe

Filesize
168KB

MD5
8257433c1fc7760c7d15c9b3765c418f

SHA1
2493c1eaf846c6c0f741816210e39b2fd705e74c

SHA256
25be97272fa240da2811937187658658b1d08009e1fb38e79c954ba7b6172657

SHA512
8f06e044ff457b313ac64a78e7954cdaee3eeefcd21691134052eecba25f24c4080feff93391c08536e4248942d04fb9f16879221255528ff3cc28a4f5270054

Download Submit
C:\Windows\{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe

Filesize
168KB

MD5
a5051051cec6c734b7a560d00994d246

SHA1
efc5c10e205c54435a14892941405bd31bdb68b5

SHA256
49e621637295deecaac9afbfa620efb941a60d5f0487f802d032f1a30553f7ec

SHA512
975f1beef6d2ebcf93a58fd4e95eb6d93ff3771c98875449a2712b1f4db5036f4fe37c6a0cfeec3731c176f37b5fcd7c9d0856ba2daec47382258b97428d1ea9

Download Submit
C:\Windows\{177BDB5A-C544-439c-B00E-97893FD8EBB1}.exe

Filesize
168KB

MD5
a5051051cec6c734b7a560d00994d246

SHA1
efc5c10e205c54435a14892941405bd31bdb68b5

SHA256
49e621637295deecaac9afbfa620efb941a60d5f0487f802d032f1a30553f7ec

SHA512
975f1beef6d2ebcf93a58fd4e95eb6d93ff3771c98875449a2712b1f4db5036f4fe37c6a0cfeec3731c176f37b5fcd7c9d0856ba2daec47382258b97428d1ea9

Download Submit
C:\Windows\{19445F61-923A-457a-89AD-35D9AB154136}.exe

Filesize
168KB

MD5
829c025c7da50ff685711c8a54548689

SHA1
d3b9bcdfa7d7a2c11bdc1869bd8a223eb5d23471

SHA256
96cc878204412cd719be02f82722eed59b53d846802b8638117b91a23136c0cc

SHA512
dbacd0e9b0f9cea4924bc8cba480878a485f04a008cc4fe763fa4e92dce6976a382ab21d9e2db66ae9d556eb343ec71d670574452c21fbfc189fa12c126b67bd

Download Submit
C:\Windows\{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe

Filesize
168KB

MD5
2af407e4809ea93486f4360d6b1fa0d9

SHA1
7f949cae4deee3a31e08e86c5f1b59f87851d005

SHA256
b4f1c2b174aa7ff374fb19b001997dcb1deaa69a4cbd394435abab30ca2cfbd6

SHA512
711a20a068cfd64a262f2e972d8ce462369b56ed567b248e06f01a69cbb8d490f9e236e077a8ce13c3c058982a81a60937e9209752be3a64a7b3d8c45e61d3a3

Download Submit
C:\Windows\{26C7BB38-3D1E-4bab-89C6-42362EB11574}.exe

Filesize
168KB

MD5
2af407e4809ea93486f4360d6b1fa0d9

SHA1
7f949cae4deee3a31e08e86c5f1b59f87851d005

SHA256
b4f1c2b174aa7ff374fb19b001997dcb1deaa69a4cbd394435abab30ca2cfbd6

SHA512
711a20a068cfd64a262f2e972d8ce462369b56ed567b248e06f01a69cbb8d490f9e236e077a8ce13c3c058982a81a60937e9209752be3a64a7b3d8c45e61d3a3

Download Submit
C:\Windows\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe

Filesize
168KB

MD5
691418a799609de1ad12797ac7cac45b

SHA1
bf6c1ec956d9f9a7594df9170a23d0a88540f9bb

SHA256
883acc11309e71b0adc1ac79660d95689576f8a1c0e51854bad8b2f64dcdc4e8

SHA512
a5bc4beb83b64dd7de2b7d266130ac191ef8fae486e608fcfb76b0952366e43ae9a46cf02f4da81372deaec1ebc4c1e58ba23fb707e16fc5791f37bce0d8f5ef

Download Submit
C:\Windows\{44D4C1FD-A38C-40ef-A95A-641CE7C2E2E7}.exe

Filesize
168KB

MD5
691418a799609de1ad12797ac7cac45b

SHA1
bf6c1ec956d9f9a7594df9170a23d0a88540f9bb

SHA256
883acc11309e71b0adc1ac79660d95689576f8a1c0e51854bad8b2f64dcdc4e8

SHA512
a5bc4beb83b64dd7de2b7d266130ac191ef8fae486e608fcfb76b0952366e43ae9a46cf02f4da81372deaec1ebc4c1e58ba23fb707e16fc5791f37bce0d8f5ef

Download Submit
C:\Windows\{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe

Filesize
168KB

MD5
92eb922d51aa887d3aed6b10dbb40e34

SHA1
a9b0ec3734c9e08669c256281c90cfd144405f20

SHA256
f208fcb6c838465a9c00a7c2f3c5e45cc8124121c50adf1fd8babade387aaf95

SHA512
406a5df5d2c1f350f9ac36af4c2a788a110566aac47e0c3081823f7423104a5070211f3efaa701f79e3ea469f81ca84b5cb1ef4164f3a98e6c7dde3be4c6cf5a

Download Submit
C:\Windows\{5D4D3053-407B-461d-B1CE-2797DB18F057}.exe

Filesize
168KB

MD5
92eb922d51aa887d3aed6b10dbb40e34

SHA1
a9b0ec3734c9e08669c256281c90cfd144405f20

SHA256
f208fcb6c838465a9c00a7c2f3c5e45cc8124121c50adf1fd8babade387aaf95

SHA512
406a5df5d2c1f350f9ac36af4c2a788a110566aac47e0c3081823f7423104a5070211f3efaa701f79e3ea469f81ca84b5cb1ef4164f3a98e6c7dde3be4c6cf5a

Download Submit
C:\Windows\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe

Filesize
168KB

MD5
fd90cd189b6b3cf15860cfbb1c6690b1

SHA1
2c2e90f022b97a020e922a4d858da6f7289dc8f3

SHA256
b5f54a032d45718cb7270b50d3a8514f7924d510903e350dff8db0f20e1ad0f5

SHA512
e6e26dadb301faf922ece50a65d83f3299cd0cd3f61c01387c3fa0ffe2bcbd0001b951e881159b9290617b08979c8c3c75848934929b5e4c8ee4622d4eb91bda

Download Submit
C:\Windows\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe

Filesize
168KB

MD5
fd90cd189b6b3cf15860cfbb1c6690b1

SHA1
2c2e90f022b97a020e922a4d858da6f7289dc8f3

SHA256
b5f54a032d45718cb7270b50d3a8514f7924d510903e350dff8db0f20e1ad0f5

SHA512
e6e26dadb301faf922ece50a65d83f3299cd0cd3f61c01387c3fa0ffe2bcbd0001b951e881159b9290617b08979c8c3c75848934929b5e4c8ee4622d4eb91bda

Download Submit
C:\Windows\{CB99D5A4-FA50-467b-BCAD-C2653ACDE3AB}.exe

Filesize
168KB

MD5
fd90cd189b6b3cf15860cfbb1c6690b1

SHA1
2c2e90f022b97a020e922a4d858da6f7289dc8f3

SHA256
b5f54a032d45718cb7270b50d3a8514f7924d510903e350dff8db0f20e1ad0f5

SHA512
e6e26dadb301faf922ece50a65d83f3299cd0cd3f61c01387c3fa0ffe2bcbd0001b951e881159b9290617b08979c8c3c75848934929b5e4c8ee4622d4eb91bda

Download Submit
C:\Windows\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe

Filesize
168KB

MD5
3f2d754c8e68942b62f836880937a803

SHA1
238c61c96bbbab8e637aff09f2446a093c551a8f

SHA256
a6960d9cd989f536e9efa39368d517053778849671724a5020ba7dbb35f68f97

SHA512
66942d3b2b8cbf3764713ceedeea3533129fa3a6f92a5bc35212261fb18d355353cde5a24ba8b44e4b7b818d4625e47332af8cbcdf3707038f3eeb3333a3f9a6

Download Submit
C:\Windows\{D366CFC7-A1F1-4116-B9DA-13ACECDE2D15}.exe

Filesize
168KB

MD5
3f2d754c8e68942b62f836880937a803

SHA1
238c61c96bbbab8e637aff09f2446a093c551a8f

SHA256
a6960d9cd989f536e9efa39368d517053778849671724a5020ba7dbb35f68f97

SHA512
66942d3b2b8cbf3764713ceedeea3533129fa3a6f92a5bc35212261fb18d355353cde5a24ba8b44e4b7b818d4625e47332af8cbcdf3707038f3eeb3333a3f9a6

Download Submit
C:\Windows\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe

Filesize
168KB

MD5
a9727476e877cd72478462e8b463a822

SHA1
1bd8a76e20651e13c00f8f5bac0a30f40c67c7bf

SHA256
e4a5aae6bd82b55502ffaa9c9e323d144ef9c3a211f70ead521ca951bf82147e

SHA512
5dd39d28793ac6370475e3559266352fb961284a6b9556de62594d58df87dc5d6ec99639908f67f3a102d0275d9196dda14300d8c7b4dbc81bdae9b70e357448

Download Submit
C:\Windows\{D4DAE744-6D2A-4b6b-A07B-17CD6F6A2680}.exe

Filesize
168KB

MD5
a9727476e877cd72478462e8b463a822

SHA1
1bd8a76e20651e13c00f8f5bac0a30f40c67c7bf

SHA256
e4a5aae6bd82b55502ffaa9c9e323d144ef9c3a211f70ead521ca951bf82147e

SHA512
5dd39d28793ac6370475e3559266352fb961284a6b9556de62594d58df87dc5d6ec99639908f67f3a102d0275d9196dda14300d8c7b4dbc81bdae9b70e357448

Download Submit
C:\Windows\{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe

Filesize
168KB

MD5
e673f261e883f8f45ecb3516641001db

SHA1
315877ee6bd4c4f6db806b93cf6efadb1d0031d6

SHA256
af4d7a46b8a305a7c6e70f5f9eb3237ac9105c0ee5b8d50a37bf9a851b2c36c9

SHA512
2c260326626086c00751aebb5944635002287dae47ed2a943919f92fe2400cf8ff52e264947241653a4f4e8923b73ca3c12f8a158b13d602f88cccfad477184c

Download Submit
C:\Windows\{DEB5C331-D188-46de-A44E-F83807FD12AE}.exe

Filesize
168KB

MD5
e673f261e883f8f45ecb3516641001db

SHA1
315877ee6bd4c4f6db806b93cf6efadb1d0031d6

SHA256
af4d7a46b8a305a7c6e70f5f9eb3237ac9105c0ee5b8d50a37bf9a851b2c36c9

SHA512
2c260326626086c00751aebb5944635002287dae47ed2a943919f92fe2400cf8ff52e264947241653a4f4e8923b73ca3c12f8a158b13d602f88cccfad477184c

Download Submit
C:\Windows\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe

Filesize
168KB

MD5
79e20bea10af7134d68b963ba674f7d2

SHA1
e6ef678b26a753c26cd46ff15ebfe97e7a40fdff

SHA256
1155be3903bac8bb8415833511583cf6ab92023176824ebd5457f6635dd5f4fd

SHA512
7c21881f75f16f50237d3cb523651bd705260eb7700d3249e3ec6d44357534ca0b09dbcfb9a7f020d0cdab0cef87a06fa19e49263a90111698894d43681bf1ef

Download Submit
C:\Windows\{E13A259D-CA69-4a3e-B0D3-2B8AA06CFFFE}.exe

Filesize
168KB

MD5
79e20bea10af7134d68b963ba674f7d2

SHA1
e6ef678b26a753c26cd46ff15ebfe97e7a40fdff

SHA256
1155be3903bac8bb8415833511583cf6ab92023176824ebd5457f6635dd5f4fd

SHA512
7c21881f75f16f50237d3cb523651bd705260eb7700d3249e3ec6d44357534ca0b09dbcfb9a7f020d0cdab0cef87a06fa19e49263a90111698894d43681bf1ef

Download Submit
C:\Windows\{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe

Filesize
168KB

MD5
72425f9b34f883c024e122c33cbd3ff8

SHA1
7e962d0414095237fb9b913b11f7ebbff165f2c9

SHA256
682c4be54553cbc8f805b440bdb0ee7bcd61a94065a70ba93e7537ed7e18bc07

SHA512
80ce46cdab95662ca9d382a0edd0f0ec28c6e52d072c9714101bf60d29debf9826199f1edfb6339c4a12839c817f2c77bb395c5cc17598cf39f10a13e415033f

Download Submit
C:\Windows\{FB0BA23F-3823-4664-BE17-0AE080942FDE}.exe

Filesize
168KB

MD5
72425f9b34f883c024e122c33cbd3ff8

SHA1
7e962d0414095237fb9b913b11f7ebbff165f2c9

SHA256
682c4be54553cbc8f805b440bdb0ee7bcd61a94065a70ba93e7537ed7e18bc07

SHA512
80ce46cdab95662ca9d382a0edd0f0ec28c6e52d072c9714101bf60d29debf9826199f1edfb6339c4a12839c817f2c77bb395c5cc17598cf39f10a13e415033f

Download Submit