b16fbc4e21f58f65ffd6d3d2ca4ecc2be6b3a6c732e64e73fa2d8f706000e764

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5864b7995de03cexeexeexeex.exe
Size

372KB
MD5

5864b7995de03c7dc0928291eaf56a14
SHA1

bf07c09ad060edd3a215738eee03003040e25865
SHA256

b16fbc4e21f58f65ffd6d3d2ca4ecc2be6b3a6c732e64e73fa2d8f706000e764
SHA512

0e563db012ff20e3a92fa5f35d298029afa808d54174ca3a69b521885ae92e74783f98c9e2ea64e7a39834a10c8b07820d5a9b6cb08a09903f166b4b51a6d7ca
SSDEEP

3072:CEGh0oomlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38782E84-2EF1-4575-B083-1458BDAA9DA7}	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}\stubpath = "C:\\Windows\\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe"	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}\stubpath = "C:\\Windows\\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe"	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43300F82-53C8-4d09-9014-996A3264ACF8}	{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}	5864b7995de03cexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABD9D7C2-CABA-477e-934F-990540F93462}\stubpath = "C:\\Windows\\{ABD9D7C2-CABA-477e-934F-990540F93462}.exe"	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}	{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}\stubpath = "C:\\Windows\\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe"	{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43300F82-53C8-4d09-9014-996A3264ACF8}\stubpath = "C:\\Windows\\{43300F82-53C8-4d09-9014-996A3264ACF8}.exe"	{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}\stubpath = "C:\\Windows\\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe"	{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}\stubpath = "C:\\Windows\\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe"	{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABD9D7C2-CABA-477e-934F-990540F93462}	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38782E84-2EF1-4575-B083-1458BDAA9DA7}\stubpath = "C:\\Windows\\{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe"	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}\stubpath = "C:\\Windows\\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe"	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}	{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}\stubpath = "C:\\Windows\\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe"	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}	{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}	{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}\stubpath = "C:\\Windows\\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}.exe"	{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}\stubpath = "C:\\Windows\\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe"	5864b7995de03cexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}\stubpath = "C:\\Windows\\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe"	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe
2232	{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
2400	{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
2768	{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
2764	{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
2628	{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe
2712	{E3496924-55B8-4a91-93DE-0319B1ABA5BE}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
File created	C:\Windows\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
File created	C:\Windows\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
File created	C:\Windows\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe	{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
File created	C:\Windows\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe	{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
File created	C:\Windows\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe	{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
File created	C:\Windows\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	5864b7995de03cexeexeexeex.exe
File created	C:\Windows\{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
File created	C:\Windows\{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
File created	C:\Windows\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
File created	C:\Windows\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe
File created	C:\Windows\{43300F82-53C8-4d09-9014-996A3264ACF8}.exe	{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
File created	C:\Windows\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}.exe	{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	5864b7995de03cexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
Token: SeIncBasePriorityPrivilege	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
Token: SeIncBasePriorityPrivilege	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
Token: SeIncBasePriorityPrivilege	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
Token: SeIncBasePriorityPrivilege	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
Token: SeIncBasePriorityPrivilege	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
Token: SeIncBasePriorityPrivilege	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe
Token: SeIncBasePriorityPrivilege	2232	{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
Token: SeIncBasePriorityPrivilege	2400	{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
Token: SeIncBasePriorityPrivilege	2768	{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
Token: SeIncBasePriorityPrivilege	2764	{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
Token: SeIncBasePriorityPrivilege	2628	{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1484	2052	5864b7995de03cexeexeexeex.exe	28
PID 2052 wrote to memory of 1484	2052	5864b7995de03cexeexeexeex.exe	28
PID 2052 wrote to memory of 1484	2052	5864b7995de03cexeexeexeex.exe	28
PID 2052 wrote to memory of 1484	2052	5864b7995de03cexeexeexeex.exe	28
PID 2052 wrote to memory of 2404	2052	5864b7995de03cexeexeexeex.exe	29
PID 2052 wrote to memory of 2404	2052	5864b7995de03cexeexeexeex.exe	29
PID 2052 wrote to memory of 2404	2052	5864b7995de03cexeexeexeex.exe	29
PID 2052 wrote to memory of 2404	2052	5864b7995de03cexeexeexeex.exe	29
PID 1484 wrote to memory of 2364	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	30
PID 1484 wrote to memory of 2364	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	30
PID 1484 wrote to memory of 2364	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	30
PID 1484 wrote to memory of 2364	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	30
PID 1484 wrote to memory of 2980	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	31
PID 1484 wrote to memory of 2980	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	31
PID 1484 wrote to memory of 2980	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	31
PID 1484 wrote to memory of 2980	1484	{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe	31
PID 2364 wrote to memory of 3056	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	32
PID 2364 wrote to memory of 3056	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	32
PID 2364 wrote to memory of 3056	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	32
PID 2364 wrote to memory of 3056	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	32
PID 2364 wrote to memory of 2228	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	33
PID 2364 wrote to memory of 2228	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	33
PID 2364 wrote to memory of 2228	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	33
PID 2364 wrote to memory of 2228	2364	{ABD9D7C2-CABA-477e-934F-990540F93462}.exe	33
PID 3056 wrote to memory of 1356	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	34
PID 3056 wrote to memory of 1356	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	34
PID 3056 wrote to memory of 1356	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	34
PID 3056 wrote to memory of 1356	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	34
PID 3056 wrote to memory of 2212	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	35
PID 3056 wrote to memory of 2212	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	35
PID 3056 wrote to memory of 2212	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	35
PID 3056 wrote to memory of 2212	3056	{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe	35
PID 1356 wrote to memory of 920	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	36
PID 1356 wrote to memory of 920	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	36
PID 1356 wrote to memory of 920	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	36
PID 1356 wrote to memory of 920	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	36
PID 1356 wrote to memory of 2216	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	37
PID 1356 wrote to memory of 2216	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	37
PID 1356 wrote to memory of 2216	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	37
PID 1356 wrote to memory of 2216	1356	{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe	37
PID 920 wrote to memory of 2376	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	38
PID 920 wrote to memory of 2376	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	38
PID 920 wrote to memory of 2376	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	38
PID 920 wrote to memory of 2376	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	38
PID 920 wrote to memory of 2552	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	39
PID 920 wrote to memory of 2552	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	39
PID 920 wrote to memory of 2552	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	39
PID 920 wrote to memory of 2552	920	{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe	39
PID 2376 wrote to memory of 904	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	40
PID 2376 wrote to memory of 904	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	40
PID 2376 wrote to memory of 904	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	40
PID 2376 wrote to memory of 904	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	40
PID 2376 wrote to memory of 2000	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	41
PID 2376 wrote to memory of 2000	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	41
PID 2376 wrote to memory of 2000	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	41
PID 2376 wrote to memory of 2000	2376	{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe	41
PID 904 wrote to memory of 2232	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	42
PID 904 wrote to memory of 2232	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	42
PID 904 wrote to memory of 2232	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	42
PID 904 wrote to memory of 2232	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	42
PID 904 wrote to memory of 1636	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	43
PID 904 wrote to memory of 1636	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	43
PID 904 wrote to memory of 1636	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	43
PID 904 wrote to memory of 1636	904	{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe	43

C:\Users\Admin\AppData\Local\Temp\5864b7995de03cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5864b7995de03cexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
  C:\Windows\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
    C:\Windows\{ABD9D7C2-CABA-477e-934F-990540F93462}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
      C:\Windows\{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
        
        C:\Windows\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
        
        C:\Windows\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
        
        C:\Windows\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe
        
        C:\Windows\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
        
        C:\Windows\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
        
        C:\Windows\{43300F82-53C8-4d09-9014-996A3264ACF8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
        
        C:\Windows\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
        
        C:\Windows\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe
        
        C:\Windows\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}.exe
        
        C:\Windows\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}.exe
        14⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1535D~1.EXE > nul
        14⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86D72~1.EXE > nul
        13⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79415~1.EXE > nul
        12⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43300~1.EXE > nul
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FECA7~1.EXE > nul
        10⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BFA0~1.EXE > nul
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B12F0~1.EXE > nul
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6DC4~1.EXE > nul
        7⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E95~1.EXE > nul
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38782~1.EXE > nul
        5⤵
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD9D~1.EXE > nul
      4⤵
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0CCC~1.EXE > nul
    3⤵
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5864B7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe

Filesize
372KB

MD5
bc6f9ac059122400641d5db568f73855

SHA1
474b26f822c9adae858942367c1807c16946e1b3

SHA256
0575ca3b03a3d75363f83f13e8bf647e643257b5fbb8bc2a737019ad6fff0c03

SHA512
1c9f6eb3f528dd76b56b50037756b582d231d0a7c69ad71dbc50db77028b14abb35d27eb82884f48ea8e65f4ddf4f1e4f8123103953e3807ef634098fb08c7b8

Download Submit
C:\Windows\{1535D2A2-6908-4b7d-B8D3-42E98ED7518A}.exe

Filesize
372KB

MD5
bc6f9ac059122400641d5db568f73855

SHA1
474b26f822c9adae858942367c1807c16946e1b3

SHA256
0575ca3b03a3d75363f83f13e8bf647e643257b5fbb8bc2a737019ad6fff0c03

SHA512
1c9f6eb3f528dd76b56b50037756b582d231d0a7c69ad71dbc50db77028b14abb35d27eb82884f48ea8e65f4ddf4f1e4f8123103953e3807ef634098fb08c7b8

Download Submit
C:\Windows\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe

Filesize
372KB

MD5
95cb862359746c4546e64545528b9115

SHA1
5b728f37ea4b67a5300873d390dc438e820762bc

SHA256
f9a713bded49791e71a8e51841d39a4030414eeda174400c35d7429f7dc3b19c

SHA512
30c9d7b3b5e8a6f99e235bf2dd279f43369114b54133135073d6201dac2a97e3577abe561a3b200f2b25330a2d56462c4d081b743aaafa9104a9c1e18124698b

Download Submit
C:\Windows\{1BFA008F-1052-40b1-99DE-C4164A2D11C0}.exe

Filesize
372KB

MD5
95cb862359746c4546e64545528b9115

SHA1
5b728f37ea4b67a5300873d390dc438e820762bc

SHA256
f9a713bded49791e71a8e51841d39a4030414eeda174400c35d7429f7dc3b19c

SHA512
30c9d7b3b5e8a6f99e235bf2dd279f43369114b54133135073d6201dac2a97e3577abe561a3b200f2b25330a2d56462c4d081b743aaafa9104a9c1e18124698b

Download Submit
C:\Windows\{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe

Filesize
372KB

MD5
a8c0928194140f1b82d84471e39905cd

SHA1
a8b84dd30bd74cf7e1d62cafb9c49a3540046915

SHA256
ac3d41b198e0e81705a29776a95f038582fc8426e5000b41618eff05254e2ef5

SHA512
90a581a651e604b6aea8a9e739437103f031b1d5bbd47fa754b6ba1692a15e977fa20a4673fa8a68a0878296b739a242178fb7f25b5b275272e4255d72222524

Download Submit
C:\Windows\{38782E84-2EF1-4575-B083-1458BDAA9DA7}.exe

Filesize
372KB

MD5
a8c0928194140f1b82d84471e39905cd

SHA1
a8b84dd30bd74cf7e1d62cafb9c49a3540046915

SHA256
ac3d41b198e0e81705a29776a95f038582fc8426e5000b41618eff05254e2ef5

SHA512
90a581a651e604b6aea8a9e739437103f031b1d5bbd47fa754b6ba1692a15e977fa20a4673fa8a68a0878296b739a242178fb7f25b5b275272e4255d72222524

Download Submit
C:\Windows\{43300F82-53C8-4d09-9014-996A3264ACF8}.exe

Filesize
372KB

MD5
ca2ec46207137d8133e0b1968811ba62

SHA1
5a4c2d80285a4c327f4b2a305130044233c24e69

SHA256
9b22fe2064b1bf05defef54b5bcc9191d6dc82852512af74deed128589bcf8ad

SHA512
66b8c8f0dc8ccebe7796a25ee090992f0e271f4be5d254ac4b41efeefd03c920712bbe0c52e9212af9dfffe023243a7041cd2f36af1ec932718631c578979aa2

Download Submit
C:\Windows\{43300F82-53C8-4d09-9014-996A3264ACF8}.exe

Filesize
372KB

MD5
ca2ec46207137d8133e0b1968811ba62

SHA1
5a4c2d80285a4c327f4b2a305130044233c24e69

SHA256
9b22fe2064b1bf05defef54b5bcc9191d6dc82852512af74deed128589bcf8ad

SHA512
66b8c8f0dc8ccebe7796a25ee090992f0e271f4be5d254ac4b41efeefd03c920712bbe0c52e9212af9dfffe023243a7041cd2f36af1ec932718631c578979aa2

Download Submit
C:\Windows\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe

Filesize
372KB

MD5
6e07ea15071ed740c94c79b9a16ca327

SHA1
2feaa7ae8ae413f6f749e4f3285262d3c0e92e52

SHA256
87a5c03b7e493fa77e30f0fe6f947bfc0d719bb2c59e91800355dcecd1baa51a

SHA512
643b78c828c06a22628c8963bbc9c8437f942baa0e4d8d2990ad89403f28190aa68e0adaf7c6ea883718cdfe1d1b7284075c5109204b454c08210bc9c599d942

Download Submit
C:\Windows\{7941593C-3ABB-41fd-AE3B-8D49AF33C997}.exe

Filesize
372KB

MD5
6e07ea15071ed740c94c79b9a16ca327

SHA1
2feaa7ae8ae413f6f749e4f3285262d3c0e92e52

SHA256
87a5c03b7e493fa77e30f0fe6f947bfc0d719bb2c59e91800355dcecd1baa51a

SHA512
643b78c828c06a22628c8963bbc9c8437f942baa0e4d8d2990ad89403f28190aa68e0adaf7c6ea883718cdfe1d1b7284075c5109204b454c08210bc9c599d942

Download Submit
C:\Windows\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe

Filesize
372KB

MD5
8a3e13fbbf2be4f8869595016f46bf15

SHA1
a06784e3f65f7da9d6b9c6e895a1db124443081a

SHA256
23f749d28e322177345e49864101d4fcf06ecf5bb45c7c25f20e18d8ee3f6a2d

SHA512
846a9d322ab94f25b037d79e8876c43d6b641f2dbad3cd201a21e512d4f4e35c58202b6f3f44cbbdeda13df9c370a3e0a7470f0629d422675e7320127968236e

Download Submit
C:\Windows\{86D72FD9-91C4-4e1a-A4F3-10B991DEDA67}.exe

Filesize
372KB

MD5
8a3e13fbbf2be4f8869595016f46bf15

SHA1
a06784e3f65f7da9d6b9c6e895a1db124443081a

SHA256
23f749d28e322177345e49864101d4fcf06ecf5bb45c7c25f20e18d8ee3f6a2d

SHA512
846a9d322ab94f25b037d79e8876c43d6b641f2dbad3cd201a21e512d4f4e35c58202b6f3f44cbbdeda13df9c370a3e0a7470f0629d422675e7320127968236e

Download Submit
C:\Windows\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe

Filesize
372KB

MD5
c83de08d5ef235e19d9e90122fed4b6d

SHA1
0b6de9446d07f05bec73a166514c6f26c2843178

SHA256
53b4c8d975e04d37dc7fb2ff27dd666afeb49e7747e5a3cf546a98c624b50ec1

SHA512
c43d6786eb444788979a2ff30d190234ff27aa940c314b62a9a5d52b315092e1fe4033f8f2b82bf442fb65ec8ce256c78bfcc0f8876072f3ddbe62174913ea56

Download Submit
C:\Windows\{A6DC45E5-083E-4092-AA3F-C6B3B03C5F50}.exe

Filesize
372KB

MD5
c83de08d5ef235e19d9e90122fed4b6d

SHA1
0b6de9446d07f05bec73a166514c6f26c2843178

SHA256
53b4c8d975e04d37dc7fb2ff27dd666afeb49e7747e5a3cf546a98c624b50ec1

SHA512
c43d6786eb444788979a2ff30d190234ff27aa940c314b62a9a5d52b315092e1fe4033f8f2b82bf442fb65ec8ce256c78bfcc0f8876072f3ddbe62174913ea56

Download Submit
C:\Windows\{ABD9D7C2-CABA-477e-934F-990540F93462}.exe

Filesize
372KB

MD5
5f7c21ea94a0089be04fedb2f2151621

SHA1
2fbb619df884ef5d6173f879da4e11f14d20dd0c

SHA256
953dbb9c14f865bf78829522e7322dc3dd811737a1682fe9ced88bdadb09ce7f

SHA512
fef149e5d3be74fbb7640a600649c6d494b79de292a2297ce42194b2d0271ecc96114490657f29a7cd4c64d79725805400c03f1736a4e3fe9053a6144a4e4479

Download Submit
C:\Windows\{ABD9D7C2-CABA-477e-934F-990540F93462}.exe

Filesize
372KB

MD5
5f7c21ea94a0089be04fedb2f2151621

SHA1
2fbb619df884ef5d6173f879da4e11f14d20dd0c

SHA256
953dbb9c14f865bf78829522e7322dc3dd811737a1682fe9ced88bdadb09ce7f

SHA512
fef149e5d3be74fbb7640a600649c6d494b79de292a2297ce42194b2d0271ecc96114490657f29a7cd4c64d79725805400c03f1736a4e3fe9053a6144a4e4479

Download Submit
C:\Windows\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe

Filesize
372KB

MD5
75dbeee6719265512e47e3e72a6abc22

SHA1
a1757f23497fb0311e6adb09ce07daab5071b2f4

SHA256
5aa0818377e42aea9ed4ae1503dca7d19e16fce4fdb163e4752706068f842b9d

SHA512
997e123920591d85a186e57b321006cc608134187bec33c398ece04e98c95e380c161d430371373729a1a400fdffc653c71017be6ef3cb87627408b191009ef6

Download Submit
C:\Windows\{B12F0F8C-9FE6-4cfd-B71D-D0BA743422E1}.exe

Filesize
372KB

MD5
75dbeee6719265512e47e3e72a6abc22

SHA1
a1757f23497fb0311e6adb09ce07daab5071b2f4

SHA256
5aa0818377e42aea9ed4ae1503dca7d19e16fce4fdb163e4752706068f842b9d

SHA512
997e123920591d85a186e57b321006cc608134187bec33c398ece04e98c95e380c161d430371373729a1a400fdffc653c71017be6ef3cb87627408b191009ef6

Download Submit
C:\Windows\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe

Filesize
372KB

MD5
37ea45c0296d67768840e32a37a31b21

SHA1
ec5e29f450d0e822dd9c93893f450c6e2eb1ddeb

SHA256
151d8b64b5b471c3789f953b3da802e8280f7dc48270166b30785bc09745a67c

SHA512
8ec7a66cff84cdefc2954f21e66a8bf9b70cf3a4fbc9416502b018cf7c9ce4aea6ac08927b44bf402fbd7f8168bc8a9a5dc32c6da91c133252e32efb968a80a3

Download Submit
C:\Windows\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe

Filesize
372KB

MD5
37ea45c0296d67768840e32a37a31b21

SHA1
ec5e29f450d0e822dd9c93893f450c6e2eb1ddeb

SHA256
151d8b64b5b471c3789f953b3da802e8280f7dc48270166b30785bc09745a67c

SHA512
8ec7a66cff84cdefc2954f21e66a8bf9b70cf3a4fbc9416502b018cf7c9ce4aea6ac08927b44bf402fbd7f8168bc8a9a5dc32c6da91c133252e32efb968a80a3

Download Submit
C:\Windows\{C0CCC6A6-90E6-4d9d-BD14-111C80244F5A}.exe

Filesize
372KB

MD5
37ea45c0296d67768840e32a37a31b21

SHA1
ec5e29f450d0e822dd9c93893f450c6e2eb1ddeb

SHA256
151d8b64b5b471c3789f953b3da802e8280f7dc48270166b30785bc09745a67c

SHA512
8ec7a66cff84cdefc2954f21e66a8bf9b70cf3a4fbc9416502b018cf7c9ce4aea6ac08927b44bf402fbd7f8168bc8a9a5dc32c6da91c133252e32efb968a80a3

Download Submit
C:\Windows\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe

Filesize
372KB

MD5
cf5bbcc921c602db590b3b892bf9c8b1

SHA1
6f965a1ce24dfa2d35428e7a82eae1acdb2b8688

SHA256
44750fcb809596825bd6be36f752879dda8cd24756a36b09cfccd434b2967b7e

SHA512
3c99fd501714828c1a47d45742b4dc37b1b39971e7df8802f80894ea17af4084e33db4083ea3fdeaa3aac060e7151ce6c4a1f2307e554944f158dfdbba6657c2

Download Submit
C:\Windows\{C7E95338-EBC1-45b3-B264-0EAA96BC21FF}.exe

Filesize
372KB

MD5
cf5bbcc921c602db590b3b892bf9c8b1

SHA1
6f965a1ce24dfa2d35428e7a82eae1acdb2b8688

SHA256
44750fcb809596825bd6be36f752879dda8cd24756a36b09cfccd434b2967b7e

SHA512
3c99fd501714828c1a47d45742b4dc37b1b39971e7df8802f80894ea17af4084e33db4083ea3fdeaa3aac060e7151ce6c4a1f2307e554944f158dfdbba6657c2

Download Submit
C:\Windows\{E3496924-55B8-4a91-93DE-0319B1ABA5BE}.exe

Filesize
372KB

MD5
287bbb56d2067c42751271864ebbd387

SHA1
8d3e1cf9b942bde72146a7577ae2e5993fe9aa11

SHA256
b8abf219f1dfbf29eae4e7b479b96a5eaf79c0c70e5f8be0153ec85f29c6ce21

SHA512
1d912c5468e466466dc61b50deeeb2e244f5c13927d5c50236004701b218f2f38bd8ccc8d462a394744a1538832450e093fc2b902c569cd528f0447e91759fa5

Download Submit
C:\Windows\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe

Filesize
372KB

MD5
181ca3198870290ff06c4ce1dcb58b72

SHA1
6daac2636f70cfe39b5cf158acc0dcbe638c72a4

SHA256
0b1306c2d09a96d162a78c1acc4edd7110db756383c98d3e257d34c4e4a4a274

SHA512
bee682f9b5dad0a9999020c1d5a93244b7487ce7d632025fdce7b567e0882a94331ce70d6092316cca8a17140fb2adfd051a017e92ce8e9ed74a2820e08960db

Download Submit
C:\Windows\{FECA7F6B-AEBB-4921-A0DE-F132235394E2}.exe

Filesize
372KB

MD5
181ca3198870290ff06c4ce1dcb58b72

SHA1
6daac2636f70cfe39b5cf158acc0dcbe638c72a4

SHA256
0b1306c2d09a96d162a78c1acc4edd7110db756383c98d3e257d34c4e4a4a274

SHA512
bee682f9b5dad0a9999020c1d5a93244b7487ce7d632025fdce7b567e0882a94331ce70d6092316cca8a17140fb2adfd051a017e92ce8e9ed74a2820e08960db

Download Submit