b7c9b60bff9dfcf150ddfce1b96f0e2930c10d233115330cade9961c0fca5929

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55fe795044bb7bexeexeexeex.exe
Size

192KB
MD5

55fe795044bb7be8e796dbbe79456e32
SHA1

7564afaa02ede55fb8fb93c834d0c34edbc7a558
SHA256

b7c9b60bff9dfcf150ddfce1b96f0e2930c10d233115330cade9961c0fca5929
SHA512

dfe801100471c89c80934d416344d2f5e8f5361bd1725b2057a7aeb0becdb82fe6b0b6d71384858acfe51fe4058f3ccbe965e5e3e914c54d3d87ed6ca6915867
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}	55fe795044bb7bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{443C4D86-110A-419e-8914-A63553575C2D}	{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE2DF597-217F-44c1-A426-8410377A81FF}\stubpath = "C:\\Windows\\{FE2DF597-217F-44c1-A426-8410377A81FF}.exe"	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B73F19-DF90-48a5-AB44-4169167EF5EE}\stubpath = "C:\\Windows\\{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe"	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA9CED56-EE4C-4b60-A429-926C96DCC262}	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA9CED56-EE4C-4b60-A429-926C96DCC262}\stubpath = "C:\\Windows\\{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe"	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F22182-593E-4fca-A263-7A42B849CD6D}	{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}\stubpath = "C:\\Windows\\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe"	55fe795044bb7bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}\stubpath = "C:\\Windows\\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe"	{498100A7-01F8-47f8-8512-B000A43E3424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB31549A-E045-457b-82E9-DD324EFCF558}\stubpath = "C:\\Windows\\{AB31549A-E045-457b-82E9-DD324EFCF558}.exe"	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}	{443C4D86-110A-419e-8914-A63553575C2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}\stubpath = "C:\\Windows\\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe"	{443C4D86-110A-419e-8914-A63553575C2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{498100A7-01F8-47f8-8512-B000A43E3424}\stubpath = "C:\\Windows\\{498100A7-01F8-47f8-8512-B000A43E3424}.exe"	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}	{498100A7-01F8-47f8-8512-B000A43E3424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}\stubpath = "C:\\Windows\\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe"	{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25304B6E-317E-4233-A2CE-C54A7019B0BE}	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25304B6E-317E-4233-A2CE-C54A7019B0BE}\stubpath = "C:\\Windows\\{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe"	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{498100A7-01F8-47f8-8512-B000A43E3424}	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}	{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F22182-593E-4fca-A263-7A42B849CD6D}\stubpath = "C:\\Windows\\{72F22182-593E-4fca-A263-7A42B849CD6D}.exe"	{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{443C4D86-110A-419e-8914-A63553575C2D}\stubpath = "C:\\Windows\\{443C4D86-110A-419e-8914-A63553575C2D}.exe"	{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}	{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}\stubpath = "C:\\Windows\\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}.exe"	{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB31549A-E045-457b-82E9-DD324EFCF558}	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE2DF597-217F-44c1-A426-8410377A81FF}	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B73F19-DF90-48a5-AB44-4169167EF5EE}	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe
2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe
1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
2124	{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
980	{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
2752	{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
2608	{443C4D86-110A-419e-8914-A63553575C2D}.exe
2612	{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe
2924	{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
File created	C:\Windows\{72F22182-593E-4fca-A263-7A42B849CD6D}.exe	{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
File created	C:\Windows\{443C4D86-110A-419e-8914-A63553575C2D}.exe	{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
File created	C:\Windows\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}.exe	{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe
File created	C:\Windows\{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
File created	C:\Windows\{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe
File created	C:\Windows\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe	{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
File created	C:\Windows\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	55fe795044bb7bexeexeexeex.exe
File created	C:\Windows\{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
File created	C:\Windows\{498100A7-01F8-47f8-8512-B000A43E3424}.exe	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
File created	C:\Windows\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	{498100A7-01F8-47f8-8512-B000A43E3424}.exe
File created	C:\Windows\{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
File created	C:\Windows\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe	{443C4D86-110A-419e-8914-A63553575C2D}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	55fe795044bb7bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
Token: SeIncBasePriorityPrivilege	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
Token: SeIncBasePriorityPrivilege	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe
Token: SeIncBasePriorityPrivilege	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
Token: SeIncBasePriorityPrivilege	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
Token: SeIncBasePriorityPrivilege	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe
Token: SeIncBasePriorityPrivilege	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
Token: SeIncBasePriorityPrivilege	2124	{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
Token: SeIncBasePriorityPrivilege	980	{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
Token: SeIncBasePriorityPrivilege	2752	{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
Token: SeIncBasePriorityPrivilege	2608	{443C4D86-110A-419e-8914-A63553575C2D}.exe
Token: SeIncBasePriorityPrivilege	2612	{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2260	2320	55fe795044bb7bexeexeexeex.exe	29
PID 2320 wrote to memory of 2260	2320	55fe795044bb7bexeexeexeex.exe	29
PID 2320 wrote to memory of 2260	2320	55fe795044bb7bexeexeexeex.exe	29
PID 2320 wrote to memory of 2260	2320	55fe795044bb7bexeexeexeex.exe	29
PID 2320 wrote to memory of 2372	2320	55fe795044bb7bexeexeexeex.exe	30
PID 2320 wrote to memory of 2372	2320	55fe795044bb7bexeexeexeex.exe	30
PID 2320 wrote to memory of 2372	2320	55fe795044bb7bexeexeexeex.exe	30
PID 2320 wrote to memory of 2372	2320	55fe795044bb7bexeexeexeex.exe	30
PID 2260 wrote to memory of 2948	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	31
PID 2260 wrote to memory of 2948	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	31
PID 2260 wrote to memory of 2948	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	31
PID 2260 wrote to memory of 2948	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	31
PID 2260 wrote to memory of 2564	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	32
PID 2260 wrote to memory of 2564	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	32
PID 2260 wrote to memory of 2564	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	32
PID 2260 wrote to memory of 2564	2260	{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe	32
PID 2948 wrote to memory of 2200	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	33
PID 2948 wrote to memory of 2200	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	33
PID 2948 wrote to memory of 2200	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	33
PID 2948 wrote to memory of 2200	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	33
PID 2948 wrote to memory of 1764	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	34
PID 2948 wrote to memory of 1764	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	34
PID 2948 wrote to memory of 1764	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	34
PID 2948 wrote to memory of 1764	2948	{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe	34
PID 2200 wrote to memory of 2936	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	35
PID 2200 wrote to memory of 2936	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	35
PID 2200 wrote to memory of 2936	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	35
PID 2200 wrote to memory of 2936	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	35
PID 2200 wrote to memory of 2068	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	36
PID 2200 wrote to memory of 2068	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	36
PID 2200 wrote to memory of 2068	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	36
PID 2200 wrote to memory of 2068	2200	{498100A7-01F8-47f8-8512-B000A43E3424}.exe	36
PID 2936 wrote to memory of 1960	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	37
PID 2936 wrote to memory of 1960	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	37
PID 2936 wrote to memory of 1960	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	37
PID 2936 wrote to memory of 1960	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	37
PID 2936 wrote to memory of 1324	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	38
PID 2936 wrote to memory of 1324	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	38
PID 2936 wrote to memory of 1324	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	38
PID 2936 wrote to memory of 1324	2936	{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe	38
PID 1960 wrote to memory of 2256	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	39
PID 1960 wrote to memory of 2256	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	39
PID 1960 wrote to memory of 2256	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	39
PID 1960 wrote to memory of 2256	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	39
PID 1960 wrote to memory of 1628	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	40
PID 1960 wrote to memory of 1628	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	40
PID 1960 wrote to memory of 1628	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	40
PID 1960 wrote to memory of 1628	1960	{AB31549A-E045-457b-82E9-DD324EFCF558}.exe	40
PID 2256 wrote to memory of 1352	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	41
PID 2256 wrote to memory of 1352	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	41
PID 2256 wrote to memory of 1352	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	41
PID 2256 wrote to memory of 1352	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	41
PID 2256 wrote to memory of 1176	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	42
PID 2256 wrote to memory of 1176	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	42
PID 2256 wrote to memory of 1176	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	42
PID 2256 wrote to memory of 1176	2256	{FE2DF597-217F-44c1-A426-8410377A81FF}.exe	42
PID 1352 wrote to memory of 2124	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	43
PID 1352 wrote to memory of 2124	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	43
PID 1352 wrote to memory of 2124	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	43
PID 1352 wrote to memory of 2124	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	43
PID 1352 wrote to memory of 2408	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	44
PID 1352 wrote to memory of 2408	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	44
PID 1352 wrote to memory of 2408	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	44
PID 1352 wrote to memory of 2408	1352	{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe	44

C:\Users\Admin\AppData\Local\Temp\55fe795044bb7bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\55fe795044bb7bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
  C:\Windows\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
    C:\Windows\{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\{498100A7-01F8-47f8-8512-B000A43E3424}.exe
      C:\Windows\{498100A7-01F8-47f8-8512-B000A43E3424}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
        
        C:\Windows\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
        
        C:\Windows\{AB31549A-E045-457b-82E9-DD324EFCF558}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{FE2DF597-217F-44c1-A426-8410377A81FF}.exe
        
        C:\Windows\{FE2DF597-217F-44c1-A426-8410377A81FF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
        
        C:\Windows\{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
        
        C:\Windows\{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
        
        C:\Windows\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
        
        C:\Windows\{72F22182-593E-4fca-A263-7A42B849CD6D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{443C4D86-110A-419e-8914-A63553575C2D}.exe
        
        C:\Windows\{443C4D86-110A-419e-8914-A63553575C2D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe
        
        C:\Windows\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}.exe
        
        C:\Windows\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}.exe
        14⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0474D~1.EXE > nul
        14⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{443C4~1.EXE > nul
        13⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72F22~1.EXE > nul
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7492~1.EXE > nul
        11⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA9CE~1.EXE > nul
        10⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B73~1.EXE > nul
        9⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE2DF~1.EXE > nul
        8⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB315~1.EXE > nul
        7⤵
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA30C~1.EXE > nul
        6⤵
        
        PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49810~1.EXE > nul
        5⤵
        
        PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25304~1.EXE > nul
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD0B~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\55FE79~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe

Filesize
192KB

MD5
f5ae68c30f234b8a77ac0825d6c2725c

SHA1
1a9e32e3ca9297b021f4caa18d91feddcdfdd554

SHA256
b99b2a91f29d9bfcb1d3c1c0f2064d09f7cfd3c1b070fea2ef70022149579a22

SHA512
b26e7210fc9d41714482f21860ce3b1f7e449ef5201d9bc438dc51f2795934cefde706afea573ac76f02deb53cc991258764f71bab113f9237f9b1c25cc4351e

Download Submit
C:\Windows\{0474DA4A-CB3E-4ee0-B4EE-BD7EC1AE846F}.exe

Filesize
192KB

MD5
f5ae68c30f234b8a77ac0825d6c2725c

SHA1
1a9e32e3ca9297b021f4caa18d91feddcdfdd554

SHA256
b99b2a91f29d9bfcb1d3c1c0f2064d09f7cfd3c1b070fea2ef70022149579a22

SHA512
b26e7210fc9d41714482f21860ce3b1f7e449ef5201d9bc438dc51f2795934cefde706afea573ac76f02deb53cc991258764f71bab113f9237f9b1c25cc4351e

Download Submit
C:\Windows\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe

Filesize
192KB

MD5
af942c7d4d3bb5826ad25743229fe4dc

SHA1
34dd01d2a62358515e05c00a3dc37627b71342ac

SHA256
8d02ddc27a781c268b54d91e800feb8fdbd731be5b35d35f65376c105decaaa9

SHA512
6d433807747e33154ef82703ce4c84c83d29dca89d74dc9b9483a6504fd55aa094c3e4da12467547608801a3a6fa25811958e45df06a66ec2ad6729f69d93b95

Download Submit
C:\Windows\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe

Filesize
192KB

MD5
af942c7d4d3bb5826ad25743229fe4dc

SHA1
34dd01d2a62358515e05c00a3dc37627b71342ac

SHA256
8d02ddc27a781c268b54d91e800feb8fdbd731be5b35d35f65376c105decaaa9

SHA512
6d433807747e33154ef82703ce4c84c83d29dca89d74dc9b9483a6504fd55aa094c3e4da12467547608801a3a6fa25811958e45df06a66ec2ad6729f69d93b95

Download Submit
C:\Windows\{0AD0B10D-2A2A-4726-B684-54AE36FC7861}.exe

Filesize
192KB

MD5
af942c7d4d3bb5826ad25743229fe4dc

SHA1
34dd01d2a62358515e05c00a3dc37627b71342ac

SHA256
8d02ddc27a781c268b54d91e800feb8fdbd731be5b35d35f65376c105decaaa9

SHA512
6d433807747e33154ef82703ce4c84c83d29dca89d74dc9b9483a6504fd55aa094c3e4da12467547608801a3a6fa25811958e45df06a66ec2ad6729f69d93b95

Download Submit
C:\Windows\{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe

Filesize
192KB

MD5
3b8dcfc9579a5c4528ce95dd2531944c

SHA1
1db3763a17b5ece7d675894d4532006169aba914

SHA256
a4581141f980233cecbc28b7261e4835065f6eb9f4ad171242284c01a7fd4151

SHA512
295eebfae1db3b1e94cdc8b3bc7f9df9b7f0e32f59f444728347e5d9bf0769d75e1a76761ced75f5f5e44f39ef948fbb947ec0e2079a8d52e4999c65ce70e0bc

Download Submit
C:\Windows\{25304B6E-317E-4233-A2CE-C54A7019B0BE}.exe

Filesize
192KB

MD5
3b8dcfc9579a5c4528ce95dd2531944c

SHA1
1db3763a17b5ece7d675894d4532006169aba914

SHA256
a4581141f980233cecbc28b7261e4835065f6eb9f4ad171242284c01a7fd4151

SHA512
295eebfae1db3b1e94cdc8b3bc7f9df9b7f0e32f59f444728347e5d9bf0769d75e1a76761ced75f5f5e44f39ef948fbb947ec0e2079a8d52e4999c65ce70e0bc

Download Submit
C:\Windows\{443C4D86-110A-419e-8914-A63553575C2D}.exe

Filesize
192KB

MD5
a94d2df05af5bb6a85555724381493b0

SHA1
ab8cf56ca58e43772c388e5bbaba1bf5eaedfb0f

SHA256
f8a30a0abab0b7af05713903b4c2424d08340b25589056eb6641c7cdebb8f480

SHA512
d926a4ac4a05f7ec451437dc6361f841555107d1f2e6d209b5bbb1c8c3b956abf0063e409b571c6c70e46702f4c0b61b82a94d54657bd5136b6df48553d61976

Download Submit
C:\Windows\{443C4D86-110A-419e-8914-A63553575C2D}.exe

Filesize
192KB

MD5
a94d2df05af5bb6a85555724381493b0

SHA1
ab8cf56ca58e43772c388e5bbaba1bf5eaedfb0f

SHA256
f8a30a0abab0b7af05713903b4c2424d08340b25589056eb6641c7cdebb8f480

SHA512
d926a4ac4a05f7ec451437dc6361f841555107d1f2e6d209b5bbb1c8c3b956abf0063e409b571c6c70e46702f4c0b61b82a94d54657bd5136b6df48553d61976

Download Submit
C:\Windows\{498100A7-01F8-47f8-8512-B000A43E3424}.exe

Filesize
192KB

MD5
3ebcefd3db3bfa99ae2dce5fa0be534c

SHA1
12ee970f3c723c51331606a3449cd4bc7d7dccb6

SHA256
2aecded8bc22ac679bd4d19e1495dcbe15e513ec71354d08cbc2f44018528eb5

SHA512
e98816e5213c208c85510ecd236a27ab6f55fd6840e90b7fc9cd9891db77d9878c02aa5abd234a63c57ec9213aeb95138060088d6ce1a27d74a2913189e3fdfa

Download Submit
C:\Windows\{498100A7-01F8-47f8-8512-B000A43E3424}.exe

Filesize
192KB

MD5
3ebcefd3db3bfa99ae2dce5fa0be534c

SHA1
12ee970f3c723c51331606a3449cd4bc7d7dccb6

SHA256
2aecded8bc22ac679bd4d19e1495dcbe15e513ec71354d08cbc2f44018528eb5

SHA512
e98816e5213c208c85510ecd236a27ab6f55fd6840e90b7fc9cd9891db77d9878c02aa5abd234a63c57ec9213aeb95138060088d6ce1a27d74a2913189e3fdfa

Download Submit
C:\Windows\{72F22182-593E-4fca-A263-7A42B849CD6D}.exe

Filesize
192KB

MD5
06111bc7dfaf5b6a6424060125e73588

SHA1
f432ff0128a5df6626e7099b4e25608e92fc04d8

SHA256
74d14cc9e18b31d2f786331a3ce8b34db6b499ddf583c38a6afe2b1bd7796563

SHA512
d0182c0ac7e1e6095c2bff059bebe7bd56863e67613205674f50dcf8b1790fc1bb68c5441a1367b5de7cb23c04287c6424c9f799afa3c85c567c8f699772754f

Download Submit
C:\Windows\{72F22182-593E-4fca-A263-7A42B849CD6D}.exe

Filesize
192KB

MD5
06111bc7dfaf5b6a6424060125e73588

SHA1
f432ff0128a5df6626e7099b4e25608e92fc04d8

SHA256
74d14cc9e18b31d2f786331a3ce8b34db6b499ddf583c38a6afe2b1bd7796563

SHA512
d0182c0ac7e1e6095c2bff059bebe7bd56863e67613205674f50dcf8b1790fc1bb68c5441a1367b5de7cb23c04287c6424c9f799afa3c85c567c8f699772754f

Download Submit
C:\Windows\{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe

Filesize
192KB

MD5
cbc75797ec7e83c618f852364e410f66

SHA1
9ea636215240c00f2e59e2052c5c61e71b49b117

SHA256
bbc3435f7fc8a6c5e270d66666768794875da0b589e112491db7d4dd73787db6

SHA512
998f971d52b214060f1b6eb683ddb88d6212b0dd169cc58dbb255ce44250ec8920d4eb0d3b7c631a6c98b46c271cbf98a5e966272afd90fa0395ee7baa0daf25

Download Submit
C:\Windows\{92B73F19-DF90-48a5-AB44-4169167EF5EE}.exe

Filesize
192KB

MD5
cbc75797ec7e83c618f852364e410f66

SHA1
9ea636215240c00f2e59e2052c5c61e71b49b117

SHA256
bbc3435f7fc8a6c5e270d66666768794875da0b589e112491db7d4dd73787db6

SHA512
998f971d52b214060f1b6eb683ddb88d6212b0dd169cc58dbb255ce44250ec8920d4eb0d3b7c631a6c98b46c271cbf98a5e966272afd90fa0395ee7baa0daf25

Download Submit
C:\Windows\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe

Filesize
192KB

MD5
b75ce21224b0d755db8b1a5d56c3e645

SHA1
644f52520ed27cbdc21bc722793e3e022b842744

SHA256
ce258f0ef26dd95451c90d2cd19a01d12a33b7bc0c39c9d0bec7cc31d81225cf

SHA512
b77e4c4031758e372f9a74900fd3729a30ea40426ba78f5d54839cbec439fece03dcb9ed5bb1ca5202d46c1a8fb8c6e6d318cc1fe01822accfba39b229107cb7

Download Submit
C:\Windows\{AA30C89B-70A7-46a6-B83A-3E94806B6E3C}.exe

Filesize
192KB

MD5
b75ce21224b0d755db8b1a5d56c3e645

SHA1
644f52520ed27cbdc21bc722793e3e022b842744

SHA256
ce258f0ef26dd95451c90d2cd19a01d12a33b7bc0c39c9d0bec7cc31d81225cf

SHA512
b77e4c4031758e372f9a74900fd3729a30ea40426ba78f5d54839cbec439fece03dcb9ed5bb1ca5202d46c1a8fb8c6e6d318cc1fe01822accfba39b229107cb7

Download Submit
C:\Windows\{AB31549A-E045-457b-82E9-DD324EFCF558}.exe

Filesize
192KB

MD5
fa344182fdd9fe555fc5bd7a32c177df

SHA1
dadf55d401943e1e0249c61e464b50706f47efb4

SHA256
bfc9c166fa6c0cf173d5719fea26e67b5b9cfc1eaeefb9f3622f64c3a61fc438

SHA512
712d4abae5b0b854cf40cf5bd3dc60487bf1197bcfacf681d7cb8c140647b66ac5c07d48630d2688f1810fc7a6d505a248005d7b160b726a0382a0951bda13d7

Download Submit
C:\Windows\{AB31549A-E045-457b-82E9-DD324EFCF558}.exe

Filesize
192KB

MD5
fa344182fdd9fe555fc5bd7a32c177df

SHA1
dadf55d401943e1e0249c61e464b50706f47efb4

SHA256
bfc9c166fa6c0cf173d5719fea26e67b5b9cfc1eaeefb9f3622f64c3a61fc438

SHA512
712d4abae5b0b854cf40cf5bd3dc60487bf1197bcfacf681d7cb8c140647b66ac5c07d48630d2688f1810fc7a6d505a248005d7b160b726a0382a0951bda13d7

Download Submit
C:\Windows\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe

Filesize
192KB

MD5
0c307c7dbf69e3ed5b09b4fd8eaff36d

SHA1
0d0badc0529baecce7612c5d577fdcc9623034a6

SHA256
c08a7545a43cdaf4740a77defa83652424c33d4a6d0e6f931ea1255ce2ad23e5

SHA512
a58cffdf7a7c050b8ecc91501a880248e99befe528a787fe345d02a5d2e40429f8a2a74fe7028481bc702cae1c396208b5ab1fc4cf6dfba1c2c9175c40f63946

Download Submit
C:\Windows\{E74926C8-09C3-46d3-B485-A090DBDFF9F3}.exe

Filesize
192KB

MD5
0c307c7dbf69e3ed5b09b4fd8eaff36d

SHA1
0d0badc0529baecce7612c5d577fdcc9623034a6

SHA256
c08a7545a43cdaf4740a77defa83652424c33d4a6d0e6f931ea1255ce2ad23e5

SHA512
a58cffdf7a7c050b8ecc91501a880248e99befe528a787fe345d02a5d2e40429f8a2a74fe7028481bc702cae1c396208b5ab1fc4cf6dfba1c2c9175c40f63946

Download Submit
C:\Windows\{EB0B8C88-56A2-4138-A418-3A9AEE40CC15}.exe

Filesize
192KB

MD5
35573e59a5e329a87755f4a3d464ab8b

SHA1
0003fb8219969d079d8b8962b2bdd68527af69a3

SHA256
ee750c184281975b1e9731f3a900d3c542cccd44f3c43092a28188d526e1bd56

SHA512
1714633f17d17347d8724be826c14d6d11510c08bc16af5bb217d225ff81fd46967ca0706337af22eff1aeab2aed5ec02df7719ab8b1fdb7798551231ee55176

Download Submit
C:\Windows\{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe

Filesize
192KB

MD5
32ab6f93c039d17d7939e135610a9017

SHA1
ea8647c1316650e5ab61542cf26cda50bee315b7

SHA256
cced067a2085733a557313df8bfe6cfbe5ecea2614ab522ca9c75548a5b0aa39

SHA512
b7865b1023d20389354310a0dc8b25a8c8b3dc2e12fc57320a899513a5696be580929967cf6503ea6c6654106f96671df30175b9a66648a75d4d95e7b9577bdf

Download Submit
C:\Windows\{FA9CED56-EE4C-4b60-A429-926C96DCC262}.exe

Filesize
192KB

MD5
32ab6f93c039d17d7939e135610a9017

SHA1
ea8647c1316650e5ab61542cf26cda50bee315b7

SHA256
cced067a2085733a557313df8bfe6cfbe5ecea2614ab522ca9c75548a5b0aa39

SHA512
b7865b1023d20389354310a0dc8b25a8c8b3dc2e12fc57320a899513a5696be580929967cf6503ea6c6654106f96671df30175b9a66648a75d4d95e7b9577bdf

Download Submit
C:\Windows\{FE2DF597-217F-44c1-A426-8410377A81FF}.exe

Filesize
192KB

MD5
25212bf256dc90cab50260ab478f7dac

SHA1
b0d443fd357152d3a5bfe635dce1944a3522c58c

SHA256
9977d850dc1ebd9d0c83be5b7f78ce14b51e2d933a2236434609f56b41a4d1f3

SHA512
e866aea31d83281a9d0fa2ee86bc22ce447b05014296ce297b372293ab4b18ebebbd1a6b91b657f16e87635209c7e84142330f83e7eb049b2e6dc366dac4a7dd

Download Submit
C:\Windows\{FE2DF597-217F-44c1-A426-8410377A81FF}.exe

Filesize
192KB

MD5
25212bf256dc90cab50260ab478f7dac

SHA1
b0d443fd357152d3a5bfe635dce1944a3522c58c

SHA256
9977d850dc1ebd9d0c83be5b7f78ce14b51e2d933a2236434609f56b41a4d1f3

SHA512
e866aea31d83281a9d0fa2ee86bc22ce447b05014296ce297b372293ab4b18ebebbd1a6b91b657f16e87635209c7e84142330f83e7eb049b2e6dc366dac4a7dd

Download Submit