0f8e0d27f6a67b4c17fd0b43e512ddbebbbd138b1aa0115c7d8017dc26285304

Analysis

max time kernel
146s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6641279509087dexeexeexeex.exe
Size

372KB
MD5

6641279509087da42e6e1ac4a1b6c096
SHA1

337df33c2805d2d61a08820e800d113260cf7d7f
SHA256

0f8e0d27f6a67b4c17fd0b43e512ddbebbbd138b1aa0115c7d8017dc26285304
SHA512

4841c5345a892e20d2aa304c52a574e7bf353d272636a4caef23be49d66359b518971a85b15e297704037442412211b91c3d7aef2188eee24e512af47dfe8bf4
SSDEEP

3072:CEGh0o3mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGEl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FB25BC-B033-4854-90BF-85343E66F8D5}	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BC5098A-1A45-4885-9DEF-FFD746D42559}	{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BC5098A-1A45-4885-9DEF-FFD746D42559}\stubpath = "C:\\Windows\\{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe"	{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}	{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3E1050-F92F-416c-BC36-E24BB856EF60}\stubpath = "C:\\Windows\\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe"	6641279509087dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D474A288-5727-4324-ABC5-09B11A9A9E34}	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}\stubpath = "C:\\Windows\\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe"	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}\stubpath = "C:\\Windows\\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe"	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}\stubpath = "C:\\Windows\\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe"	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D61B144E-E92B-4d1e-B6C9-C32507595568}\stubpath = "C:\\Windows\\{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe"	{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}	{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}\stubpath = "C:\\Windows\\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}.exe"	{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FB25BC-B033-4854-90BF-85343E66F8D5}\stubpath = "C:\\Windows\\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe"	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}\stubpath = "C:\\Windows\\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe"	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3E1050-F92F-416c-BC36-E24BB856EF60}	6641279509087dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}\stubpath = "C:\\Windows\\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe"	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D474A288-5727-4324-ABC5-09B11A9A9E34}\stubpath = "C:\\Windows\\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe"	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D61B144E-E92B-4d1e-B6C9-C32507595568}	{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}	{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}\stubpath = "C:\\Windows\\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe"	{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}\stubpath = "C:\\Windows\\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe"	{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
1392	{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
2628	{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
2564	{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
2612	{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe
2824	{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe
2480	{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
File created	C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
File created	C:\Windows\{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe	{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
File created	C:\Windows\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe	{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe
File created	C:\Windows\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}.exe	{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe
File created	C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	6641279509087dexeexeexeex.exe
File created	C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
File created	C:\Windows\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
File created	C:\Windows\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
File created	C:\Windows\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
File created	C:\Windows\{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe	{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
File created	C:\Windows\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe	{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
File created	C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1212	6641279509087dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
Token: SeIncBasePriorityPrivilege	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
Token: SeIncBasePriorityPrivilege	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
Token: SeIncBasePriorityPrivilege	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
Token: SeIncBasePriorityPrivilege	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
Token: SeIncBasePriorityPrivilege	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
Token: SeIncBasePriorityPrivilege	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
Token: SeIncBasePriorityPrivilege	1392	{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
Token: SeIncBasePriorityPrivilege	2628	{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
Token: SeIncBasePriorityPrivilege	2564	{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
Token: SeIncBasePriorityPrivilege	2612	{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe
Token: SeIncBasePriorityPrivilege	2824	{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2044	1212	6641279509087dexeexeexeex.exe	28
PID 1212 wrote to memory of 2044	1212	6641279509087dexeexeexeex.exe	28
PID 1212 wrote to memory of 2044	1212	6641279509087dexeexeexeex.exe	28
PID 1212 wrote to memory of 2044	1212	6641279509087dexeexeexeex.exe	28
PID 1212 wrote to memory of 2360	1212	6641279509087dexeexeexeex.exe	29
PID 1212 wrote to memory of 2360	1212	6641279509087dexeexeexeex.exe	29
PID 1212 wrote to memory of 2360	1212	6641279509087dexeexeexeex.exe	29
PID 1212 wrote to memory of 2360	1212	6641279509087dexeexeexeex.exe	29
PID 2044 wrote to memory of 2924	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 2044 wrote to memory of 2924	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 2044 wrote to memory of 2924	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 2044 wrote to memory of 2924	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 2044 wrote to memory of 2988	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 2044 wrote to memory of 2988	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 2044 wrote to memory of 2988	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 2044 wrote to memory of 2988	2044	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 2924 wrote to memory of 1328	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2924 wrote to memory of 1328	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2924 wrote to memory of 1328	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2924 wrote to memory of 1328	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2924 wrote to memory of 2112	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2924 wrote to memory of 2112	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2924 wrote to memory of 2112	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2924 wrote to memory of 2112	2924	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 1328 wrote to memory of 756	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1328 wrote to memory of 756	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1328 wrote to memory of 756	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1328 wrote to memory of 756	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1328 wrote to memory of 2080	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1328 wrote to memory of 2080	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1328 wrote to memory of 2080	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1328 wrote to memory of 2080	1328	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 756 wrote to memory of 908	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 756 wrote to memory of 908	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 756 wrote to memory of 908	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 756 wrote to memory of 908	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 756 wrote to memory of 656	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 756 wrote to memory of 656	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 756 wrote to memory of 656	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 756 wrote to memory of 656	756	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 908 wrote to memory of 2208	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 908 wrote to memory of 2208	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 908 wrote to memory of 2208	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 908 wrote to memory of 2208	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 908 wrote to memory of 2328	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 908 wrote to memory of 2328	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 908 wrote to memory of 2328	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 908 wrote to memory of 2328	908	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 2208 wrote to memory of 2200	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	41
PID 2208 wrote to memory of 2200	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	41
PID 2208 wrote to memory of 2200	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	41
PID 2208 wrote to memory of 2200	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	41
PID 2208 wrote to memory of 1656	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	40
PID 2208 wrote to memory of 1656	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	40
PID 2208 wrote to memory of 1656	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	40
PID 2208 wrote to memory of 1656	2208	{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe	40
PID 2200 wrote to memory of 1392	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	42
PID 2200 wrote to memory of 1392	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	42
PID 2200 wrote to memory of 1392	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	42
PID 2200 wrote to memory of 1392	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	42
PID 2200 wrote to memory of 2216	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	43
PID 2200 wrote to memory of 2216	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	43
PID 2200 wrote to memory of 2216	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	43
PID 2200 wrote to memory of 2216	2200	{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe	43

C:\Users\Admin\AppData\Local\Temp\6641279509087dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6641279509087dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
  C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
    C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75FB2~1.EXE > nul
      4⤵
      PID:2112
  - - C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
      C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32B22~1.EXE > nul
        5⤵
        
        PID:2080
    - - C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
        
        C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
        
        C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
        
        C:\Windows\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A357C~1.EXE > nul
        8⤵
        
        PID:1656
        
        C:\Windows\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
        
        C:\Windows\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
        
        C:\Windows\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
        
        C:\Windows\{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
        
        C:\Windows\{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe
        
        C:\Windows\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe
        
        C:\Windows\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}.exe
        
        C:\Windows\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}.exe
        14⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86B7B~1.EXE > nul
        14⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{579EA~1.EXE > nul
        13⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BC50~1.EXE > nul
        12⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D61B1~1.EXE > nul
        11⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39BF6~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F845~1.EXE > nul
        9⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D474A~1.EXE > nul
        7⤵
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BEAC~1.EXE > nul
        6⤵
        
        PID:656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A3E1~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\664127~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe

Filesize
372KB

MD5
87aa8480397fd0d220211b28096a53d4

SHA1
44414931d1cd3a81396a9e57929c5895c71f453a

SHA256
d1cea7468a4c6dfbc73e34d8f291292947780750ac32ac7e60b091d2d435d038

SHA512
9e5cfeeca6a90a5193fb4ba8223d9a7b595191399ef5ed1c1397490ec207eed0c0603c9f7c0607dafb3f8ecd8bc1f92439f9f5abce24f48f26c503e18b4e5b4c

Download Submit
C:\Windows\{2F845E43-E78A-4368-88D1-BAAA8E2EE1A8}.exe

Filesize
372KB

MD5
87aa8480397fd0d220211b28096a53d4

SHA1
44414931d1cd3a81396a9e57929c5895c71f453a

SHA256
d1cea7468a4c6dfbc73e34d8f291292947780750ac32ac7e60b091d2d435d038

SHA512
9e5cfeeca6a90a5193fb4ba8223d9a7b595191399ef5ed1c1397490ec207eed0c0603c9f7c0607dafb3f8ecd8bc1f92439f9f5abce24f48f26c503e18b4e5b4c

Download Submit
C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe

Filesize
372KB

MD5
1e919b1d5f7b0812276cc671e6bffd68

SHA1
a24897b7fd809257ff50afbfc0525c77490762be

SHA256
70496f61160ebd96579c82480f885c1a58db830c5d0d3b2a4ebf0c482e66b3aa

SHA512
ff0a35f0bb476c90a5504de51d5dcbb241a8814dc7691b4672ae6af645ebafa63e6514b27f952c9ece472fdf3f682d2eeee0e484e6cb8f6ec7ccb4c3274bfaa4

Download Submit
C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe

Filesize
372KB

MD5
1e919b1d5f7b0812276cc671e6bffd68

SHA1
a24897b7fd809257ff50afbfc0525c77490762be

SHA256
70496f61160ebd96579c82480f885c1a58db830c5d0d3b2a4ebf0c482e66b3aa

SHA512
ff0a35f0bb476c90a5504de51d5dcbb241a8814dc7691b4672ae6af645ebafa63e6514b27f952c9ece472fdf3f682d2eeee0e484e6cb8f6ec7ccb4c3274bfaa4

Download Submit
C:\Windows\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe

Filesize
372KB

MD5
ac4a3df84a60290f80c0fe53f321544c

SHA1
33ae790cc9ed2cf53860e623814718985a45b734

SHA256
224da2d4f2690fdc02b9d97caef4043e5fee4c8135067e0b8d73e88ecf186a4a

SHA512
d670f17e189da0c996aa090ef4d259a59cfa60cb6f13d30d782bf817fa988fcd600c16f346c8b86d73a6df850d0a12997fc09028a39d288f94e01f13c71adad5

Download Submit
C:\Windows\{39BF6D20-2FF2-4123-A1F3-EC446BC63EE6}.exe

Filesize
372KB

MD5
ac4a3df84a60290f80c0fe53f321544c

SHA1
33ae790cc9ed2cf53860e623814718985a45b734

SHA256
224da2d4f2690fdc02b9d97caef4043e5fee4c8135067e0b8d73e88ecf186a4a

SHA512
d670f17e189da0c996aa090ef4d259a59cfa60cb6f13d30d782bf817fa988fcd600c16f346c8b86d73a6df850d0a12997fc09028a39d288f94e01f13c71adad5

Download Submit
C:\Windows\{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe

Filesize
372KB

MD5
4597bf1284a95cce75462d71f6025ca1

SHA1
6cb609551653ab06c8ee50d6d29f34c6e116ce8a

SHA256
5749fc35ec8c24d4daad95edb54c75e5c7d9ee78f5fe98fe926a4b590c20c54b

SHA512
6d21b7455afb62e0ab9bcf8d9ed6885b6847246a248306cd16456e78ab7468e4ea3e909a8a9c73a8081616ee6abcbfafa4836c06ff6a9d8dd42ecaad6e2fc800

Download Submit
C:\Windows\{4BC5098A-1A45-4885-9DEF-FFD746D42559}.exe

Filesize
372KB

MD5
4597bf1284a95cce75462d71f6025ca1

SHA1
6cb609551653ab06c8ee50d6d29f34c6e116ce8a

SHA256
5749fc35ec8c24d4daad95edb54c75e5c7d9ee78f5fe98fe926a4b590c20c54b

SHA512
6d21b7455afb62e0ab9bcf8d9ed6885b6847246a248306cd16456e78ab7468e4ea3e909a8a9c73a8081616ee6abcbfafa4836c06ff6a9d8dd42ecaad6e2fc800

Download Submit
C:\Windows\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe

Filesize
372KB

MD5
1b2381f072f466be9b089a18fedea8d8

SHA1
ac1fb836a9483d83fcb3b7d2936943ae3257707d

SHA256
bc0621762d83cdae9390eed2fac9f50f74bda9a8687855b7871a9909f41f930e

SHA512
f1723d378ec95b25ac6412bb31aef921ddfa3a4da783332fe2a3719cde4c51c1d07278903fd47c61563819f9c50576db75c1fe4f66388b8ebd5e61439f7c6cb5

Download Submit
C:\Windows\{579EA271-8764-4b34-88F6-F2E2AAFFBEF5}.exe

Filesize
372KB

MD5
1b2381f072f466be9b089a18fedea8d8

SHA1
ac1fb836a9483d83fcb3b7d2936943ae3257707d

SHA256
bc0621762d83cdae9390eed2fac9f50f74bda9a8687855b7871a9909f41f930e

SHA512
f1723d378ec95b25ac6412bb31aef921ddfa3a4da783332fe2a3719cde4c51c1d07278903fd47c61563819f9c50576db75c1fe4f66388b8ebd5e61439f7c6cb5

Download Submit
C:\Windows\{616630C8-CC70-4def-BD51-AAE5C2DF2CFD}.exe

Filesize
372KB

MD5
6e3ba80a86661d4bb876fcc1a7c27e2e

SHA1
bf4611778ff6cd84d47e076459c34cde69e3f802

SHA256
ea341ee53ca18441ac840d13d424fed83caddcd9e2dabc37ec20c3a31f61e06a

SHA512
9a49c049e5dc9a4a751630fb3d4c5a6da93a7422b5dc805464c6f72a5ba69e2c03407f4eaeb5353b53ecc49f5272173ba32e6f0dfdafcc93c74a2ac7e6269e49

Download Submit
C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe

Filesize
372KB

MD5
8c215aba3d7b4545e841021ae841c132

SHA1
6a9ab286e0da1aa0258785478d1562652acb407a

SHA256
35325f8061eae0faf44bc5c5532164c3ad47d95f51a8621f05cfffa7af140c04

SHA512
5b42091a032881323af5cb46c5e7d2510b6da59996c320113cf590062ea770cce08e09752ff41d42ebcecd4b15151fd6172dbe6fb89f6153d18c7720ff3e19f4

Download Submit
C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe

Filesize
372KB

MD5
8c215aba3d7b4545e841021ae841c132

SHA1
6a9ab286e0da1aa0258785478d1562652acb407a

SHA256
35325f8061eae0faf44bc5c5532164c3ad47d95f51a8621f05cfffa7af140c04

SHA512
5b42091a032881323af5cb46c5e7d2510b6da59996c320113cf590062ea770cce08e09752ff41d42ebcecd4b15151fd6172dbe6fb89f6153d18c7720ff3e19f4

Download Submit
C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe

Filesize
372KB

MD5
2dc1ee67a4f2d2470967b591040f80bb

SHA1
7a1087912fb4637328f4de6cfc731d14ac4cef82

SHA256
ec1b561f03a0a4c44cbc105b47850713a5b8c1f5551e390d68500e86863051b2

SHA512
ed163201df8567cf15e570cb3021f16e8c31d83daa9f8de5be643638fab470331bc85500b5e4a7ac94112a6d53b063ce62ea140c203ca16bcad61e250dc7bc92

Download Submit
C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe

Filesize
372KB

MD5
2dc1ee67a4f2d2470967b591040f80bb

SHA1
7a1087912fb4637328f4de6cfc731d14ac4cef82

SHA256
ec1b561f03a0a4c44cbc105b47850713a5b8c1f5551e390d68500e86863051b2

SHA512
ed163201df8567cf15e570cb3021f16e8c31d83daa9f8de5be643638fab470331bc85500b5e4a7ac94112a6d53b063ce62ea140c203ca16bcad61e250dc7bc92

Download Submit
C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe

Filesize
372KB

MD5
2dc1ee67a4f2d2470967b591040f80bb

SHA1
7a1087912fb4637328f4de6cfc731d14ac4cef82

SHA256
ec1b561f03a0a4c44cbc105b47850713a5b8c1f5551e390d68500e86863051b2

SHA512
ed163201df8567cf15e570cb3021f16e8c31d83daa9f8de5be643638fab470331bc85500b5e4a7ac94112a6d53b063ce62ea140c203ca16bcad61e250dc7bc92

Download Submit
C:\Windows\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe

Filesize
372KB

MD5
d747e569e2ac030900c7231d72f56d7c

SHA1
49ead665788077110e17f7af88a9f6461ae6396c

SHA256
067f0509178ab09d01274737348b915e28e09b3e2640a36ab77a4a90ce493f0e

SHA512
9b3ebfb6e272ebbbc260912b6db91dbb7a33e1e91cdc0c0327d3e7afc1e514dc201acd85afaa189d89a570f5b6adfe81a714289b21d6520fa5909d1fbd4a01fc

Download Submit
C:\Windows\{86B7B959-8305-4a90-9C58-76E79BF2E8DE}.exe

Filesize
372KB

MD5
d747e569e2ac030900c7231d72f56d7c

SHA1
49ead665788077110e17f7af88a9f6461ae6396c

SHA256
067f0509178ab09d01274737348b915e28e09b3e2640a36ab77a4a90ce493f0e

SHA512
9b3ebfb6e272ebbbc260912b6db91dbb7a33e1e91cdc0c0327d3e7afc1e514dc201acd85afaa189d89a570f5b6adfe81a714289b21d6520fa5909d1fbd4a01fc

Download Submit
C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe

Filesize
372KB

MD5
fbb2442794bc6d67c7101c01f97db999

SHA1
6e7a4a2f697b4318cc36aa15d45f59d06dc35158

SHA256
ecd8ab4141ab27ea4f5aece948addd82eae3f91a68f8508305a407792d9390ae

SHA512
9b7699af9ef35a79aed6101c23e7f74eec5f371d2aba0416759efb3f9ff62680d9ff3c0e54662620577ac9584c31a139c3e55d59200f0bee45ead87d75793891

Download Submit
C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe

Filesize
372KB

MD5
fbb2442794bc6d67c7101c01f97db999

SHA1
6e7a4a2f697b4318cc36aa15d45f59d06dc35158

SHA256
ecd8ab4141ab27ea4f5aece948addd82eae3f91a68f8508305a407792d9390ae

SHA512
9b7699af9ef35a79aed6101c23e7f74eec5f371d2aba0416759efb3f9ff62680d9ff3c0e54662620577ac9584c31a139c3e55d59200f0bee45ead87d75793891

Download Submit
C:\Windows\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe

Filesize
372KB

MD5
2461217b5e8ec4a5e176d4a74683572a

SHA1
333d711fc21a9a0f626e8eea16f6b0ee22d9357b

SHA256
5bd0eb6b5cdf67557dee6859f00e0242eedd4834b91028dd76644015e1104003

SHA512
be20da56e33198edd46abb1ee4249b5bedad85484bc88eba23f4d4a7f9e76f65c01e3d37d8ebe947c9f1c55df9bab207386ab32d9ef4c26c9954b395ad181999

Download Submit
C:\Windows\{A357C3B9-1DC3-42dc-AB2D-9EFE2A671259}.exe

Filesize
372KB

MD5
2461217b5e8ec4a5e176d4a74683572a

SHA1
333d711fc21a9a0f626e8eea16f6b0ee22d9357b

SHA256
5bd0eb6b5cdf67557dee6859f00e0242eedd4834b91028dd76644015e1104003

SHA512
be20da56e33198edd46abb1ee4249b5bedad85484bc88eba23f4d4a7f9e76f65c01e3d37d8ebe947c9f1c55df9bab207386ab32d9ef4c26c9954b395ad181999

Download Submit
C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe

Filesize
372KB

MD5
0cad37ade4907f77cb885d41785da322

SHA1
363dadc6d437f89da9f14bab99b99c35d59bc862

SHA256
c1fcc312d5b2193142f9a7e6a469cbf413c712d221dedc7a102612cf68345724

SHA512
9075a72c39ea073391877fafc4ce43df0477a8744465db456fcd1a592e85a3d93a074f82442bc80631890b536bb47cf73274dadf5b5f3f76c1f6d410871e3e1b

Download Submit
C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe

Filesize
372KB

MD5
0cad37ade4907f77cb885d41785da322

SHA1
363dadc6d437f89da9f14bab99b99c35d59bc862

SHA256
c1fcc312d5b2193142f9a7e6a469cbf413c712d221dedc7a102612cf68345724

SHA512
9075a72c39ea073391877fafc4ce43df0477a8744465db456fcd1a592e85a3d93a074f82442bc80631890b536bb47cf73274dadf5b5f3f76c1f6d410871e3e1b

Download Submit
C:\Windows\{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe

Filesize
372KB

MD5
37b2bef695fe6f6a64e586ba0183018c

SHA1
782ac4c6d68a37863a6a582f46de3899797768d2

SHA256
0c09e41de4a403761cb1faea34b001e48c6a330aef53707fbb5c75cf7d0b5838

SHA512
9aeb8b412a2dc692d98b41b1b7985e3dd3c6ac2b9a620f24dc01c1ea766f87680fedd0fc414bc3d96db8e4f511c9591362014d19e14d26f2801c08a1be5f6ca3

Download Submit
C:\Windows\{D61B144E-E92B-4d1e-B6C9-C32507595568}.exe

Filesize
372KB

MD5
37b2bef695fe6f6a64e586ba0183018c

SHA1
782ac4c6d68a37863a6a582f46de3899797768d2

SHA256
0c09e41de4a403761cb1faea34b001e48c6a330aef53707fbb5c75cf7d0b5838

SHA512
9aeb8b412a2dc692d98b41b1b7985e3dd3c6ac2b9a620f24dc01c1ea766f87680fedd0fc414bc3d96db8e4f511c9591362014d19e14d26f2801c08a1be5f6ca3

Download Submit