582755448ca6b13c05d4c1f4f5d6aebbf7cae05a8f8c2f15ca031b4c8e92ba64

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69fd63ba7a784eexeexeexeex.exe
Size

168KB
MD5

69fd63ba7a784e689fde4b61fb311484
SHA1

25b9b48fdd9fb774ad61a6946a4fe5a2b5cd4e25
SHA256

582755448ca6b13c05d4c1f4f5d6aebbf7cae05a8f8c2f15ca031b4c8e92ba64
SHA512

693dbc886d39bbcf3cbdcb169269a0de8e7504d0dbd017740a9e812cb741ccd52e9e9cf0d7bc656b21c0595dc5285f6cb5dffaa263dbcf462bcd25cfb836b2c2
SSDEEP

1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}\stubpath = "C:\\Windows\\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe"	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9074F7-3113-4a8d-AED0-C784FA54F160}\stubpath = "C:\\Windows\\{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe"	{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}\stubpath = "C:\\Windows\\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe"	{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}	{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3293315B-518D-42ac-B38C-C17DD2A0A78D}	69fd63ba7a784eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E86B2FD-0360-4c5f-879B-7B281C571389}	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B73091-F26C-493d-87C6-CA04DF124ABB}	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9BC26FB-475F-47e7-A0FA-48E08D854833}\stubpath = "C:\\Windows\\{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe"	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}	{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}\stubpath = "C:\\Windows\\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe"	{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}\stubpath = "C:\\Windows\\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}.exe"	{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9BC26FB-475F-47e7-A0FA-48E08D854833}	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA136EBD-8E62-438b-9EB3-D6455A616446}	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA136EBD-8E62-438b-9EB3-D6455A616446}\stubpath = "C:\\Windows\\{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe"	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}	{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3293315B-518D-42ac-B38C-C17DD2A0A78D}\stubpath = "C:\\Windows\\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe"	69fd63ba7a784eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9272579-71E8-4c32-9F45-CBA428C07ADC}	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}\stubpath = "C:\\Windows\\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe"	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9074F7-3113-4a8d-AED0-C784FA54F160}	{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}	{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}\stubpath = "C:\\Windows\\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe"	{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E86B2FD-0360-4c5f-879B-7B281C571389}\stubpath = "C:\\Windows\\{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe"	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9272579-71E8-4c32-9F45-CBA428C07ADC}\stubpath = "C:\\Windows\\{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe"	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B73091-F26C-493d-87C6-CA04DF124ABB}\stubpath = "C:\\Windows\\{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe"	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe
1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
1676	{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
2844	{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
2668	{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
2932	{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe
2876	{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe
2560	{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	69fd63ba7a784eexeexeexeex.exe
File created	C:\Windows\{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
File created	C:\Windows\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe
File created	C:\Windows\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
File created	C:\Windows\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe	{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
File created	C:\Windows\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}.exe	{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe
File created	C:\Windows\{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
File created	C:\Windows\{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
File created	C:\Windows\{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
File created	C:\Windows\{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
File created	C:\Windows\{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe	{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
File created	C:\Windows\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe	{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
File created	C:\Windows\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe	{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	69fd63ba7a784eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
Token: SeIncBasePriorityPrivilege	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
Token: SeIncBasePriorityPrivilege	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
Token: SeIncBasePriorityPrivilege	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
Token: SeIncBasePriorityPrivilege	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
Token: SeIncBasePriorityPrivilege	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe
Token: SeIncBasePriorityPrivilege	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
Token: SeIncBasePriorityPrivilege	1676	{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
Token: SeIncBasePriorityPrivilege	2844	{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
Token: SeIncBasePriorityPrivilege	2668	{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
Token: SeIncBasePriorityPrivilege	2932	{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe
Token: SeIncBasePriorityPrivilege	2876	{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2364	2368	69fd63ba7a784eexeexeexeex.exe	28
PID 2368 wrote to memory of 2364	2368	69fd63ba7a784eexeexeexeex.exe	28
PID 2368 wrote to memory of 2364	2368	69fd63ba7a784eexeexeexeex.exe	28
PID 2368 wrote to memory of 2364	2368	69fd63ba7a784eexeexeexeex.exe	28
PID 2368 wrote to memory of 2384	2368	69fd63ba7a784eexeexeexeex.exe	29
PID 2368 wrote to memory of 2384	2368	69fd63ba7a784eexeexeexeex.exe	29
PID 2368 wrote to memory of 2384	2368	69fd63ba7a784eexeexeexeex.exe	29
PID 2368 wrote to memory of 2384	2368	69fd63ba7a784eexeexeexeex.exe	29
PID 2364 wrote to memory of 268	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	30
PID 2364 wrote to memory of 268	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	30
PID 2364 wrote to memory of 268	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	30
PID 2364 wrote to memory of 268	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	30
PID 2364 wrote to memory of 2972	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	31
PID 2364 wrote to memory of 2972	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	31
PID 2364 wrote to memory of 2972	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	31
PID 2364 wrote to memory of 2972	2364	{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe	31
PID 268 wrote to memory of 3020	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	32
PID 268 wrote to memory of 3020	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	32
PID 268 wrote to memory of 3020	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	32
PID 268 wrote to memory of 3020	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	32
PID 268 wrote to memory of 572	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	33
PID 268 wrote to memory of 572	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	33
PID 268 wrote to memory of 572	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	33
PID 268 wrote to memory of 572	268	{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe	33
PID 3020 wrote to memory of 2940	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	34
PID 3020 wrote to memory of 2940	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	34
PID 3020 wrote to memory of 2940	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	34
PID 3020 wrote to memory of 2940	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	34
PID 3020 wrote to memory of 520	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	35
PID 3020 wrote to memory of 520	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	35
PID 3020 wrote to memory of 520	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	35
PID 3020 wrote to memory of 520	3020	{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe	35
PID 2940 wrote to memory of 2160	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	36
PID 2940 wrote to memory of 2160	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	36
PID 2940 wrote to memory of 2160	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	36
PID 2940 wrote to memory of 2160	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	36
PID 2940 wrote to memory of 1276	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	37
PID 2940 wrote to memory of 1276	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	37
PID 2940 wrote to memory of 1276	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	37
PID 2940 wrote to memory of 1276	2940	{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe	37
PID 2160 wrote to memory of 284	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	38
PID 2160 wrote to memory of 284	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	38
PID 2160 wrote to memory of 284	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	38
PID 2160 wrote to memory of 284	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	38
PID 2160 wrote to memory of 2280	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	39
PID 2160 wrote to memory of 2280	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	39
PID 2160 wrote to memory of 2280	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	39
PID 2160 wrote to memory of 2280	2160	{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe	39
PID 284 wrote to memory of 1544	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	40
PID 284 wrote to memory of 1544	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	40
PID 284 wrote to memory of 1544	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	40
PID 284 wrote to memory of 1544	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	40
PID 284 wrote to memory of 2116	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	41
PID 284 wrote to memory of 2116	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	41
PID 284 wrote to memory of 2116	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	41
PID 284 wrote to memory of 2116	284	{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe	41
PID 1544 wrote to memory of 1676	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	42
PID 1544 wrote to memory of 1676	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	42
PID 1544 wrote to memory of 1676	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	42
PID 1544 wrote to memory of 1676	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	42
PID 1544 wrote to memory of 2912	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	43
PID 1544 wrote to memory of 2912	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	43
PID 1544 wrote to memory of 2912	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	43
PID 1544 wrote to memory of 2912	1544	{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe	43

C:\Users\Admin\AppData\Local\Temp\69fd63ba7a784eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\69fd63ba7a784eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
  C:\Windows\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
    C:\Windows\{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
      C:\Windows\{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
        
        C:\Windows\{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
        
        C:\Windows\{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe
        
        C:\Windows\{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
        
        C:\Windows\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
        
        C:\Windows\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
        
        C:\Windows\{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
        
        C:\Windows\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe
        
        C:\Windows\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe
        
        C:\Windows\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}.exe
        
        C:\Windows\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}.exe
        14⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCAE1~1.EXE > nul
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5823C~1.EXE > nul
        13⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC283~1.EXE > nul
        12⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA907~1.EXE > nul
        11⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62CD3~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{698DD~1.EXE > nul
        9⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA136~1.EXE > nul
        8⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9BC2~1.EXE > nul
        7⤵
        
        PID:2280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55B73~1.EXE > nul
        6⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9272~1.EXE > nul
        5⤵
        
        PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E86B~1.EXE > nul
      4⤵
      PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32933~1.EXE > nul
    3⤵
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\69FD63~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe

Filesize
168KB

MD5
8245cfcbd98fa5095b7fd4a9b566fd57

SHA1
9fef36b9c4237f068c8e5afc17d90dc186329c64

SHA256
43ae457585d699e72cf39d9a5c61c560c005b6dcb81d7011f1c2139ee7453d51

SHA512
1b744f36f1430c6f5908bcece081ef3ffaa8824fc354d06a98d79380dc6f89e6abe7a374d84de2cb15fa617e9a30e8159dc91ce0e7b944621aab539bf3491ad9

Download Submit
C:\Windows\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe

Filesize
168KB

MD5
8245cfcbd98fa5095b7fd4a9b566fd57

SHA1
9fef36b9c4237f068c8e5afc17d90dc186329c64

SHA256
43ae457585d699e72cf39d9a5c61c560c005b6dcb81d7011f1c2139ee7453d51

SHA512
1b744f36f1430c6f5908bcece081ef3ffaa8824fc354d06a98d79380dc6f89e6abe7a374d84de2cb15fa617e9a30e8159dc91ce0e7b944621aab539bf3491ad9

Download Submit
C:\Windows\{3293315B-518D-42ac-B38C-C17DD2A0A78D}.exe

Filesize
168KB

MD5
8245cfcbd98fa5095b7fd4a9b566fd57

SHA1
9fef36b9c4237f068c8e5afc17d90dc186329c64

SHA256
43ae457585d699e72cf39d9a5c61c560c005b6dcb81d7011f1c2139ee7453d51

SHA512
1b744f36f1430c6f5908bcece081ef3ffaa8824fc354d06a98d79380dc6f89e6abe7a374d84de2cb15fa617e9a30e8159dc91ce0e7b944621aab539bf3491ad9

Download Submit
C:\Windows\{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe

Filesize
168KB

MD5
a8df18ee551cff21732bbadcc8cc04ae

SHA1
4e45e4eae8e9a5a80db0196b768a363e8a1ec65c

SHA256
1a3bfaef24699ce26a937370575d114ccec85f7f52b368828b2725c600f1fdbf

SHA512
b3ddfb20ca34df895c25e36d7ecd54bb7e27dd0cc50f8de15cae5a8b026a21588ed786347ab3591596321cbc58938ad491d01cfb4f4797342b6067cad1823487

Download Submit
C:\Windows\{55B73091-F26C-493d-87C6-CA04DF124ABB}.exe

Filesize
168KB

MD5
a8df18ee551cff21732bbadcc8cc04ae

SHA1
4e45e4eae8e9a5a80db0196b768a363e8a1ec65c

SHA256
1a3bfaef24699ce26a937370575d114ccec85f7f52b368828b2725c600f1fdbf

SHA512
b3ddfb20ca34df895c25e36d7ecd54bb7e27dd0cc50f8de15cae5a8b026a21588ed786347ab3591596321cbc58938ad491d01cfb4f4797342b6067cad1823487

Download Submit
C:\Windows\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe

Filesize
168KB

MD5
b4c977a8d8fba31b7110531d090b5b4b

SHA1
7a74fe23469f40f9323fcd6996e6b49c88a26206

SHA256
9aa0fd30483b004b92933e0a060044b777f0b60a839cc5b4eba6c2cd35bdc358

SHA512
51ec0fef375b1b50b3ea89a264832d0345e1b042aa07e0725403d7046319bf89736ce1c8fe44a7d2035e69b79eb341bb6a605e10aa1a22b5cabeb7b4e17f80bc

Download Submit
C:\Windows\{5823C6AF-16B7-402e-BBDF-77B36A1302CD}.exe

Filesize
168KB

MD5
b4c977a8d8fba31b7110531d090b5b4b

SHA1
7a74fe23469f40f9323fcd6996e6b49c88a26206

SHA256
9aa0fd30483b004b92933e0a060044b777f0b60a839cc5b4eba6c2cd35bdc358

SHA512
51ec0fef375b1b50b3ea89a264832d0345e1b042aa07e0725403d7046319bf89736ce1c8fe44a7d2035e69b79eb341bb6a605e10aa1a22b5cabeb7b4e17f80bc

Download Submit
C:\Windows\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe

Filesize
168KB

MD5
39a6814e3db7838135dbf3c8683445db

SHA1
49c0eddc7b19761a26ffb6e05c7d18945832c82c

SHA256
0a3cdcdf3fea17c09810365b4d312c589ca84b052d1e378d662249f92745c2c0

SHA512
b4e3dcff533d2e64439c4bd44b2fc1b8f0f0cb343bab3796792341a8da41790fd481ae68ff2f9c0b32bf37d1da08cca01a9e028bb6abfa79409f441d6d60510a

Download Submit
C:\Windows\{62CD3828-FDBB-4ba2-BDB8-9B01AB4E9302}.exe

Filesize
168KB

MD5
39a6814e3db7838135dbf3c8683445db

SHA1
49c0eddc7b19761a26ffb6e05c7d18945832c82c

SHA256
0a3cdcdf3fea17c09810365b4d312c589ca84b052d1e378d662249f92745c2c0

SHA512
b4e3dcff533d2e64439c4bd44b2fc1b8f0f0cb343bab3796792341a8da41790fd481ae68ff2f9c0b32bf37d1da08cca01a9e028bb6abfa79409f441d6d60510a

Download Submit
C:\Windows\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe

Filesize
168KB

MD5
1309e23485ca2469d06c9e7bfa587fca

SHA1
ae0afc0badcaae3ac9b62a57b99244d214639e3a

SHA256
2e3544faa94fda8c58480132d48b80e995f0384dc5833893bff31f6d1e66c644

SHA512
385862dbcdaee4c53008786e851a6afc668c37499cc8191871433503bf63b0e09d43b3157d53c2416fbb736633641d223f343b99b4799fd644982caf61fb48e8

Download Submit
C:\Windows\{698DD509-A70F-43f4-8C5C-8AD08F2BAAB4}.exe

Filesize
168KB

MD5
1309e23485ca2469d06c9e7bfa587fca

SHA1
ae0afc0badcaae3ac9b62a57b99244d214639e3a

SHA256
2e3544faa94fda8c58480132d48b80e995f0384dc5833893bff31f6d1e66c644

SHA512
385862dbcdaee4c53008786e851a6afc668c37499cc8191871433503bf63b0e09d43b3157d53c2416fbb736633641d223f343b99b4799fd644982caf61fb48e8

Download Submit
C:\Windows\{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe

Filesize
168KB

MD5
95f9c2046fef5d20427cf5656f52d0f7

SHA1
8641f6514411d94cb91a676112d82dbe3a6932ec

SHA256
aee94640da6f847d1763edc19c079bfc0c5c06a65beb917ac81f5da7de1383af

SHA512
c61649bf78114c41f1136653e7dd37e2880bb27b6ca88a3cd77b4101b004d61d5f8e3be726452c0405a4ccd31e5adde1bb846b375d88834bc0279d0128e5c726

Download Submit
C:\Windows\{7E86B2FD-0360-4c5f-879B-7B281C571389}.exe

Filesize
168KB

MD5
95f9c2046fef5d20427cf5656f52d0f7

SHA1
8641f6514411d94cb91a676112d82dbe3a6932ec

SHA256
aee94640da6f847d1763edc19c079bfc0c5c06a65beb917ac81f5da7de1383af

SHA512
c61649bf78114c41f1136653e7dd37e2880bb27b6ca88a3cd77b4101b004d61d5f8e3be726452c0405a4ccd31e5adde1bb846b375d88834bc0279d0128e5c726

Download Submit
C:\Windows\{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe

Filesize
168KB

MD5
44ce63f38e06ec108afa4bffad066453

SHA1
3b0ef8750db15026768fb726742f4f1b6a7ee874

SHA256
6bc6e3f4fbf09224fec87459546f9ad15b5555fe1a9c402d7ad1a625d838805a

SHA512
81aa84f6c1ca946255b54ce1214746e196f03c0fc24dc81bddf2103759d7d1ea298f99aea4b5756fb47cfb0e17615c048c63d85b660798e00bedc9337af8701a

Download Submit
C:\Windows\{AA136EBD-8E62-438b-9EB3-D6455A616446}.exe

Filesize
168KB

MD5
44ce63f38e06ec108afa4bffad066453

SHA1
3b0ef8750db15026768fb726742f4f1b6a7ee874

SHA256
6bc6e3f4fbf09224fec87459546f9ad15b5555fe1a9c402d7ad1a625d838805a

SHA512
81aa84f6c1ca946255b54ce1214746e196f03c0fc24dc81bddf2103759d7d1ea298f99aea4b5756fb47cfb0e17615c048c63d85b660798e00bedc9337af8701a

Download Submit
C:\Windows\{BAF3BC02-FB9A-4421-90B2-885BF12B2C73}.exe

Filesize
168KB

MD5
d289a40462aa8929d4c2e78a5573b364

SHA1
46cd2c556b3c02c0de24a1fa6ca5e0b94a7fbcc1

SHA256
7962023d81c3a8b60d2a9a41983ef6023d17656a78da327a88c04f83dfb19b7e

SHA512
c6f780e0beb7064f30b02fdce501920e598f214e6033b22fdf9ffa06572bfda60e8d5d3f6bcceb8fa18a2d3e62489feb1bad52f287b0dd4a09512a52fc63301d

Download Submit
C:\Windows\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe

Filesize
168KB

MD5
e5cf42bf4206656d570addb1f6db7a2e

SHA1
39ebd5d313f457810809acba491554e67547a556

SHA256
0ba949b96788951fc52c1550215518dca486f3618551cae286f6985e465f15a9

SHA512
019bb5686d52984420d489cf8ab9cfdf005b113b8be6295396052060800d7ca79aa25cf8311f17d20596ce03847f4adc9cca591bbb99874f633e1eeac951d27c

Download Submit
C:\Windows\{BCAE18A9-CA35-40ab-9CB9-EA75EA92203F}.exe

Filesize
168KB

MD5
e5cf42bf4206656d570addb1f6db7a2e

SHA1
39ebd5d313f457810809acba491554e67547a556

SHA256
0ba949b96788951fc52c1550215518dca486f3618551cae286f6985e465f15a9

SHA512
019bb5686d52984420d489cf8ab9cfdf005b113b8be6295396052060800d7ca79aa25cf8311f17d20596ce03847f4adc9cca591bbb99874f633e1eeac951d27c

Download Submit
C:\Windows\{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe

Filesize
168KB

MD5
f861be43c29c66c3c170cee46665bf9c

SHA1
79e4465e8b7c777e31d7284d009fc8622d2e3e74

SHA256
4522270f90cfde4ef1c814d8ea9b22782d9ff200d87c59eaa7389e928e1884fd

SHA512
06aa4b53ebdc01440d86bbafc06e455ac5c174d787fee3f1b223d58b7a45cdaafe6b5787effb4b0fcc868475cd4c3959ffb4ab290be0421a2d757eee6ff1e94d

Download Submit
C:\Windows\{D9272579-71E8-4c32-9F45-CBA428C07ADC}.exe

Filesize
168KB

MD5
f861be43c29c66c3c170cee46665bf9c

SHA1
79e4465e8b7c777e31d7284d009fc8622d2e3e74

SHA256
4522270f90cfde4ef1c814d8ea9b22782d9ff200d87c59eaa7389e928e1884fd

SHA512
06aa4b53ebdc01440d86bbafc06e455ac5c174d787fee3f1b223d58b7a45cdaafe6b5787effb4b0fcc868475cd4c3959ffb4ab290be0421a2d757eee6ff1e94d

Download Submit
C:\Windows\{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe

Filesize
168KB

MD5
3f0d4c382e928a30c92ae0a7b1ffc81e

SHA1
d728fc1db96b5c1e3ace5b12f1865a02521a8134

SHA256
a1511e44bd2237b2c454fb2cf1187e54ea0f5f181c5fb7b8cc54a15d251085a4

SHA512
1d681ad4cae85028b434d9e1f76158a8ab87a84adba3ba597c268d7061963ad8efcfa5e0057bae8b47943d57e9b57cd7b86eaadc2d48200e64162ead56840465

Download Submit
C:\Windows\{DA9074F7-3113-4a8d-AED0-C784FA54F160}.exe

Filesize
168KB

MD5
3f0d4c382e928a30c92ae0a7b1ffc81e

SHA1
d728fc1db96b5c1e3ace5b12f1865a02521a8134

SHA256
a1511e44bd2237b2c454fb2cf1187e54ea0f5f181c5fb7b8cc54a15d251085a4

SHA512
1d681ad4cae85028b434d9e1f76158a8ab87a84adba3ba597c268d7061963ad8efcfa5e0057bae8b47943d57e9b57cd7b86eaadc2d48200e64162ead56840465

Download Submit
C:\Windows\{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe

Filesize
168KB

MD5
a2097896d3174cf6b5e9acab8e09a02c

SHA1
86b3bd2503d4e39995f69fd050ec3a9a815d5644

SHA256
1a8245584445c6daac9f78df52c5cdb6bd7a6ffba97c2acd70a7c47e72dee9d1

SHA512
0063c6fbba2c16abacd31f78bcbee919fcdba9d1c8bfeb683d0303149103e47e22da288b7f204785151f24db174c719d31de46ac42ed9d9e5f16bb18fe1ce15f

Download Submit
C:\Windows\{E9BC26FB-475F-47e7-A0FA-48E08D854833}.exe

Filesize
168KB

MD5
a2097896d3174cf6b5e9acab8e09a02c

SHA1
86b3bd2503d4e39995f69fd050ec3a9a815d5644

SHA256
1a8245584445c6daac9f78df52c5cdb6bd7a6ffba97c2acd70a7c47e72dee9d1

SHA512
0063c6fbba2c16abacd31f78bcbee919fcdba9d1c8bfeb683d0303149103e47e22da288b7f204785151f24db174c719d31de46ac42ed9d9e5f16bb18fe1ce15f

Download Submit
C:\Windows\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe

Filesize
168KB

MD5
656139d0f5d46bd69fba4d4cafffbe05

SHA1
aaee986794304669aa401e2cc571cd03e8a922da

SHA256
08c41adc2f414b7cd2ebe10260f5ad5bd74e454dbbc26428a17ccb73ce942834

SHA512
9fcd3babdef198bead2f35d3071073b0761985400206bdacd80eb1a7b8819cba6d5e4236b70ae33216b5e15ddaf1dcb5cb9a974392cea2af06910ca483c5f846

Download Submit
C:\Windows\{FC28320C-EEEF-4862-A730-F6CFBEDBE09E}.exe

Filesize
168KB

MD5
656139d0f5d46bd69fba4d4cafffbe05

SHA1
aaee986794304669aa401e2cc571cd03e8a922da

SHA256
08c41adc2f414b7cd2ebe10260f5ad5bd74e454dbbc26428a17ccb73ce942834

SHA512
9fcd3babdef198bead2f35d3071073b0761985400206bdacd80eb1a7b8819cba6d5e4236b70ae33216b5e15ddaf1dcb5cb9a974392cea2af06910ca483c5f846

Download Submit