174076edf4bdd126e2a8903466aecdacdfbfd2d66f24c718b20ff110cf2cb4b8

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a0b5ada268f1bexeexeexeex.exe
Size

216KB
MD5

6a0b5ada268f1baf18040233896bfcce
SHA1

0f624d8cc420fc58aa8715fb9632199383c4ea5f
SHA256

174076edf4bdd126e2a8903466aecdacdfbfd2d66f24c718b20ff110cf2cb4b8
SHA512

d6791fa36692e71754c45d88b6df0392145a00fb2e0a6417f206dc0554f77eec784760d89cfa96a5b86351ad14ed4ba0a152ea2168a0bb63a1da12490330dda4
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGJlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9D38DD8-576C-4887-BCAB-BA583727B021}\stubpath = "C:\\Windows\\{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe"	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B853BE8-A347-4716-A293-AA38BB69DFE7}\stubpath = "C:\\Windows\\{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe"	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{142B4A22-9188-4bb6-BC60-64BD929011E5}	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60FAFF44-C682-430f-8B41-2253C4A30EEE}\stubpath = "C:\\Windows\\{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe"	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DCFB7E8-243C-4157-B377-ED4C051B367B}	{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DCFB7E8-243C-4157-B377-ED4C051B367B}\stubpath = "C:\\Windows\\{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe"	{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{538A3564-6204-4624-B75E-5FB3B35051AF}\stubpath = "C:\\Windows\\{538A3564-6204-4624-B75E-5FB3B35051AF}.exe"	{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}	6a0b5ada268f1bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9D38DD8-576C-4887-BCAB-BA583727B021}	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49E425A6-16AF-4348-A57A-E85AB914054D}	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60FAFF44-C682-430f-8B41-2253C4A30EEE}	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{538A3564-6204-4624-B75E-5FB3B35051AF}	{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10311FC2-CAAE-4f43-A786-30626424ED01}\stubpath = "C:\\Windows\\{10311FC2-CAAE-4f43-A786-30626424ED01}.exe"	{538A3564-6204-4624-B75E-5FB3B35051AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}\stubpath = "C:\\Windows\\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe"	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10311FC2-CAAE-4f43-A786-30626424ED01}	{538A3564-6204-4624-B75E-5FB3B35051AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}\stubpath = "C:\\Windows\\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe"	6a0b5ada268f1bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}\stubpath = "C:\\Windows\\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe"	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B853BE8-A347-4716-A293-AA38BB69DFE7}	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49E425A6-16AF-4348-A57A-E85AB914054D}\stubpath = "C:\\Windows\\{49E425A6-16AF-4348-A57A-E85AB914054D}.exe"	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{142B4A22-9188-4bb6-BC60-64BD929011E5}\stubpath = "C:\\Windows\\{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe"	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}	{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}\stubpath = "C:\\Windows\\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe"	{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D32D2093-FC08-4398-A4D7-E1ABDF937898}	{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D32D2093-FC08-4398-A4D7-E1ABDF937898}\stubpath = "C:\\Windows\\{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe"	{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe

Deletes itself 1 IoCs

pid	Process
2216	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
808	{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
2572	{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe
2692	{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
2916	{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
2596	{538A3564-6204-4624-B75E-5FB3B35051AF}.exe
3024	{10311FC2-CAAE-4f43-A786-30626424ED01}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	6a0b5ada268f1bexeexeexeex.exe
File created	C:\Windows\{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
File created	C:\Windows\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
File created	C:\Windows\{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
File created	C:\Windows\{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
File created	C:\Windows\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
File created	C:\Windows\{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe	{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
File created	C:\Windows\{538A3564-6204-4624-B75E-5FB3B35051AF}.exe	{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
File created	C:\Windows\{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
File created	C:\Windows\{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
File created	C:\Windows\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe	{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
File created	C:\Windows\{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe	{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe
File created	C:\Windows\{10311FC2-CAAE-4f43-A786-30626424ED01}.exe	{538A3564-6204-4624-B75E-5FB3B35051AF}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1656	6a0b5ada268f1bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
Token: SeIncBasePriorityPrivilege	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
Token: SeIncBasePriorityPrivilege	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
Token: SeIncBasePriorityPrivilege	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
Token: SeIncBasePriorityPrivilege	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
Token: SeIncBasePriorityPrivilege	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
Token: SeIncBasePriorityPrivilege	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
Token: SeIncBasePriorityPrivilege	808	{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
Token: SeIncBasePriorityPrivilege	2572	{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe
Token: SeIncBasePriorityPrivilege	2692	{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
Token: SeIncBasePriorityPrivilege	2916	{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
Token: SeIncBasePriorityPrivilege	2596	{538A3564-6204-4624-B75E-5FB3B35051AF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1360	1656	6a0b5ada268f1bexeexeexeex.exe	29
PID 1656 wrote to memory of 1360	1656	6a0b5ada268f1bexeexeexeex.exe	29
PID 1656 wrote to memory of 1360	1656	6a0b5ada268f1bexeexeexeex.exe	29
PID 1656 wrote to memory of 1360	1656	6a0b5ada268f1bexeexeexeex.exe	29
PID 1656 wrote to memory of 2216	1656	6a0b5ada268f1bexeexeexeex.exe	30
PID 1656 wrote to memory of 2216	1656	6a0b5ada268f1bexeexeexeex.exe	30
PID 1656 wrote to memory of 2216	1656	6a0b5ada268f1bexeexeexeex.exe	30
PID 1656 wrote to memory of 2216	1656	6a0b5ada268f1bexeexeexeex.exe	30
PID 1360 wrote to memory of 2356	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	31
PID 1360 wrote to memory of 2356	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	31
PID 1360 wrote to memory of 2356	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	31
PID 1360 wrote to memory of 2356	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	31
PID 1360 wrote to memory of 1212	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	32
PID 1360 wrote to memory of 1212	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	32
PID 1360 wrote to memory of 1212	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	32
PID 1360 wrote to memory of 1212	1360	{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe	32
PID 2356 wrote to memory of 2976	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	33
PID 2356 wrote to memory of 2976	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	33
PID 2356 wrote to memory of 2976	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	33
PID 2356 wrote to memory of 2976	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	33
PID 2356 wrote to memory of 3048	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	34
PID 2356 wrote to memory of 3048	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	34
PID 2356 wrote to memory of 3048	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	34
PID 2356 wrote to memory of 3048	2356	{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe	34
PID 2976 wrote to memory of 1284	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	35
PID 2976 wrote to memory of 1284	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	35
PID 2976 wrote to memory of 1284	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	35
PID 2976 wrote to memory of 1284	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	35
PID 2976 wrote to memory of 2072	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	36
PID 2976 wrote to memory of 2072	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	36
PID 2976 wrote to memory of 2072	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	36
PID 2976 wrote to memory of 2072	2976	{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe	36
PID 1284 wrote to memory of 2412	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	37
PID 1284 wrote to memory of 2412	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	37
PID 1284 wrote to memory of 2412	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	37
PID 1284 wrote to memory of 2412	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	37
PID 1284 wrote to memory of 1720	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	38
PID 1284 wrote to memory of 1720	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	38
PID 1284 wrote to memory of 1720	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	38
PID 1284 wrote to memory of 1720	1284	{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe	38
PID 2412 wrote to memory of 2164	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	39
PID 2412 wrote to memory of 2164	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	39
PID 2412 wrote to memory of 2164	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	39
PID 2412 wrote to memory of 2164	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	39
PID 2412 wrote to memory of 2128	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	40
PID 2412 wrote to memory of 2128	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	40
PID 2412 wrote to memory of 2128	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	40
PID 2412 wrote to memory of 2128	2412	{49E425A6-16AF-4348-A57A-E85AB914054D}.exe	40
PID 2164 wrote to memory of 1256	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	41
PID 2164 wrote to memory of 1256	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	41
PID 2164 wrote to memory of 1256	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	41
PID 2164 wrote to memory of 1256	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	41
PID 2164 wrote to memory of 2276	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	42
PID 2164 wrote to memory of 2276	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	42
PID 2164 wrote to memory of 2276	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	42
PID 2164 wrote to memory of 2276	2164	{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe	42
PID 1256 wrote to memory of 808	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	43
PID 1256 wrote to memory of 808	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	43
PID 1256 wrote to memory of 808	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	43
PID 1256 wrote to memory of 808	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	43
PID 1256 wrote to memory of 516	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	44
PID 1256 wrote to memory of 516	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	44
PID 1256 wrote to memory of 516	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	44
PID 1256 wrote to memory of 516	1256	{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe	44

C:\Users\Admin\AppData\Local\Temp\6a0b5ada268f1bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6a0b5ada268f1bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
  C:\Windows\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
    C:\Windows\{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
      C:\Windows\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
        
        C:\Windows\{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
        
        C:\Windows\{49E425A6-16AF-4348-A57A-E85AB914054D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
        
        C:\Windows\{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
        
        C:\Windows\{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
        
        C:\Windows\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe
        
        C:\Windows\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
        
        C:\Windows\{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
        
        C:\Windows\{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{538A3564-6204-4624-B75E-5FB3B35051AF}.exe
        
        C:\Windows\{538A3564-6204-4624-B75E-5FB3B35051AF}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{10311FC2-CAAE-4f43-A786-30626424ED01}.exe
        
        C:\Windows\{10311FC2-CAAE-4f43-A786-30626424ED01}.exe
        14⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{538A3~1.EXE > nul
        14⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DCFB~1.EXE > nul
        13⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D32D2~1.EXE > nul
        12⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A80E1~1.EXE > nul
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7E2C~1.EXE > nul
        10⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FAF~1.EXE > nul
        9⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{142B4~1.EXE > nul
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E42~1.EXE > nul
        7⤵
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B853~1.EXE > nul
        6⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5837~1.EXE > nul
        5⤵
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D38~1.EXE > nul
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ECDCC~1.EXE > nul
    3⤵
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A0B5A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10311FC2-CAAE-4f43-A786-30626424ED01}.exe

Filesize
216KB

MD5
44a46fdf9cf4ba875000721fddf2c3c0

SHA1
bf2996ebd6231ecdff9ea46e384a3c4a4b18b81e

SHA256
f7e0f57469030107e79855879e45fb0e882db3c7474067237e229903136dc5a5

SHA512
4e0ea4e3c475d4ed797b4efe1e144477d6c3a54a34e43d3116ef04f7aaf080c627752d185a5f4f15cd0582075de80bedf832a3f22acc456146a88402aa8483d2

Download Submit
C:\Windows\{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe

Filesize
216KB

MD5
17f499e777970c52fa9baf156a8d5b6e

SHA1
577ac4f3de9606b036b19be37e3031db9e0b8f30

SHA256
14c9c3031a6b51399badfde8aac10c829c6daa37595711e1f1d870d8e8726f2b

SHA512
1090912ba62d75f194d7a2f491316a10848777ad75e6576084f15848bfc49b702d1adb2172bf39affdb3388c520612d142a308b5e7f304dc68b078769a99e12d

Download Submit
C:\Windows\{142B4A22-9188-4bb6-BC60-64BD929011E5}.exe

Filesize
216KB

MD5
17f499e777970c52fa9baf156a8d5b6e

SHA1
577ac4f3de9606b036b19be37e3031db9e0b8f30

SHA256
14c9c3031a6b51399badfde8aac10c829c6daa37595711e1f1d870d8e8726f2b

SHA512
1090912ba62d75f194d7a2f491316a10848777ad75e6576084f15848bfc49b702d1adb2172bf39affdb3388c520612d142a308b5e7f304dc68b078769a99e12d

Download Submit
C:\Windows\{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe

Filesize
216KB

MD5
951c08fb4dc6205aa06dd443632ccec6

SHA1
a7a3f19e96666536f2a60b361ab1f111e3895b35

SHA256
195215ae50ffa0861ae9182e79f848948951373d4cf09c302b3f34aa506ab1a4

SHA512
a855047302f7ad4dc944ae8e6f77daa2cf54f9e3cf16c7757f341726cb433a71d4a392e0c0e4ba1492884d52e39d6fa07ff82781e2e3c13c216afd2e9ddeb739

Download Submit
C:\Windows\{2B853BE8-A347-4716-A293-AA38BB69DFE7}.exe

Filesize
216KB

MD5
951c08fb4dc6205aa06dd443632ccec6

SHA1
a7a3f19e96666536f2a60b361ab1f111e3895b35

SHA256
195215ae50ffa0861ae9182e79f848948951373d4cf09c302b3f34aa506ab1a4

SHA512
a855047302f7ad4dc944ae8e6f77daa2cf54f9e3cf16c7757f341726cb433a71d4a392e0c0e4ba1492884d52e39d6fa07ff82781e2e3c13c216afd2e9ddeb739

Download Submit
C:\Windows\{49E425A6-16AF-4348-A57A-E85AB914054D}.exe

Filesize
216KB

MD5
4af85237ad3ad2b02fd4bb7ff5e367a5

SHA1
2195446547d19bd332946a4f66472becc55fc694

SHA256
83e038985927c985f2e75afbaacf1e6ed4d68d9d6039178433a0825f795c500d

SHA512
8db19eac1fcfb920cfb1d21fa17ef4a3ddab42b5da5a0222aadb56e45b19f81d85bef9d7b264f48172d178da7e4487ce8dd8ee48649e9cc7891120258cec422c

Download Submit
C:\Windows\{49E425A6-16AF-4348-A57A-E85AB914054D}.exe

Filesize
216KB

MD5
4af85237ad3ad2b02fd4bb7ff5e367a5

SHA1
2195446547d19bd332946a4f66472becc55fc694

SHA256
83e038985927c985f2e75afbaacf1e6ed4d68d9d6039178433a0825f795c500d

SHA512
8db19eac1fcfb920cfb1d21fa17ef4a3ddab42b5da5a0222aadb56e45b19f81d85bef9d7b264f48172d178da7e4487ce8dd8ee48649e9cc7891120258cec422c

Download Submit
C:\Windows\{538A3564-6204-4624-B75E-5FB3B35051AF}.exe

Filesize
216KB

MD5
5f1b2dffdafa89cd4c5e4b531dd029d3

SHA1
453d6766ef456631007e557bcdd5ea158705715b

SHA256
c09a4735bf669caaadbcd5f0240af1ee7b38317b9ccc13aec816aed601a6c7a7

SHA512
a9129e9d1285e1d84ac5689eb18d445ce3dbabe2ffa617510d341fa153438fcd83c47aa3169e77a1a369f35f643b2f0fd7fa188c5263b2d3629d4e19ef46b8d6

Download Submit
C:\Windows\{538A3564-6204-4624-B75E-5FB3B35051AF}.exe

Filesize
216KB

MD5
5f1b2dffdafa89cd4c5e4b531dd029d3

SHA1
453d6766ef456631007e557bcdd5ea158705715b

SHA256
c09a4735bf669caaadbcd5f0240af1ee7b38317b9ccc13aec816aed601a6c7a7

SHA512
a9129e9d1285e1d84ac5689eb18d445ce3dbabe2ffa617510d341fa153438fcd83c47aa3169e77a1a369f35f643b2f0fd7fa188c5263b2d3629d4e19ef46b8d6

Download Submit
C:\Windows\{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe

Filesize
216KB

MD5
4153fe9621a87bd7ffaecb15799a18dd

SHA1
af5ee485eeed49d22b2fc109f207b7ddbfe60582

SHA256
efce6abf1c1b43d32093998acbc01860237632f07a3a89c729a52ed4a51fc5bc

SHA512
347fc091b9f0d25ace29151efcb6485ef8684da1abeda5de7893b62f57bd94cdb63a5976ef385d81935e8e97d1561640de1ab56d743c0d037a00b5dc847948e1

Download Submit
C:\Windows\{60FAFF44-C682-430f-8B41-2253C4A30EEE}.exe

Filesize
216KB

MD5
4153fe9621a87bd7ffaecb15799a18dd

SHA1
af5ee485eeed49d22b2fc109f207b7ddbfe60582

SHA256
efce6abf1c1b43d32093998acbc01860237632f07a3a89c729a52ed4a51fc5bc

SHA512
347fc091b9f0d25ace29151efcb6485ef8684da1abeda5de7893b62f57bd94cdb63a5976ef385d81935e8e97d1561640de1ab56d743c0d037a00b5dc847948e1

Download Submit
C:\Windows\{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe

Filesize
216KB

MD5
d3dfd93fdc80bd8fd828660950f9c612

SHA1
06f3f275f9be927c613a64e042f7ace8588d9492

SHA256
a87a68a734f2fd69e8e4d9f613b9a2fcaf5a35a7f610aeea6783a8bd522b6ce2

SHA512
fd556e8bd38989e5a8432e006c7bf607f94c94e9ed8205520c464623712339c28931f1fe8f7f08844c3808212a08aa2b8f95b73331909f1b45f406a8ef9a75ac

Download Submit
C:\Windows\{8DCFB7E8-243C-4157-B377-ED4C051B367B}.exe

Filesize
216KB

MD5
d3dfd93fdc80bd8fd828660950f9c612

SHA1
06f3f275f9be927c613a64e042f7ace8588d9492

SHA256
a87a68a734f2fd69e8e4d9f613b9a2fcaf5a35a7f610aeea6783a8bd522b6ce2

SHA512
fd556e8bd38989e5a8432e006c7bf607f94c94e9ed8205520c464623712339c28931f1fe8f7f08844c3808212a08aa2b8f95b73331909f1b45f406a8ef9a75ac

Download Submit
C:\Windows\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe

Filesize
216KB

MD5
b5c407f8610e77097112c7532edcc4db

SHA1
3db4f70b7dcb8bc5e44b8a23d1a23b4782ebb284

SHA256
775811ac590d1cf2c9cc70edff9edaae597e89a98eeeec0713a5a494f852de47

SHA512
899a4c09cd237f374093c3330e19fa02f171350a087ea216a62b587cf63a9ba4d66d59ae4ccb5f78044bd5114bfae03ec26546aeb569e82fe71e1c3003b2e16c

Download Submit
C:\Windows\{A80E1EF5-02E0-4e0e-AF12-24977093F2E9}.exe

Filesize
216KB

MD5
b5c407f8610e77097112c7532edcc4db

SHA1
3db4f70b7dcb8bc5e44b8a23d1a23b4782ebb284

SHA256
775811ac590d1cf2c9cc70edff9edaae597e89a98eeeec0713a5a494f852de47

SHA512
899a4c09cd237f374093c3330e19fa02f171350a087ea216a62b587cf63a9ba4d66d59ae4ccb5f78044bd5114bfae03ec26546aeb569e82fe71e1c3003b2e16c

Download Submit
C:\Windows\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe

Filesize
216KB

MD5
c0a86afe2da97dc4fc696a061d4b9ecd

SHA1
2ece09839e79b625b621688f75876fa61d1f01d5

SHA256
4c0b94b236f36daf4432e1e9b0b8525d5bcc32c925faf86eae7c3c63113603c3

SHA512
97298f0d9f43547c4675fd0ec133b8f007f79db3c7bb1be04461f4eb8cec74048b356bddaac3be3f61a814ae3b744768a2182fc5ea03bf8c13a3cbe98e07e7ea

Download Submit
C:\Windows\{B7E2CC77-4A32-41e7-8C81-27E8641AEBDC}.exe

Filesize
216KB

MD5
c0a86afe2da97dc4fc696a061d4b9ecd

SHA1
2ece09839e79b625b621688f75876fa61d1f01d5

SHA256
4c0b94b236f36daf4432e1e9b0b8525d5bcc32c925faf86eae7c3c63113603c3

SHA512
97298f0d9f43547c4675fd0ec133b8f007f79db3c7bb1be04461f4eb8cec74048b356bddaac3be3f61a814ae3b744768a2182fc5ea03bf8c13a3cbe98e07e7ea

Download Submit
C:\Windows\{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe

Filesize
216KB

MD5
477e0a46ec708ed48bfd19f0e6783e41

SHA1
2120f3baf9bcfd6a14432c6fc52ac3f55173d621

SHA256
00bdd52769a82a8ff863816201bcd4a385825e67373bd06e499f9e26cb41f3d4

SHA512
7cb1128326d71f8964287cc9630faf2478f42f4aca5fc844e337c3a184ec3e5a4613422ac7570898de885695709c9eaa37d8091d6cd166b07c3f531135e23f29

Download Submit
C:\Windows\{D32D2093-FC08-4398-A4D7-E1ABDF937898}.exe

Filesize
216KB

MD5
477e0a46ec708ed48bfd19f0e6783e41

SHA1
2120f3baf9bcfd6a14432c6fc52ac3f55173d621

SHA256
00bdd52769a82a8ff863816201bcd4a385825e67373bd06e499f9e26cb41f3d4

SHA512
7cb1128326d71f8964287cc9630faf2478f42f4aca5fc844e337c3a184ec3e5a4613422ac7570898de885695709c9eaa37d8091d6cd166b07c3f531135e23f29

Download Submit
C:\Windows\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe

Filesize
216KB

MD5
333923c07108abaa8ee2b28e9045a120

SHA1
c2c3b240631d3a879a54d8782406778e57208390

SHA256
ba708096d07f5b3a5586dc106e7997614a63351b01582166dfdd14b362c65b6a

SHA512
8aab7d4189cb86f0f1f83bb33696ef044f5694abecc620c8b107e6816b2658982ff3b29a497d9f4edf795bbb170f1da638163e6ee5f72840b79ef0470c089658

Download Submit
C:\Windows\{E5837BE4-4B3B-4362-B0BC-FFE47E1F3D95}.exe

Filesize
216KB

MD5
333923c07108abaa8ee2b28e9045a120

SHA1
c2c3b240631d3a879a54d8782406778e57208390

SHA256
ba708096d07f5b3a5586dc106e7997614a63351b01582166dfdd14b362c65b6a

SHA512
8aab7d4189cb86f0f1f83bb33696ef044f5694abecc620c8b107e6816b2658982ff3b29a497d9f4edf795bbb170f1da638163e6ee5f72840b79ef0470c089658

Download Submit
C:\Windows\{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe

Filesize
216KB

MD5
323037c60b7e0b6685a858e41e15fb83

SHA1
bd71528a3ba3fcb7aaffe9fc8e8cb0e3c16a6ec1

SHA256
4d5dcc5755b6826c03fa5131fa48b09380b452eb94d2807525ab7ffe93f45e03

SHA512
69e1d5f971e1258a37cffb07b1006fca2f0918f7124eed046d15e0f90cc71a688438bfdce21da50da971856838ee871cdcf2d89627481c417242c2b852c186a5

Download Submit
C:\Windows\{E9D38DD8-576C-4887-BCAB-BA583727B021}.exe

Filesize
216KB

MD5
323037c60b7e0b6685a858e41e15fb83

SHA1
bd71528a3ba3fcb7aaffe9fc8e8cb0e3c16a6ec1

SHA256
4d5dcc5755b6826c03fa5131fa48b09380b452eb94d2807525ab7ffe93f45e03

SHA512
69e1d5f971e1258a37cffb07b1006fca2f0918f7124eed046d15e0f90cc71a688438bfdce21da50da971856838ee871cdcf2d89627481c417242c2b852c186a5

Download Submit
C:\Windows\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe

Filesize
216KB

MD5
b3b370c40fc40773d9f3fc168a5b31c2

SHA1
5901a5d079912ac99a024a9eaa04d5c2ad3c2d39

SHA256
2e7abd608caadf61488a70b93746f0d3f11bbd7fe8a25c43464c79cf3945e511

SHA512
8518c40bf83ed5e69b0cf74005d91f07309b2b02d3691296859c7dbc64a04226c2fce76894fb62913b9791611e76cbbb630df3493dea6c8f8c4f6b1cac2d7594

Download Submit
C:\Windows\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe

Filesize
216KB

MD5
b3b370c40fc40773d9f3fc168a5b31c2

SHA1
5901a5d079912ac99a024a9eaa04d5c2ad3c2d39

SHA256
2e7abd608caadf61488a70b93746f0d3f11bbd7fe8a25c43464c79cf3945e511

SHA512
8518c40bf83ed5e69b0cf74005d91f07309b2b02d3691296859c7dbc64a04226c2fce76894fb62913b9791611e76cbbb630df3493dea6c8f8c4f6b1cac2d7594

Download Submit
C:\Windows\{ECDCC0AB-FF18-431c-9DB9-6015302C84B6}.exe

Filesize
216KB

MD5
b3b370c40fc40773d9f3fc168a5b31c2

SHA1
5901a5d079912ac99a024a9eaa04d5c2ad3c2d39

SHA256
2e7abd608caadf61488a70b93746f0d3f11bbd7fe8a25c43464c79cf3945e511

SHA512
8518c40bf83ed5e69b0cf74005d91f07309b2b02d3691296859c7dbc64a04226c2fce76894fb62913b9791611e76cbbb630df3493dea6c8f8c4f6b1cac2d7594

Download Submit