25d15aa4fe3537ebb129b600e47ea82256fb73ae992e5255de9245b148ff04bb

Analysis

max time kernel
146s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a957c7ed0a4d5exeexeexeex.exe
Size

168KB
MD5

6a957c7ed0a4d537b2b71281635959c0
SHA1

d3259d3758aff4ed2ad921a365eb4b5de58543a8
SHA256

25d15aa4fe3537ebb129b600e47ea82256fb73ae992e5255de9245b148ff04bb
SHA512

f598b71a7a28740f3700f9e75b92f1655d139ab50230b2784cfd90767b4cd888158df2c2c677d65b3d81e1746f8847bac409a2024beb4ba6af9efbe4bc1b2145
SSDEEP

1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881DEE44-1B63-498b-A172-FCCBC3367AC9}	{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}\stubpath = "C:\\Windows\\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}.exe"	{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0831FF0-EB27-4100-901F-629124A1D23F}\stubpath = "C:\\Windows\\{E0831FF0-EB27-4100-901F-629124A1D23F}.exe"	{58C25812-23C1-4871-AD57-89FA329F5628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F205B94-5174-46f8-8310-15C8AD9007E7}	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}\stubpath = "C:\\Windows\\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe"	6a957c7ed0a4d5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4173010-E957-4e69-B3B3-384F5B5A30E3}	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{458E2FAE-0428-49ee-8565-3780B96170F5}	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{458E2FAE-0428-49ee-8565-3780B96170F5}\stubpath = "C:\\Windows\\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe"	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20A1D420-022E-4f83-9F9B-D96278D6F087}	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C25812-23C1-4871-AD57-89FA329F5628}	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}	{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05558C88-F10A-48ec-ABDE-40BE5379A96C}	{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05558C88-F10A-48ec-ABDE-40BE5379A96C}\stubpath = "C:\\Windows\\{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe"	{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA56131-AB48-4857-916B-1E85C64252FB}\stubpath = "C:\\Windows\\{5BA56131-AB48-4857-916B-1E85C64252FB}.exe"	{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881DEE44-1B63-498b-A172-FCCBC3367AC9}\stubpath = "C:\\Windows\\{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe"	{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}	6a957c7ed0a4d5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4173010-E957-4e69-B3B3-384F5B5A30E3}\stubpath = "C:\\Windows\\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe"	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}\stubpath = "C:\\Windows\\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe"	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C25812-23C1-4871-AD57-89FA329F5628}\stubpath = "C:\\Windows\\{58C25812-23C1-4871-AD57-89FA329F5628}.exe"	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F205B94-5174-46f8-8310-15C8AD9007E7}\stubpath = "C:\\Windows\\{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe"	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}\stubpath = "C:\\Windows\\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe"	{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}	{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20A1D420-022E-4f83-9F9B-D96278D6F087}\stubpath = "C:\\Windows\\{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe"	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0831FF0-EB27-4100-901F-629124A1D23F}	{58C25812-23C1-4871-AD57-89FA329F5628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA56131-AB48-4857-916B-1E85C64252FB}	{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe
692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
2984	{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
2600	{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe
2772	{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
2864	{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
2500	{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe
2640	{A1D7C092-F852-4643-9D6B-3ED4964E8C59}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
File created	C:\Windows\{58C25812-23C1-4871-AD57-89FA329F5628}.exe	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
File created	C:\Windows\{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
File created	C:\Windows\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe	{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
File created	C:\Windows\{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe	{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
File created	C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	6a957c7ed0a4d5exeexeexeex.exe
File created	C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
File created	C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
File created	C:\Windows\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}.exe	{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe
File created	C:\Windows\{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe	{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
File created	C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
File created	C:\Windows\{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	{58C25812-23C1-4871-AD57-89FA329F5628}.exe
File created	C:\Windows\{5BA56131-AB48-4857-916B-1E85C64252FB}.exe	{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	6a957c7ed0a4d5exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
Token: SeIncBasePriorityPrivilege	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
Token: SeIncBasePriorityPrivilege	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
Token: SeIncBasePriorityPrivilege	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
Token: SeIncBasePriorityPrivilege	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
Token: SeIncBasePriorityPrivilege	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe
Token: SeIncBasePriorityPrivilege	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
Token: SeIncBasePriorityPrivilege	2984	{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
Token: SeIncBasePriorityPrivilege	2600	{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe
Token: SeIncBasePriorityPrivilege	2772	{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
Token: SeIncBasePriorityPrivilege	2864	{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
Token: SeIncBasePriorityPrivilege	2500	{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3064	2224	6a957c7ed0a4d5exeexeexeex.exe	29
PID 2224 wrote to memory of 3064	2224	6a957c7ed0a4d5exeexeexeex.exe	29
PID 2224 wrote to memory of 3064	2224	6a957c7ed0a4d5exeexeexeex.exe	29
PID 2224 wrote to memory of 3064	2224	6a957c7ed0a4d5exeexeexeex.exe	29
PID 2224 wrote to memory of 2208	2224	6a957c7ed0a4d5exeexeexeex.exe	30
PID 2224 wrote to memory of 2208	2224	6a957c7ed0a4d5exeexeexeex.exe	30
PID 2224 wrote to memory of 2208	2224	6a957c7ed0a4d5exeexeexeex.exe	30
PID 2224 wrote to memory of 2208	2224	6a957c7ed0a4d5exeexeexeex.exe	30
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 848 wrote to memory of 328	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 328	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 328	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 328	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 2872	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 848 wrote to memory of 2872	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 848 wrote to memory of 2872	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 848 wrote to memory of 2872	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 328 wrote to memory of 2056	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 328 wrote to memory of 2056	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 328 wrote to memory of 2056	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 328 wrote to memory of 2056	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 328 wrote to memory of 2088	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 328 wrote to memory of 2088	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 328 wrote to memory of 2088	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 328 wrote to memory of 2088	328	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 2056 wrote to memory of 776	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 2056 wrote to memory of 776	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 2056 wrote to memory of 776	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 2056 wrote to memory of 776	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 2056 wrote to memory of 2852	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 2056 wrote to memory of 2852	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 2056 wrote to memory of 2852	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 2056 wrote to memory of 2852	2056	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 776 wrote to memory of 2232	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	39
PID 776 wrote to memory of 2232	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	39
PID 776 wrote to memory of 2232	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	39
PID 776 wrote to memory of 2232	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	39
PID 776 wrote to memory of 2236	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	40
PID 776 wrote to memory of 2236	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	40
PID 776 wrote to memory of 2236	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	40
PID 776 wrote to memory of 2236	776	{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe	40
PID 2232 wrote to memory of 692	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	41
PID 2232 wrote to memory of 692	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	41
PID 2232 wrote to memory of 692	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	41
PID 2232 wrote to memory of 692	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	41
PID 2232 wrote to memory of 2776	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	42
PID 2232 wrote to memory of 2776	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	42
PID 2232 wrote to memory of 2776	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	42
PID 2232 wrote to memory of 2776	2232	{58C25812-23C1-4871-AD57-89FA329F5628}.exe	42
PID 692 wrote to memory of 2984	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	43
PID 692 wrote to memory of 2984	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	43
PID 692 wrote to memory of 2984	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	43
PID 692 wrote to memory of 2984	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	43
PID 692 wrote to memory of 2996	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	44
PID 692 wrote to memory of 2996	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	44
PID 692 wrote to memory of 2996	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	44
PID 692 wrote to memory of 2996	692	{E0831FF0-EB27-4100-901F-629124A1D23F}.exe	44

C:\Users\Admin\AppData\Local\Temp\6a957c7ed0a4d5exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6a957c7ed0a4d5exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
  C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
    C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
      C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
        
        C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
        
        C:\Windows\{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{58C25812-23C1-4871-AD57-89FA329F5628}.exe
        
        C:\Windows\{58C25812-23C1-4871-AD57-89FA329F5628}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
        
        C:\Windows\{E0831FF0-EB27-4100-901F-629124A1D23F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
        
        C:\Windows\{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe
        
        C:\Windows\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
        
        C:\Windows\{5BA56131-AB48-4857-916B-1E85C64252FB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
        
        C:\Windows\{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe
        
        C:\Windows\{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}.exe
        
        C:\Windows\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}.exe
        14⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05558~1.EXE > nul
        14⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{881DE~1.EXE > nul
        13⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BA56~1.EXE > nul
        12⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4FD9~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F205~1.EXE > nul
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0831~1.EXE > nul
        9⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58C25~1.EXE > nul
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20A1D~1.EXE > nul
        7⤵
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{458E2~1.EXE > nul
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9E2~1.EXE > nul
        5⤵
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4173~1.EXE > nul
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F43B~1.EXE > nul
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A957C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe

Filesize
168KB

MD5
7a9afadde4fba46e10e280631fcc2a3d

SHA1
6c14320bbd3f13b780a2d051f24c7dd4f8f7a19c

SHA256
cbf50865e4c7efe488e7d6f17bcc1f0d5b849ede1a115c5f4f5b503b5ae9214e

SHA512
2b6628adabdc232e6ef6046c8793f3f626be2ca6b2e02743a4989e4cde80a0e795eedc110d70531bf274048016a35a63dc2ad2707a94720294a1877fd4a7ad68

Download Submit
C:\Windows\{05558C88-F10A-48ec-ABDE-40BE5379A96C}.exe

Filesize
168KB

MD5
7a9afadde4fba46e10e280631fcc2a3d

SHA1
6c14320bbd3f13b780a2d051f24c7dd4f8f7a19c

SHA256
cbf50865e4c7efe488e7d6f17bcc1f0d5b849ede1a115c5f4f5b503b5ae9214e

SHA512
2b6628adabdc232e6ef6046c8793f3f626be2ca6b2e02743a4989e4cde80a0e795eedc110d70531bf274048016a35a63dc2ad2707a94720294a1877fd4a7ad68

Download Submit
C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe

Filesize
168KB

MD5
f6d9398f5ef742a8b0a707339633f87d

SHA1
b85181dfa887ecb06b98db7fea288bf4f5f3fc67

SHA256
a8d6e5bf772d69b30572f13af4d38693482d1d81c4d2a0ae4a142c66d3f0d5e3

SHA512
0fe4737bb27b5f6ca43ab9ce50de97092597218b40d45d6255b07c0d64f59437311e2823cac262a0578c2f83971767bef7b7eb248319a704cc33fc5b7d748e36

Download Submit
C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe

Filesize
168KB

MD5
f6d9398f5ef742a8b0a707339633f87d

SHA1
b85181dfa887ecb06b98db7fea288bf4f5f3fc67

SHA256
a8d6e5bf772d69b30572f13af4d38693482d1d81c4d2a0ae4a142c66d3f0d5e3

SHA512
0fe4737bb27b5f6ca43ab9ce50de97092597218b40d45d6255b07c0d64f59437311e2823cac262a0578c2f83971767bef7b7eb248319a704cc33fc5b7d748e36

Download Submit
C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe

Filesize
168KB

MD5
f6d9398f5ef742a8b0a707339633f87d

SHA1
b85181dfa887ecb06b98db7fea288bf4f5f3fc67

SHA256
a8d6e5bf772d69b30572f13af4d38693482d1d81c4d2a0ae4a142c66d3f0d5e3

SHA512
0fe4737bb27b5f6ca43ab9ce50de97092597218b40d45d6255b07c0d64f59437311e2823cac262a0578c2f83971767bef7b7eb248319a704cc33fc5b7d748e36

Download Submit
C:\Windows\{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe

Filesize
168KB

MD5
de2e2eaff5a516a708a940788c5023bd

SHA1
23ad646f8e6714a0c5685d86af985c541cdf111b

SHA256
6dec15e935444c54ed2e4c6ada6dfcbb964ee3b90dc9d28dfc011f5c189cde2d

SHA512
43f529b886bfb3cfad6772ea9e1c1babe98ab19fe528314a21705b7c2257e9589f05322a83b96ea750326c4aa84eed1d5c7dac0cc82a0ed5548973135f9ef2e7

Download Submit
C:\Windows\{20A1D420-022E-4f83-9F9B-D96278D6F087}.exe

Filesize
168KB

MD5
de2e2eaff5a516a708a940788c5023bd

SHA1
23ad646f8e6714a0c5685d86af985c541cdf111b

SHA256
6dec15e935444c54ed2e4c6ada6dfcbb964ee3b90dc9d28dfc011f5c189cde2d

SHA512
43f529b886bfb3cfad6772ea9e1c1babe98ab19fe528314a21705b7c2257e9589f05322a83b96ea750326c4aa84eed1d5c7dac0cc82a0ed5548973135f9ef2e7

Download Submit
C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe

Filesize
168KB

MD5
da0fe7f7bf3ea2abfdb90d1a434c0e6a

SHA1
135193135b2794776429c343209aab42d1404705

SHA256
1034b76cecc8ead78c469cddbd8c778d874f7a9828b06dd89ed71b1652c53597

SHA512
53cc4697419852b77b331646aa4e455f2576ad26e734b859a448f8d600d36c8b29544c80e2e74cd0edae2a75907d91fd0b1584e89fd51935922dc9d61c595a40

Download Submit
C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe

Filesize
168KB

MD5
da0fe7f7bf3ea2abfdb90d1a434c0e6a

SHA1
135193135b2794776429c343209aab42d1404705

SHA256
1034b76cecc8ead78c469cddbd8c778d874f7a9828b06dd89ed71b1652c53597

SHA512
53cc4697419852b77b331646aa4e455f2576ad26e734b859a448f8d600d36c8b29544c80e2e74cd0edae2a75907d91fd0b1584e89fd51935922dc9d61c595a40

Download Submit
C:\Windows\{58C25812-23C1-4871-AD57-89FA329F5628}.exe

Filesize
168KB

MD5
63ec7aeb2758d4e62e7c270a490dcca2

SHA1
f28184f90557c8180c23eb11419a632849cebb76

SHA256
31b789f80d79f95ce9eb112cedfd73c91ca0f5f6642ec4650cd3af145d2c6acf

SHA512
35e14ce32e578c6c2cb5cbcaeb8cdae456ecdf1cd3bb43b72f17f5c7b4100029caa0fe9f43a86c2b8e69cbdac38ba40a89317abbad2d989e470e5534cd27897f

Download Submit
C:\Windows\{58C25812-23C1-4871-AD57-89FA329F5628}.exe

Filesize
168KB

MD5
63ec7aeb2758d4e62e7c270a490dcca2

SHA1
f28184f90557c8180c23eb11419a632849cebb76

SHA256
31b789f80d79f95ce9eb112cedfd73c91ca0f5f6642ec4650cd3af145d2c6acf

SHA512
35e14ce32e578c6c2cb5cbcaeb8cdae456ecdf1cd3bb43b72f17f5c7b4100029caa0fe9f43a86c2b8e69cbdac38ba40a89317abbad2d989e470e5534cd27897f

Download Submit
C:\Windows\{5BA56131-AB48-4857-916B-1E85C64252FB}.exe

Filesize
168KB

MD5
718bc124640acbedcd16643ebacb4f96

SHA1
33cd107b40036545ffbdfcdc7e1cfca4a1ff0a03

SHA256
202f690805700dc7fc50725bf59d5ff21a0510bca351fbfad40e84fd80456bb1

SHA512
4a2938dd683f07f42537bc6fab70dc3689d3490c6fdf09f665a1b97f8d36561dbb0905aab61be248c9dd56caca6dca0583fe78e8a0d330ae12b321d47e3b40b3

Download Submit
C:\Windows\{5BA56131-AB48-4857-916B-1E85C64252FB}.exe

Filesize
168KB

MD5
718bc124640acbedcd16643ebacb4f96

SHA1
33cd107b40036545ffbdfcdc7e1cfca4a1ff0a03

SHA256
202f690805700dc7fc50725bf59d5ff21a0510bca351fbfad40e84fd80456bb1

SHA512
4a2938dd683f07f42537bc6fab70dc3689d3490c6fdf09f665a1b97f8d36561dbb0905aab61be248c9dd56caca6dca0583fe78e8a0d330ae12b321d47e3b40b3

Download Submit
C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe

Filesize
168KB

MD5
725229c90f8051e2a8e8a50531463ed6

SHA1
71c9bdf54ec81cb31773243f5adcafd70936de07

SHA256
2f7e4c9a77fefbd5d0e96d7db414324cf400d9a3152d56636957db2d6f955a24

SHA512
a2b188390f71d86ac6be445b01028e0d02763276c95caf40544ff608f11c9fb8d2897c8b05be4661e5c83dbd0ece90ad93a5dc20adaca823f60e1b9fa16076ea

Download Submit
C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe

Filesize
168KB

MD5
725229c90f8051e2a8e8a50531463ed6

SHA1
71c9bdf54ec81cb31773243f5adcafd70936de07

SHA256
2f7e4c9a77fefbd5d0e96d7db414324cf400d9a3152d56636957db2d6f955a24

SHA512
a2b188390f71d86ac6be445b01028e0d02763276c95caf40544ff608f11c9fb8d2897c8b05be4661e5c83dbd0ece90ad93a5dc20adaca823f60e1b9fa16076ea

Download Submit
C:\Windows\{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe

Filesize
168KB

MD5
badf57c9ff78e33270070ac7bfcac334

SHA1
132185d62d2a5775ca9639e37b2d0b82c86d4e5e

SHA256
b5b2e3b69e3152d4d3299a90a0ee473d05eab07e728f0c497a3889989fd2478e

SHA512
b7f7ff8e1e55681fe23faa3eb9324901628d2d90dc25cd6f89388ddc9fdc5cf97cdd16f56d5b28dcc68da22bf1f3c7c3f5b489a0fa9dbf9c457fca3296553bb9

Download Submit
C:\Windows\{881DEE44-1B63-498b-A172-FCCBC3367AC9}.exe

Filesize
168KB

MD5
badf57c9ff78e33270070ac7bfcac334

SHA1
132185d62d2a5775ca9639e37b2d0b82c86d4e5e

SHA256
b5b2e3b69e3152d4d3299a90a0ee473d05eab07e728f0c497a3889989fd2478e

SHA512
b7f7ff8e1e55681fe23faa3eb9324901628d2d90dc25cd6f89388ddc9fdc5cf97cdd16f56d5b28dcc68da22bf1f3c7c3f5b489a0fa9dbf9c457fca3296553bb9

Download Submit
C:\Windows\{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe

Filesize
168KB

MD5
88872040eabe0d37b0cae1e763190d97

SHA1
54fc28828ad64677c6a1a2dfcf9233e0eda97aca

SHA256
f00a78a75b3a728bbce21998627899f02b6c781ed928d8723963e8e94382eae6

SHA512
de01746d1e5886bc792399bc837c4f197d71494c36154c6eb0805109d72f1621bce2a450db857d589eca6672cd5a8f15841bbcf4471593719bdfd5759e83e2da

Download Submit
C:\Windows\{8F205B94-5174-46f8-8310-15C8AD9007E7}.exe

Filesize
168KB

MD5
88872040eabe0d37b0cae1e763190d97

SHA1
54fc28828ad64677c6a1a2dfcf9233e0eda97aca

SHA256
f00a78a75b3a728bbce21998627899f02b6c781ed928d8723963e8e94382eae6

SHA512
de01746d1e5886bc792399bc837c4f197d71494c36154c6eb0805109d72f1621bce2a450db857d589eca6672cd5a8f15841bbcf4471593719bdfd5759e83e2da

Download Submit
C:\Windows\{A1D7C092-F852-4643-9D6B-3ED4964E8C59}.exe

Filesize
168KB

MD5
2a6e9d8d089f041f29bb63584f5488d5

SHA1
53a108fea26a23e0d5ecab72ae33da28efb5a105

SHA256
7bbc9791f3774ac66aec02da5b9a6e217b0c4455e8d25c8b5a05275a9aae90e8

SHA512
ddcb8bb429d85c268e22fd28af4b8ba4177fc40fd50a9d38019f230ac33671e580e07555292d9192b2f36ced35f4218f33301dba7894da5e44e37ae352d67da5

Download Submit
C:\Windows\{E0831FF0-EB27-4100-901F-629124A1D23F}.exe

Filesize
168KB

MD5
aaef79f8683db463547a45c3ce7ad218

SHA1
2cd2b1cf6d62b3179dcc6c86ef77f24389d7c34f

SHA256
259b88f252b9115b69dc9fa62fe51004e756cf32b046de73a63a307c046f2f35

SHA512
55edce1d800fda5da06f9da7531065f2a2a6996e0341435223034933576eadc5d1c11c6fbc9168a12e679923773f64b961888c69ea6f09cd95e4ed5967f79678

Download Submit
C:\Windows\{E0831FF0-EB27-4100-901F-629124A1D23F}.exe

Filesize
168KB

MD5
aaef79f8683db463547a45c3ce7ad218

SHA1
2cd2b1cf6d62b3179dcc6c86ef77f24389d7c34f

SHA256
259b88f252b9115b69dc9fa62fe51004e756cf32b046de73a63a307c046f2f35

SHA512
55edce1d800fda5da06f9da7531065f2a2a6996e0341435223034933576eadc5d1c11c6fbc9168a12e679923773f64b961888c69ea6f09cd95e4ed5967f79678

Download Submit
C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe

Filesize
168KB

MD5
c01e25af9635a07faaf76081d387068a

SHA1
c1059f1e4e02e3836150f65f2e9e691395cffc02

SHA256
dcd70b0e1fcb081c641b3ea02a1c2c19fc2312920845a25b42937d43fc7cb0cf

SHA512
62fdc29eca562c94640154a83c2461c67f8b0c13796e7f09fbd71565071c7c7699c172942b18fff73b29d31a2b080b0f76f0b7a122991568cac4777e240b869e

Download Submit
C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe

Filesize
168KB

MD5
c01e25af9635a07faaf76081d387068a

SHA1
c1059f1e4e02e3836150f65f2e9e691395cffc02

SHA256
dcd70b0e1fcb081c641b3ea02a1c2c19fc2312920845a25b42937d43fc7cb0cf

SHA512
62fdc29eca562c94640154a83c2461c67f8b0c13796e7f09fbd71565071c7c7699c172942b18fff73b29d31a2b080b0f76f0b7a122991568cac4777e240b869e

Download Submit
C:\Windows\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe

Filesize
168KB

MD5
b7c673e429ec21f32664acd5133c65f1

SHA1
edba983be007d6684f1eea10db8b8c6fefb466f7

SHA256
7cb38798f8c010eb820d17873c2ff8c94d20be335124470ed0b3ade10f5ec89d

SHA512
b5674dab5b66a644e1d9117456467b93b2b2a54f83ed3b5005efab4ee3d96b497d09ce9d42ffb5b09732f9e36e78528c5191397bcf0084d035495f471a0eb2f2

Download Submit
C:\Windows\{E4FD9970-D79A-4d38-9715-A0C7E4C881D6}.exe

Filesize
168KB

MD5
b7c673e429ec21f32664acd5133c65f1

SHA1
edba983be007d6684f1eea10db8b8c6fefb466f7

SHA256
7cb38798f8c010eb820d17873c2ff8c94d20be335124470ed0b3ade10f5ec89d

SHA512
b5674dab5b66a644e1d9117456467b93b2b2a54f83ed3b5005efab4ee3d96b497d09ce9d42ffb5b09732f9e36e78528c5191397bcf0084d035495f471a0eb2f2

Download Submit