ca8c58382a6a2d683a5a1349eb8a844af56778545afedcdd895a892d5ac50ba6

Analysis

max time kernel
146s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e9992d47dfb5cexeexeexeex.exe
Size

204KB
MD5

6e9992d47dfb5c063cb960becad5a1e1
SHA1

7aa7a74142271cedbd9a78828dc910e5a112cef2
SHA256

ca8c58382a6a2d683a5a1349eb8a844af56778545afedcdd895a892d5ac50ba6
SHA512

2101721d0d10e6e7ba4f3a485ca107f49a7e3df48e49e91759ab67a5250c460c7ef1b9d4c85b7aef667a0169fad46fd7d17e57cd4d5ee5bc8ee378b95e593426
SSDEEP

1536:1EGh0o0l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o0l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}	{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}	{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B994AAB4-35D2-4eee-871E-66E0218A9950}	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B994AAB4-35D2-4eee-871E-66E0218A9950}\stubpath = "C:\\Windows\\{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe"	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}	{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}\stubpath = "C:\\Windows\\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe"	{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}\stubpath = "C:\\Windows\\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe"	{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}\stubpath = "C:\\Windows\\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}.exe"	{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}	6e9992d47dfb5cexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}\stubpath = "C:\\Windows\\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe"	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{170EDD67-E464-481d-92FC-B734F18B0267}	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}	{170EDD67-E464-481d-92FC-B734F18B0267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}\stubpath = "C:\\Windows\\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe"	{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA574069-9295-4cbd-9D5A-F4891A735CFD}\stubpath = "C:\\Windows\\{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe"	{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}	{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}\stubpath = "C:\\Windows\\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe"	6e9992d47dfb5cexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{415CF993-774E-4cff-95C7-1347551453E3}	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96BD92E9-A062-4fdb-92D6-73F779D3207B}	{415CF993-774E-4cff-95C7-1347551453E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96BD92E9-A062-4fdb-92D6-73F779D3207B}\stubpath = "C:\\Windows\\{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe"	{415CF993-774E-4cff-95C7-1347551453E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}\stubpath = "C:\\Windows\\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe"	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}\stubpath = "C:\\Windows\\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe"	{170EDD67-E464-481d-92FC-B734F18B0267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{415CF993-774E-4cff-95C7-1347551453E3}\stubpath = "C:\\Windows\\{415CF993-774E-4cff-95C7-1347551453E3}.exe"	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{170EDD67-E464-481d-92FC-B734F18B0267}\stubpath = "C:\\Windows\\{170EDD67-E464-481d-92FC-B734F18B0267}.exe"	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA574069-9295-4cbd-9D5A-F4891A735CFD}	{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe
296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe
2120	{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe
548	{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
2792	{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
1304	{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
2888	{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe
3004	{6B780372-8003-47f9-82BD-BE04B5C2C1F1}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}.exe	{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe
File created	C:\Windows\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
File created	C:\Windows\{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	{415CF993-774E-4cff-95C7-1347551453E3}.exe
File created	C:\Windows\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
File created	C:\Windows\{170EDD67-E464-481d-92FC-B734F18B0267}.exe	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
File created	C:\Windows\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe	{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
File created	C:\Windows\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe	{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
File created	C:\Windows\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe	{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
File created	C:\Windows\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	6e9992d47dfb5cexeexeexeex.exe
File created	C:\Windows\{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
File created	C:\Windows\{415CF993-774E-4cff-95C7-1347551453E3}.exe	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
File created	C:\Windows\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe	{170EDD67-E464-481d-92FC-B734F18B0267}.exe
File created	C:\Windows\{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe	{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	6e9992d47dfb5cexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
Token: SeIncBasePriorityPrivilege	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
Token: SeIncBasePriorityPrivilege	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
Token: SeIncBasePriorityPrivilege	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe
Token: SeIncBasePriorityPrivilege	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
Token: SeIncBasePriorityPrivilege	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
Token: SeIncBasePriorityPrivilege	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe
Token: SeIncBasePriorityPrivilege	2120	{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe
Token: SeIncBasePriorityPrivilege	548	{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
Token: SeIncBasePriorityPrivilege	2792	{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
Token: SeIncBasePriorityPrivilege	1304	{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
Token: SeIncBasePriorityPrivilege	2888	{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1104	2324	6e9992d47dfb5cexeexeexeex.exe	29
PID 2324 wrote to memory of 1104	2324	6e9992d47dfb5cexeexeexeex.exe	29
PID 2324 wrote to memory of 1104	2324	6e9992d47dfb5cexeexeexeex.exe	29
PID 2324 wrote to memory of 1104	2324	6e9992d47dfb5cexeexeexeex.exe	29
PID 2324 wrote to memory of 2312	2324	6e9992d47dfb5cexeexeexeex.exe	30
PID 2324 wrote to memory of 2312	2324	6e9992d47dfb5cexeexeexeex.exe	30
PID 2324 wrote to memory of 2312	2324	6e9992d47dfb5cexeexeexeex.exe	30
PID 2324 wrote to memory of 2312	2324	6e9992d47dfb5cexeexeexeex.exe	30
PID 1104 wrote to memory of 2320	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	31
PID 1104 wrote to memory of 2320	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	31
PID 1104 wrote to memory of 2320	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	31
PID 1104 wrote to memory of 2320	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	31
PID 1104 wrote to memory of 1492	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	32
PID 1104 wrote to memory of 1492	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	32
PID 1104 wrote to memory of 1492	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	32
PID 1104 wrote to memory of 1492	1104	{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe	32
PID 2320 wrote to memory of 292	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	33
PID 2320 wrote to memory of 292	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	33
PID 2320 wrote to memory of 292	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	33
PID 2320 wrote to memory of 292	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	33
PID 2320 wrote to memory of 2952	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	34
PID 2320 wrote to memory of 2952	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	34
PID 2320 wrote to memory of 2952	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	34
PID 2320 wrote to memory of 2952	2320	{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe	34
PID 292 wrote to memory of 2332	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	35
PID 292 wrote to memory of 2332	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	35
PID 292 wrote to memory of 2332	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	35
PID 292 wrote to memory of 2332	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	35
PID 292 wrote to memory of 2932	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	36
PID 292 wrote to memory of 2932	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	36
PID 292 wrote to memory of 2932	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	36
PID 292 wrote to memory of 2932	292	{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe	36
PID 2332 wrote to memory of 296	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	38
PID 2332 wrote to memory of 296	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	38
PID 2332 wrote to memory of 296	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	38
PID 2332 wrote to memory of 296	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	38
PID 2332 wrote to memory of 884	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	37
PID 2332 wrote to memory of 884	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	37
PID 2332 wrote to memory of 884	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	37
PID 2332 wrote to memory of 884	2332	{415CF993-774E-4cff-95C7-1347551453E3}.exe	37
PID 296 wrote to memory of 2232	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	40
PID 296 wrote to memory of 2232	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	40
PID 296 wrote to memory of 2232	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	40
PID 296 wrote to memory of 2232	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	40
PID 296 wrote to memory of 1392	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	39
PID 296 wrote to memory of 1392	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	39
PID 296 wrote to memory of 1392	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	39
PID 296 wrote to memory of 1392	296	{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe	39
PID 2232 wrote to memory of 2096	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	41
PID 2232 wrote to memory of 2096	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	41
PID 2232 wrote to memory of 2096	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	41
PID 2232 wrote to memory of 2096	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	41
PID 2232 wrote to memory of 2412	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	42
PID 2232 wrote to memory of 2412	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	42
PID 2232 wrote to memory of 2412	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	42
PID 2232 wrote to memory of 2412	2232	{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe	42
PID 2096 wrote to memory of 2120	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	43
PID 2096 wrote to memory of 2120	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	43
PID 2096 wrote to memory of 2120	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	43
PID 2096 wrote to memory of 2120	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	43
PID 2096 wrote to memory of 2212	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	44
PID 2096 wrote to memory of 2212	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	44
PID 2096 wrote to memory of 2212	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	44
PID 2096 wrote to memory of 2212	2096	{170EDD67-E464-481d-92FC-B734F18B0267}.exe	44

C:\Users\Admin\AppData\Local\Temp\6e9992d47dfb5cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6e9992d47dfb5cexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
  C:\Windows\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
    C:\Windows\{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
      C:\Windows\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:292
    - - C:\Windows\{415CF993-774E-4cff-95C7-1347551453E3}.exe
        
        C:\Windows\{415CF993-774E-4cff-95C7-1347551453E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{415CF~1.EXE > nul
        6⤵
        
        PID:884
      - C:\Windows\{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
        
        C:\Windows\{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96BD9~1.EXE > nul
        7⤵
        
        PID:1392
        
        C:\Windows\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
        
        C:\Windows\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{170EDD67-E464-481d-92FC-B734F18B0267}.exe
        
        C:\Windows\{170EDD67-E464-481d-92FC-B734F18B0267}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe
        
        C:\Windows\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
        
        C:\Windows\{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
        
        C:\Windows\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8747~1.EXE > nul
        12⤵
        
        PID:2732
        
        C:\Windows\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
        
        C:\Windows\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe
        
        C:\Windows\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}.exe
        
        C:\Windows\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}.exe
        14⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0B51~1.EXE > nul
        14⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1888F~1.EXE > nul
        13⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA574~1.EXE > nul
        11⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F98AB~1.EXE > nul
        10⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{170ED~1.EXE > nul
        9⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDD8F~1.EXE > nul
        8⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBEE0~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B994A~1.EXE > nul
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29A6F~1.EXE > nul
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6E9992~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{170EDD67-E464-481d-92FC-B734F18B0267}.exe

Filesize
204KB

MD5
ae37da9c600f389b240c8fb5521ac27b

SHA1
8ee0fab83273ebc618f0e782f370a605688b4409

SHA256
56718a10b438a3358f96eaad901507365c717c49b4a6a7e5d7d83743da45c778

SHA512
8a1723ebde8a2817d66614f45cfb3bfcdb939d7ffb356bbd63366c1211eff9262b67582d657336888b0a300dc518a2870f2f7a4a9885ae607b34a12ab28a0d69

Download Submit
C:\Windows\{170EDD67-E464-481d-92FC-B734F18B0267}.exe

Filesize
204KB

MD5
ae37da9c600f389b240c8fb5521ac27b

SHA1
8ee0fab83273ebc618f0e782f370a605688b4409

SHA256
56718a10b438a3358f96eaad901507365c717c49b4a6a7e5d7d83743da45c778

SHA512
8a1723ebde8a2817d66614f45cfb3bfcdb939d7ffb356bbd63366c1211eff9262b67582d657336888b0a300dc518a2870f2f7a4a9885ae607b34a12ab28a0d69

Download Submit
C:\Windows\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe

Filesize
204KB

MD5
85be2f3387167b132c82dbd336405103

SHA1
bfb4cc643c60c60559af0c46ea7d0709b760736b

SHA256
e88d717736028f2399ed982a15ebe6f25c3dfa3a9a0ba8eb71d1dc56c1fb10b6

SHA512
a8538db1ec48cddbf5c4a054d534c8393994dbc79e1d4755d86756fe3f230d6f51fd778c96c21788262910d1be57a43c9ccdfab6e96b3883e716b1a9848960fe

Download Submit
C:\Windows\{1888F552-F51B-49fe-BC5B-01D1E6B4BF7B}.exe

Filesize
204KB

MD5
85be2f3387167b132c82dbd336405103

SHA1
bfb4cc643c60c60559af0c46ea7d0709b760736b

SHA256
e88d717736028f2399ed982a15ebe6f25c3dfa3a9a0ba8eb71d1dc56c1fb10b6

SHA512
a8538db1ec48cddbf5c4a054d534c8393994dbc79e1d4755d86756fe3f230d6f51fd778c96c21788262910d1be57a43c9ccdfab6e96b3883e716b1a9848960fe

Download Submit
C:\Windows\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe

Filesize
204KB

MD5
9c1206b69ee0b3a6c5417a7e48a7140a

SHA1
56d684bf0ad362d00aac510d25284fbe9df410db

SHA256
6efd551cb851691433cf3d385c7c617375c57ba37ef6432fadf1496208fc0ec6

SHA512
6bf2db70b076cb27a9f06b8bb0561f7016247dcf4c8d7b58ceca0ec1f794abb693486ca714255516b382f6a64d8dcb9ef5c616168f7ad93a18161517b3ffd8bf

Download Submit
C:\Windows\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe

Filesize
204KB

MD5
9c1206b69ee0b3a6c5417a7e48a7140a

SHA1
56d684bf0ad362d00aac510d25284fbe9df410db

SHA256
6efd551cb851691433cf3d385c7c617375c57ba37ef6432fadf1496208fc0ec6

SHA512
6bf2db70b076cb27a9f06b8bb0561f7016247dcf4c8d7b58ceca0ec1f794abb693486ca714255516b382f6a64d8dcb9ef5c616168f7ad93a18161517b3ffd8bf

Download Submit
C:\Windows\{29A6F134-AEE8-4bd6-8440-4839D56DFEEE}.exe

Filesize
204KB

MD5
9c1206b69ee0b3a6c5417a7e48a7140a

SHA1
56d684bf0ad362d00aac510d25284fbe9df410db

SHA256
6efd551cb851691433cf3d385c7c617375c57ba37ef6432fadf1496208fc0ec6

SHA512
6bf2db70b076cb27a9f06b8bb0561f7016247dcf4c8d7b58ceca0ec1f794abb693486ca714255516b382f6a64d8dcb9ef5c616168f7ad93a18161517b3ffd8bf

Download Submit
C:\Windows\{415CF993-774E-4cff-95C7-1347551453E3}.exe

Filesize
204KB

MD5
662fd61d0e7d2b29bf8d9e034c8b09b3

SHA1
9ff133def6b60ae90a9a7553cd1db819c0a84c77

SHA256
f2c31c6b44bcc7935bfc0b5ba1575cbcb1996cbdfa96ded1a0ab9aab87c9ea09

SHA512
f36e3f4edc1e2d5159dcc339868f7e30cb22a4cd31a7615926c13658601198f90f8815b7c07f26766dd238c1b2b6d2a58d6c2d9438ac16e07b5f60ba2cd77bf5

Download Submit
C:\Windows\{415CF993-774E-4cff-95C7-1347551453E3}.exe

Filesize
204KB

MD5
662fd61d0e7d2b29bf8d9e034c8b09b3

SHA1
9ff133def6b60ae90a9a7553cd1db819c0a84c77

SHA256
f2c31c6b44bcc7935bfc0b5ba1575cbcb1996cbdfa96ded1a0ab9aab87c9ea09

SHA512
f36e3f4edc1e2d5159dcc339868f7e30cb22a4cd31a7615926c13658601198f90f8815b7c07f26766dd238c1b2b6d2a58d6c2d9438ac16e07b5f60ba2cd77bf5

Download Submit
C:\Windows\{6B780372-8003-47f9-82BD-BE04B5C2C1F1}.exe

Filesize
204KB

MD5
1dd8ff38eafc9c6adaa508ff9c98ba13

SHA1
e3354cfa2aecabf2c42f5850b8b0ff22d867c4db

SHA256
a0b2d1f3eda5957f308471b6b380edefe4bc6f5d8d095c9e27c390ef0f6710ed

SHA512
cb34945af2f6f8fb42cde2b4ba6c50c07af5d00de901097c2d8c995e67108a7f0d65f4043e3bd52f50d426dc8be494ed2499dc355092a43506dbb2d6d7205bd9

Download Submit
C:\Windows\{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe

Filesize
204KB

MD5
25761ed5f4819ad95d7f92e207987a2d

SHA1
4de0d8f2981a8097fb072e9d9b2c6ac08e1dee13

SHA256
1f9475a6d6ef0abac1aa7816be0ad7d4c9f3c99e760aac22f796b11d7a6d5e3d

SHA512
97a84f2df39ea60cdc5fc61f92556bbe3ef813f2f141245e888d81387f9d64693bbf2349df637a9bdddac1d09f9c6dbda34930dcaf91a1097686d67bdf761ce5

Download Submit
C:\Windows\{96BD92E9-A062-4fdb-92D6-73F779D3207B}.exe

Filesize
204KB

MD5
25761ed5f4819ad95d7f92e207987a2d

SHA1
4de0d8f2981a8097fb072e9d9b2c6ac08e1dee13

SHA256
1f9475a6d6ef0abac1aa7816be0ad7d4c9f3c99e760aac22f796b11d7a6d5e3d

SHA512
97a84f2df39ea60cdc5fc61f92556bbe3ef813f2f141245e888d81387f9d64693bbf2349df637a9bdddac1d09f9c6dbda34930dcaf91a1097686d67bdf761ce5

Download Submit
C:\Windows\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe

Filesize
204KB

MD5
978adf58a97cb0bd7c855b168abcdef9

SHA1
8427e4b8d282df8eb2301e9388d6457c972de5d9

SHA256
0f9c1a9b86ad02c4864005505a718fd1edbe70c0348c1179827fd1da61dfc4be

SHA512
028fe488e40829299fcc7330fdb5de81a660cd83182a0f48fc0cb8c91bcdfa65731a2ed5ceafaa5d9fd47ce93f43ad7af6a80034f6f45b15269e72648bd751fd

Download Submit
C:\Windows\{A0B51F1B-C1EF-4c45-96F7-A4E082B30D75}.exe

Filesize
204KB

MD5
978adf58a97cb0bd7c855b168abcdef9

SHA1
8427e4b8d282df8eb2301e9388d6457c972de5d9

SHA256
0f9c1a9b86ad02c4864005505a718fd1edbe70c0348c1179827fd1da61dfc4be

SHA512
028fe488e40829299fcc7330fdb5de81a660cd83182a0f48fc0cb8c91bcdfa65731a2ed5ceafaa5d9fd47ce93f43ad7af6a80034f6f45b15269e72648bd751fd

Download Submit
C:\Windows\{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe

Filesize
204KB

MD5
19d45a45e632c77c955283428152db39

SHA1
2084f6b1a0aa747460f8e68c34e704008874ede1

SHA256
ae227e1f805f2d3fd84edf1facc61bd87385b23975ca90093f96a01128c44c82

SHA512
b1bd723be046fbc4422a4801b819b282323e74d1c71445163dd63cbe144c7184b6eeccd0f1796c4189f821e4810fefd53f842a273652826ebc60efd3ec4988a4

Download Submit
C:\Windows\{AA574069-9295-4cbd-9D5A-F4891A735CFD}.exe

Filesize
204KB

MD5
19d45a45e632c77c955283428152db39

SHA1
2084f6b1a0aa747460f8e68c34e704008874ede1

SHA256
ae227e1f805f2d3fd84edf1facc61bd87385b23975ca90093f96a01128c44c82

SHA512
b1bd723be046fbc4422a4801b819b282323e74d1c71445163dd63cbe144c7184b6eeccd0f1796c4189f821e4810fefd53f842a273652826ebc60efd3ec4988a4

Download Submit
C:\Windows\{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe

Filesize
204KB

MD5
54b2a5f1613914416e021600674c967a

SHA1
d0e241913e589544d96f2bad7d4af01117389515

SHA256
3ffe31440004afba08c727e771c4406e85417720e3a9ee2907d191c7db800b57

SHA512
023ab15a5dca367cd69064b212ca0f1f300c3f5d777ca3a6ab650cf0ac38adecf03e82534ef8d5d46afee9c589446e17ee5a62b50e37b0ca5bbb7c8bb8d71176

Download Submit
C:\Windows\{B994AAB4-35D2-4eee-871E-66E0218A9950}.exe

Filesize
204KB

MD5
54b2a5f1613914416e021600674c967a

SHA1
d0e241913e589544d96f2bad7d4af01117389515

SHA256
3ffe31440004afba08c727e771c4406e85417720e3a9ee2907d191c7db800b57

SHA512
023ab15a5dca367cd69064b212ca0f1f300c3f5d777ca3a6ab650cf0ac38adecf03e82534ef8d5d46afee9c589446e17ee5a62b50e37b0ca5bbb7c8bb8d71176

Download Submit
C:\Windows\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe

Filesize
204KB

MD5
0df77acdc1a5f20a54947ed8e2408178

SHA1
fc3773b43273b896a1ad6af732b2c65ef3cb0554

SHA256
8ef42741676f3c24cb029fbcf6331b121d6b272a592af42ec0731d89a3e3046c

SHA512
9263411894878a647a358500c0aa7aa4f70a7abf1d00fd780239ca92167a6c3c638c909017ae444160bf87d53c758518882d0a4f87fad5ebf61c3f222b2be921

Download Submit
C:\Windows\{CBEE07B8-2E83-4f5c-B2DC-C41817EAFE5E}.exe

Filesize
204KB

MD5
0df77acdc1a5f20a54947ed8e2408178

SHA1
fc3773b43273b896a1ad6af732b2c65ef3cb0554

SHA256
8ef42741676f3c24cb029fbcf6331b121d6b272a592af42ec0731d89a3e3046c

SHA512
9263411894878a647a358500c0aa7aa4f70a7abf1d00fd780239ca92167a6c3c638c909017ae444160bf87d53c758518882d0a4f87fad5ebf61c3f222b2be921

Download Submit
C:\Windows\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe

Filesize
204KB

MD5
c23748cf0700596330fe2c0d329bc18e

SHA1
d54cfacbd6bd792edd560064c074108f9fd92631

SHA256
1cd35ff9150fd9db929fd1f6861cb37ff7ecac528a245fd459d3e2d4d0c966ad

SHA512
469cbb710e60ed66f08f4758ca9277c231bd6eee6d05adb868d75788e064f7c7fa1ea497408c6c3e52edf505d125179f1368f28403b442a64ab9dd47f3f9240f

Download Submit
C:\Windows\{D874724E-48EA-4b81-A9FE-C4317EDDADEA}.exe

Filesize
204KB

MD5
c23748cf0700596330fe2c0d329bc18e

SHA1
d54cfacbd6bd792edd560064c074108f9fd92631

SHA256
1cd35ff9150fd9db929fd1f6861cb37ff7ecac528a245fd459d3e2d4d0c966ad

SHA512
469cbb710e60ed66f08f4758ca9277c231bd6eee6d05adb868d75788e064f7c7fa1ea497408c6c3e52edf505d125179f1368f28403b442a64ab9dd47f3f9240f

Download Submit
C:\Windows\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe

Filesize
204KB

MD5
f55d1b533ba6b13d11a768f0867663fc

SHA1
8c670a71d4bb251a4a24dd8301943beb3973d4e5

SHA256
80934b4be1900ca48d979709ec7345b7f6c5c0614f16b73ad742dbfe3eca6acb

SHA512
940d84632a69ca17128aee4bed5b4f4c6d3df19f3031d855734b570e644d23a619a59a544722e23de7add51a74a10feb0d8cf7997fc609340ab2dfa9c35d9fbf

Download Submit
C:\Windows\{EDD8FB7F-086E-4ff0-BC7A-BE8281AE4A83}.exe

Filesize
204KB

MD5
f55d1b533ba6b13d11a768f0867663fc

SHA1
8c670a71d4bb251a4a24dd8301943beb3973d4e5

SHA256
80934b4be1900ca48d979709ec7345b7f6c5c0614f16b73ad742dbfe3eca6acb

SHA512
940d84632a69ca17128aee4bed5b4f4c6d3df19f3031d855734b570e644d23a619a59a544722e23de7add51a74a10feb0d8cf7997fc609340ab2dfa9c35d9fbf

Download Submit
C:\Windows\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe

Filesize
204KB

MD5
d7effc91ade23c47eee4923712a04c6b

SHA1
01f190551571bbfcdb24cae08d7d3ef7d6cf8ae4

SHA256
c79e0274b44bfb097fc6abac14e8a7bd986fe9f5f9270f861432e9e94255ff18

SHA512
10d7052ad1d5ffb48a45c3a3511b95b322054bc39807497c1bb218054cb6b6d3c9614ba43c7697951647627e5466ccd26273a30bb088e7b7757621558e979fbb

Download Submit
C:\Windows\{F98ABDC2-8B81-43ab-8A92-F265E09CD315}.exe

Filesize
204KB

MD5
d7effc91ade23c47eee4923712a04c6b

SHA1
01f190551571bbfcdb24cae08d7d3ef7d6cf8ae4

SHA256
c79e0274b44bfb097fc6abac14e8a7bd986fe9f5f9270f861432e9e94255ff18

SHA512
10d7052ad1d5ffb48a45c3a3511b95b322054bc39807497c1bb218054cb6b6d3c9614ba43c7697951647627e5466ccd26273a30bb088e7b7757621558e979fbb

Download Submit