88e91fbe52ddf17199c5d96773552b73711e597189dcbbf584811fc0cfb8e74c

Analysis

max time kernel
148s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

769a755cf3a6f6exeexeexeex.exe
Size

372KB
MD5

769a755cf3a6f689dfed65ab42820f95
SHA1

a92546b9829091c40ea7bc014446f5ec9459ca70
SHA256

88e91fbe52ddf17199c5d96773552b73711e597189dcbbf584811fc0cfb8e74c
SHA512

90b883fc3d4f88714e853a24e65a63256da5cee4fab2721642f05dfa85bd55d0f5fd5f124ba39f342bcc6f00d336c5c5ec4d2fb53a82cf0715dbcc6df6655a18
SSDEEP

3072:CEGh0o/mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG4l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}\stubpath = "C:\\Windows\\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe"	{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77C1A218-8AFE-4ab9-9319-1C238F29535D}\stubpath = "C:\\Windows\\{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe"	{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C09DE92D-A991-47c1-980D-209F48AFE82F}\stubpath = "C:\\Windows\\{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe"	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}\stubpath = "C:\\Windows\\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe"	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}	{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}\stubpath = "C:\\Windows\\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe"	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}	{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}	{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}\stubpath = "C:\\Windows\\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe"	769a755cf3a6f6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87967FA9-AB10-4489-B485-0B63E0C2AE31}	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}\stubpath = "C:\\Windows\\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe"	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}\stubpath = "C:\\Windows\\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}.exe"	{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}\stubpath = "C:\\Windows\\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe"	{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14FF8744-3AA7-4208-9448-9C4450969AD4}\stubpath = "C:\\Windows\\{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe"	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C09DE92D-A991-47c1-980D-209F48AFE82F}	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}\stubpath = "C:\\Windows\\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe"	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77C1A218-8AFE-4ab9-9319-1C238F29535D}	{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}	769a755cf3a6f6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87967FA9-AB10-4489-B485-0B63E0C2AE31}\stubpath = "C:\\Windows\\{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe"	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14FF8744-3AA7-4208-9448-9C4450969AD4}	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}\stubpath = "C:\\Windows\\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe"	{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}	{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
1060	{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
2596	{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
2760	{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
2404	{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
2524	{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe
2660	{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
File created	C:\Windows\{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
File created	C:\Windows\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe	{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
File created	C:\Windows\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
File created	C:\Windows\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe	{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
File created	C:\Windows\{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe	{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
File created	C:\Windows\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	769a755cf3a6f6exeexeexeex.exe
File created	C:\Windows\{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
File created	C:\Windows\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
File created	C:\Windows\{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
File created	C:\Windows\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
File created	C:\Windows\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe	{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
File created	C:\Windows\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}.exe	{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	769a755cf3a6f6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
Token: SeIncBasePriorityPrivilege	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
Token: SeIncBasePriorityPrivilege	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
Token: SeIncBasePriorityPrivilege	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
Token: SeIncBasePriorityPrivilege	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
Token: SeIncBasePriorityPrivilege	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
Token: SeIncBasePriorityPrivilege	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
Token: SeIncBasePriorityPrivilege	1060	{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
Token: SeIncBasePriorityPrivilege	2596	{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
Token: SeIncBasePriorityPrivilege	2760	{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
Token: SeIncBasePriorityPrivilege	2404	{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
Token: SeIncBasePriorityPrivilege	2524	{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2192	1684	769a755cf3a6f6exeexeexeex.exe	28
PID 1684 wrote to memory of 2192	1684	769a755cf3a6f6exeexeexeex.exe	28
PID 1684 wrote to memory of 2192	1684	769a755cf3a6f6exeexeexeex.exe	28
PID 1684 wrote to memory of 2192	1684	769a755cf3a6f6exeexeexeex.exe	28
PID 1684 wrote to memory of 2320	1684	769a755cf3a6f6exeexeexeex.exe	29
PID 1684 wrote to memory of 2320	1684	769a755cf3a6f6exeexeexeex.exe	29
PID 1684 wrote to memory of 2320	1684	769a755cf3a6f6exeexeexeex.exe	29
PID 1684 wrote to memory of 2320	1684	769a755cf3a6f6exeexeexeex.exe	29
PID 2192 wrote to memory of 2060	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	31
PID 2192 wrote to memory of 2060	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	31
PID 2192 wrote to memory of 2060	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	31
PID 2192 wrote to memory of 2060	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	31
PID 2192 wrote to memory of 2956	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	30
PID 2192 wrote to memory of 2956	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	30
PID 2192 wrote to memory of 2956	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	30
PID 2192 wrote to memory of 2956	2192	{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe	30
PID 2060 wrote to memory of 3004	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	33
PID 2060 wrote to memory of 3004	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	33
PID 2060 wrote to memory of 3004	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	33
PID 2060 wrote to memory of 3004	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	33
PID 2060 wrote to memory of 1132	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	32
PID 2060 wrote to memory of 1132	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	32
PID 2060 wrote to memory of 1132	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	32
PID 2060 wrote to memory of 1132	2060	{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe	32
PID 3004 wrote to memory of 1688	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	35
PID 3004 wrote to memory of 1688	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	35
PID 3004 wrote to memory of 1688	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	35
PID 3004 wrote to memory of 1688	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	35
PID 3004 wrote to memory of 1472	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	34
PID 3004 wrote to memory of 1472	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	34
PID 3004 wrote to memory of 1472	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	34
PID 3004 wrote to memory of 1472	3004	{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe	34
PID 1688 wrote to memory of 2208	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	37
PID 1688 wrote to memory of 2208	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	37
PID 1688 wrote to memory of 2208	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	37
PID 1688 wrote to memory of 2208	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	37
PID 1688 wrote to memory of 2244	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	36
PID 1688 wrote to memory of 2244	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	36
PID 1688 wrote to memory of 2244	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	36
PID 1688 wrote to memory of 2244	1688	{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe	36
PID 2208 wrote to memory of 2436	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	39
PID 2208 wrote to memory of 2436	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	39
PID 2208 wrote to memory of 2436	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	39
PID 2208 wrote to memory of 2436	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	39
PID 2208 wrote to memory of 1008	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	38
PID 2208 wrote to memory of 1008	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	38
PID 2208 wrote to memory of 1008	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	38
PID 2208 wrote to memory of 1008	2208	{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe	38
PID 2436 wrote to memory of 1116	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	41
PID 2436 wrote to memory of 1116	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	41
PID 2436 wrote to memory of 1116	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	41
PID 2436 wrote to memory of 1116	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	41
PID 2436 wrote to memory of 388	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	40
PID 2436 wrote to memory of 388	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	40
PID 2436 wrote to memory of 388	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	40
PID 2436 wrote to memory of 388	2436	{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe	40
PID 1116 wrote to memory of 1060	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	43
PID 1116 wrote to memory of 1060	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	43
PID 1116 wrote to memory of 1060	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	43
PID 1116 wrote to memory of 1060	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	43
PID 1116 wrote to memory of 2324	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	42
PID 1116 wrote to memory of 2324	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	42
PID 1116 wrote to memory of 2324	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	42
PID 1116 wrote to memory of 2324	1116	{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe	42

C:\Users\Admin\AppData\Local\Temp\769a755cf3a6f6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\769a755cf3a6f6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
  C:\Windows\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{408E5~1.EXE > nul
    3⤵
    PID:2956
- - C:\Windows\{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
    C:\Windows\{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{87967~1.EXE > nul
      4⤵
      PID:1132
  - - C:\Windows\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
      C:\Windows\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D8D~1.EXE > nul
        5⤵
        
        PID:1472
    - - C:\Windows\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
        
        C:\Windows\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF8A~1.EXE > nul
        6⤵
        
        PID:2244
      - C:\Windows\{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
        
        C:\Windows\{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14FF8~1.EXE > nul
        7⤵
        
        PID:1008
        
        C:\Windows\{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
        
        C:\Windows\{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C09DE~1.EXE > nul
        8⤵
        
        PID:388
        
        C:\Windows\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
        
        C:\Windows\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3729~1.EXE > nul
        9⤵
        
        PID:2324
        
        C:\Windows\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
        
        C:\Windows\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73A0B~1.EXE > nul
        10⤵
        
        PID:2640
        
        C:\Windows\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
        
        C:\Windows\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
        
        C:\Windows\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7469F~1.EXE > nul
        12⤵
        
        PID:2608
        
        C:\Windows\{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
        
        C:\Windows\{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77C1A~1.EXE > nul
        13⤵
        
        PID:2704
        
        C:\Windows\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe
        
        C:\Windows\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B679C~1.EXE > nul
        14⤵
        
        PID:2808
        
        C:\Windows\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}.exe
        
        C:\Windows\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}.exe
        14⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC853~1.EXE > nul
        11⤵
        
        PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\769A75~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe

Filesize
372KB

MD5
baebeff285d93880d495e7382851aef1

SHA1
ff58c802f7ae2188477d6bd079a5c7a515ba15c2

SHA256
4b5aad6c449b696fe75f9494462d8acd5ed202abb82efa7d84c8f58ef4329a8f

SHA512
b35d24dd2cf7cd30c6316893f71d3c32df58d7006a3a84665fc022f6cccc6c4d8d1b00a8d6979b486e807607ccab2752bd32ebb2865591fca06691ebf2f7eed3

Download Submit
C:\Windows\{14FF8744-3AA7-4208-9448-9C4450969AD4}.exe

Filesize
372KB

MD5
baebeff285d93880d495e7382851aef1

SHA1
ff58c802f7ae2188477d6bd079a5c7a515ba15c2

SHA256
4b5aad6c449b696fe75f9494462d8acd5ed202abb82efa7d84c8f58ef4329a8f

SHA512
b35d24dd2cf7cd30c6316893f71d3c32df58d7006a3a84665fc022f6cccc6c4d8d1b00a8d6979b486e807607ccab2752bd32ebb2865591fca06691ebf2f7eed3

Download Submit
C:\Windows\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe

Filesize
372KB

MD5
a487dc9a39fd664f73c7d1d1d0dc2a97

SHA1
88d13534143ca220848c65fd2f3dd3020ff23437

SHA256
8f5b48595f6a31efdb319c3f32be90b7bcae59e02f88c701a8a7e864976fcff6

SHA512
57358e0b62dbfef6386465e14795d8f9da71df968f5311e5b3fab1219195c3c40bb04c6d541c6d9cc40b970f44dbaffa1f9f473963d07e6f6b0ae38b469682e4

Download Submit
C:\Windows\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe

Filesize
372KB

MD5
a487dc9a39fd664f73c7d1d1d0dc2a97

SHA1
88d13534143ca220848c65fd2f3dd3020ff23437

SHA256
8f5b48595f6a31efdb319c3f32be90b7bcae59e02f88c701a8a7e864976fcff6

SHA512
57358e0b62dbfef6386465e14795d8f9da71df968f5311e5b3fab1219195c3c40bb04c6d541c6d9cc40b970f44dbaffa1f9f473963d07e6f6b0ae38b469682e4

Download Submit
C:\Windows\{408E5B9A-71B5-4e7b-9486-FF7C0B6DA30A}.exe

Filesize
372KB

MD5
a487dc9a39fd664f73c7d1d1d0dc2a97

SHA1
88d13534143ca220848c65fd2f3dd3020ff23437

SHA256
8f5b48595f6a31efdb319c3f32be90b7bcae59e02f88c701a8a7e864976fcff6

SHA512
57358e0b62dbfef6386465e14795d8f9da71df968f5311e5b3fab1219195c3c40bb04c6d541c6d9cc40b970f44dbaffa1f9f473963d07e6f6b0ae38b469682e4

Download Submit
C:\Windows\{61AB99DA-14AA-4ab0-9A9C-F468B5B92ADC}.exe

Filesize
372KB

MD5
5240530085df7db4a2f44af8fb1068d6

SHA1
2ffacc97fa0a811782e758417c438d0f6bf4b627

SHA256
d2e170fbd8046c34d8951c60a2eeac4593150e78699b9e09f1a0f1096e680408

SHA512
7c09292faff6fb4412aee30c6a8f289125ed1ccc72d1b3f46fdfa1a23e159b9f7d33e2de935c971d5b6ca76da0bec47c8216f62e7aca65425d1fc6512d6704f2

Download Submit
C:\Windows\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe

Filesize
372KB

MD5
329a535f60d55e4de12bdea8913fcd48

SHA1
1de5bfb1b79c96f38ea01165a3879869cfbafdb0

SHA256
41197a51fbfdb8f2e22ea9dc2ff68df896e0138c767969cc00268ad6948be8c1

SHA512
1acd16ed49a3fab363813064756b0090b38fc275c9f46182bfc315edb2ee80ecca2d30c146d450b6734f3c8822079ed6a0b69a56ab312f1d94bdd748ac0c9bb0

Download Submit
C:\Windows\{73A0B155-D0A7-4ef8-B813-23F2F2258F2E}.exe

Filesize
372KB

MD5
329a535f60d55e4de12bdea8913fcd48

SHA1
1de5bfb1b79c96f38ea01165a3879869cfbafdb0

SHA256
41197a51fbfdb8f2e22ea9dc2ff68df896e0138c767969cc00268ad6948be8c1

SHA512
1acd16ed49a3fab363813064756b0090b38fc275c9f46182bfc315edb2ee80ecca2d30c146d450b6734f3c8822079ed6a0b69a56ab312f1d94bdd748ac0c9bb0

Download Submit
C:\Windows\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe

Filesize
372KB

MD5
dd7eddb9e4417b7e7cb113e32bf87f56

SHA1
170667831b8a04165265e29c43fc21f4f8a0f9c0

SHA256
dee794b768de0080b132954800c491a60a8b692b5183366bf8bd6b60dbb997ac

SHA512
4b2928c2c2421be800c666f0b06cba86b0b064054ee43c2a773c5ac5f5e1ccdd57f4e89c9478245dc755703f189716d667089bb96827d8ca90f424fbcb7ed9d9

Download Submit
C:\Windows\{7469F0FC-1788-4cb4-ABBD-6EB6DC9992CE}.exe

Filesize
372KB

MD5
dd7eddb9e4417b7e7cb113e32bf87f56

SHA1
170667831b8a04165265e29c43fc21f4f8a0f9c0

SHA256
dee794b768de0080b132954800c491a60a8b692b5183366bf8bd6b60dbb997ac

SHA512
4b2928c2c2421be800c666f0b06cba86b0b064054ee43c2a773c5ac5f5e1ccdd57f4e89c9478245dc755703f189716d667089bb96827d8ca90f424fbcb7ed9d9

Download Submit
C:\Windows\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe

Filesize
372KB

MD5
ab3efd63be99de9f31f9aa4698d52c89

SHA1
3a26c0a32a420efc032caa4cbad6dd09b909b36f

SHA256
3bf651f4332352400de7b0358d9a8c8738da10fdd338da59c7355b484b84f5ad

SHA512
83667bfb886bd21dd1ee15bffb960f74a7cab83c372e2643716602aa1db9ccff04c8a44908355aa0140dd7951b0b9fbb5f78b9d9915323ca99ca6d5c7646f9aa

Download Submit
C:\Windows\{76D8DB28-1246-4a9a-B877-FD142D3F23A5}.exe

Filesize
372KB

MD5
ab3efd63be99de9f31f9aa4698d52c89

SHA1
3a26c0a32a420efc032caa4cbad6dd09b909b36f

SHA256
3bf651f4332352400de7b0358d9a8c8738da10fdd338da59c7355b484b84f5ad

SHA512
83667bfb886bd21dd1ee15bffb960f74a7cab83c372e2643716602aa1db9ccff04c8a44908355aa0140dd7951b0b9fbb5f78b9d9915323ca99ca6d5c7646f9aa

Download Submit
C:\Windows\{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe

Filesize
372KB

MD5
7b0f3b80db182882b29c084e0ae6f865

SHA1
e3ea8e44825cd86e80835552533ae43ed76e153f

SHA256
cb50987e69a20d418f046a04a39785dad4d1ef9beaf280f78f8c2d0b99bd1030

SHA512
9c97f44742923c0f3e87bc99f2ca7b241e73d7da9fde3aa9034a64688da9a89380e1ed1da116f14b0f63f62196f5ee3d24df28515be0fae209b57a52477b41e8

Download Submit
C:\Windows\{77C1A218-8AFE-4ab9-9319-1C238F29535D}.exe

Filesize
372KB

MD5
7b0f3b80db182882b29c084e0ae6f865

SHA1
e3ea8e44825cd86e80835552533ae43ed76e153f

SHA256
cb50987e69a20d418f046a04a39785dad4d1ef9beaf280f78f8c2d0b99bd1030

SHA512
9c97f44742923c0f3e87bc99f2ca7b241e73d7da9fde3aa9034a64688da9a89380e1ed1da116f14b0f63f62196f5ee3d24df28515be0fae209b57a52477b41e8

Download Submit
C:\Windows\{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe

Filesize
372KB

MD5
64b1f475dea20898e1442263e213b5a1

SHA1
5b1a340fc6a3783b76d91288d34c6994172bf727

SHA256
710f6d9122b854397b4e41db1105113ae7d7f3d5574f883310e524139018baba

SHA512
5e6535c1a469c64ce6a12ccf0b681ec24e3d32e2395b737c3ac0da6e2f51aa6ac8831995dccdeac12acb6554dd0231aff05c2ee159fab2360a4583f2fd73b2a2

Download Submit
C:\Windows\{87967FA9-AB10-4489-B485-0B63E0C2AE31}.exe

Filesize
372KB

MD5
64b1f475dea20898e1442263e213b5a1

SHA1
5b1a340fc6a3783b76d91288d34c6994172bf727

SHA256
710f6d9122b854397b4e41db1105113ae7d7f3d5574f883310e524139018baba

SHA512
5e6535c1a469c64ce6a12ccf0b681ec24e3d32e2395b737c3ac0da6e2f51aa6ac8831995dccdeac12acb6554dd0231aff05c2ee159fab2360a4583f2fd73b2a2

Download Submit
C:\Windows\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe

Filesize
372KB

MD5
6731697517f2d074d605766732ff3f46

SHA1
a4f68ce2cf15c5cc3927b2eb341932aeba268276

SHA256
da1cc8d25fb313ae5fe1414aac019da47cae647d70a432b43a70cc87b3b96e26

SHA512
b97448a7d2303e9637623a515acc24430f7e4b0b8e07042a0262e078b720d8d709640525acbc7f3c89b95347ae78776b032649866d46e045029fdeb497c27936

Download Submit
C:\Windows\{B679C2C7-54CB-40d3-AE15-C68E5CF4A24B}.exe

Filesize
372KB

MD5
6731697517f2d074d605766732ff3f46

SHA1
a4f68ce2cf15c5cc3927b2eb341932aeba268276

SHA256
da1cc8d25fb313ae5fe1414aac019da47cae647d70a432b43a70cc87b3b96e26

SHA512
b97448a7d2303e9637623a515acc24430f7e4b0b8e07042a0262e078b720d8d709640525acbc7f3c89b95347ae78776b032649866d46e045029fdeb497c27936

Download Submit
C:\Windows\{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe

Filesize
372KB

MD5
9525fab87126f96cce742a9636dad17b

SHA1
51f6c7ee62186db17474f00c3d4665cc33e4fb52

SHA256
436da4bd4f0bdb6a8422212c2368e2ca2122f2f10be18afd2dea405272b0b727

SHA512
4a36dbd5e5d9ac100d8e652262c9ab8d5705a8016dc454462e038e2030bdc9226942570abd280195f11c658bdae94b41cecb326a96b89288ece4f49777cfd0bf

Download Submit
C:\Windows\{C09DE92D-A991-47c1-980D-209F48AFE82F}.exe

Filesize
372KB

MD5
9525fab87126f96cce742a9636dad17b

SHA1
51f6c7ee62186db17474f00c3d4665cc33e4fb52

SHA256
436da4bd4f0bdb6a8422212c2368e2ca2122f2f10be18afd2dea405272b0b727

SHA512
4a36dbd5e5d9ac100d8e652262c9ab8d5705a8016dc454462e038e2030bdc9226942570abd280195f11c658bdae94b41cecb326a96b89288ece4f49777cfd0bf

Download Submit
C:\Windows\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe

Filesize
372KB

MD5
9ba20fe89a49559d103d201aed39522d

SHA1
d920db12be8373dbc65f94f65cc4c75516e01bbe

SHA256
0f520f30a02a943413d477be95f4df6d68cc020d28d3e861fff6ecac90172fea

SHA512
fad0f08f5ff2f0c6278403f52f5ff498583d82c2c02df227823219e3cf43f5147b4c7daf8147bb8626d25bb36a4df6137174baff8996fbab873ee5c504367694

Download Submit
C:\Windows\{C3729C4C-B300-4ec4-B0D5-77586C4A901B}.exe

Filesize
372KB

MD5
9ba20fe89a49559d103d201aed39522d

SHA1
d920db12be8373dbc65f94f65cc4c75516e01bbe

SHA256
0f520f30a02a943413d477be95f4df6d68cc020d28d3e861fff6ecac90172fea

SHA512
fad0f08f5ff2f0c6278403f52f5ff498583d82c2c02df227823219e3cf43f5147b4c7daf8147bb8626d25bb36a4df6137174baff8996fbab873ee5c504367694

Download Submit
C:\Windows\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe

Filesize
372KB

MD5
5218fc039bcdce71184658ff664733f9

SHA1
45863c52f9fe01ea72715ae9a0ad56bcdbeb4b65

SHA256
7bd9ee7d06bbacf710d70054ecc63f87826ad11d57c07ea6c8958174884e77df

SHA512
f4fae8b2ef2ea6909c0226c3a7c7adb836435d2b6be901d3954e3c5f2c8b049ecbe7758cfa6e4adee423258ebaeb7fca18b42ff9a5388554ace34246fd653c17

Download Submit
C:\Windows\{EC85320F-B3C8-456f-97E3-F3C30D587CCB}.exe

Filesize
372KB

MD5
5218fc039bcdce71184658ff664733f9

SHA1
45863c52f9fe01ea72715ae9a0ad56bcdbeb4b65

SHA256
7bd9ee7d06bbacf710d70054ecc63f87826ad11d57c07ea6c8958174884e77df

SHA512
f4fae8b2ef2ea6909c0226c3a7c7adb836435d2b6be901d3954e3c5f2c8b049ecbe7758cfa6e4adee423258ebaeb7fca18b42ff9a5388554ace34246fd653c17

Download Submit
C:\Windows\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe

Filesize
372KB

MD5
c2c10da2802df6eb82e938a549f380cd

SHA1
98fefd1e4aa71171f1f17cf8046f64c05e35c7ac

SHA256
4017e27b06c1278dc7b9dac85897e7a962355d3d61ffdf1ff25308885c2c1386

SHA512
9c860137826612d1545d0e3ebd7c5d61372d479b15bd5b47087271057bd8de36766e2c2a673599ac8b08b5b366204782376d322a77f41519c4c5e00255d8af47

Download Submit
C:\Windows\{EEF8A4A5-2F15-41a0-9411-8C0B5DDBCCD0}.exe

Filesize
372KB

MD5
c2c10da2802df6eb82e938a549f380cd

SHA1
98fefd1e4aa71171f1f17cf8046f64c05e35c7ac

SHA256
4017e27b06c1278dc7b9dac85897e7a962355d3d61ffdf1ff25308885c2c1386

SHA512
9c860137826612d1545d0e3ebd7c5d61372d479b15bd5b47087271057bd8de36766e2c2a673599ac8b08b5b366204782376d322a77f41519c4c5e00255d8af47

Download Submit