c76477a3571f6be87e41f16c37ec781cc1e00270bf483834f04a2247a896ed46

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 09:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9b58eaf6b1cddexeexeexeex.exe
Size

372KB
MD5

a9b58eaf6b1cddbf27afa795cb64f2c4
SHA1

b250c9381cc007a80cdb5d6450e756933c1241ca
SHA256

c76477a3571f6be87e41f16c37ec781cc1e00270bf483834f04a2247a896ed46
SHA512

49801d0a6d3f73fcfbc2edfc1b7080e044d81e7fc2b4ecaa057a738dfd9260f8047486b7811d88658a4eee1ce1dd0bbbf4fbe4b4e89a36f3634c5886ccec7a44
SSDEEP

3072:CEGh0o1mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGyl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78223301-0669-44c9-BEA7-7D14E94E76A6}	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78223301-0669-44c9-BEA7-7D14E94E76A6}\stubpath = "C:\\Windows\\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe"	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80483B42-8D94-454d-B5AA-E90315132F52}	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80483B42-8D94-454d-B5AA-E90315132F52}\stubpath = "C:\\Windows\\{80483B42-8D94-454d-B5AA-E90315132F52}.exe"	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}\stubpath = "C:\\Windows\\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe"	{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}	{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}\stubpath = "C:\\Windows\\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe"	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}\stubpath = "C:\\Windows\\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe"	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}\stubpath = "C:\\Windows\\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe"	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}\stubpath = "C:\\Windows\\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe"	{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831DC236-DD0C-419d-8496-F1A969830BBA}	a9b58eaf6b1cddexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}	{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01739756-EBA4-459e-89D5-06F19E304E4F}	{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5093C190-4FDD-42c9-9395-2675D303C29A}	{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831DC236-DD0C-419d-8496-F1A969830BBA}\stubpath = "C:\\Windows\\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe"	a9b58eaf6b1cddexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E37BC74B-8297-4d90-BF80-06B9055094BC}\stubpath = "C:\\Windows\\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe"	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}\stubpath = "C:\\Windows\\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe"	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01739756-EBA4-459e-89D5-06F19E304E4F}\stubpath = "C:\\Windows\\{01739756-EBA4-459e-89D5-06F19E304E4F}.exe"	{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}	{01739756-EBA4-459e-89D5-06F19E304E4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}\stubpath = "C:\\Windows\\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe"	{01739756-EBA4-459e-89D5-06F19E304E4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5093C190-4FDD-42c9-9395-2675D303C29A}\stubpath = "C:\\Windows\\{5093C190-4FDD-42c9-9395-2675D303C29A}.exe"	{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E37BC74B-8297-4d90-BF80-06B9055094BC}	{80483B42-8D94-454d-B5AA-E90315132F52}.exe

Deletes itself 1 IoCs

pid	Process
1260	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
3052	{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
2776	{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
2188	{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
2620	{01739756-EBA4-459e-89D5-06F19E304E4F}.exe
2900	{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe
1904	{5093C190-4FDD-42c9-9395-2675D303C29A}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	a9b58eaf6b1cddexeexeexeex.exe
File created	C:\Windows\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
File created	C:\Windows\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe	{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
File created	C:\Windows\{5093C190-4FDD-42c9-9395-2675D303C29A}.exe	{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe
File created	C:\Windows\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe	{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
File created	C:\Windows\{01739756-EBA4-459e-89D5-06F19E304E4F}.exe	{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
File created	C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
File created	C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
File created	C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
File created	C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
File created	C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
File created	C:\Windows\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
File created	C:\Windows\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe	{01739756-EBA4-459e-89D5-06F19E304E4F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	740	a9b58eaf6b1cddexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
Token: SeIncBasePriorityPrivilege	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
Token: SeIncBasePriorityPrivilege	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
Token: SeIncBasePriorityPrivilege	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe
Token: SeIncBasePriorityPrivilege	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
Token: SeIncBasePriorityPrivilege	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
Token: SeIncBasePriorityPrivilege	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
Token: SeIncBasePriorityPrivilege	3052	{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
Token: SeIncBasePriorityPrivilege	2776	{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
Token: SeIncBasePriorityPrivilege	2188	{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
Token: SeIncBasePriorityPrivilege	2620	{01739756-EBA4-459e-89D5-06F19E304E4F}.exe
Token: SeIncBasePriorityPrivilege	2900	{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2060	740	a9b58eaf6b1cddexeexeexeex.exe	29
PID 740 wrote to memory of 2060	740	a9b58eaf6b1cddexeexeexeex.exe	29
PID 740 wrote to memory of 2060	740	a9b58eaf6b1cddexeexeexeex.exe	29
PID 740 wrote to memory of 2060	740	a9b58eaf6b1cddexeexeexeex.exe	29
PID 740 wrote to memory of 1260	740	a9b58eaf6b1cddexeexeexeex.exe	30
PID 740 wrote to memory of 1260	740	a9b58eaf6b1cddexeexeexeex.exe	30
PID 740 wrote to memory of 1260	740	a9b58eaf6b1cddexeexeexeex.exe	30
PID 740 wrote to memory of 1260	740	a9b58eaf6b1cddexeexeexeex.exe	30
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 1224	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	31
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 2060 wrote to memory of 2208	2060	{831DC236-DD0C-419d-8496-F1A969830BBA}.exe	32
PID 1224 wrote to memory of 656	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 656	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 656	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 656	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	33
PID 1224 wrote to memory of 2120	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 1224 wrote to memory of 2120	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 1224 wrote to memory of 2120	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 1224 wrote to memory of 2120	1224	{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe	34
PID 656 wrote to memory of 1108	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 656 wrote to memory of 1108	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 656 wrote to memory of 1108	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 656 wrote to memory of 1108	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	35
PID 656 wrote to memory of 2576	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 656 wrote to memory of 2576	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 656 wrote to memory of 2576	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 656 wrote to memory of 2576	656	{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe	36
PID 1108 wrote to memory of 2972	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1108 wrote to memory of 2972	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1108 wrote to memory of 2972	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1108 wrote to memory of 2972	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	38
PID 1108 wrote to memory of 2392	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1108 wrote to memory of 2392	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1108 wrote to memory of 2392	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 1108 wrote to memory of 2392	1108	{80483B42-8D94-454d-B5AA-E90315132F52}.exe	37
PID 2972 wrote to memory of 1552	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2972 wrote to memory of 1552	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2972 wrote to memory of 1552	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2972 wrote to memory of 1552	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	40
PID 2972 wrote to memory of 2140	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2972 wrote to memory of 2140	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2972 wrote to memory of 2140	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 2972 wrote to memory of 2140	2972	{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe	39
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2212	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	42
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 1552 wrote to memory of 2980	1552	{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe	41
PID 2212 wrote to memory of 3052	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	44
PID 2212 wrote to memory of 3052	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	44
PID 2212 wrote to memory of 3052	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	44
PID 2212 wrote to memory of 3052	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	44
PID 2212 wrote to memory of 2096	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	43
PID 2212 wrote to memory of 2096	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	43
PID 2212 wrote to memory of 2096	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	43
PID 2212 wrote to memory of 2096	2212	{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe	43

C:\Users\Admin\AppData\Local\Temp\a9b58eaf6b1cddexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\a9b58eaf6b1cddexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
  C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
    C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
      C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe
        
        C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80483~1.EXE > nul
        6⤵
        
        PID:2392
      - C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
        
        C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E37BC~1.EXE > nul
        7⤵
        
        PID:2140
        
        C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
        
        C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42D5C~1.EXE > nul
        8⤵
        
        PID:2980
        
        C:\Windows\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
        
        C:\Windows\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C33C~1.EXE > nul
        9⤵
        
        PID:2096
        
        C:\Windows\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
        
        C:\Windows\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED5E9~1.EXE > nul
        10⤵
        
        PID:2632
        
        C:\Windows\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
        
        C:\Windows\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98085~1.EXE > nul
        11⤵
        
        PID:1428
        
        C:\Windows\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
        
        C:\Windows\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA404~1.EXE > nul
        12⤵
        
        PID:2604
        
        C:\Windows\{01739756-EBA4-459e-89D5-06F19E304E4F}.exe
        
        C:\Windows\{01739756-EBA4-459e-89D5-06F19E304E4F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01739~1.EXE > nul
        13⤵
        
        PID:2624
        
        C:\Windows\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe
        
        C:\Windows\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25A67~1.EXE > nul
        14⤵
        
        PID:2496
        
        C:\Windows\{5093C190-4FDD-42c9-9395-2675D303C29A}.exe
        
        C:\Windows\{5093C190-4FDD-42c9-9395-2675D303C29A}.exe
        14⤵
        Executes dropped EXE
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78223~1.EXE > nul
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE830~1.EXE > nul
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{831DC~1.EXE > nul
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A9B58E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01739756-EBA4-459e-89D5-06F19E304E4F}.exe

Filesize
372KB

MD5
2ac87da1af3ca9ffec8ff7526a2b5126

SHA1
6a619a94c4ba200e441eb9bcdbf0aba7a5add573

SHA256
d2d58adf9802494850f8f2e59c1bcf90f9fa8ba2d01298bf54a5b10f6a2b7b77

SHA512
136421d7a3b29d92e5655761a852594cae057b1bbcf82b606814af07169760a24415ebc23007f6db6b2183778af00477a4df4105e6ce4c4b9994679c80b7260e

Download Submit
C:\Windows\{01739756-EBA4-459e-89D5-06F19E304E4F}.exe

Filesize
372KB

MD5
2ac87da1af3ca9ffec8ff7526a2b5126

SHA1
6a619a94c4ba200e441eb9bcdbf0aba7a5add573

SHA256
d2d58adf9802494850f8f2e59c1bcf90f9fa8ba2d01298bf54a5b10f6a2b7b77

SHA512
136421d7a3b29d92e5655761a852594cae057b1bbcf82b606814af07169760a24415ebc23007f6db6b2183778af00477a4df4105e6ce4c4b9994679c80b7260e

Download Submit
C:\Windows\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe

Filesize
372KB

MD5
475640c63334f8c3c4e818229faececa

SHA1
7cc4c17fca361bda1c74be1397a321e245d3fa69

SHA256
f9cb5679608dc8695b5664ef0aea5d78ae0718d2c1092dd38dcd11efd4374cfd

SHA512
592fced5e599326f09c5dd419f3c9316823891485bb67b6678f0c99516cd7e19affcf4fb424c0c7b7847f1dd4dfddc8d474836214a445a1bafdaf61a39733419

Download Submit
C:\Windows\{25A6770C-A19F-4280-BF0B-35E2DD79D20E}.exe

Filesize
372KB

MD5
475640c63334f8c3c4e818229faececa

SHA1
7cc4c17fca361bda1c74be1397a321e245d3fa69

SHA256
f9cb5679608dc8695b5664ef0aea5d78ae0718d2c1092dd38dcd11efd4374cfd

SHA512
592fced5e599326f09c5dd419f3c9316823891485bb67b6678f0c99516cd7e19affcf4fb424c0c7b7847f1dd4dfddc8d474836214a445a1bafdaf61a39733419

Download Submit
C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe

Filesize
372KB

MD5
ea7d3c8d8d9900be430f2ecd7f884d86

SHA1
3fbb9d3748e65b2bb344061cdc0dfa3a5b7adaec

SHA256
249504fac3ad65214ba9c0cd3e692647335383883517833476dd2cd69de673ff

SHA512
21dcf03be38b5262e003c3df01c56f4d7070161470070ad90ee230934a746eda3dc34c07ed3b72a9088b9cb05f988e16ef7cfa94cc1dc9f92c6fe455a3d42582

Download Submit
C:\Windows\{42D5C899-23F6-4310-97C9-A8C8EE35CA63}.exe

Filesize
372KB

MD5
ea7d3c8d8d9900be430f2ecd7f884d86

SHA1
3fbb9d3748e65b2bb344061cdc0dfa3a5b7adaec

SHA256
249504fac3ad65214ba9c0cd3e692647335383883517833476dd2cd69de673ff

SHA512
21dcf03be38b5262e003c3df01c56f4d7070161470070ad90ee230934a746eda3dc34c07ed3b72a9088b9cb05f988e16ef7cfa94cc1dc9f92c6fe455a3d42582

Download Submit
C:\Windows\{5093C190-4FDD-42c9-9395-2675D303C29A}.exe

Filesize
372KB

MD5
19d1ab895a23d4792fcec62415e08e1c

SHA1
95f98518f8551ee86e89d77d22d22430630708fb

SHA256
b9a3d09bddb943169c212123b4a15f4238f101acb56353c00d918033eda1c229

SHA512
63cf758349b9606bb92e840cfcc05c557283c230fe64900ad32ed44235e2bb73bdf1b37b8c054f2d7cb2a101ceff73dc4c76286f13da45e28bf0522d0d00cd69

Download Submit
C:\Windows\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe

Filesize
372KB

MD5
b98eab052670e69da643d0b217f3f496

SHA1
c894e92c15449c935c300acaccad7d55299a7a7b

SHA256
36a0e9f0cdb00cf7799892c3ea5354b7de11eab6d3aefd33ec0d82f789e51854

SHA512
da69b9516319075230d8eb071456be424cc2f8298a20fc65966ffca592a71e3312f3fa3a0297e6139765c706615361d7a1de4e4e8d5fe05135698dc0c8dea1a2

Download Submit
C:\Windows\{5C33C5AA-1C8B-4fe5-9E16-7DEFD84055E3}.exe

Filesize
372KB

MD5
b98eab052670e69da643d0b217f3f496

SHA1
c894e92c15449c935c300acaccad7d55299a7a7b

SHA256
36a0e9f0cdb00cf7799892c3ea5354b7de11eab6d3aefd33ec0d82f789e51854

SHA512
da69b9516319075230d8eb071456be424cc2f8298a20fc65966ffca592a71e3312f3fa3a0297e6139765c706615361d7a1de4e4e8d5fe05135698dc0c8dea1a2

Download Submit
C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe

Filesize
372KB

MD5
d9946b04819c93f93ebba0f21deee905

SHA1
a51421d641f157e4dd08f8bc5d8c96bf26b1500e

SHA256
e6fc8b124eec90c3de9805d9b342569f2e98741919afe1114c2d82d0152efdb7

SHA512
554e413713661bbe4200df7bcaeb2f83431236eb5e85981ea142c2da061791d89f7c361a7abca6c927d8074324bca0fcdde8adee62678d92a0c44d3cf00c7cd9

Download Submit
C:\Windows\{78223301-0669-44c9-BEA7-7D14E94E76A6}.exe

Filesize
372KB

MD5
d9946b04819c93f93ebba0f21deee905

SHA1
a51421d641f157e4dd08f8bc5d8c96bf26b1500e

SHA256
e6fc8b124eec90c3de9805d9b342569f2e98741919afe1114c2d82d0152efdb7

SHA512
554e413713661bbe4200df7bcaeb2f83431236eb5e85981ea142c2da061791d89f7c361a7abca6c927d8074324bca0fcdde8adee62678d92a0c44d3cf00c7cd9

Download Submit
C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe

Filesize
372KB

MD5
eb67e765e0f033598151e6a073ece408

SHA1
bcc489a9a17cdb88e15efb4aaa9cde7202c8ec58

SHA256
9b9f5b12f5e6789729ce12c77513e40e15fb465b9c891623c95b307cda017a43

SHA512
797960aee3f46202818b41276c035053ef0827bd67b4f65193dbd81dea889f50b53a1ffa3a71034a0c92e906b3f539617df5d65c7a4109280f0460a7af65d4ba

Download Submit
C:\Windows\{80483B42-8D94-454d-B5AA-E90315132F52}.exe

Filesize
372KB

MD5
eb67e765e0f033598151e6a073ece408

SHA1
bcc489a9a17cdb88e15efb4aaa9cde7202c8ec58

SHA256
9b9f5b12f5e6789729ce12c77513e40e15fb465b9c891623c95b307cda017a43

SHA512
797960aee3f46202818b41276c035053ef0827bd67b4f65193dbd81dea889f50b53a1ffa3a71034a0c92e906b3f539617df5d65c7a4109280f0460a7af65d4ba

Download Submit
C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe

Filesize
372KB

MD5
97846cdeeadb3b84b8e25ac7fcff2cc0

SHA1
047d81eeab099f067aae0b66ef07e456a92f5138

SHA256
8420a71b6d05288c02965591da76a36754ca2a0c54aa8068bb65f5bf59adde96

SHA512
3e0a90bed2829ae7277a374dd0460cf9edf272f1ea1f25563d22dcfced08a0e07e0511ee503329cbe9495dc8842d6f892bfe77f4b889efa726a5d4b65b1ed710

Download Submit
C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe

Filesize
372KB

MD5
97846cdeeadb3b84b8e25ac7fcff2cc0

SHA1
047d81eeab099f067aae0b66ef07e456a92f5138

SHA256
8420a71b6d05288c02965591da76a36754ca2a0c54aa8068bb65f5bf59adde96

SHA512
3e0a90bed2829ae7277a374dd0460cf9edf272f1ea1f25563d22dcfced08a0e07e0511ee503329cbe9495dc8842d6f892bfe77f4b889efa726a5d4b65b1ed710

Download Submit
C:\Windows\{831DC236-DD0C-419d-8496-F1A969830BBA}.exe

Filesize
372KB

MD5
97846cdeeadb3b84b8e25ac7fcff2cc0

SHA1
047d81eeab099f067aae0b66ef07e456a92f5138

SHA256
8420a71b6d05288c02965591da76a36754ca2a0c54aa8068bb65f5bf59adde96

SHA512
3e0a90bed2829ae7277a374dd0460cf9edf272f1ea1f25563d22dcfced08a0e07e0511ee503329cbe9495dc8842d6f892bfe77f4b889efa726a5d4b65b1ed710

Download Submit
C:\Windows\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe

Filesize
372KB

MD5
c630dfc7fba897ba1dec29813fc67394

SHA1
b37d818c8aba8c2aa92d2d1d534e0f8cf2592a36

SHA256
e2ff20f347cc9651ff042f79523598c895a4ab3d5a08be6c009ad1d6211d821b

SHA512
8d183e434d75a224be706bd97a4d766330a1808e31673d47c4aaecfe5e8b24adb85de91cc6ab6aab47259d838889a98ad72ceb79a15841fbde771ebd79d17056

Download Submit
C:\Windows\{98085561-8BF9-4d3a-9291-57A0E4BDF3B3}.exe

Filesize
372KB

MD5
c630dfc7fba897ba1dec29813fc67394

SHA1
b37d818c8aba8c2aa92d2d1d534e0f8cf2592a36

SHA256
e2ff20f347cc9651ff042f79523598c895a4ab3d5a08be6c009ad1d6211d821b

SHA512
8d183e434d75a224be706bd97a4d766330a1808e31673d47c4aaecfe5e8b24adb85de91cc6ab6aab47259d838889a98ad72ceb79a15841fbde771ebd79d17056

Download Submit
C:\Windows\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe

Filesize
372KB

MD5
beb2bbdc1bfc713a2db5a98929085df9

SHA1
0bc27ad68062afda54ccd104c83214cad8a5e29b

SHA256
0bfb18ac1c9afc640414f14895130ea606ac1b2f4fd796196b2e789ecafb6b0a

SHA512
6fbc4b65630f6fe4deaa9cc6a946564d8799ae31dedb1faf86b1f5ca632599d63e4a65bb11f31d0c5d36809b43d3e75ae11b4553d901249b2a06977b67befe84

Download Submit
C:\Windows\{AA4041A4-853F-4712-B8F5-14A1A77BCFC9}.exe

Filesize
372KB

MD5
beb2bbdc1bfc713a2db5a98929085df9

SHA1
0bc27ad68062afda54ccd104c83214cad8a5e29b

SHA256
0bfb18ac1c9afc640414f14895130ea606ac1b2f4fd796196b2e789ecafb6b0a

SHA512
6fbc4b65630f6fe4deaa9cc6a946564d8799ae31dedb1faf86b1f5ca632599d63e4a65bb11f31d0c5d36809b43d3e75ae11b4553d901249b2a06977b67befe84

Download Submit
C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe

Filesize
372KB

MD5
95b2ee609f3f69588a4776b7e72fcdab

SHA1
fab674bc1e06a417eeaeea85c8a70971e65dc4c2

SHA256
ce23d136c53a1d1fbecae5d0fb51dd3b77348cf464fbcfbbc5f8285237292016

SHA512
7abb9764df8e206e37d52b69270a2da9b8c1fc5950e1a82cddcf1cf5d72aded1b988467d9acc5e025e548349fe90e39701aff5718b328f515d27ae6063f6a38e

Download Submit
C:\Windows\{E37BC74B-8297-4d90-BF80-06B9055094BC}.exe

Filesize
372KB

MD5
95b2ee609f3f69588a4776b7e72fcdab

SHA1
fab674bc1e06a417eeaeea85c8a70971e65dc4c2

SHA256
ce23d136c53a1d1fbecae5d0fb51dd3b77348cf464fbcfbbc5f8285237292016

SHA512
7abb9764df8e206e37d52b69270a2da9b8c1fc5950e1a82cddcf1cf5d72aded1b988467d9acc5e025e548349fe90e39701aff5718b328f515d27ae6063f6a38e

Download Submit
C:\Windows\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe

Filesize
372KB

MD5
7b110b853c2c4932ecb985df268cfc2c

SHA1
41a89021a759f0ba3b7f3d1faf356399bdf5e559

SHA256
b17b952644f17a4f5b3da05e418af3725c82a8f622375774204487fc326deeec

SHA512
212e81320b12690b7299f040476b508291d85bf05dce0503c85f454707a4a14204aee0473060970e49412aa7122ed845c9c47710945b5ffe8c77f0095a493428

Download Submit
C:\Windows\{ED5E9E8F-0012-4fa4-A11D-64F3F5106AC8}.exe

Filesize
372KB

MD5
7b110b853c2c4932ecb985df268cfc2c

SHA1
41a89021a759f0ba3b7f3d1faf356399bdf5e559

SHA256
b17b952644f17a4f5b3da05e418af3725c82a8f622375774204487fc326deeec

SHA512
212e81320b12690b7299f040476b508291d85bf05dce0503c85f454707a4a14204aee0473060970e49412aa7122ed845c9c47710945b5ffe8c77f0095a493428

Download Submit
C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe

Filesize
372KB

MD5
9802fe3577e5f636ad3dbb3982bd1742

SHA1
a7c43c12bc1a22b51798efe709995d032c7ba8ce

SHA256
9cc5a3b1c83605ab7f8e5ee0c9f4ea79beb54be9a857d008d636ab76029309c1

SHA512
707530971563088ba2fb7a51199d1bf90a541ab16dbb6e441e22ba5647166e28aa0e49df64edbb3509fbbc5d680ab67d83dc35583cbc29eeca6177374eeebc28

Download Submit
C:\Windows\{EE830708-55CF-443d-ACDC-6F00C4C4D27D}.exe

Filesize
372KB

MD5
9802fe3577e5f636ad3dbb3982bd1742

SHA1
a7c43c12bc1a22b51798efe709995d032c7ba8ce

SHA256
9cc5a3b1c83605ab7f8e5ee0c9f4ea79beb54be9a857d008d636ab76029309c1

SHA512
707530971563088ba2fb7a51199d1bf90a541ab16dbb6e441e22ba5647166e28aa0e49df64edbb3509fbbc5d680ab67d83dc35583cbc29eeca6177374eeebc28

Download Submit