7ea5a92a61332c67e8d1538625279338c2b24329c8641c3fc32e7a288aa40ac6

Analysis

max time kernel
147s
max time network
75s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09-07-2023 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f24891f0c9dfexeexeexeex.exe
Size

168KB
MD5

b5f24891f0c9df028da67d28d6667813
SHA1

d95776c01550cb26261d0d66ef49bcb18e676e3a
SHA256

7ea5a92a61332c67e8d1538625279338c2b24329c8641c3fc32e7a288aa40ac6
SHA512

76c0e6f9cdeb54bd8a2d0ee269d0d71713f96c1552b6570035333aa1dc2c7850c895c05b44a8b4ae16eb46202cd2d7155d617cffd7501c7063ddba3d3eb20f74
SSDEEP

1536:1EGh0o4lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o4lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C481A91-24D0-43de-B74B-ED6D47C11D81}	{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}	{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CE98070-E25E-4937-9DB1-82D6BA33271C}	b5f24891f0c9dfexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8CE84A-D084-426e-9825-B23FDF6C0775}	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}\stubpath = "C:\\Windows\\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe"	{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF4BF094-A66C-4a15-AA67-55F52B397336}\stubpath = "C:\\Windows\\{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe"	{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{439FD58D-7371-43e8-9391-D5FE63336AD2}	{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}\stubpath = "C:\\Windows\\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}.exe"	{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}\stubpath = "C:\\Windows\\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe"	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4201052-57C3-4264-8559-79BB8AF05A1C}\stubpath = "C:\\Windows\\{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe"	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C013DE15-6794-4f08-A5DE-3A533053535A}\stubpath = "C:\\Windows\\{C013DE15-6794-4f08-A5DE-3A533053535A}.exe"	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C013DE15-6794-4f08-A5DE-3A533053535A}	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF4BF094-A66C-4a15-AA67-55F52B397336}	{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{439FD58D-7371-43e8-9391-D5FE63336AD2}\stubpath = "C:\\Windows\\{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe"	{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4201052-57C3-4264-8559-79BB8AF05A1C}	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B73FB6-EE74-4665-8585-D676436D9ED1}\stubpath = "C:\\Windows\\{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe"	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}\stubpath = "C:\\Windows\\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe"	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB8CE84A-D084-426e-9825-B23FDF6C0775}\stubpath = "C:\\Windows\\{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe"	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}\stubpath = "C:\\Windows\\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe"	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}	{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C481A91-24D0-43de-B74B-ED6D47C11D81}\stubpath = "C:\\Windows\\{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe"	{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CE98070-E25E-4937-9DB1-82D6BA33271C}\stubpath = "C:\\Windows\\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe"	b5f24891f0c9dfexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B73FB6-EE74-4665-8585-D676436D9ED1}	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe
2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe
2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
1408	{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
2728	{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
2644	{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
2608	{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
2800	{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe
2440	{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe	{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
File created	C:\Windows\{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe	{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
File created	C:\Windows\{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
File created	C:\Windows\{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
File created	C:\Windows\{C013DE15-6794-4f08-A5DE-3A533053535A}.exe	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
File created	C:\Windows\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe	{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
File created	C:\Windows\{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe	{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
File created	C:\Windows\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}.exe	{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe
File created	C:\Windows\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	b5f24891f0c9dfexeexeexeex.exe
File created	C:\Windows\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
File created	C:\Windows\{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
File created	C:\Windows\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe
File created	C:\Windows\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2160	b5f24891f0c9dfexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
Token: SeIncBasePriorityPrivilege	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
Token: SeIncBasePriorityPrivilege	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
Token: SeIncBasePriorityPrivilege	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe
Token: SeIncBasePriorityPrivilege	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe
Token: SeIncBasePriorityPrivilege	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
Token: SeIncBasePriorityPrivilege	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
Token: SeIncBasePriorityPrivilege	1408	{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
Token: SeIncBasePriorityPrivilege	2728	{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
Token: SeIncBasePriorityPrivilege	2644	{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
Token: SeIncBasePriorityPrivilege	2608	{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
Token: SeIncBasePriorityPrivilege	2800	{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3004	2160	b5f24891f0c9dfexeexeexeex.exe	28
PID 2160 wrote to memory of 3004	2160	b5f24891f0c9dfexeexeexeex.exe	28
PID 2160 wrote to memory of 3004	2160	b5f24891f0c9dfexeexeexeex.exe	28
PID 2160 wrote to memory of 3004	2160	b5f24891f0c9dfexeexeexeex.exe	28
PID 2160 wrote to memory of 2204	2160	b5f24891f0c9dfexeexeexeex.exe	29
PID 2160 wrote to memory of 2204	2160	b5f24891f0c9dfexeexeexeex.exe	29
PID 2160 wrote to memory of 2204	2160	b5f24891f0c9dfexeexeexeex.exe	29
PID 2160 wrote to memory of 2204	2160	b5f24891f0c9dfexeexeexeex.exe	29
PID 3004 wrote to memory of 2168	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	30
PID 3004 wrote to memory of 2168	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	30
PID 3004 wrote to memory of 2168	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	30
PID 3004 wrote to memory of 2168	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	30
PID 3004 wrote to memory of 2404	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	31
PID 3004 wrote to memory of 2404	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	31
PID 3004 wrote to memory of 2404	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	31
PID 3004 wrote to memory of 2404	3004	{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe	31
PID 2168 wrote to memory of 1376	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	32
PID 2168 wrote to memory of 1376	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	32
PID 2168 wrote to memory of 1376	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	32
PID 2168 wrote to memory of 1376	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	32
PID 2168 wrote to memory of 1400	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	33
PID 2168 wrote to memory of 1400	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	33
PID 2168 wrote to memory of 1400	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	33
PID 2168 wrote to memory of 1400	2168	{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe	33
PID 1376 wrote to memory of 564	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	34
PID 1376 wrote to memory of 564	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	34
PID 1376 wrote to memory of 564	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	34
PID 1376 wrote to memory of 564	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	34
PID 1376 wrote to memory of 2084	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	35
PID 1376 wrote to memory of 2084	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	35
PID 1376 wrote to memory of 2084	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	35
PID 1376 wrote to memory of 2084	1376	{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe	35
PID 564 wrote to memory of 2928	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	36
PID 564 wrote to memory of 2928	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	36
PID 564 wrote to memory of 2928	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	36
PID 564 wrote to memory of 2928	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	36
PID 564 wrote to memory of 2244	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	37
PID 564 wrote to memory of 2244	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	37
PID 564 wrote to memory of 2244	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	37
PID 564 wrote to memory of 2244	564	{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe	37
PID 2928 wrote to memory of 2992	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	38
PID 2928 wrote to memory of 2992	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	38
PID 2928 wrote to memory of 2992	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	38
PID 2928 wrote to memory of 2992	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	38
PID 2928 wrote to memory of 2532	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	39
PID 2928 wrote to memory of 2532	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	39
PID 2928 wrote to memory of 2532	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	39
PID 2928 wrote to memory of 2532	2928	{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe	39
PID 2992 wrote to memory of 1308	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	40
PID 2992 wrote to memory of 1308	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	40
PID 2992 wrote to memory of 1308	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	40
PID 2992 wrote to memory of 1308	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	40
PID 2992 wrote to memory of 2188	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	41
PID 2992 wrote to memory of 2188	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	41
PID 2992 wrote to memory of 2188	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	41
PID 2992 wrote to memory of 2188	2992	{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe	41
PID 1308 wrote to memory of 1408	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	42
PID 1308 wrote to memory of 1408	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	42
PID 1308 wrote to memory of 1408	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	42
PID 1308 wrote to memory of 1408	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	42
PID 1308 wrote to memory of 3020	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	43
PID 1308 wrote to memory of 3020	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	43
PID 1308 wrote to memory of 3020	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	43
PID 1308 wrote to memory of 3020	1308	{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe	43

C:\Users\Admin\AppData\Local\Temp\b5f24891f0c9dfexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b5f24891f0c9dfexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
  C:\Windows\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
    C:\Windows\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
      C:\Windows\{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe
        
        C:\Windows\{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe
        
        C:\Windows\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
        
        C:\Windows\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
        
        C:\Windows\{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
        
        C:\Windows\{C013DE15-6794-4f08-A5DE-3A533053535A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
        
        C:\Windows\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9243C~1.EXE > nul
        11⤵
        
        PID:2580
        
        C:\Windows\{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
        
        C:\Windows\{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
        
        C:\Windows\{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe
        
        C:\Windows\{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}.exe
        
        C:\Windows\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}.exe
        14⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{439FD~1.EXE > nul
        14⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C481~1.EXE > nul
        13⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF4BF~1.EXE > nul
        12⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C013D~1.EXE > nul
        10⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB8CE~1.EXE > nul
        9⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AC31~1.EXE > nul
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D281~1.EXE > nul
        7⤵
        
        PID:2532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08B73~1.EXE > nul
        6⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4201~1.EXE > nul
        5⤵
        
        PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96C0F~1.EXE > nul
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2CE98~1.EXE > nul
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5F248~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08B5837D-A0A5-4b02-9C00-47D1FFC7C0EC}.exe

Filesize
168KB

MD5
7a0caa9873474d43311b58cd74cd0e67

SHA1
2a41808d830bbf40d0b36289d4274cba5b6fe225

SHA256
07f8c7693f737f60e364b3548c5cf4e4705e0056f9e1b7b9c1768482fec301c7

SHA512
9179ee1836dd6fbd2c746ef72e656d8099237c3c9838f83b2be6f7410bb8a6ba14f8469d7d734c402588ad1683e60ea066212edf274bbde84bb2dd8520e40b08

Download Submit
C:\Windows\{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe

Filesize
168KB

MD5
27b3f434cd25b7d8099b95d21bdd05cf

SHA1
ab423b51812ecabafb894bfd0bfac0069c37fe67

SHA256
313a9bd29ca10fdf1bedf0ca6c1fd52b8941e3fc0fe8d339dce0fa28267cbcc5

SHA512
8d34b50c1b56f1a64ea69abd201f77fa0afcc7883c5d1c14a8192a39cc17ad8bb55f83213a9fe534a5b7171fcbdc2a2515102b4739a199a36f2e7c7c941859d4

Download Submit
C:\Windows\{08B73FB6-EE74-4665-8585-D676436D9ED1}.exe

Filesize
168KB

MD5
27b3f434cd25b7d8099b95d21bdd05cf

SHA1
ab423b51812ecabafb894bfd0bfac0069c37fe67

SHA256
313a9bd29ca10fdf1bedf0ca6c1fd52b8941e3fc0fe8d339dce0fa28267cbcc5

SHA512
8d34b50c1b56f1a64ea69abd201f77fa0afcc7883c5d1c14a8192a39cc17ad8bb55f83213a9fe534a5b7171fcbdc2a2515102b4739a199a36f2e7c7c941859d4

Download Submit
C:\Windows\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe

Filesize
168KB

MD5
533570fc9cd4f4266a9f02cbfe4898b1

SHA1
8cf8f21ee9b4dcee2b4196048027981cac8fbbf0

SHA256
320e1ff2b3e4bb06e553b37c13a955fa656c1f87d86cdbc06133770847983d6a

SHA512
62dff9f15f35b9fc37a2a03479768c5ca931af7840684f37a012605ddbb10b53b516b6eb2becc5124d357f1b42c8ca1c507e4670344060473a8b3f32d48e8b2b

Download Submit
C:\Windows\{0D28196E-2AE9-44d9-8B35-FB03EBBF404B}.exe

Filesize
168KB

MD5
533570fc9cd4f4266a9f02cbfe4898b1

SHA1
8cf8f21ee9b4dcee2b4196048027981cac8fbbf0

SHA256
320e1ff2b3e4bb06e553b37c13a955fa656c1f87d86cdbc06133770847983d6a

SHA512
62dff9f15f35b9fc37a2a03479768c5ca931af7840684f37a012605ddbb10b53b516b6eb2becc5124d357f1b42c8ca1c507e4670344060473a8b3f32d48e8b2b

Download Submit
C:\Windows\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe

Filesize
168KB

MD5
1cf19700ae39fd16df76d68c50916e58

SHA1
fe65ffe291e2c9c653902d51aa07aa63227befae

SHA256
5fc297b02fd768b83d2fb47efa291b1094fcb865cb51b6633a4125e3d03ba2d0

SHA512
6067ce6ad1ff7b3906627cb96788bc79d359e0f5cc79768e1fdd15ec70c4c8c0a3a38b474cebbfda02eba3306057abd2a6adbfc88a2af3eecd33fef192f05438

Download Submit
C:\Windows\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe

Filesize
168KB

MD5
1cf19700ae39fd16df76d68c50916e58

SHA1
fe65ffe291e2c9c653902d51aa07aa63227befae

SHA256
5fc297b02fd768b83d2fb47efa291b1094fcb865cb51b6633a4125e3d03ba2d0

SHA512
6067ce6ad1ff7b3906627cb96788bc79d359e0f5cc79768e1fdd15ec70c4c8c0a3a38b474cebbfda02eba3306057abd2a6adbfc88a2af3eecd33fef192f05438

Download Submit
C:\Windows\{2CE98070-E25E-4937-9DB1-82D6BA33271C}.exe

Filesize
168KB

MD5
1cf19700ae39fd16df76d68c50916e58

SHA1
fe65ffe291e2c9c653902d51aa07aa63227befae

SHA256
5fc297b02fd768b83d2fb47efa291b1094fcb865cb51b6633a4125e3d03ba2d0

SHA512
6067ce6ad1ff7b3906627cb96788bc79d359e0f5cc79768e1fdd15ec70c4c8c0a3a38b474cebbfda02eba3306057abd2a6adbfc88a2af3eecd33fef192f05438

Download Submit
C:\Windows\{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe

Filesize
168KB

MD5
1fd8f1bb1bd90032eeabbd3e7d7daff2

SHA1
4654b4310c6553d042f3d2c110047ab90c558b1d

SHA256
a0c536a34a509840894f2c2214ccdaacfb2338f0c698cac5ad036048fa1f01c8

SHA512
6e1c92ee64c9901675a31ae0445e96148643a6f361510e732c2ed7123f3eee6af2ff92ec9e0c470b9876b066027290f1e739a8293bea8d185bda035fe29db470

Download Submit
C:\Windows\{439FD58D-7371-43e8-9391-D5FE63336AD2}.exe

Filesize
168KB

MD5
1fd8f1bb1bd90032eeabbd3e7d7daff2

SHA1
4654b4310c6553d042f3d2c110047ab90c558b1d

SHA256
a0c536a34a509840894f2c2214ccdaacfb2338f0c698cac5ad036048fa1f01c8

SHA512
6e1c92ee64c9901675a31ae0445e96148643a6f361510e732c2ed7123f3eee6af2ff92ec9e0c470b9876b066027290f1e739a8293bea8d185bda035fe29db470

Download Submit
C:\Windows\{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe

Filesize
168KB

MD5
1ad81d95bfe1a9ab328b00adfca0da1b

SHA1
acf8461f83aad8e2a67092a6bf6b1f4d4c088ff4

SHA256
85b4112268cfc31e99225159b4c238d23ba2603caf70a94ce7d1a5e5b040f79b

SHA512
3b2c2077260cd0c3d4ebc444ecf6cb679b81a66b04a703d91571bbf95eec72ad1c746bf9e68a8369000b707c0d91f6f6ad273ee4d8e78073d4c38014dc07b418

Download Submit
C:\Windows\{4C481A91-24D0-43de-B74B-ED6D47C11D81}.exe

Filesize
168KB

MD5
1ad81d95bfe1a9ab328b00adfca0da1b

SHA1
acf8461f83aad8e2a67092a6bf6b1f4d4c088ff4

SHA256
85b4112268cfc31e99225159b4c238d23ba2603caf70a94ce7d1a5e5b040f79b

SHA512
3b2c2077260cd0c3d4ebc444ecf6cb679b81a66b04a703d91571bbf95eec72ad1c746bf9e68a8369000b707c0d91f6f6ad273ee4d8e78073d4c38014dc07b418

Download Submit
C:\Windows\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe

Filesize
168KB

MD5
030411a85e2d85830bd1222f0719887f

SHA1
7a80d3b965b4b5dd8c5d9553ff49d6c2519481c8

SHA256
ee67538191d3a1816ea3488fe6247806c8b094703828264aadad1c76049b8e8f

SHA512
10dccbba0127af47f77cf082a9627ac5196b9d4337bd5dc57d8100749160514b14c8f526ee02a38ff4882a70ee0c38f2dc0205ea11050e8177350f672137466f

Download Submit
C:\Windows\{6AC319B0-10E2-458c-BBF3-F76A2EE45C58}.exe

Filesize
168KB

MD5
030411a85e2d85830bd1222f0719887f

SHA1
7a80d3b965b4b5dd8c5d9553ff49d6c2519481c8

SHA256
ee67538191d3a1816ea3488fe6247806c8b094703828264aadad1c76049b8e8f

SHA512
10dccbba0127af47f77cf082a9627ac5196b9d4337bd5dc57d8100749160514b14c8f526ee02a38ff4882a70ee0c38f2dc0205ea11050e8177350f672137466f

Download Submit
C:\Windows\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe

Filesize
168KB

MD5
cdbce30e5798ba6abe444203e74e75ac

SHA1
7ef42feae3b2bc70c119598d9194165794a1a41d

SHA256
df586bd04b9e5ee0204232c821c8f2a04d4c8db4d312b8da2330bed3a655cf2a

SHA512
7830e06ff389f94e4fadcb9298195a1ea5ef04e46f482661daa5d34d8a605237bf372af90abf7c2ba09ecb4a235df96963ab19d713c3d7b68939bd1847cda4e5

Download Submit
C:\Windows\{9243C8BB-ECF0-4ca4-8B63-2D3E4AACA9C1}.exe

Filesize
168KB

MD5
cdbce30e5798ba6abe444203e74e75ac

SHA1
7ef42feae3b2bc70c119598d9194165794a1a41d

SHA256
df586bd04b9e5ee0204232c821c8f2a04d4c8db4d312b8da2330bed3a655cf2a

SHA512
7830e06ff389f94e4fadcb9298195a1ea5ef04e46f482661daa5d34d8a605237bf372af90abf7c2ba09ecb4a235df96963ab19d713c3d7b68939bd1847cda4e5

Download Submit
C:\Windows\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe

Filesize
168KB

MD5
d34608bfc8fdaec6c2740dea15ff129b

SHA1
36dd9bbb1ad6500cc3680ba9d267f9dd25fb604e

SHA256
08054cdaf49f25980b021f5349bffffe39c5a8e87c9bae68ee6e20d95e69b3a2

SHA512
cb9f329e06db231e9b9cc9e8f074137d0a090ca14cdf8b838c560f41400cf246148d035c24ca57b8f4e9d57fce0a4c33866dc2bcbe3dea7a657f9005e9bf4fb8

Download Submit
C:\Windows\{96C0F55A-7F0B-4519-A435-379AB0ADCF79}.exe

Filesize
168KB

MD5
d34608bfc8fdaec6c2740dea15ff129b

SHA1
36dd9bbb1ad6500cc3680ba9d267f9dd25fb604e

SHA256
08054cdaf49f25980b021f5349bffffe39c5a8e87c9bae68ee6e20d95e69b3a2

SHA512
cb9f329e06db231e9b9cc9e8f074137d0a090ca14cdf8b838c560f41400cf246148d035c24ca57b8f4e9d57fce0a4c33866dc2bcbe3dea7a657f9005e9bf4fb8

Download Submit
C:\Windows\{C013DE15-6794-4f08-A5DE-3A533053535A}.exe

Filesize
168KB

MD5
ab9e3417c17ef97cedd050a7356b0d8d

SHA1
c6e2545946881814c17279925b7c208fe58e8f9a

SHA256
ee3a8b1452d3dd3aa7dd5d414bcbe4dd72116ffa1777d561f6ed0999a17e7874

SHA512
b32c522a3c6b7c6976c00902d51b91e863ebe07184e7679333c5c5db77dbda9afe5d3bcab34811a3d15cb2f9ea9f8cfdc3bd5ac9f5c1a0bd1faa88cb7b37f713

Download Submit
C:\Windows\{C013DE15-6794-4f08-A5DE-3A533053535A}.exe

Filesize
168KB

MD5
ab9e3417c17ef97cedd050a7356b0d8d

SHA1
c6e2545946881814c17279925b7c208fe58e8f9a

SHA256
ee3a8b1452d3dd3aa7dd5d414bcbe4dd72116ffa1777d561f6ed0999a17e7874

SHA512
b32c522a3c6b7c6976c00902d51b91e863ebe07184e7679333c5c5db77dbda9afe5d3bcab34811a3d15cb2f9ea9f8cfdc3bd5ac9f5c1a0bd1faa88cb7b37f713

Download Submit
C:\Windows\{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe

Filesize
168KB

MD5
4f97d7f128bbe67a5ece002edcda80b8

SHA1
555ebf641b8aff91f2df18b8c1921c86e25a3eec

SHA256
ffc7304d5ac9e4d433253bbeee9542788b3b52eb7093f04b8983cbc95fc513a1

SHA512
5c0ee94c05fc5e9c21f5a3586b5db840ccf5e8f757a0134f134351a8982923cb67472fb9fa920f4f2d214feb1631acb466c9bce58c70abd8c2c264661b46584b

Download Submit
C:\Windows\{CB8CE84A-D084-426e-9825-B23FDF6C0775}.exe

Filesize
168KB

MD5
4f97d7f128bbe67a5ece002edcda80b8

SHA1
555ebf641b8aff91f2df18b8c1921c86e25a3eec

SHA256
ffc7304d5ac9e4d433253bbeee9542788b3b52eb7093f04b8983cbc95fc513a1

SHA512
5c0ee94c05fc5e9c21f5a3586b5db840ccf5e8f757a0134f134351a8982923cb67472fb9fa920f4f2d214feb1631acb466c9bce58c70abd8c2c264661b46584b

Download Submit
C:\Windows\{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe

Filesize
168KB

MD5
4c5929a77e33b7a98932d2d91f16fc6f

SHA1
0551676c0810a6c6387c3c3dfadb4d14d3e9917b

SHA256
4a047ae92967209877e5c79a84a8edbd755fe5a3e09a850eddf0f82dd3ed06c2

SHA512
3feb418bf66c3f2770683dd867fed52c2e607f8f4faa97e1eb3fdc1576261e98e0793c0f8800eb8584cf8bcbc0ee448ef5dfa57a9c5f6360f931ff3b2178b19e

Download Submit
C:\Windows\{F4201052-57C3-4264-8559-79BB8AF05A1C}.exe

Filesize
168KB

MD5
4c5929a77e33b7a98932d2d91f16fc6f

SHA1
0551676c0810a6c6387c3c3dfadb4d14d3e9917b

SHA256
4a047ae92967209877e5c79a84a8edbd755fe5a3e09a850eddf0f82dd3ed06c2

SHA512
3feb418bf66c3f2770683dd867fed52c2e607f8f4faa97e1eb3fdc1576261e98e0793c0f8800eb8584cf8bcbc0ee448ef5dfa57a9c5f6360f931ff3b2178b19e

Download Submit
C:\Windows\{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe

Filesize
168KB

MD5
a2fce54a1b83823b69574a60e92c7dc0

SHA1
868cf99b9d8f715140166c390dcd140d34e096a9

SHA256
a490f84acb0821440c93d3d67d59a3c0310a76c64e48f90bcd777aa770b1cbd6

SHA512
22bf6de4b71cb6260296fe44018da7eafd81d95c53a21deaa56d9bdb20db58d0656af87b73df27ca61fe16cf87ac68645909562bc25dc2052c4b6338d1085ca8

Download Submit
C:\Windows\{FF4BF094-A66C-4a15-AA67-55F52B397336}.exe

Filesize
168KB

MD5
a2fce54a1b83823b69574a60e92c7dc0

SHA1
868cf99b9d8f715140166c390dcd140d34e096a9

SHA256
a490f84acb0821440c93d3d67d59a3c0310a76c64e48f90bcd777aa770b1cbd6

SHA512
22bf6de4b71cb6260296fe44018da7eafd81d95c53a21deaa56d9bdb20db58d0656af87b73df27ca61fe16cf87ac68645909562bc25dc2052c4b6338d1085ca8

Download Submit