81f0adf77ce1b104ec7e5bf44e015bbed81202706dbfe1ba54433534ef99c46f

Analysis

max time kernel
147s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b69f84aee06eedexeexeexeex.exe
Size

372KB
MD5

b69f84aee06eed96b933389472dcf77d
SHA1

214859f2b49127b4435ef7ce52d897ece28eca76
SHA256

81f0adf77ce1b104ec7e5bf44e015bbed81202706dbfe1ba54433534ef99c46f
SHA512

0f88e374d19e9f8dcbb5617497506dddc0e53bb743e2abb074e6ddcd9e8c8510cf4bfbd86aea47c503388552f71495ae0be03f9faa02b0b7e6c43f9367753922
SSDEEP

3072:CEGh0olmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGWl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{485BF217-482A-45c7-AEA8-5641182C89DA}\stubpath = "C:\\Windows\\{485BF217-482A-45c7-AEA8-5641182C89DA}.exe"	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}\stubpath = "C:\\Windows\\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe"	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}\stubpath = "C:\\Windows\\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe"	{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366151F5-82A3-4f8d-9F10-26BD458064B6}	{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}\stubpath = "C:\\Windows\\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe"	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{485BF217-482A-45c7-AEA8-5641182C89DA}	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF5736F-388D-4970-BBA7-9927A5349FBE}	{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF5736F-388D-4970-BBA7-9927A5349FBE}\stubpath = "C:\\Windows\\{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe"	{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}	{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FA22BE0-F60E-4f21-8655-97609F17E179}\stubpath = "C:\\Windows\\{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe"	{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D487AA0E-A105-4ef9-BFD3-844369D38143}	b69f84aee06eedexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}\stubpath = "C:\\Windows\\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe"	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}	{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7145B474-8B00-4f3f-85AF-D1974A987B7B}\stubpath = "C:\\Windows\\{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe"	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}\stubpath = "C:\\Windows\\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe"	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}\stubpath = "C:\\Windows\\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe"	{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FA22BE0-F60E-4f21-8655-97609F17E179}	{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366151F5-82A3-4f8d-9F10-26BD458064B6}\stubpath = "C:\\Windows\\{366151F5-82A3-4f8d-9F10-26BD458064B6}.exe"	{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D487AA0E-A105-4ef9-BFD3-844369D38143}\stubpath = "C:\\Windows\\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe"	b69f84aee06eedexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7145B474-8B00-4f3f-85AF-D1974A987B7B}	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}\stubpath = "C:\\Windows\\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe"	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe
2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
2972	{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
2072	{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
2696	{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
2744	{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
2752	{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe
2496	{366151F5-82A3-4f8d-9F10-26BD458064B6}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
File created	C:\Windows\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
File created	C:\Windows\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe	{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
File created	C:\Windows\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
File created	C:\Windows\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
File created	C:\Windows\{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe	{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
File created	C:\Windows\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe	{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
File created	C:\Windows\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	b69f84aee06eedexeexeexeex.exe
File created	C:\Windows\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
File created	C:\Windows\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe
File created	C:\Windows\{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
File created	C:\Windows\{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe	{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
File created	C:\Windows\{366151F5-82A3-4f8d-9F10-26BD458064B6}.exe	{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3016	b69f84aee06eedexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
Token: SeIncBasePriorityPrivilege	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
Token: SeIncBasePriorityPrivilege	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe
Token: SeIncBasePriorityPrivilege	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
Token: SeIncBasePriorityPrivilege	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
Token: SeIncBasePriorityPrivilege	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
Token: SeIncBasePriorityPrivilege	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
Token: SeIncBasePriorityPrivilege	2972	{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
Token: SeIncBasePriorityPrivilege	2072	{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
Token: SeIncBasePriorityPrivilege	2696	{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
Token: SeIncBasePriorityPrivilege	2744	{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
Token: SeIncBasePriorityPrivilege	2752	{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2940	3016	b69f84aee06eedexeexeexeex.exe	28
PID 3016 wrote to memory of 2940	3016	b69f84aee06eedexeexeexeex.exe	28
PID 3016 wrote to memory of 2940	3016	b69f84aee06eedexeexeexeex.exe	28
PID 3016 wrote to memory of 2940	3016	b69f84aee06eedexeexeexeex.exe	28
PID 3016 wrote to memory of 2404	3016	b69f84aee06eedexeexeexeex.exe	29
PID 3016 wrote to memory of 2404	3016	b69f84aee06eedexeexeexeex.exe	29
PID 3016 wrote to memory of 2404	3016	b69f84aee06eedexeexeexeex.exe	29
PID 3016 wrote to memory of 2404	3016	b69f84aee06eedexeexeexeex.exe	29
PID 2940 wrote to memory of 2292	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	30
PID 2940 wrote to memory of 2292	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	30
PID 2940 wrote to memory of 2292	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	30
PID 2940 wrote to memory of 2292	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	30
PID 2940 wrote to memory of 2104	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	31
PID 2940 wrote to memory of 2104	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	31
PID 2940 wrote to memory of 2104	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	31
PID 2940 wrote to memory of 2104	2940	{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe	31
PID 2292 wrote to memory of 2424	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	33
PID 2292 wrote to memory of 2424	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	33
PID 2292 wrote to memory of 2424	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	33
PID 2292 wrote to memory of 2424	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	33
PID 2292 wrote to memory of 2848	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	32
PID 2292 wrote to memory of 2848	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	32
PID 2292 wrote to memory of 2848	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	32
PID 2292 wrote to memory of 2848	2292	{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe	32
PID 2424 wrote to memory of 2936	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	34
PID 2424 wrote to memory of 2936	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	34
PID 2424 wrote to memory of 2936	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	34
PID 2424 wrote to memory of 2936	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	34
PID 2424 wrote to memory of 2256	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	35
PID 2424 wrote to memory of 2256	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	35
PID 2424 wrote to memory of 2256	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	35
PID 2424 wrote to memory of 2256	2424	{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe	35
PID 2936 wrote to memory of 2124	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	36
PID 2936 wrote to memory of 2124	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	36
PID 2936 wrote to memory of 2124	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	36
PID 2936 wrote to memory of 2124	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	36
PID 2936 wrote to memory of 2320	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	37
PID 2936 wrote to memory of 2320	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	37
PID 2936 wrote to memory of 2320	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	37
PID 2936 wrote to memory of 2320	2936	{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe	37
PID 2124 wrote to memory of 760	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	39
PID 2124 wrote to memory of 760	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	39
PID 2124 wrote to memory of 760	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	39
PID 2124 wrote to memory of 760	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	39
PID 2124 wrote to memory of 944	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	38
PID 2124 wrote to memory of 944	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	38
PID 2124 wrote to memory of 944	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	38
PID 2124 wrote to memory of 944	2124	{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe	38
PID 760 wrote to memory of 2004	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	40
PID 760 wrote to memory of 2004	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	40
PID 760 wrote to memory of 2004	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	40
PID 760 wrote to memory of 2004	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	40
PID 760 wrote to memory of 2560	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	41
PID 760 wrote to memory of 2560	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	41
PID 760 wrote to memory of 2560	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	41
PID 760 wrote to memory of 2560	760	{485BF217-482A-45c7-AEA8-5641182C89DA}.exe	41
PID 2004 wrote to memory of 2972	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	43
PID 2004 wrote to memory of 2972	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	43
PID 2004 wrote to memory of 2972	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	43
PID 2004 wrote to memory of 2972	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	43
PID 2004 wrote to memory of 2992	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	42
PID 2004 wrote to memory of 2992	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	42
PID 2004 wrote to memory of 2992	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	42
PID 2004 wrote to memory of 2992	2004	{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe	42

C:\Users\Admin\AppData\Local\Temp\b69f84aee06eedexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b69f84aee06eedexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
  C:\Windows\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
    C:\Windows\{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7145B~1.EXE > nul
      4⤵
      PID:2848
  - - C:\Windows\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe
      C:\Windows\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
        
        C:\Windows\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
        
        C:\Windows\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBC1D~1.EXE > nul
        7⤵
        
        PID:944
        
        C:\Windows\{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
        
        C:\Windows\{485BF217-482A-45c7-AEA8-5641182C89DA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
        
        C:\Windows\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59C54~1.EXE > nul
        9⤵
        
        PID:2992
        
        C:\Windows\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
        
        C:\Windows\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97570~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
        
        C:\Windows\{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF57~1.EXE > nul
        11⤵
        
        PID:2816
        
        C:\Windows\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
        
        C:\Windows\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
        
        C:\Windows\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe
        
        C:\Windows\{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{366151F5-82A3-4f8d-9F10-26BD458064B6}.exe
        
        C:\Windows\{366151F5-82A3-4f8d-9F10-26BD458064B6}.exe
        14⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FA22~1.EXE > nul
        14⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA175~1.EXE > nul
        13⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC31~1.EXE > nul
        12⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{485BF~1.EXE > nul
        8⤵
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC69~1.EXE > nul
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3EC4~1.EXE > nul
        5⤵
        
        PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D487A~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B69F84~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{366151F5-82A3-4f8d-9F10-26BD458064B6}.exe

Filesize
372KB

MD5
a0de6fd07e24498e01a7739ddbbf068b

SHA1
e53b57bdef0f01c41d74072f8533da7c9fd730a1

SHA256
cd1476a8c01d284b4c367d70f5e0170dfb8da4c8bd932f9db039800b8850b187

SHA512
e362b8a0aef74fb9c8ee6a1e5bfe4c5f2b07fe9c073aa469bd5feb8a8d8f8a2fea25af98e7fcccdbe845531a8cd7fe589956ef4793fd0de648f87fb99b223926

Download Submit
C:\Windows\{485BF217-482A-45c7-AEA8-5641182C89DA}.exe

Filesize
372KB

MD5
2ead0f0adfdf454d527c01f457483177

SHA1
cbd8c085a591d8101f7d6c03a180831bfad9c97e

SHA256
8ab5bedfd9c598be8c0cb6144f31e81a5d11e0217f197bc7d09e614218fd7dd2

SHA512
a05c4bd1807176d9dd11ca60e8217ae175ed96b81d8220657013a58d1a02adfb2d1bffafea0503e2f6e599ef2cb1c559ac79f8c82277d0f8e540d864398ac542

Download Submit
C:\Windows\{485BF217-482A-45c7-AEA8-5641182C89DA}.exe

Filesize
372KB

MD5
2ead0f0adfdf454d527c01f457483177

SHA1
cbd8c085a591d8101f7d6c03a180831bfad9c97e

SHA256
8ab5bedfd9c598be8c0cb6144f31e81a5d11e0217f197bc7d09e614218fd7dd2

SHA512
a05c4bd1807176d9dd11ca60e8217ae175ed96b81d8220657013a58d1a02adfb2d1bffafea0503e2f6e599ef2cb1c559ac79f8c82277d0f8e540d864398ac542

Download Submit
C:\Windows\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe

Filesize
372KB

MD5
76c12f39e5f98cc6c67afb334e6d1b7d

SHA1
f218821f02e7cc1811ce79f274cbb4ba078c9210

SHA256
c56cfbbd4c3af08b8b17e9e562693475750175d0dd8a945ee647835bc6a4fb42

SHA512
6bd59fbd250a0c3e39e99627e7fc2032c4c71914000758828dbe52595b17669faa0a46d851a703f9aa8f800eb5cf95293e06ddd4ffd40cdfd1a963b256407333

Download Submit
C:\Windows\{59C54FAC-3DED-41d5-AB0A-6CFE3D4E6793}.exe

Filesize
372KB

MD5
76c12f39e5f98cc6c67afb334e6d1b7d

SHA1
f218821f02e7cc1811ce79f274cbb4ba078c9210

SHA256
c56cfbbd4c3af08b8b17e9e562693475750175d0dd8a945ee647835bc6a4fb42

SHA512
6bd59fbd250a0c3e39e99627e7fc2032c4c71914000758828dbe52595b17669faa0a46d851a703f9aa8f800eb5cf95293e06ddd4ffd40cdfd1a963b256407333

Download Submit
C:\Windows\{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe

Filesize
372KB

MD5
c8a97d148833d0164931afb2342d4e6a

SHA1
85a4b8e7b6a2e4d0032538bb8b469b343ac0ab7b

SHA256
41568025485c1fd1abd53c48849cc1273a4a53f5003bace5b6e3f5acc91f6dbe

SHA512
cbee5ab402bd47f081789f7f0810f7d1f9b6bdc06bea0a1c8243d4539f30060af96faffedbdc5e105e114600b24513510795a845203fd122eeff31ff6dbcb8f9

Download Submit
C:\Windows\{5FF5736F-388D-4970-BBA7-9927A5349FBE}.exe

Filesize
372KB

MD5
c8a97d148833d0164931afb2342d4e6a

SHA1
85a4b8e7b6a2e4d0032538bb8b469b343ac0ab7b

SHA256
41568025485c1fd1abd53c48849cc1273a4a53f5003bace5b6e3f5acc91f6dbe

SHA512
cbee5ab402bd47f081789f7f0810f7d1f9b6bdc06bea0a1c8243d4539f30060af96faffedbdc5e105e114600b24513510795a845203fd122eeff31ff6dbcb8f9

Download Submit
C:\Windows\{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe

Filesize
372KB

MD5
f578c0d370c688208c99fb40f85468fc

SHA1
6fec511772b26fddb75904451496b5955be87931

SHA256
34453b104e34eac0be28919e67b85e86c453540e83db6cdb2e6ecfb075c3b7da

SHA512
8c9ab3dafa9ab7c07eaba7a2ffa712ffd60e943aaea8748eef49cfbdcd6f9b6b2394f6560eb0602dea54191200eb3d849360981b2d7a712141818c99b217e7ff

Download Submit
C:\Windows\{7145B474-8B00-4f3f-85AF-D1974A987B7B}.exe

Filesize
372KB

MD5
f578c0d370c688208c99fb40f85468fc

SHA1
6fec511772b26fddb75904451496b5955be87931

SHA256
34453b104e34eac0be28919e67b85e86c453540e83db6cdb2e6ecfb075c3b7da

SHA512
8c9ab3dafa9ab7c07eaba7a2ffa712ffd60e943aaea8748eef49cfbdcd6f9b6b2394f6560eb0602dea54191200eb3d849360981b2d7a712141818c99b217e7ff

Download Submit
C:\Windows\{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe

Filesize
372KB

MD5
d327ad4ce57a09b2a3ceb7e422caeaeb

SHA1
bf2b9917c53bb23ae00be6cea536a4d021c4dd4e

SHA256
0fcb91977969aaa231e6109835e7fc3344011c555303b30ff5a60e3927e3d40c

SHA512
769260d874a7e7f8acca7e4b9c66f1a417a0c90c87df8f1a44f7d69a0ed0a6f137e32130b1cb6517cbc5b3397aa75c0122e623e7acbe4bd9ac1835855398bc24

Download Submit
C:\Windows\{8FA22BE0-F60E-4f21-8655-97609F17E179}.exe

Filesize
372KB

MD5
d327ad4ce57a09b2a3ceb7e422caeaeb

SHA1
bf2b9917c53bb23ae00be6cea536a4d021c4dd4e

SHA256
0fcb91977969aaa231e6109835e7fc3344011c555303b30ff5a60e3927e3d40c

SHA512
769260d874a7e7f8acca7e4b9c66f1a417a0c90c87df8f1a44f7d69a0ed0a6f137e32130b1cb6517cbc5b3397aa75c0122e623e7acbe4bd9ac1835855398bc24

Download Submit
C:\Windows\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe

Filesize
372KB

MD5
69dada4daf15e8901f22e7b6ef51c8b0

SHA1
a78e0c98c26706e9a365b866921271559149855c

SHA256
c61979f1634c07e4e8e6412abada6eb3cb5a17b7b78c91e44b340fcd2e922ecd

SHA512
bb5118a8bc917c2da8832eef10c677a4c5dd87776d2f3edd319b3c0d26ce555ccf166759ab08685322907ea0ac9de7432558b00e193fb13f94687e6172a93cde

Download Submit
C:\Windows\{9757005A-FC29-425b-B917-F4C6CA7BA2AC}.exe

Filesize
372KB

MD5
69dada4daf15e8901f22e7b6ef51c8b0

SHA1
a78e0c98c26706e9a365b866921271559149855c

SHA256
c61979f1634c07e4e8e6412abada6eb3cb5a17b7b78c91e44b340fcd2e922ecd

SHA512
bb5118a8bc917c2da8832eef10c677a4c5dd87776d2f3edd319b3c0d26ce555ccf166759ab08685322907ea0ac9de7432558b00e193fb13f94687e6172a93cde

Download Submit
C:\Windows\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe

Filesize
372KB

MD5
0ecf71e74c2fc0f3cd425fa0b3abd7ba

SHA1
a6da35a46d7f85aada5c7cf1acdfb53456af7835

SHA256
fa81b7ec24de908ddc3708e8aae23731c41a4f4a2786f1f3eca48d904c91cd35

SHA512
dfabdd8576ebe5ba3af9ce2bad21cb79e4568f69e56bef6fbf5511e84de7ced341c6c7629def1b3195c3ee279abc6e3ab3451f1c4eb70f84c268f22579427ff3

Download Submit
C:\Windows\{BBC1DCAF-4452-461b-9C53-1D7460F1C2E9}.exe

Filesize
372KB

MD5
0ecf71e74c2fc0f3cd425fa0b3abd7ba

SHA1
a6da35a46d7f85aada5c7cf1acdfb53456af7835

SHA256
fa81b7ec24de908ddc3708e8aae23731c41a4f4a2786f1f3eca48d904c91cd35

SHA512
dfabdd8576ebe5ba3af9ce2bad21cb79e4568f69e56bef6fbf5511e84de7ced341c6c7629def1b3195c3ee279abc6e3ab3451f1c4eb70f84c268f22579427ff3

Download Submit
C:\Windows\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe

Filesize
372KB

MD5
14da1c1327c9144c6ff343d2261b32c2

SHA1
24814c2d3c4ea68cd1b24e32e8588d99959e8ba0

SHA256
38a7da785ccf60b7a2ab658f0c13e842c45d29bcbf7c8bf624e190cbf32db92c

SHA512
abfc676405015f1c8601905c12766f77001615f83d8b889ac0730908e7b6c1f8a4ab0c3e40e35b04eefc36945b2ec96104f0ac13d98f40ccae57480601c5ed78

Download Submit
C:\Windows\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe

Filesize
372KB

MD5
14da1c1327c9144c6ff343d2261b32c2

SHA1
24814c2d3c4ea68cd1b24e32e8588d99959e8ba0

SHA256
38a7da785ccf60b7a2ab658f0c13e842c45d29bcbf7c8bf624e190cbf32db92c

SHA512
abfc676405015f1c8601905c12766f77001615f83d8b889ac0730908e7b6c1f8a4ab0c3e40e35b04eefc36945b2ec96104f0ac13d98f40ccae57480601c5ed78

Download Submit
C:\Windows\{D487AA0E-A105-4ef9-BFD3-844369D38143}.exe

Filesize
372KB

MD5
14da1c1327c9144c6ff343d2261b32c2

SHA1
24814c2d3c4ea68cd1b24e32e8588d99959e8ba0

SHA256
38a7da785ccf60b7a2ab658f0c13e842c45d29bcbf7c8bf624e190cbf32db92c

SHA512
abfc676405015f1c8601905c12766f77001615f83d8b889ac0730908e7b6c1f8a4ab0c3e40e35b04eefc36945b2ec96104f0ac13d98f40ccae57480601c5ed78

Download Submit
C:\Windows\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe

Filesize
372KB

MD5
aef0dfd5f23bfc376594375dab2f36ee

SHA1
6b87f301e598bc4b2527d22008ff2e2e46880616

SHA256
a03eb18090f4ee125ca4592b2cb4dc745a70841c2dd1f4418ebb26350f289917

SHA512
f3e8f48cd4ada9f7f32af4aedbd2c39d0ea041883d373b288f80b03985e0ac8e9764616bdc9a5636560bfda488faafd47b9a07f937fcdce91e4da58bc2f926de

Download Submit
C:\Windows\{E3EC4CE6-07C4-4f61-823E-80E835F842DD}.exe

Filesize
372KB

MD5
aef0dfd5f23bfc376594375dab2f36ee

SHA1
6b87f301e598bc4b2527d22008ff2e2e46880616

SHA256
a03eb18090f4ee125ca4592b2cb4dc745a70841c2dd1f4418ebb26350f289917

SHA512
f3e8f48cd4ada9f7f32af4aedbd2c39d0ea041883d373b288f80b03985e0ac8e9764616bdc9a5636560bfda488faafd47b9a07f937fcdce91e4da58bc2f926de

Download Submit
C:\Windows\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe

Filesize
372KB

MD5
e83c407f5afeb7d23e554b591d321156

SHA1
ee4c8c085ee1e0a87fac6c69ee89774cc4bc0ca8

SHA256
e25530032d12301ff366ef4df3eb60a2cf86f436be553034a685fdd3431f74bd

SHA512
5b62f9f3e89979342859b273a6a00cd2dcfc6d5d51599c9f87e50ad3bcb984ba4d8bf0136945ccda801e6c7ed81d95308f3d2b087f0843ecc7c2826ff4fdb893

Download Submit
C:\Windows\{ECC31DCC-DB29-42c2-BCDC-90BD7D0C145A}.exe

Filesize
372KB

MD5
e83c407f5afeb7d23e554b591d321156

SHA1
ee4c8c085ee1e0a87fac6c69ee89774cc4bc0ca8

SHA256
e25530032d12301ff366ef4df3eb60a2cf86f436be553034a685fdd3431f74bd

SHA512
5b62f9f3e89979342859b273a6a00cd2dcfc6d5d51599c9f87e50ad3bcb984ba4d8bf0136945ccda801e6c7ed81d95308f3d2b087f0843ecc7c2826ff4fdb893

Download Submit
C:\Windows\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe

Filesize
372KB

MD5
0bffe7e6c365091eb2a00b64dea99197

SHA1
6d7726c2dfba1e8bd088a7b76bdef5257ae0e15e

SHA256
149dac2a96d4220a91d2a0e2b3ad7b81d87240bdfb6b2064b8e6d4dbf80f799c

SHA512
54fe787bfdfed4650e6c13266d94c80f21d20959b40c89421f9e20770c8fad5f0ea959bacd91461729c6ae7124c26e5e2a4a5a0466a5dff3dc1c599f24d49cdd

Download Submit
C:\Windows\{EFC6963C-8C27-46a8-A98D-65AD5C2E3A64}.exe

Filesize
372KB

MD5
0bffe7e6c365091eb2a00b64dea99197

SHA1
6d7726c2dfba1e8bd088a7b76bdef5257ae0e15e

SHA256
149dac2a96d4220a91d2a0e2b3ad7b81d87240bdfb6b2064b8e6d4dbf80f799c

SHA512
54fe787bfdfed4650e6c13266d94c80f21d20959b40c89421f9e20770c8fad5f0ea959bacd91461729c6ae7124c26e5e2a4a5a0466a5dff3dc1c599f24d49cdd

Download Submit
C:\Windows\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe

Filesize
372KB

MD5
40972eb0291df3ab3c78a2894e1add00

SHA1
b062602c617876863f8e7ab3dfcc975a4d4c249b

SHA256
2d365b18deee2d26f2a333d9b6d4e8b1ba9032f63a9dec03e6cbf146ee12066f

SHA512
064bcb913d49eb21d0174076a4d485355ad4d92c691e66854c071fee0196624d39085d55c51de56db00aa9709e39f7c7dbdf0055ff1581d167e45fec6b0628e8

Download Submit
C:\Windows\{FA175105-260C-4d7e-B9FB-1B79EFCA6450}.exe

Filesize
372KB

MD5
40972eb0291df3ab3c78a2894e1add00

SHA1
b062602c617876863f8e7ab3dfcc975a4d4c249b

SHA256
2d365b18deee2d26f2a333d9b6d4e8b1ba9032f63a9dec03e6cbf146ee12066f

SHA512
064bcb913d49eb21d0174076a4d485355ad4d92c691e66854c071fee0196624d39085d55c51de56db00aa9709e39f7c7dbdf0055ff1581d167e45fec6b0628e8

Download Submit