1b402a42738b6fef10126c116c7870c138d876ed43d878bb47b31ec40add691f

Analysis

max time kernel
146s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd793c66e1a45aexeexeexeex.exe
Size

372KB
MD5

bd793c66e1a45ad813696e928e72cf1c
SHA1

84823c6c138871de5bc265a52c2a8a3ad75e98ca
SHA256

1b402a42738b6fef10126c116c7870c138d876ed43d878bb47b31ec40add691f
SHA512

f0b93b33e980d1ec91f14ddf2d60ab54f6c0d3e4ba897a673e1d68e8c16e81686dfe6f156e662b9b8d1f3a4dd17d279f8dbb976b5317f5b165f0c667542d2e86
SSDEEP

3072:CEGh0oVmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGOl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4173010-E957-4e69-B3B3-384F5B5A30E3}\stubpath = "C:\\Windows\\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe"	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}\stubpath = "C:\\Windows\\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe"	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{458E2FAE-0428-49ee-8565-3780B96170F5}\stubpath = "C:\\Windows\\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe"	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}	{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}\stubpath = "C:\\Windows\\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe"	{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0486B14B-B135-4509-8D1F-689FE2417D1D}\stubpath = "C:\\Windows\\{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe"	{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}	{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}\stubpath = "C:\\Windows\\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}.exe"	{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}\stubpath = "C:\\Windows\\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe"	bd793c66e1a45aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{458E2FAE-0428-49ee-8565-3780B96170F5}	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BC8AFA-C889-4812-B388-31F78A6D586E}	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BC8AFA-C889-4812-B388-31F78A6D586E}\stubpath = "C:\\Windows\\{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe"	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}\stubpath = "C:\\Windows\\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe"	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76204D8E-4EC4-47db-BF45-5F15085A34EF}\stubpath = "C:\\Windows\\{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe"	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}\stubpath = "C:\\Windows\\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe"	{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76204D8E-4EC4-47db-BF45-5F15085A34EF}	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D375FB55-B461-487e-A89B-2CC872C4462A}	{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}	{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}	bd793c66e1a45aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4173010-E957-4e69-B3B3-384F5B5A30E3}	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}\stubpath = "C:\\Windows\\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe"	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0486B14B-B135-4509-8D1F-689FE2417D1D}	{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D375FB55-B461-487e-A89B-2CC872C4462A}\stubpath = "C:\\Windows\\{D375FB55-B461-487e-A89B-2CC872C4462A}.exe"	{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
1128	{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
2724	{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
2876	{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe
2632	{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
2788	{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe
2476	{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
File created	C:\Windows\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe	{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
File created	C:\Windows\{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe	{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
File created	C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	bd793c66e1a45aexeexeexeex.exe
File created	C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
File created	C:\Windows\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
File created	C:\Windows\{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
File created	C:\Windows\{D375FB55-B461-487e-A89B-2CC872C4462A}.exe	{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe
File created	C:\Windows\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe	{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
File created	C:\Windows\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}.exe	{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe
File created	C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
File created	C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
File created	C:\Windows\{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	bd793c66e1a45aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
Token: SeIncBasePriorityPrivilege	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
Token: SeIncBasePriorityPrivilege	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
Token: SeIncBasePriorityPrivilege	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
Token: SeIncBasePriorityPrivilege	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
Token: SeIncBasePriorityPrivilege	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
Token: SeIncBasePriorityPrivilege	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
Token: SeIncBasePriorityPrivilege	1128	{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
Token: SeIncBasePriorityPrivilege	2724	{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
Token: SeIncBasePriorityPrivilege	2876	{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe
Token: SeIncBasePriorityPrivilege	2632	{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
Token: SeIncBasePriorityPrivilege	2788	{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3064	2224	bd793c66e1a45aexeexeexeex.exe	29
PID 2224 wrote to memory of 3064	2224	bd793c66e1a45aexeexeexeex.exe	29
PID 2224 wrote to memory of 3064	2224	bd793c66e1a45aexeexeexeex.exe	29
PID 2224 wrote to memory of 3064	2224	bd793c66e1a45aexeexeexeex.exe	29
PID 2224 wrote to memory of 2208	2224	bd793c66e1a45aexeexeexeex.exe	30
PID 2224 wrote to memory of 2208	2224	bd793c66e1a45aexeexeexeex.exe	30
PID 2224 wrote to memory of 2208	2224	bd793c66e1a45aexeexeexeex.exe	30
PID 2224 wrote to memory of 2208	2224	bd793c66e1a45aexeexeexeex.exe	30
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 848	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	31
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 3064 wrote to memory of 1216	3064	{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe	32
PID 848 wrote to memory of 300	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 300	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 300	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 300	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	33
PID 848 wrote to memory of 2304	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 848 wrote to memory of 2304	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 848 wrote to memory of 2304	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 848 wrote to memory of 2304	848	{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe	34
PID 300 wrote to memory of 1312	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 300 wrote to memory of 1312	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 300 wrote to memory of 1312	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 300 wrote to memory of 1312	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	35
PID 300 wrote to memory of 2076	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 300 wrote to memory of 2076	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 300 wrote to memory of 2076	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 300 wrote to memory of 2076	300	{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe	36
PID 1312 wrote to memory of 2860	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 1312 wrote to memory of 2860	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 1312 wrote to memory of 2860	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 1312 wrote to memory of 2860	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	37
PID 1312 wrote to memory of 1492	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 1312 wrote to memory of 1492	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 1312 wrote to memory of 1492	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 1312 wrote to memory of 1492	1312	{458E2FAE-0428-49ee-8565-3780B96170F5}.exe	38
PID 2860 wrote to memory of 980	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	39
PID 2860 wrote to memory of 980	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	39
PID 2860 wrote to memory of 980	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	39
PID 2860 wrote to memory of 980	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	39
PID 2860 wrote to memory of 1636	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	40
PID 2860 wrote to memory of 1636	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	40
PID 2860 wrote to memory of 1636	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	40
PID 2860 wrote to memory of 1636	2860	{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe	40
PID 980 wrote to memory of 680	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	41
PID 980 wrote to memory of 680	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	41
PID 980 wrote to memory of 680	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	41
PID 980 wrote to memory of 680	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	41
PID 980 wrote to memory of 2924	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	42
PID 980 wrote to memory of 2924	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	42
PID 980 wrote to memory of 2924	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	42
PID 980 wrote to memory of 2924	980	{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe	42
PID 680 wrote to memory of 1128	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	43
PID 680 wrote to memory of 1128	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	43
PID 680 wrote to memory of 1128	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	43
PID 680 wrote to memory of 1128	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	43
PID 680 wrote to memory of 2972	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	44
PID 680 wrote to memory of 2972	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	44
PID 680 wrote to memory of 2972	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	44
PID 680 wrote to memory of 2972	680	{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe	44

C:\Users\Admin\AppData\Local\Temp\bd793c66e1a45aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\bd793c66e1a45aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
  C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
    C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
      C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:300
    - - C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
        
        C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
        
        C:\Windows\{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
        
        C:\Windows\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
        
        C:\Windows\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
        
        C:\Windows\{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
        
        C:\Windows\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe
        
        C:\Windows\{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
        
        C:\Windows\{D375FB55-B461-487e-A89B-2CC872C4462A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe
        
        C:\Windows\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}.exe
        
        C:\Windows\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}.exe
        14⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E21AB~1.EXE > nul
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D375F~1.EXE > nul
        13⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0486B~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD39~1.EXE > nul
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76204~1.EXE > nul
        10⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42360~1.EXE > nul
        9⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF814~1.EXE > nul
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87BC8~1.EXE > nul
        7⤵
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{458E2~1.EXE > nul
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9E2~1.EXE > nul
        5⤵
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4173~1.EXE > nul
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F43B~1.EXE > nul
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BD793C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe

Filesize
372KB

MD5
91791b7373a7b8556c2faf52c6a27785

SHA1
2a42436b0d1ec38eaf90434a3a1ab184f990dccc

SHA256
3e10d4fa713a8457131ada90c97e9fb4afc3890341e2cb816a5072ce44341a26

SHA512
18b168bc2b14710d0927ed77dbdc0c9c099739293b24bbf097abf98cfc42a3e686fb78d614c147d8a687f5d93e76725ea5e3d13678c039f41c0852e2ed9da5ae

Download Submit
C:\Windows\{0486B14B-B135-4509-8D1F-689FE2417D1D}.exe

Filesize
372KB

MD5
91791b7373a7b8556c2faf52c6a27785

SHA1
2a42436b0d1ec38eaf90434a3a1ab184f990dccc

SHA256
3e10d4fa713a8457131ada90c97e9fb4afc3890341e2cb816a5072ce44341a26

SHA512
18b168bc2b14710d0927ed77dbdc0c9c099739293b24bbf097abf98cfc42a3e686fb78d614c147d8a687f5d93e76725ea5e3d13678c039f41c0852e2ed9da5ae

Download Submit
C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe

Filesize
372KB

MD5
ec6f89b864fecdfae730658ee376926b

SHA1
dfaa85553267953f94b3a03104695c3e2fb27557

SHA256
40dcab7c0779721bd65cb5ad8582b5becab52c88e51cfc2c93adec7b3a8686fe

SHA512
b0e8af06791677e21aeea90e37c18df7bb1f59a3c8bf79db93bfdadcfb47dea09a9a726de9ced0dec255ff258e9518fe3b08ffc251e0a4325ef1edad593d54f6

Download Submit
C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe

Filesize
372KB

MD5
ec6f89b864fecdfae730658ee376926b

SHA1
dfaa85553267953f94b3a03104695c3e2fb27557

SHA256
40dcab7c0779721bd65cb5ad8582b5becab52c88e51cfc2c93adec7b3a8686fe

SHA512
b0e8af06791677e21aeea90e37c18df7bb1f59a3c8bf79db93bfdadcfb47dea09a9a726de9ced0dec255ff258e9518fe3b08ffc251e0a4325ef1edad593d54f6

Download Submit
C:\Windows\{0F43BABE-1B89-4b31-94C1-F59DBE716DD3}.exe

Filesize
372KB

MD5
ec6f89b864fecdfae730658ee376926b

SHA1
dfaa85553267953f94b3a03104695c3e2fb27557

SHA256
40dcab7c0779721bd65cb5ad8582b5becab52c88e51cfc2c93adec7b3a8686fe

SHA512
b0e8af06791677e21aeea90e37c18df7bb1f59a3c8bf79db93bfdadcfb47dea09a9a726de9ced0dec255ff258e9518fe3b08ffc251e0a4325ef1edad593d54f6

Download Submit
C:\Windows\{1D368317-1AF3-4832-A05F-FAA3CFE5C1DE}.exe

Filesize
372KB

MD5
5a1ae2e91654505ce76b214b6b684d40

SHA1
1a498b3cb14e7dd285705dfb44250efa3e286c08

SHA256
3242404bfca8bdcf2d129b27edc0a81b17d5ac702ca5f7e59da291272dfd3dee

SHA512
5971e18ce227c928b79245e70092041ea6768f2214772cda0bf1e114201d1294a3ec1c4e621b7ef4d066093a46d0e2204fb3fea71b16a71d6c52deed5cac1b77

Download Submit
C:\Windows\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe

Filesize
372KB

MD5
153b7f262ab739e5734c7c069493c4d9

SHA1
bb1d5b27bb0ee2af0a9dcea9e8754430931f6f4c

SHA256
9e56309a511956294b03e8bf744265793bb38d45da7608b4b8672987b6c4414b

SHA512
cadf68dcaffa265ec6148b4164b4d4792d6dd7a5e673538c678e7724f3d66068918fb88fbc4509db7f750b7a6409c628e4dd3c2d7e933cf504b3db35db065239

Download Submit
C:\Windows\{4236005C-275C-4c00-BC19-3EF51DD6FCC2}.exe

Filesize
372KB

MD5
153b7f262ab739e5734c7c069493c4d9

SHA1
bb1d5b27bb0ee2af0a9dcea9e8754430931f6f4c

SHA256
9e56309a511956294b03e8bf744265793bb38d45da7608b4b8672987b6c4414b

SHA512
cadf68dcaffa265ec6148b4164b4d4792d6dd7a5e673538c678e7724f3d66068918fb88fbc4509db7f750b7a6409c628e4dd3c2d7e933cf504b3db35db065239

Download Submit
C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe

Filesize
372KB

MD5
a8eae8b6560bc9555d9d12bf27e1d9a8

SHA1
208ea300f80b5e34f779f9bfb312193b6022b71a

SHA256
28a4bafe2381babe0764da36e5f0ee31513427c5dbe274306a649229f4d535bc

SHA512
96db79db464834ed7a2cc58929e27031f293f751b5f128e3d0bc1ccbcbc070c95f374419081837f94a46f3819319757e960ad2f50776e549fbc2f86d3c4b5ee4

Download Submit
C:\Windows\{458E2FAE-0428-49ee-8565-3780B96170F5}.exe

Filesize
372KB

MD5
a8eae8b6560bc9555d9d12bf27e1d9a8

SHA1
208ea300f80b5e34f779f9bfb312193b6022b71a

SHA256
28a4bafe2381babe0764da36e5f0ee31513427c5dbe274306a649229f4d535bc

SHA512
96db79db464834ed7a2cc58929e27031f293f751b5f128e3d0bc1ccbcbc070c95f374419081837f94a46f3819319757e960ad2f50776e549fbc2f86d3c4b5ee4

Download Submit
C:\Windows\{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe

Filesize
372KB

MD5
c2ff736536fccd772debb462f683df12

SHA1
1771e71332de800f16afb38c60898c79f9ca9a63

SHA256
85bd702c265034ac19b748f5fc42c464e388a0d1796ab678c6439e82c2990bdf

SHA512
006beb54224c81b416c72d895d1d901c8e5df679ad9d87c6c477e1ded41ae48b617b9f0aebbe1332465d6588f6a475c28968d2a31c9aba1ca3d38b34e0c0c08f

Download Submit
C:\Windows\{76204D8E-4EC4-47db-BF45-5F15085A34EF}.exe

Filesize
372KB

MD5
c2ff736536fccd772debb462f683df12

SHA1
1771e71332de800f16afb38c60898c79f9ca9a63

SHA256
85bd702c265034ac19b748f5fc42c464e388a0d1796ab678c6439e82c2990bdf

SHA512
006beb54224c81b416c72d895d1d901c8e5df679ad9d87c6c477e1ded41ae48b617b9f0aebbe1332465d6588f6a475c28968d2a31c9aba1ca3d38b34e0c0c08f

Download Submit
C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe

Filesize
372KB

MD5
187f30ce4a017f191b972dacf6ec1f98

SHA1
788a9b2b5e5379d0e01ed52a1f104cc8859fa083

SHA256
64743e3f72cfba7cecab1a5071871a029c095bb94bc83421cadf8d55f8eca04d

SHA512
b68f407294d3c033150db4d97056a818f6e577ec937fb1169e75e06b910b095af12f56856051a94041fd827de219382dd63bb625f9686ec5d2bd8fca77d73531

Download Submit
C:\Windows\{7D9E2CB7-D9EE-434e-A687-5F92009DD344}.exe

Filesize
372KB

MD5
187f30ce4a017f191b972dacf6ec1f98

SHA1
788a9b2b5e5379d0e01ed52a1f104cc8859fa083

SHA256
64743e3f72cfba7cecab1a5071871a029c095bb94bc83421cadf8d55f8eca04d

SHA512
b68f407294d3c033150db4d97056a818f6e577ec937fb1169e75e06b910b095af12f56856051a94041fd827de219382dd63bb625f9686ec5d2bd8fca77d73531

Download Submit
C:\Windows\{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe

Filesize
372KB

MD5
bba8b755d2e570bec990ba7162d32261

SHA1
19ac7f91b7c1fc53b0553990dbc0520d35ab52ea

SHA256
ac9ebb06a51c7da94e44c5e77fdb74571ee132b26b262a34dca1cf2da27a9c4c

SHA512
add98f2798cd855805a97a6a25d2710958cd7392fd0208976c96ef3201013a0dff9959e20e24d8ff8e2bd7fda5d2b9a4b0bcd3d2b0f2cb8257bf6a6d31580aa7

Download Submit
C:\Windows\{87BC8AFA-C889-4812-B388-31F78A6D586E}.exe

Filesize
372KB

MD5
bba8b755d2e570bec990ba7162d32261

SHA1
19ac7f91b7c1fc53b0553990dbc0520d35ab52ea

SHA256
ac9ebb06a51c7da94e44c5e77fdb74571ee132b26b262a34dca1cf2da27a9c4c

SHA512
add98f2798cd855805a97a6a25d2710958cd7392fd0208976c96ef3201013a0dff9959e20e24d8ff8e2bd7fda5d2b9a4b0bcd3d2b0f2cb8257bf6a6d31580aa7

Download Submit
C:\Windows\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe

Filesize
372KB

MD5
4e267647fbd9e7305c7b6539e34f6aa5

SHA1
78cfb6cfe1b5c2d2fc9e7a8eeaed122772de16e0

SHA256
a91427ffa832c3edd33375bef15208ec80fa7364c29e5486ec1047d88721ba06

SHA512
05f9a3b062256e13f4eb56cf354e573656b4a5f8a6fc10591df4a874a1fe96b78e83484153eadaff48c3c54627a121091bed4123986be8a216ab696fe92ae7f6

Download Submit
C:\Windows\{8DD39555-7C08-4f70-8DE8-E861548DB2FE}.exe

Filesize
372KB

MD5
4e267647fbd9e7305c7b6539e34f6aa5

SHA1
78cfb6cfe1b5c2d2fc9e7a8eeaed122772de16e0

SHA256
a91427ffa832c3edd33375bef15208ec80fa7364c29e5486ec1047d88721ba06

SHA512
05f9a3b062256e13f4eb56cf354e573656b4a5f8a6fc10591df4a874a1fe96b78e83484153eadaff48c3c54627a121091bed4123986be8a216ab696fe92ae7f6

Download Submit
C:\Windows\{D375FB55-B461-487e-A89B-2CC872C4462A}.exe

Filesize
372KB

MD5
a598437f2a8b2a702f9a8013ed2e1917

SHA1
941e036919dba2c8fc57d55ff68bf85014ac63e4

SHA256
257cb065079785b158524f0ab64c368e89fbce250311f3d5475503facd7d527f

SHA512
a0486bb0fd252550d096ee8b837bd42a489e9c9e816e567b9f8efd24ca29ba1ccbad32ed9f6a8859a8345d9ddd6fe0904810d03f115f8358302973f1761582aa

Download Submit
C:\Windows\{D375FB55-B461-487e-A89B-2CC872C4462A}.exe

Filesize
372KB

MD5
a598437f2a8b2a702f9a8013ed2e1917

SHA1
941e036919dba2c8fc57d55ff68bf85014ac63e4

SHA256
257cb065079785b158524f0ab64c368e89fbce250311f3d5475503facd7d527f

SHA512
a0486bb0fd252550d096ee8b837bd42a489e9c9e816e567b9f8efd24ca29ba1ccbad32ed9f6a8859a8345d9ddd6fe0904810d03f115f8358302973f1761582aa

Download Submit
C:\Windows\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe

Filesize
372KB

MD5
648ab000605efefbe6c3056a182aa82c

SHA1
5b00695d7b878175a91117109e703c291e99cd5f

SHA256
05b85f57285a2ce1cb0fe59949dc67f67aa740ab88410df7dc71e690eb14f757

SHA512
9410a5abb7e34609b757c759600c7e5616c0c2001fabcbffaacdafcacf3df6bf4ca382f6994f13f64539637c86a5c1d6f7da3e79546fbfa35490783424d2a732

Download Submit
C:\Windows\{E21ABE8D-9AB6-491b-9649-483D9072A1B5}.exe

Filesize
372KB

MD5
648ab000605efefbe6c3056a182aa82c

SHA1
5b00695d7b878175a91117109e703c291e99cd5f

SHA256
05b85f57285a2ce1cb0fe59949dc67f67aa740ab88410df7dc71e690eb14f757

SHA512
9410a5abb7e34609b757c759600c7e5616c0c2001fabcbffaacdafcacf3df6bf4ca382f6994f13f64539637c86a5c1d6f7da3e79546fbfa35490783424d2a732

Download Submit
C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe

Filesize
372KB

MD5
20be85a9d04cefe3404ca1c04c13d551

SHA1
bf78f7791895f69d3729857ffebe11c0fa963153

SHA256
97c9b41d61e4981c11d5a761e51afbb8870a4898299fe6da98c71be4e7f4ba91

SHA512
03db507e54671c9a4a79c793c71977bd676ceb9480acb68c05f1615baf06ba76906655ae742cf1ba7d5624d01140440e286c69ab21125c061fec62c97e486cbf

Download Submit
C:\Windows\{E4173010-E957-4e69-B3B3-384F5B5A30E3}.exe

Filesize
372KB

MD5
20be85a9d04cefe3404ca1c04c13d551

SHA1
bf78f7791895f69d3729857ffebe11c0fa963153

SHA256
97c9b41d61e4981c11d5a761e51afbb8870a4898299fe6da98c71be4e7f4ba91

SHA512
03db507e54671c9a4a79c793c71977bd676ceb9480acb68c05f1615baf06ba76906655ae742cf1ba7d5624d01140440e286c69ab21125c061fec62c97e486cbf

Download Submit
C:\Windows\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe

Filesize
372KB

MD5
7be8ff25d92aa384ee278d25207a90fc

SHA1
476090edba57c47b4513fc74263e4faad60eed86

SHA256
6603fac856e8e1bb41f389e8a9ba79c533f59d7ae72416e9bfef721f34c9977d

SHA512
010c40fee9cb7dc372060817e391745be0de22840a00d1f4717f21ee2b43c6268a2422ac6b083ced83fdfae92edd2b2e8213fef9aa0fadb8fe31e57014cb2801

Download Submit
C:\Windows\{FF814F39-9EAC-40dd-977A-98BD8D4FA2D8}.exe

Filesize
372KB

MD5
7be8ff25d92aa384ee278d25207a90fc

SHA1
476090edba57c47b4513fc74263e4faad60eed86

SHA256
6603fac856e8e1bb41f389e8a9ba79c533f59d7ae72416e9bfef721f34c9977d

SHA512
010c40fee9cb7dc372060817e391745be0de22840a00d1f4717f21ee2b43c6268a2422ac6b083ced83fdfae92edd2b2e8213fef9aa0fadb8fe31e57014cb2801

Download Submit