a0e45aaec6832e911bf31344478131d69e40275fad8e103e95c66a5d844167c1

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6aa47bca15ec9exeexeexeex.exe
Size

372KB
MD5

c6aa47bca15ec9eebb38cc4e74e8c801
SHA1

3aca2f4bec871a484d39019876bdc4876b92e98d
SHA256

a0e45aaec6832e911bf31344478131d69e40275fad8e103e95c66a5d844167c1
SHA512

4b2b90f2a93db7ccf65250388453d97fde32cced094be6e31a4fc8efc4353a9c43a94fc8d61fb7bf9fc5c23a8a4a45d1240e869d8fb9ac6e461f84e3244ed910
SSDEEP

3072:CEGh0okmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG3l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C93451-488F-474a-84AB-CE030832E653}\stubpath = "C:\\Windows\\{73C93451-488F-474a-84AB-CE030832E653}.exe"	{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}	{73C93451-488F-474a-84AB-CE030832E653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}\stubpath = "C:\\Windows\\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe"	c6aa47bca15ec9exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE5317A-5851-4f91-949B-D0EB41F446DF}\stubpath = "C:\\Windows\\{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe"	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}\stubpath = "C:\\Windows\\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe"	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{120B595E-7758-47ab-A68F-41C27180E286}	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{250E7475-0BFE-440f-B691-BE97D39A71EF}	{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{083777A4-ECBD-4a1e-960C-A89E173C0640}	{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}\stubpath = "C:\\Windows\\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe"	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB725E7F-0259-402c-9587-0013EC5C9AC6}\stubpath = "C:\\Windows\\{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe"	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE5317A-5851-4f91-949B-D0EB41F446DF}	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{083777A4-ECBD-4a1e-960C-A89E173C0640}\stubpath = "C:\\Windows\\{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe"	{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}\stubpath = "C:\\Windows\\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe"	{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}\stubpath = "C:\\Windows\\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}.exe"	{73C93451-488F-474a-84AB-CE030832E653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}	{120B595E-7758-47ab-A68F-41C27180E286}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}\stubpath = "C:\\Windows\\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe"	{120B595E-7758-47ab-A68F-41C27180E286}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{250E7475-0BFE-440f-B691-BE97D39A71EF}\stubpath = "C:\\Windows\\{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe"	{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{120B595E-7758-47ab-A68F-41C27180E286}\stubpath = "C:\\Windows\\{120B595E-7758-47ab-A68F-41C27180E286}.exe"	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}	{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C93451-488F-474a-84AB-CE030832E653}	{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}	c6aa47bca15ec9exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB725E7F-0259-402c-9587-0013EC5C9AC6}	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}\stubpath = "C:\\Windows\\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe"	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe
2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe
1076	{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
3068	{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
2760	{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
2348	{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe
2508	{73C93451-488F-474a-84AB-CE030832E653}.exe
2776	{A02752BF-8685-4d4f-B6C3-F9D729BCB181}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	c6aa47bca15ec9exeexeexeex.exe
File created	C:\Windows\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
File created	C:\Windows\{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
File created	C:\Windows\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe
File created	C:\Windows\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
File created	C:\Windows\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe	{120B595E-7758-47ab-A68F-41C27180E286}.exe
File created	C:\Windows\{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe	{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
File created	C:\Windows\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe	{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
File created	C:\Windows\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}.exe	{73C93451-488F-474a-84AB-CE030832E653}.exe
File created	C:\Windows\{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
File created	C:\Windows\{120B595E-7758-47ab-A68F-41C27180E286}.exe	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
File created	C:\Windows\{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe	{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
File created	C:\Windows\{73C93451-488F-474a-84AB-CE030832E653}.exe	{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	c6aa47bca15ec9exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
Token: SeIncBasePriorityPrivilege	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
Token: SeIncBasePriorityPrivilege	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe
Token: SeIncBasePriorityPrivilege	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
Token: SeIncBasePriorityPrivilege	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
Token: SeIncBasePriorityPrivilege	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
Token: SeIncBasePriorityPrivilege	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe
Token: SeIncBasePriorityPrivilege	1076	{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
Token: SeIncBasePriorityPrivilege	3068	{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
Token: SeIncBasePriorityPrivilege	2760	{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
Token: SeIncBasePriorityPrivilege	2348	{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe
Token: SeIncBasePriorityPrivilege	2508	{73C93451-488F-474a-84AB-CE030832E653}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2328	2304	c6aa47bca15ec9exeexeexeex.exe	29
PID 2304 wrote to memory of 2328	2304	c6aa47bca15ec9exeexeexeex.exe	29
PID 2304 wrote to memory of 2328	2304	c6aa47bca15ec9exeexeexeex.exe	29
PID 2304 wrote to memory of 2328	2304	c6aa47bca15ec9exeexeexeex.exe	29
PID 2304 wrote to memory of 2720	2304	c6aa47bca15ec9exeexeexeex.exe	30
PID 2304 wrote to memory of 2720	2304	c6aa47bca15ec9exeexeexeex.exe	30
PID 2304 wrote to memory of 2720	2304	c6aa47bca15ec9exeexeexeex.exe	30
PID 2304 wrote to memory of 2720	2304	c6aa47bca15ec9exeexeexeex.exe	30
PID 2328 wrote to memory of 2280	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	31
PID 2328 wrote to memory of 2280	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	31
PID 2328 wrote to memory of 2280	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	31
PID 2328 wrote to memory of 2280	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	31
PID 2328 wrote to memory of 2060	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	32
PID 2328 wrote to memory of 2060	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	32
PID 2328 wrote to memory of 2060	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	32
PID 2328 wrote to memory of 2060	2328	{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe	32
PID 2280 wrote to memory of 1320	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	34
PID 2280 wrote to memory of 1320	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	34
PID 2280 wrote to memory of 1320	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	34
PID 2280 wrote to memory of 1320	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	34
PID 2280 wrote to memory of 2928	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	33
PID 2280 wrote to memory of 2928	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	33
PID 2280 wrote to memory of 2928	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	33
PID 2280 wrote to memory of 2928	2280	{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe	33
PID 1320 wrote to memory of 2996	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	36
PID 1320 wrote to memory of 2996	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	36
PID 1320 wrote to memory of 2996	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	36
PID 1320 wrote to memory of 2996	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	36
PID 1320 wrote to memory of 2556	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	35
PID 1320 wrote to memory of 2556	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	35
PID 1320 wrote to memory of 2556	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	35
PID 1320 wrote to memory of 2556	1320	{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe	35
PID 2996 wrote to memory of 1608	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	37
PID 2996 wrote to memory of 1608	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	37
PID 2996 wrote to memory of 1608	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	37
PID 2996 wrote to memory of 1608	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	37
PID 2996 wrote to memory of 1668	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	38
PID 2996 wrote to memory of 1668	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	38
PID 2996 wrote to memory of 1668	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	38
PID 2996 wrote to memory of 1668	2996	{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe	38
PID 1608 wrote to memory of 1784	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	39
PID 1608 wrote to memory of 1784	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	39
PID 1608 wrote to memory of 1784	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	39
PID 1608 wrote to memory of 1784	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	39
PID 1608 wrote to memory of 2072	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	40
PID 1608 wrote to memory of 2072	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	40
PID 1608 wrote to memory of 2072	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	40
PID 1608 wrote to memory of 2072	1608	{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe	40
PID 1784 wrote to memory of 1632	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	41
PID 1784 wrote to memory of 1632	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	41
PID 1784 wrote to memory of 1632	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	41
PID 1784 wrote to memory of 1632	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	41
PID 1784 wrote to memory of 2144	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	42
PID 1784 wrote to memory of 2144	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	42
PID 1784 wrote to memory of 2144	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	42
PID 1784 wrote to memory of 2144	1784	{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe	42
PID 1632 wrote to memory of 1076	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	43
PID 1632 wrote to memory of 1076	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	43
PID 1632 wrote to memory of 1076	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	43
PID 1632 wrote to memory of 1076	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	43
PID 1632 wrote to memory of 1384	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	44
PID 1632 wrote to memory of 1384	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	44
PID 1632 wrote to memory of 1384	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	44
PID 1632 wrote to memory of 1384	1632	{120B595E-7758-47ab-A68F-41C27180E286}.exe	44

C:\Users\Admin\AppData\Local\Temp\c6aa47bca15ec9exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c6aa47bca15ec9exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
  C:\Windows\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
    C:\Windows\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBBF0~1.EXE > nul
      4⤵
      PID:2928
  - - C:\Windows\{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe
      C:\Windows\{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB725~1.EXE > nul
        5⤵
        
        PID:2556
    - - C:\Windows\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
        
        C:\Windows\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
        
        C:\Windows\{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
        
        C:\Windows\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{120B595E-7758-47ab-A68F-41C27180E286}.exe
        
        C:\Windows\{120B595E-7758-47ab-A68F-41C27180E286}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
        
        C:\Windows\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B83AB~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
        
        C:\Windows\{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
        
        C:\Windows\{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe
        
        C:\Windows\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{73C93451-488F-474a-84AB-CE030832E653}.exe
        
        C:\Windows\{73C93451-488F-474a-84AB-CE030832E653}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}.exe
        
        C:\Windows\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}.exe
        14⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73C93~1.EXE > nul
        14⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F956~1.EXE > nul
        13⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08377~1.EXE > nul
        12⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{250E7~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{120B5~1.EXE > nul
        9⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B66AD~1.EXE > nul
        8⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE53~1.EXE > nul
        7⤵
        
        PID:2072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E290~1.EXE > nul
        6⤵
        
        PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4AC~1.EXE > nul
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C6AA47~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe

Filesize
372KB

MD5
e5690e6865ae60087baa8a19914fd722

SHA1
61ac0daf275406dc2dcea07f3615465e4fcd593e

SHA256
76720af5a4fcbc5e94386ecb2f00a367664561d3a95b1e1874d55bfb61e156e8

SHA512
3348f041a77c8cda83e64a2bcdd60a01c917a76b11c50f591c1f3c33edd5a47078f3d4f046a16e639caa5d7a0e748719e193d3dc31a60afeb56f748fd23b214c

Download Submit
C:\Windows\{083777A4-ECBD-4a1e-960C-A89E173C0640}.exe

Filesize
372KB

MD5
e5690e6865ae60087baa8a19914fd722

SHA1
61ac0daf275406dc2dcea07f3615465e4fcd593e

SHA256
76720af5a4fcbc5e94386ecb2f00a367664561d3a95b1e1874d55bfb61e156e8

SHA512
3348f041a77c8cda83e64a2bcdd60a01c917a76b11c50f591c1f3c33edd5a47078f3d4f046a16e639caa5d7a0e748719e193d3dc31a60afeb56f748fd23b214c

Download Submit
C:\Windows\{120B595E-7758-47ab-A68F-41C27180E286}.exe

Filesize
372KB

MD5
e3c03e90309d01fd8954d8d717cb971d

SHA1
af9f577dcf18ee0c1870bb10578d5ab92bc3ffeb

SHA256
8ce3c54af372a08ef5ac99c74bb55b7302ea88c938bf8db3eb9f49b5a4541094

SHA512
1da570d4f5d5891f56d9c83d019dd7bfea38d0805f049af3c0f6d833bfb79af369740e35c1ec2542c1ca03b2b4a4a0e57c4f3335582b7b4903e217e226bbe31f

Download Submit
C:\Windows\{120B595E-7758-47ab-A68F-41C27180E286}.exe

Filesize
372KB

MD5
e3c03e90309d01fd8954d8d717cb971d

SHA1
af9f577dcf18ee0c1870bb10578d5ab92bc3ffeb

SHA256
8ce3c54af372a08ef5ac99c74bb55b7302ea88c938bf8db3eb9f49b5a4541094

SHA512
1da570d4f5d5891f56d9c83d019dd7bfea38d0805f049af3c0f6d833bfb79af369740e35c1ec2542c1ca03b2b4a4a0e57c4f3335582b7b4903e217e226bbe31f

Download Submit
C:\Windows\{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe

Filesize
372KB

MD5
96ce7960aa66fe4518495f97cd88aba0

SHA1
f15ae0a5a5e2bdcfc4689e27cd3789287db5c686

SHA256
ae2c87a3cb95c42f4a69dff30e811c4f5204c135af58037923affba8dc6c940f

SHA512
7274f7939ad769bd658866eedc946e204f55c550f9e37e37189081b17961536ef65a04230255b235bbf396477319ecd67980039ce5950d51bca29a3cfb4a929a

Download Submit
C:\Windows\{250E7475-0BFE-440f-B691-BE97D39A71EF}.exe

Filesize
372KB

MD5
96ce7960aa66fe4518495f97cd88aba0

SHA1
f15ae0a5a5e2bdcfc4689e27cd3789287db5c686

SHA256
ae2c87a3cb95c42f4a69dff30e811c4f5204c135af58037923affba8dc6c940f

SHA512
7274f7939ad769bd658866eedc946e204f55c550f9e37e37189081b17961536ef65a04230255b235bbf396477319ecd67980039ce5950d51bca29a3cfb4a929a

Download Submit
C:\Windows\{73C93451-488F-474a-84AB-CE030832E653}.exe

Filesize
372KB

MD5
4a8aadd6bac438a5e0b88488b3d48081

SHA1
1d34e13e3dc26543f035cd4f65c28c502be5186b

SHA256
646bd89c8a21987ec96d7314cabb7d45da4a8e65872839805ed7104927e2283c

SHA512
9de61ea4615a627f2db1f0f791c547cd3d7c480e315423ffc6f6657dfa2a64749ee951a4eb9b4038ae8ee8a9c6e18ca0d3f2d9426a4afc6d106d66cd0b50a3cd

Download Submit
C:\Windows\{73C93451-488F-474a-84AB-CE030832E653}.exe

Filesize
372KB

MD5
4a8aadd6bac438a5e0b88488b3d48081

SHA1
1d34e13e3dc26543f035cd4f65c28c502be5186b

SHA256
646bd89c8a21987ec96d7314cabb7d45da4a8e65872839805ed7104927e2283c

SHA512
9de61ea4615a627f2db1f0f791c547cd3d7c480e315423ffc6f6657dfa2a64749ee951a4eb9b4038ae8ee8a9c6e18ca0d3f2d9426a4afc6d106d66cd0b50a3cd

Download Submit
C:\Windows\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe

Filesize
372KB

MD5
ddc9b87b4900a2bf1ab8c2ed919b2a71

SHA1
ca1d9ea6e4e33755926baa20f982a23ae1cd01b3

SHA256
18060ea6158aa933715e6c82d7d6670cf3633b46e95ea4e7f6abb0e206bdf0b9

SHA512
014eecb3cb0bba84ca14ad738a11ffb988a961613c26d69d3e39766360108c36f131d404393d5f6ea9e11f306edaddcb01645ef77de3cf20423eafdd89426a83

Download Submit
C:\Windows\{8E290F1B-AE7A-400a-ADC5-8C3AA0E7BDEE}.exe

Filesize
372KB

MD5
ddc9b87b4900a2bf1ab8c2ed919b2a71

SHA1
ca1d9ea6e4e33755926baa20f982a23ae1cd01b3

SHA256
18060ea6158aa933715e6c82d7d6670cf3633b46e95ea4e7f6abb0e206bdf0b9

SHA512
014eecb3cb0bba84ca14ad738a11ffb988a961613c26d69d3e39766360108c36f131d404393d5f6ea9e11f306edaddcb01645ef77de3cf20423eafdd89426a83

Download Submit
C:\Windows\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe

Filesize
372KB

MD5
b85ce5f5fd938dcfe3eb7054f0d1fd15

SHA1
080a416c969130f0b12e2c466ac48e5ad13bffdd

SHA256
13bdd177b735d2dda0fd99e025211e001e7cce2c008f24c12aabf2fcdef768da

SHA512
05d29c1ed1dbaab6cb19c274d2e20dc7a9be816f8c674aad179972dbd1011be84ac9ea353b7c7e9c3e80930f7e12d199a94f500c8f491bf88f8dde936ed07e2e

Download Submit
C:\Windows\{8F956877-D0B8-42c7-9643-FD1A2D2CA098}.exe

Filesize
372KB

MD5
b85ce5f5fd938dcfe3eb7054f0d1fd15

SHA1
080a416c969130f0b12e2c466ac48e5ad13bffdd

SHA256
13bdd177b735d2dda0fd99e025211e001e7cce2c008f24c12aabf2fcdef768da

SHA512
05d29c1ed1dbaab6cb19c274d2e20dc7a9be816f8c674aad179972dbd1011be84ac9ea353b7c7e9c3e80930f7e12d199a94f500c8f491bf88f8dde936ed07e2e

Download Submit
C:\Windows\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe

Filesize
372KB

MD5
ad4023921e6a6289d6ea67085612b94f

SHA1
20f01061e06d09a11eb26effd108f7eaaa2e59a6

SHA256
70f118e577acce38356d20d006513d62b9b127cff5db126155666e8609537e43

SHA512
3b4aca3b70512ae9c146a0069efc2ef6203c214691233a2a48ee5c2f56315d2c498f9149e0c34c5b5d5ecf8463949509770a6f9a842d953d4312d39d6682f5aa

Download Submit
C:\Windows\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe

Filesize
372KB

MD5
ad4023921e6a6289d6ea67085612b94f

SHA1
20f01061e06d09a11eb26effd108f7eaaa2e59a6

SHA256
70f118e577acce38356d20d006513d62b9b127cff5db126155666e8609537e43

SHA512
3b4aca3b70512ae9c146a0069efc2ef6203c214691233a2a48ee5c2f56315d2c498f9149e0c34c5b5d5ecf8463949509770a6f9a842d953d4312d39d6682f5aa

Download Submit
C:\Windows\{9F4ACE14-E35B-49f1-8583-5A6C11DB8980}.exe

Filesize
372KB

MD5
ad4023921e6a6289d6ea67085612b94f

SHA1
20f01061e06d09a11eb26effd108f7eaaa2e59a6

SHA256
70f118e577acce38356d20d006513d62b9b127cff5db126155666e8609537e43

SHA512
3b4aca3b70512ae9c146a0069efc2ef6203c214691233a2a48ee5c2f56315d2c498f9149e0c34c5b5d5ecf8463949509770a6f9a842d953d4312d39d6682f5aa

Download Submit
C:\Windows\{A02752BF-8685-4d4f-B6C3-F9D729BCB181}.exe

Filesize
372KB

MD5
bddf98da9389a21867d68ef82f02370e

SHA1
00da9bd0ecec892c8fac8468f71e63dde93234ea

SHA256
95916ef7dec074884e83b632e04867a278c848938f4a0d5da762db9f7ece1b84

SHA512
f8a335477ee6611af2c3a3ee619244d059fd2d8a63132bc0525f5c1bb7fdaaf75353a9bacee29cf9347dfbb55bda06f9dfd06e3b68e3e689b23c4e9215531ea9

Download Submit
C:\Windows\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe

Filesize
372KB

MD5
012ea9ac2a34ff25a25c0717c41d050e

SHA1
e29d71b009b7997fa6f5dea487c6dc28c281fd3b

SHA256
84a9ffc5cf8375a2d413b68fd05a17de6e4efc6e7a1b5ea0405b8c1e976fea72

SHA512
ef0a07c8b6f7e3d6c95cafc69506b9e188acd6045dbe58ff104c514cd10cf7818b8dc5373c9f569d4ab846faa9669788e1c1a31b6d1de3e5fd9eb98c98c4c67a

Download Submit
C:\Windows\{B66AD770-2432-42e9-A5F0-9DEC72D3F949}.exe

Filesize
372KB

MD5
012ea9ac2a34ff25a25c0717c41d050e

SHA1
e29d71b009b7997fa6f5dea487c6dc28c281fd3b

SHA256
84a9ffc5cf8375a2d413b68fd05a17de6e4efc6e7a1b5ea0405b8c1e976fea72

SHA512
ef0a07c8b6f7e3d6c95cafc69506b9e188acd6045dbe58ff104c514cd10cf7818b8dc5373c9f569d4ab846faa9669788e1c1a31b6d1de3e5fd9eb98c98c4c67a

Download Submit
C:\Windows\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe

Filesize
372KB

MD5
261b90523410f1a26b820f9363c48c79

SHA1
2ae37faf37b2a726747121d253ab161f986b2d2a

SHA256
20e7452a172dd970174bfadd7c04a70ea5680ee60c86f52d153abeea5ed2947c

SHA512
7afed00a2d6b5b1aeddfb684c9bb976de566e372e10b5eecf30865b3382b340ad0e07d8270ed8c7b5881c2d95d5b505c35f003a5c61e7ff9ef9afce61be7259c

Download Submit
C:\Windows\{B83AB5C5-6915-4bc9-A280-CE96481E1F83}.exe

Filesize
372KB

MD5
261b90523410f1a26b820f9363c48c79

SHA1
2ae37faf37b2a726747121d253ab161f986b2d2a

SHA256
20e7452a172dd970174bfadd7c04a70ea5680ee60c86f52d153abeea5ed2947c

SHA512
7afed00a2d6b5b1aeddfb684c9bb976de566e372e10b5eecf30865b3382b340ad0e07d8270ed8c7b5881c2d95d5b505c35f003a5c61e7ff9ef9afce61be7259c

Download Submit
C:\Windows\{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe

Filesize
372KB

MD5
e32036b1fcf3965cbb2846340e83b713

SHA1
edc497f4739d3edba7aef0416742b28b85c4752d

SHA256
ad7caa0c6e107439a135b6e2a36ad8d1e68039c6a91dd74b910b2166f4cb01bd

SHA512
56ee418d16dc60b353d03766e6137dcaa3af3b8159588006d47976e11086cdc10915df2f9024a5491d3dceb6c599d2344c7b0e8c630e042ca1b560e067d2ffbd

Download Submit
C:\Windows\{DB725E7F-0259-402c-9587-0013EC5C9AC6}.exe

Filesize
372KB

MD5
e32036b1fcf3965cbb2846340e83b713

SHA1
edc497f4739d3edba7aef0416742b28b85c4752d

SHA256
ad7caa0c6e107439a135b6e2a36ad8d1e68039c6a91dd74b910b2166f4cb01bd

SHA512
56ee418d16dc60b353d03766e6137dcaa3af3b8159588006d47976e11086cdc10915df2f9024a5491d3dceb6c599d2344c7b0e8c630e042ca1b560e067d2ffbd

Download Submit
C:\Windows\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe

Filesize
372KB

MD5
ae5d4cddc2576936a39ab8341625ef43

SHA1
d02f9e7ca12f29d6e475a9064444ffd77d560f00

SHA256
474418e513133e454a407b4940b2e252977986592869c93846bc1a1c624af81c

SHA512
410373d5a8992796625ae73d15b260deb47e17f3ca2aa3928501ea50f9360dd0a77fb0546b208df863fb378089a2f43800176b78c07f702b962fe569e056b404

Download Submit
C:\Windows\{FBBF06A0-EC37-490b-AFC2-9EBE8ACB153D}.exe

Filesize
372KB

MD5
ae5d4cddc2576936a39ab8341625ef43

SHA1
d02f9e7ca12f29d6e475a9064444ffd77d560f00

SHA256
474418e513133e454a407b4940b2e252977986592869c93846bc1a1c624af81c

SHA512
410373d5a8992796625ae73d15b260deb47e17f3ca2aa3928501ea50f9360dd0a77fb0546b208df863fb378089a2f43800176b78c07f702b962fe569e056b404

Download Submit
C:\Windows\{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe

Filesize
372KB

MD5
173680e98935ac81db914e1bd7a18d76

SHA1
0bf9fbd6075a67e8938f4f736d8016fd8df1a9ff

SHA256
71e403c59e59e61556978b8012f8f6c1272e0ae62d1f1bb2116a24286cba46e6

SHA512
1babda873d4ce564b03f381ee0671b6830a48dc39dbb4dfc5f09e36b4e9cf01f75472eeca3d4914c79941723c67663a89fb2cdbca95cee99b3888f25a921ec59

Download Submit
C:\Windows\{FBE5317A-5851-4f91-949B-D0EB41F446DF}.exe

Filesize
372KB

MD5
173680e98935ac81db914e1bd7a18d76

SHA1
0bf9fbd6075a67e8938f4f736d8016fd8df1a9ff

SHA256
71e403c59e59e61556978b8012f8f6c1272e0ae62d1f1bb2116a24286cba46e6

SHA512
1babda873d4ce564b03f381ee0671b6830a48dc39dbb4dfc5f09e36b4e9cf01f75472eeca3d4914c79941723c67663a89fb2cdbca95cee99b3888f25a921ec59

Download Submit