93326b2f982873a3e84648fa7bf25ff3bb2e9a76b95640a416aec4a0ebdf8fb3

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 18:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db0e5d22decc23exeexeexeex.exe
Size

204KB
MD5

db0e5d22decc23a8ee593762d13672ac
SHA1

8f577bb0f878aeb24d26e6dd7e759a08afc2b894
SHA256

93326b2f982873a3e84648fa7bf25ff3bb2e9a76b95640a416aec4a0ebdf8fb3
SHA512

7c4da83ef6ff4922badb2fdb5100fad1cc11c97679045aec1ab2b447452ae05a5be3930ef406108b8fa452cb12483958f9dccbcbb0f5fd0d28c3b1ba272f94ce
SSDEEP

1536:1EGh0opl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0opl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}\stubpath = "C:\\Windows\\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe"	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{981FD831-5594-49a5-B4FB-0F3A082205C7}	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{981FD831-5594-49a5-B4FB-0F3A082205C7}\stubpath = "C:\\Windows\\{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe"	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FB852A-A219-4c07-9547-8F13B9F4A103}	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252CE084-3661-4737-847C-D89DC85DEB0E}	{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A39E7D61-ED08-46a4-93E2-A691173A667B}\stubpath = "C:\\Windows\\{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe"	{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}	{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}	db0e5d22decc23exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}\stubpath = "C:\\Windows\\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe"	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FB852A-A219-4c07-9547-8F13B9F4A103}\stubpath = "C:\\Windows\\{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe"	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}\stubpath = "C:\\Windows\\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe"	{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A39E7D61-ED08-46a4-93E2-A691173A667B}	{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}	{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17EF74C-AF0B-424c-966B-D768169AE32B}	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}\stubpath = "C:\\Windows\\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe"	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}\stubpath = "C:\\Windows\\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe"	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252CE084-3661-4737-847C-D89DC85DEB0E}\stubpath = "C:\\Windows\\{252CE084-3661-4737-847C-D89DC85DEB0E}.exe"	{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}\stubpath = "C:\\Windows\\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe"	{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}\stubpath = "C:\\Windows\\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}.exe"	{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}\stubpath = "C:\\Windows\\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe"	db0e5d22decc23exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17EF74C-AF0B-424c-966B-D768169AE32B}\stubpath = "C:\\Windows\\{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe"	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}	{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe
2296	{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe
108	{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
2592	{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
2940	{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
2604	{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe
3048	{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
File created	C:\Windows\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe	{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe
File created	C:\Windows\{252CE084-3661-4737-847C-D89DC85DEB0E}.exe	{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
File created	C:\Windows\{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe	{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
File created	C:\Windows\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
File created	C:\Windows\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
File created	C:\Windows\{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
File created	C:\Windows\{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
File created	C:\Windows\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe	{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
File created	C:\Windows\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}.exe	{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe
File created	C:\Windows\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	db0e5d22decc23exeexeexeex.exe
File created	C:\Windows\{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
File created	C:\Windows\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1140	db0e5d22decc23exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
Token: SeIncBasePriorityPrivilege	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
Token: SeIncBasePriorityPrivilege	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
Token: SeIncBasePriorityPrivilege	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
Token: SeIncBasePriorityPrivilege	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
Token: SeIncBasePriorityPrivilege	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
Token: SeIncBasePriorityPrivilege	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe
Token: SeIncBasePriorityPrivilege	2296	{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe
Token: SeIncBasePriorityPrivilege	108	{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
Token: SeIncBasePriorityPrivilege	2592	{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
Token: SeIncBasePriorityPrivilege	2940	{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
Token: SeIncBasePriorityPrivilege	2604	{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1100	1140	db0e5d22decc23exeexeexeex.exe	29
PID 1140 wrote to memory of 1100	1140	db0e5d22decc23exeexeexeex.exe	29
PID 1140 wrote to memory of 1100	1140	db0e5d22decc23exeexeexeex.exe	29
PID 1140 wrote to memory of 1100	1140	db0e5d22decc23exeexeexeex.exe	29
PID 1140 wrote to memory of 2972	1140	db0e5d22decc23exeexeexeex.exe	30
PID 1140 wrote to memory of 2972	1140	db0e5d22decc23exeexeexeex.exe	30
PID 1140 wrote to memory of 2972	1140	db0e5d22decc23exeexeexeex.exe	30
PID 1140 wrote to memory of 2972	1140	db0e5d22decc23exeexeexeex.exe	30
PID 1100 wrote to memory of 920	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	31
PID 1100 wrote to memory of 920	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	31
PID 1100 wrote to memory of 920	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	31
PID 1100 wrote to memory of 920	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	31
PID 1100 wrote to memory of 2988	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	32
PID 1100 wrote to memory of 2988	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	32
PID 1100 wrote to memory of 2988	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	32
PID 1100 wrote to memory of 2988	1100	{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe	32
PID 920 wrote to memory of 1284	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	34
PID 920 wrote to memory of 1284	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	34
PID 920 wrote to memory of 1284	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	34
PID 920 wrote to memory of 1284	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	34
PID 920 wrote to memory of 1368	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	33
PID 920 wrote to memory of 1368	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	33
PID 920 wrote to memory of 1368	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	33
PID 920 wrote to memory of 1368	920	{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe	33
PID 1284 wrote to memory of 2240	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	35
PID 1284 wrote to memory of 2240	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	35
PID 1284 wrote to memory of 2240	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	35
PID 1284 wrote to memory of 2240	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	35
PID 1284 wrote to memory of 2260	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	36
PID 1284 wrote to memory of 2260	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	36
PID 1284 wrote to memory of 2260	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	36
PID 1284 wrote to memory of 2260	1284	{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe	36
PID 2240 wrote to memory of 2980	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	37
PID 2240 wrote to memory of 2980	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	37
PID 2240 wrote to memory of 2980	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	37
PID 2240 wrote to memory of 2980	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	37
PID 2240 wrote to memory of 2184	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	38
PID 2240 wrote to memory of 2184	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	38
PID 2240 wrote to memory of 2184	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	38
PID 2240 wrote to memory of 2184	2240	{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe	38
PID 2980 wrote to memory of 2312	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	39
PID 2980 wrote to memory of 2312	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	39
PID 2980 wrote to memory of 2312	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	39
PID 2980 wrote to memory of 2312	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	39
PID 2980 wrote to memory of 2052	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	40
PID 2980 wrote to memory of 2052	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	40
PID 2980 wrote to memory of 2052	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	40
PID 2980 wrote to memory of 2052	2980	{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe	40
PID 2312 wrote to memory of 268	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	42
PID 2312 wrote to memory of 268	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	42
PID 2312 wrote to memory of 268	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	42
PID 2312 wrote to memory of 268	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	42
PID 2312 wrote to memory of 2264	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	41
PID 2312 wrote to memory of 2264	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	41
PID 2312 wrote to memory of 2264	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	41
PID 2312 wrote to memory of 2264	2312	{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe	41
PID 268 wrote to memory of 2296	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	44
PID 268 wrote to memory of 2296	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	44
PID 268 wrote to memory of 2296	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	44
PID 268 wrote to memory of 2296	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	44
PID 268 wrote to memory of 1772	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	43
PID 268 wrote to memory of 1772	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	43
PID 268 wrote to memory of 1772	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	43
PID 268 wrote to memory of 1772	268	{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe	43

C:\Users\Admin\AppData\Local\Temp\db0e5d22decc23exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\db0e5d22decc23exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
  C:\Windows\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
    C:\Windows\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A91FA~1.EXE > nul
      4⤵
      PID:1368
  - - C:\Windows\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
      C:\Windows\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
        
        C:\Windows\{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
        
        C:\Windows\{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
        
        C:\Windows\{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92FB8~1.EXE > nul
        8⤵
        
        PID:2264
        
        C:\Windows\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe
        
        C:\Windows\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41ECB~1.EXE > nul
        9⤵
        
        PID:1772
        
        C:\Windows\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe
        
        C:\Windows\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DC0~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
        
        C:\Windows\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
        
        C:\Windows\{252CE084-3661-4737-847C-D89DC85DEB0E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
        
        C:\Windows\{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe
        
        C:\Windows\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88EA9~1.EXE > nul
        14⤵
        
        PID:2540
        
        C:\Windows\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}.exe
        
        C:\Windows\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}.exe
        14⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A39E7~1.EXE > nul
        13⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{252CE~1.EXE > nul
        12⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{693D8~1.EXE > nul
        11⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C17EF~1.EXE > nul
        7⤵
        
        PID:2052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{981FD~1.EXE > nul
        6⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD6B~1.EXE > nul
        5⤵
        
        PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA68~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DB0E5D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{252CE084-3661-4737-847C-D89DC85DEB0E}.exe

Filesize
204KB

MD5
edc0ab841d86505cea5f52ec16ad19e3

SHA1
e6e7d33a094ec4939ef803385f5ae301faafb0c6

SHA256
e035841022778ef309b41c6e3e8583df936b19eefda46302bbd0161fc1853d0e

SHA512
09a157990b95ca8391d45b749320d942d16ea8e9a6c9ddea64160b6cc2ff657ff0fb4248e267858a10b9ef7b5a2ed3859f9ed991738ed0bfbb8baf426e4d022c

Download Submit
C:\Windows\{252CE084-3661-4737-847C-D89DC85DEB0E}.exe

Filesize
204KB

MD5
edc0ab841d86505cea5f52ec16ad19e3

SHA1
e6e7d33a094ec4939ef803385f5ae301faafb0c6

SHA256
e035841022778ef309b41c6e3e8583df936b19eefda46302bbd0161fc1853d0e

SHA512
09a157990b95ca8391d45b749320d942d16ea8e9a6c9ddea64160b6cc2ff657ff0fb4248e267858a10b9ef7b5a2ed3859f9ed991738ed0bfbb8baf426e4d022c

Download Submit
C:\Windows\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe

Filesize
204KB

MD5
2539064235494785c2f92ddadb4b6f5c

SHA1
318342b9dba5e4b018e71f822e081bd6984f3ac8

SHA256
f54ae9497a80758bcd7b9ac4d07d525121fff111575ceb83799b956f921cee6e

SHA512
6acb18b91e852af7f36549633c2d2cf0f757aadd96fc8991f81134c50e827e4044a4d1b4c3bffd5d78b726130bf536e07d5938997e5445911731dc5d55b686ba

Download Submit
C:\Windows\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe

Filesize
204KB

MD5
2539064235494785c2f92ddadb4b6f5c

SHA1
318342b9dba5e4b018e71f822e081bd6984f3ac8

SHA256
f54ae9497a80758bcd7b9ac4d07d525121fff111575ceb83799b956f921cee6e

SHA512
6acb18b91e852af7f36549633c2d2cf0f757aadd96fc8991f81134c50e827e4044a4d1b4c3bffd5d78b726130bf536e07d5938997e5445911731dc5d55b686ba

Download Submit
C:\Windows\{3CA68F47-4C4C-4a2b-924F-D95768F58F7A}.exe

Filesize
204KB

MD5
2539064235494785c2f92ddadb4b6f5c

SHA1
318342b9dba5e4b018e71f822e081bd6984f3ac8

SHA256
f54ae9497a80758bcd7b9ac4d07d525121fff111575ceb83799b956f921cee6e

SHA512
6acb18b91e852af7f36549633c2d2cf0f757aadd96fc8991f81134c50e827e4044a4d1b4c3bffd5d78b726130bf536e07d5938997e5445911731dc5d55b686ba

Download Submit
C:\Windows\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe

Filesize
204KB

MD5
3c78dd1cede5c8a926031d8f0a5395eb

SHA1
fbb5bc2cf9b9f9b40e5513b823d5f7524acc4890

SHA256
a6c71c57e1ef07a70e57a566ccd5e53267cb0d0dad027d8df033c99fa141de69

SHA512
ad6d989a621163fe232611883645b3a9fdcb913d9881063fdebc85a2bd6e5e312b93a661ed1b22b576301ac971e64c00c789ad7ec9c7047234c0dc45dc848ce0

Download Submit
C:\Windows\{41ECBFAE-CDA7-4410-84AE-0DDEA0086815}.exe

Filesize
204KB

MD5
3c78dd1cede5c8a926031d8f0a5395eb

SHA1
fbb5bc2cf9b9f9b40e5513b823d5f7524acc4890

SHA256
a6c71c57e1ef07a70e57a566ccd5e53267cb0d0dad027d8df033c99fa141de69

SHA512
ad6d989a621163fe232611883645b3a9fdcb913d9881063fdebc85a2bd6e5e312b93a661ed1b22b576301ac971e64c00c789ad7ec9c7047234c0dc45dc848ce0

Download Submit
C:\Windows\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe

Filesize
204KB

MD5
193a8cee229cfaecbc6503e4a9aea75b

SHA1
183147bb9b6e00dceef0fe7e6303b49f800cb763

SHA256
8dfc59f47f67cdf675920d2a285bf2a8d764c5d67e4036b6daab16c67abe1aba

SHA512
ee6e6da279ae49805f33c5c8868e2eaf4342f16e4a897456d756a54ebe2f52a3bb1328fbdd4f17d22801fa2dafb8482c78866f01f0b7b117a69879b36fffa865

Download Submit
C:\Windows\{693D88B6-01CC-467d-8FE0-DDC2DC6515DF}.exe

Filesize
204KB

MD5
193a8cee229cfaecbc6503e4a9aea75b

SHA1
183147bb9b6e00dceef0fe7e6303b49f800cb763

SHA256
8dfc59f47f67cdf675920d2a285bf2a8d764c5d67e4036b6daab16c67abe1aba

SHA512
ee6e6da279ae49805f33c5c8868e2eaf4342f16e4a897456d756a54ebe2f52a3bb1328fbdd4f17d22801fa2dafb8482c78866f01f0b7b117a69879b36fffa865

Download Submit
C:\Windows\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe

Filesize
204KB

MD5
daa93dc56594d2f7b062810ea26e162a

SHA1
1898295c9be6272e9c1cbe015ff49378213e6a1c

SHA256
f422f32f3fbef51e5a4d4bc18164dce64177f59be13f1553df0b05ef90dcfe91

SHA512
bf1729af5ca1c76bd1100bc4436692f536536e4b5b76955a21c18bbbcdbcc4c26dcbbda1db6489acbc7cd2cfbf1b942c15dfe84811f81091f6c55bbb2478faa2

Download Submit
C:\Windows\{6AD6B626-A68F-48a4-A389-4E1ACB826B2D}.exe

Filesize
204KB

MD5
daa93dc56594d2f7b062810ea26e162a

SHA1
1898295c9be6272e9c1cbe015ff49378213e6a1c

SHA256
f422f32f3fbef51e5a4d4bc18164dce64177f59be13f1553df0b05ef90dcfe91

SHA512
bf1729af5ca1c76bd1100bc4436692f536536e4b5b76955a21c18bbbcdbcc4c26dcbbda1db6489acbc7cd2cfbf1b942c15dfe84811f81091f6c55bbb2478faa2

Download Submit
C:\Windows\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe

Filesize
204KB

MD5
69b498ea7ca3ff106e2c0e1cf8197f51

SHA1
debb90edbf405ab60ca35effae69184fb19032ce

SHA256
63d5bd69acce54ccdc3c0973c15202cb57b1c3f17fb09930a89b899cb4db41f1

SHA512
20f913c76f658b66207d63408a82da9505e9f930b14947bb5774515a1de19e8fe9c114c443c755a2050996bd60855e709884cd66e272d7b3c7d19e2e666dd4cb

Download Submit
C:\Windows\{88EA9DAD-1E26-45ae-9635-ABEC23822BC4}.exe

Filesize
204KB

MD5
69b498ea7ca3ff106e2c0e1cf8197f51

SHA1
debb90edbf405ab60ca35effae69184fb19032ce

SHA256
63d5bd69acce54ccdc3c0973c15202cb57b1c3f17fb09930a89b899cb4db41f1

SHA512
20f913c76f658b66207d63408a82da9505e9f930b14947bb5774515a1de19e8fe9c114c443c755a2050996bd60855e709884cd66e272d7b3c7d19e2e666dd4cb

Download Submit
C:\Windows\{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe

Filesize
204KB

MD5
2cec26eaaa17d5a275ff1835a120d319

SHA1
c60d88eede4703958d1dd1df4289000ffc427b7b

SHA256
b680743d50bf5d8eda1837fb0374403a201e2586016bad1783f1d1f8a84ac376

SHA512
2d5f7a9ab7271fc0892d953350f003d1f7234d7e0ad7aae3d033e84e5f8b0377d957e8f73cff1b6d6d9a846c8c8e60d47655ee7c65a69ccbd7f3b5a526917a6a

Download Submit
C:\Windows\{92FB852A-A219-4c07-9547-8F13B9F4A103}.exe

Filesize
204KB

MD5
2cec26eaaa17d5a275ff1835a120d319

SHA1
c60d88eede4703958d1dd1df4289000ffc427b7b

SHA256
b680743d50bf5d8eda1837fb0374403a201e2586016bad1783f1d1f8a84ac376

SHA512
2d5f7a9ab7271fc0892d953350f003d1f7234d7e0ad7aae3d033e84e5f8b0377d957e8f73cff1b6d6d9a846c8c8e60d47655ee7c65a69ccbd7f3b5a526917a6a

Download Submit
C:\Windows\{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe

Filesize
204KB

MD5
ce071397cd514fb0c911f832de344bd6

SHA1
e134ae3f06d4f4a2441ced58ea5bd4e7d23bab2e

SHA256
d183594b6c03fa2e1778681f7b0bc87b63e4c20c4747b259780210843fd34fbd

SHA512
c7705171ff94ad91e96d2704423c5c1ec459d67298f0650d348a9fe525262a1ea26dbe768274c26d3d65ad3446cfbc1986e0bf2884190ed31578eaedb5909f83

Download Submit
C:\Windows\{981FD831-5594-49a5-B4FB-0F3A082205C7}.exe

Filesize
204KB

MD5
ce071397cd514fb0c911f832de344bd6

SHA1
e134ae3f06d4f4a2441ced58ea5bd4e7d23bab2e

SHA256
d183594b6c03fa2e1778681f7b0bc87b63e4c20c4747b259780210843fd34fbd

SHA512
c7705171ff94ad91e96d2704423c5c1ec459d67298f0650d348a9fe525262a1ea26dbe768274c26d3d65ad3446cfbc1986e0bf2884190ed31578eaedb5909f83

Download Submit
C:\Windows\{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe

Filesize
204KB

MD5
9c0dc684e3762ce86e284f8fa836f343

SHA1
2b4357644b8f9498adb242b0f38314006add44af

SHA256
5cc3503ed8752ccbaa5a42336556f3ee0efb4cbaa7c447725b539c829a50f247

SHA512
22e52c965e7eb24c5ed811ac50e9ac695f11ac3c15ea22648ee7cd3e2a578d8e53afe5235806ec5541d4bd0be63a03cd63b34289ce75d4657bc1228b94089ce2

Download Submit
C:\Windows\{A39E7D61-ED08-46a4-93E2-A691173A667B}.exe

Filesize
204KB

MD5
9c0dc684e3762ce86e284f8fa836f343

SHA1
2b4357644b8f9498adb242b0f38314006add44af

SHA256
5cc3503ed8752ccbaa5a42336556f3ee0efb4cbaa7c447725b539c829a50f247

SHA512
22e52c965e7eb24c5ed811ac50e9ac695f11ac3c15ea22648ee7cd3e2a578d8e53afe5235806ec5541d4bd0be63a03cd63b34289ce75d4657bc1228b94089ce2

Download Submit
C:\Windows\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe

Filesize
204KB

MD5
49f4c218976bb468ebfd1e7479aff719

SHA1
1e3b791d132b889d25e13fb2013ddac0e5b3e2e8

SHA256
8dff0bd17f6849be24a3c82c979e1acf734915038217ff84419c11731d4dab70

SHA512
14bb06669200987ed156d5254c235a79e18ec01f8deb5f1da07b5322e3a89b81b1095f1aec566026af729c7ec4ee8d51d43cf4c5f968476adcb18f1fc5726213

Download Submit
C:\Windows\{A91FA508-3C84-4c4e-A4BA-DA4024646A67}.exe

Filesize
204KB

MD5
49f4c218976bb468ebfd1e7479aff719

SHA1
1e3b791d132b889d25e13fb2013ddac0e5b3e2e8

SHA256
8dff0bd17f6849be24a3c82c979e1acf734915038217ff84419c11731d4dab70

SHA512
14bb06669200987ed156d5254c235a79e18ec01f8deb5f1da07b5322e3a89b81b1095f1aec566026af729c7ec4ee8d51d43cf4c5f968476adcb18f1fc5726213

Download Submit
C:\Windows\{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe

Filesize
204KB

MD5
bf2f38b74c5b3ab1670058b333503da9

SHA1
5fce17a6311baef40025e32c4c08208a4401a94e

SHA256
ca40d0708ed5b8e2704d9403b854a0898d1d262b13a6a48d4a425ea36ac4a701

SHA512
9a83571a8fb72641e78db41533989a2a595a6af0fa2fb89890d974853a83d069bde722fbcf5ad6cf96c92ba7f786c94a57c6b5fd608b13a6ce154ab4964a9818

Download Submit
C:\Windows\{C17EF74C-AF0B-424c-966B-D768169AE32B}.exe

Filesize
204KB

MD5
bf2f38b74c5b3ab1670058b333503da9

SHA1
5fce17a6311baef40025e32c4c08208a4401a94e

SHA256
ca40d0708ed5b8e2704d9403b854a0898d1d262b13a6a48d4a425ea36ac4a701

SHA512
9a83571a8fb72641e78db41533989a2a595a6af0fa2fb89890d974853a83d069bde722fbcf5ad6cf96c92ba7f786c94a57c6b5fd608b13a6ce154ab4964a9818

Download Submit
C:\Windows\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe

Filesize
204KB

MD5
a3ccf65d14277befa4186bb1d91fe4f0

SHA1
e0b865c7f3f5f0368375e89e8d3008a040e29353

SHA256
51de9acf8cbfed7cddc6a464881c6256472d77b16f89c9db6847ff88a1ce0572

SHA512
b543f83652696adc781851706a0be75da71c34d936ca0c006140c2a2acc84afd1fa036be5f5fd8a9c2877abf2549bb9b2fc1bd51c2e8d7af41b23343e80fbdc3

Download Submit
C:\Windows\{D4DC0D93-9F38-4cf8-9F17-90D2FCBB3E4B}.exe

Filesize
204KB

MD5
a3ccf65d14277befa4186bb1d91fe4f0

SHA1
e0b865c7f3f5f0368375e89e8d3008a040e29353

SHA256
51de9acf8cbfed7cddc6a464881c6256472d77b16f89c9db6847ff88a1ce0572

SHA512
b543f83652696adc781851706a0be75da71c34d936ca0c006140c2a2acc84afd1fa036be5f5fd8a9c2877abf2549bb9b2fc1bd51c2e8d7af41b23343e80fbdc3

Download Submit
C:\Windows\{F6C7AA9B-1474-4844-8545-F1E671CAD7B4}.exe

Filesize
204KB

MD5
934f8fab71863701ef43dd2e636e99ec

SHA1
9313f7f8952ad41faadfa97de898caed52520f00

SHA256
2f486d0729c0f554b3b0e4938e642f1e9db08ecbf60b519c5368a0e5ff3c027d

SHA512
b4a9c6bda2370015426079bddb372616624294e950e2152b183726abd6d3846bad24e04eb36f6d2aaecdd8d48a6bbca18ff9b2710f1d9258df1578206045984b

Download Submit