22fba7712b76af301f61b588c9fd0efa4472f577c401f5d6a58bc72e6af9b720

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee45be30e1db34exeexeexeex.exe
Size

168KB
MD5

ee45be30e1db34aeaa7030c3011332b9
SHA1

a6871d0f16983eedb2370adf096faa6cb3285c93
SHA256

22fba7712b76af301f61b588c9fd0efa4472f577c401f5d6a58bc72e6af9b720
SHA512

778ac38c101228733bcf7be385d8a43ed9ae7d590a78eeb822bb78aaf71e2fc815194d1f1684c37500e73956b5e9099b3b730ebc136fedd5c51a4ee83c500de9
SSDEEP

1536:1EGh0oClq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oClqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE05A18-6B32-42a3-9205-85145C28DE80}\stubpath = "C:\\Windows\\{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe"	{12739592-42ED-42d2-9889-188CB4557F40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}	{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}\stubpath = "C:\\Windows\\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe"	{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}\stubpath = "C:\\Windows\\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe"	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BC7BA11-07C4-4959-9924-A303BE9D079A}	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B201F07-963A-4934-91A3-024A7CFC4902}\stubpath = "C:\\Windows\\{8B201F07-963A-4934-91A3-024A7CFC4902}.exe"	{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}	ee45be30e1db34exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B201F07-963A-4934-91A3-024A7CFC4902}	{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}	{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}\stubpath = "C:\\Windows\\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe"	{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}	{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}\stubpath = "C:\\Windows\\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe"	{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}\stubpath = "C:\\Windows\\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe"	{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BC7BA11-07C4-4959-9924-A303BE9D079A}\stubpath = "C:\\Windows\\{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe"	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE05A18-6B32-42a3-9205-85145C28DE80}	{12739592-42ED-42d2-9889-188CB4557F40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}\stubpath = "C:\\Windows\\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe"	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}\stubpath = "C:\\Windows\\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe"	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12739592-42ED-42d2-9889-188CB4557F40}	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12739592-42ED-42d2-9889-188CB4557F40}\stubpath = "C:\\Windows\\{12739592-42ED-42d2-9889-188CB4557F40}.exe"	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}	{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}\stubpath = "C:\\Windows\\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe"	ee45be30e1db34exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}\stubpath = "C:\\Windows\\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe"	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe
1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe
1472	{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe
2784	{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
2600	{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
2532	{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
616	{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe
2500	{8B201F07-963A-4934-91A3-024A7CFC4902}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{8B201F07-963A-4934-91A3-024A7CFC4902}.exe	{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe
File created	C:\Windows\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	ee45be30e1db34exeexeexeex.exe
File created	C:\Windows\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
File created	C:\Windows\{12739592-42ED-42d2-9889-188CB4557F40}.exe	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
File created	C:\Windows\{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe	{12739592-42ED-42d2-9889-188CB4557F40}.exe
File created	C:\Windows\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe	{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
File created	C:\Windows\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe	{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
File created	C:\Windows\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe	{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
File created	C:\Windows\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
File created	C:\Windows\{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
File created	C:\Windows\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
File created	C:\Windows\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe
File created	C:\Windows\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe	{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	ee45be30e1db34exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
Token: SeIncBasePriorityPrivilege	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
Token: SeIncBasePriorityPrivilege	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
Token: SeIncBasePriorityPrivilege	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe
Token: SeIncBasePriorityPrivilege	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
Token: SeIncBasePriorityPrivilege	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
Token: SeIncBasePriorityPrivilege	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe
Token: SeIncBasePriorityPrivilege	1472	{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe
Token: SeIncBasePriorityPrivilege	2784	{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
Token: SeIncBasePriorityPrivilege	2600	{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
Token: SeIncBasePriorityPrivilege	2532	{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
Token: SeIncBasePriorityPrivilege	616	{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1840	2320	ee45be30e1db34exeexeexeex.exe	28
PID 2320 wrote to memory of 1840	2320	ee45be30e1db34exeexeexeex.exe	28
PID 2320 wrote to memory of 1840	2320	ee45be30e1db34exeexeexeex.exe	28
PID 2320 wrote to memory of 1840	2320	ee45be30e1db34exeexeexeex.exe	28
PID 2320 wrote to memory of 2996	2320	ee45be30e1db34exeexeexeex.exe	29
PID 2320 wrote to memory of 2996	2320	ee45be30e1db34exeexeexeex.exe	29
PID 2320 wrote to memory of 2996	2320	ee45be30e1db34exeexeexeex.exe	29
PID 2320 wrote to memory of 2996	2320	ee45be30e1db34exeexeexeex.exe	29
PID 1840 wrote to memory of 3032	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	30
PID 1840 wrote to memory of 3032	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	30
PID 1840 wrote to memory of 3032	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	30
PID 1840 wrote to memory of 3032	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	30
PID 1840 wrote to memory of 1000	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	31
PID 1840 wrote to memory of 1000	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	31
PID 1840 wrote to memory of 1000	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	31
PID 1840 wrote to memory of 1000	1840	{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe	31
PID 3032 wrote to memory of 2988	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	33
PID 3032 wrote to memory of 2988	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	33
PID 3032 wrote to memory of 2988	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	33
PID 3032 wrote to memory of 2988	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	33
PID 3032 wrote to memory of 560	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	32
PID 3032 wrote to memory of 560	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	32
PID 3032 wrote to memory of 560	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	32
PID 3032 wrote to memory of 560	3032	{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe	32
PID 2988 wrote to memory of 2244	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	34
PID 2988 wrote to memory of 2244	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	34
PID 2988 wrote to memory of 2244	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	34
PID 2988 wrote to memory of 2244	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	34
PID 2988 wrote to memory of 1992	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	35
PID 2988 wrote to memory of 1992	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	35
PID 2988 wrote to memory of 1992	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	35
PID 2988 wrote to memory of 1992	2988	{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe	35
PID 2244 wrote to memory of 1700	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	36
PID 2244 wrote to memory of 1700	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	36
PID 2244 wrote to memory of 1700	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	36
PID 2244 wrote to memory of 1700	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	36
PID 2244 wrote to memory of 2880	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	37
PID 2244 wrote to memory of 2880	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	37
PID 2244 wrote to memory of 2880	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	37
PID 2244 wrote to memory of 2880	2244	{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe	37
PID 1700 wrote to memory of 916	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	39
PID 1700 wrote to memory of 916	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	39
PID 1700 wrote to memory of 916	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	39
PID 1700 wrote to memory of 916	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	39
PID 1700 wrote to memory of 2252	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	38
PID 1700 wrote to memory of 2252	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	38
PID 1700 wrote to memory of 2252	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	38
PID 1700 wrote to memory of 2252	1700	{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe	38
PID 916 wrote to memory of 2276	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	40
PID 916 wrote to memory of 2276	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	40
PID 916 wrote to memory of 2276	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	40
PID 916 wrote to memory of 2276	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	40
PID 916 wrote to memory of 1140	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	41
PID 916 wrote to memory of 1140	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	41
PID 916 wrote to memory of 1140	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	41
PID 916 wrote to memory of 1140	916	{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe	41
PID 2276 wrote to memory of 1472	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	43
PID 2276 wrote to memory of 1472	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	43
PID 2276 wrote to memory of 1472	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	43
PID 2276 wrote to memory of 1472	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	43
PID 2276 wrote to memory of 2692	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	42
PID 2276 wrote to memory of 2692	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	42
PID 2276 wrote to memory of 2692	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	42
PID 2276 wrote to memory of 2692	2276	{12739592-42ED-42d2-9889-188CB4557F40}.exe	42

C:\Users\Admin\AppData\Local\Temp\ee45be30e1db34exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ee45be30e1db34exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
  C:\Windows\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
    C:\Windows\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC2D~1.EXE > nul
      4⤵
      PID:560
  - - C:\Windows\{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
      C:\Windows\{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe
        
        C:\Windows\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
        
        C:\Windows\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B467~1.EXE > nul
        7⤵
        
        PID:2252
        
        C:\Windows\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
        
        C:\Windows\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\{12739592-42ED-42d2-9889-188CB4557F40}.exe
        
        C:\Windows\{12739592-42ED-42d2-9889-188CB4557F40}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12739~1.EXE > nul
        9⤵
        
        PID:2692
        
        C:\Windows\{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe
        
        C:\Windows\{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
        
        C:\Windows\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
        
        C:\Windows\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FE7~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
        
        C:\Windows\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C76~1.EXE > nul
        13⤵
        
        PID:2552
        
        C:\Windows\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe
        
        C:\Windows\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D6B2~1.EXE > nul
        14⤵
        
        PID:2540
        
        C:\Windows\{8B201F07-963A-4934-91A3-024A7CFC4902}.exe
        
        C:\Windows\{8B201F07-963A-4934-91A3-024A7CFC4902}.exe
        14⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF989~1.EXE > nul
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE05~1.EXE > nul
        10⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9034B~1.EXE > nul
        8⤵
        
        PID:1140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C01~1.EXE > nul
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC7B~1.EXE > nul
        5⤵
        
        PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6CE5~1.EXE > nul
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EE45BE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe

Filesize
168KB

MD5
a3d5c05cb85fa84b02b264943044b1d7

SHA1
a88e2b47ac670d60ff72fe66f59a96b540af5668

SHA256
0d786f85305d2daff74b726da9f5bef30c8395f1630c4a266bd33c3704048955

SHA512
58cbc1a4669f1c10cdb8000b04520f4f386065aa6835fbfc01ba5804e943c7e001e9f23953f07020a02243caebe904bdc1f8d085fe9075e6968c53d98f7d88bf

Download Submit
C:\Windows\{0D6B2B4F-F6FE-4942-91A1-2BE38162DF08}.exe

Filesize
168KB

MD5
a3d5c05cb85fa84b02b264943044b1d7

SHA1
a88e2b47ac670d60ff72fe66f59a96b540af5668

SHA256
0d786f85305d2daff74b726da9f5bef30c8395f1630c4a266bd33c3704048955

SHA512
58cbc1a4669f1c10cdb8000b04520f4f386065aa6835fbfc01ba5804e943c7e001e9f23953f07020a02243caebe904bdc1f8d085fe9075e6968c53d98f7d88bf

Download Submit
C:\Windows\{12739592-42ED-42d2-9889-188CB4557F40}.exe

Filesize
168KB

MD5
af7223a42692864f95ff3057b0101a3c

SHA1
27efc9e755b9ca235a65b30ecc8ec34e9554db23

SHA256
43237400af347eab29cbde2128e8dd200065968505b24ebdd44cb5ee61a20d1d

SHA512
0b47d7887c874fcfdae4a6575809686c763efce9ecf1e1710b38f3994df4b80cb0b285e398807960692d5ca925b219961185d1cad09866bfb8e8fcb735583530

Download Submit
C:\Windows\{12739592-42ED-42d2-9889-188CB4557F40}.exe

Filesize
168KB

MD5
af7223a42692864f95ff3057b0101a3c

SHA1
27efc9e755b9ca235a65b30ecc8ec34e9554db23

SHA256
43237400af347eab29cbde2128e8dd200065968505b24ebdd44cb5ee61a20d1d

SHA512
0b47d7887c874fcfdae4a6575809686c763efce9ecf1e1710b38f3994df4b80cb0b285e398807960692d5ca925b219961185d1cad09866bfb8e8fcb735583530

Download Submit
C:\Windows\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe

Filesize
168KB

MD5
af22c4c997e68db66833c4c7410cbb8d

SHA1
21074fb2cb5a2191a09e1f712f8d60f3bbcfedd2

SHA256
aa0b7dc7e01fdc7d236f695483f87dee30f9c6ac0fb34b4ceced356ea33dcdba

SHA512
d5aed5a2ba699e510308c9d9656517487bf6a0767c4e2cc3d17b4d42f875a5c54bf95a8778a7e051c850ba2c20623c5cf6939e1f2bb53474d2e4fe83437c551e

Download Submit
C:\Windows\{1DC2D713-DD84-4587-A8A8-A5DF173DD484}.exe

Filesize
168KB

MD5
af22c4c997e68db66833c4c7410cbb8d

SHA1
21074fb2cb5a2191a09e1f712f8d60f3bbcfedd2

SHA256
aa0b7dc7e01fdc7d236f695483f87dee30f9c6ac0fb34b4ceced356ea33dcdba

SHA512
d5aed5a2ba699e510308c9d9656517487bf6a0767c4e2cc3d17b4d42f875a5c54bf95a8778a7e051c850ba2c20623c5cf6939e1f2bb53474d2e4fe83437c551e

Download Submit
C:\Windows\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe

Filesize
168KB

MD5
43e017383436c7fd967961f3f5f7cf96

SHA1
b9f84a626ea66c427ec75bc3937c5528b49a77e7

SHA256
b8d4975ae8196bbd675872ca171e77a8b2649e17f20c3de54473b26e8985c847

SHA512
e290300e2843d96033b94d4ae74653d2240637c9b4abf455f68244d5f6f81a61d645ac511bce5c32bee56f1d39d1aa8bcf0bf92c6712cd475fb7eee7d23c0000

Download Submit
C:\Windows\{29C765B7-9DCD-46fa-BC44-EDF929E0F066}.exe

Filesize
168KB

MD5
43e017383436c7fd967961f3f5f7cf96

SHA1
b9f84a626ea66c427ec75bc3937c5528b49a77e7

SHA256
b8d4975ae8196bbd675872ca171e77a8b2649e17f20c3de54473b26e8985c847

SHA512
e290300e2843d96033b94d4ae74653d2240637c9b4abf455f68244d5f6f81a61d645ac511bce5c32bee56f1d39d1aa8bcf0bf92c6712cd475fb7eee7d23c0000

Download Submit
C:\Windows\{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe

Filesize
168KB

MD5
a45b4f027bbfecbeb48f6f61bcecacf7

SHA1
e23643d7d7419bb189d8686eb6f8425727e1a36b

SHA256
3c16a1a111cd37ac5e1f30213b4bb2f5dbc4c2b13157c8700d7970c0b4542848

SHA512
ce3983b25d8bd8d1f82e4425e0f85bccb630b4931763d308c24766aacfc949889b867f6b6990210493235b11b897152e6956eacf2827d5bfc85c20ec14438f6e

Download Submit
C:\Windows\{3EE05A18-6B32-42a3-9205-85145C28DE80}.exe

Filesize
168KB

MD5
a45b4f027bbfecbeb48f6f61bcecacf7

SHA1
e23643d7d7419bb189d8686eb6f8425727e1a36b

SHA256
3c16a1a111cd37ac5e1f30213b4bb2f5dbc4c2b13157c8700d7970c0b4542848

SHA512
ce3983b25d8bd8d1f82e4425e0f85bccb630b4931763d308c24766aacfc949889b867f6b6990210493235b11b897152e6956eacf2827d5bfc85c20ec14438f6e

Download Submit
C:\Windows\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe

Filesize
168KB

MD5
b66370c8d8a666f4f94b7699e3bd4c10

SHA1
550f0e8c8f5e4cee7da971f6e063f591eb2bd502

SHA256
8b83e7102c1a3e38c2fa8f9a1029997ff7618356241db9502757b8de07950f15

SHA512
fbc699db53babfa681dab7ad52f49b524d0dc5d97a049fcf8154a323713f92c52c85f865533d6f9471bcad48fb8e5e93d4bf7cb03b66e56233606e7dca872f4f

Download Submit
C:\Windows\{52C01A75-FF2C-4548-A10D-2DBC8A9453DC}.exe

Filesize
168KB

MD5
b66370c8d8a666f4f94b7699e3bd4c10

SHA1
550f0e8c8f5e4cee7da971f6e063f591eb2bd502

SHA256
8b83e7102c1a3e38c2fa8f9a1029997ff7618356241db9502757b8de07950f15

SHA512
fbc699db53babfa681dab7ad52f49b524d0dc5d97a049fcf8154a323713f92c52c85f865533d6f9471bcad48fb8e5e93d4bf7cb03b66e56233606e7dca872f4f

Download Submit
C:\Windows\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe

Filesize
168KB

MD5
a884daeb2f7e579c8024eed44b4061a1

SHA1
0edeb98deb92c4e0e2137f858007e0a1674fb8b4

SHA256
4d4da1b2f7c8266b741e53f602a1caeed1be9e32b752d1e9c9563ca1670af185

SHA512
2b5951fb351affdc0edab5d5e1c9a8fcec022c8f977f7d9d4cc23c9e2995e97129596e31a19114972558d1323bdc131687b975276059e8020521136f6ec53636

Download Submit
C:\Windows\{5B46767B-18BA-47e0-BC13-BE149A8C22E7}.exe

Filesize
168KB

MD5
a884daeb2f7e579c8024eed44b4061a1

SHA1
0edeb98deb92c4e0e2137f858007e0a1674fb8b4

SHA256
4d4da1b2f7c8266b741e53f602a1caeed1be9e32b752d1e9c9563ca1670af185

SHA512
2b5951fb351affdc0edab5d5e1c9a8fcec022c8f977f7d9d4cc23c9e2995e97129596e31a19114972558d1323bdc131687b975276059e8020521136f6ec53636

Download Submit
C:\Windows\{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe

Filesize
168KB

MD5
fb71ee43ca593457600093f6bd683173

SHA1
e4173d37b13ffb03c0ef83af58f6e36d600e9219

SHA256
72e3c6b13c697bd8ba8d042af79aed6b88fd667c07e683bcd86bee8adcf9cc4e

SHA512
97c7688b228ff0f27651249692fecf85256b471bbc8743d2b13b4a3d44b3c77485f0b5c0d6360de6ed40501bc254ab14a2ce8c93deba417c7ad05e51289109e7

Download Submit
C:\Windows\{5BC7BA11-07C4-4959-9924-A303BE9D079A}.exe

Filesize
168KB

MD5
fb71ee43ca593457600093f6bd683173

SHA1
e4173d37b13ffb03c0ef83af58f6e36d600e9219

SHA256
72e3c6b13c697bd8ba8d042af79aed6b88fd667c07e683bcd86bee8adcf9cc4e

SHA512
97c7688b228ff0f27651249692fecf85256b471bbc8743d2b13b4a3d44b3c77485f0b5c0d6360de6ed40501bc254ab14a2ce8c93deba417c7ad05e51289109e7

Download Submit
C:\Windows\{8B201F07-963A-4934-91A3-024A7CFC4902}.exe

Filesize
168KB

MD5
76511634f3daa14a99e4a5aa0266cbff

SHA1
b0c15efc52cd7f94b871c7a09edf0a75eef36565

SHA256
fbea5ab55c8f1b9afcd0234a9e66c9ddd697b967244545ca01c44a26988d9f47

SHA512
a2ad0176c61657d4ecc596f0ec7dc92e204857c8ab09a53ea15ff660e4e337cc12d6f7cb03de862153360a2ee90494052efcfe3b1b34741a5ea18da418371d0d

Download Submit
C:\Windows\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe

Filesize
168KB

MD5
88daef0d06bfacb1e13e9458061b953e

SHA1
346fec6025c0d5416a61810c4ef7944417d80042

SHA256
e7a808a602e6de995fd08238829fc08290c5e73a49ca2b8534487a225c47d826

SHA512
024849ab4275db100985e7c93b713fbee1f4da164a3da59a2b9de21d83cf6051fc2de72c6b55703956343fe87c3fa5c9672d344f7672140d5f5741867f01ff68

Download Submit
C:\Windows\{9034BA1F-691D-4066-B3C4-1BAC2874D53B}.exe

Filesize
168KB

MD5
88daef0d06bfacb1e13e9458061b953e

SHA1
346fec6025c0d5416a61810c4ef7944417d80042

SHA256
e7a808a602e6de995fd08238829fc08290c5e73a49ca2b8534487a225c47d826

SHA512
024849ab4275db100985e7c93b713fbee1f4da164a3da59a2b9de21d83cf6051fc2de72c6b55703956343fe87c3fa5c9672d344f7672140d5f5741867f01ff68

Download Submit
C:\Windows\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe

Filesize
168KB

MD5
8cef461de234cf075a000249e702414a

SHA1
91edff0c0bef147a7af2ebd5f3d87e036cadbd05

SHA256
55a35ba9e7693debdf4849b10013557f32a203e6e27808ad29fd72e43f3fd7ad

SHA512
906880540a3e119a800eced674c1b5ff5b80e59891003f036916953aa62f35096b4aba8916bf67427270abc4e4aca182b7f7b8442284325e0b8965a85f813cc8

Download Submit
C:\Windows\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe

Filesize
168KB

MD5
8cef461de234cf075a000249e702414a

SHA1
91edff0c0bef147a7af2ebd5f3d87e036cadbd05

SHA256
55a35ba9e7693debdf4849b10013557f32a203e6e27808ad29fd72e43f3fd7ad

SHA512
906880540a3e119a800eced674c1b5ff5b80e59891003f036916953aa62f35096b4aba8916bf67427270abc4e4aca182b7f7b8442284325e0b8965a85f813cc8

Download Submit
C:\Windows\{A6CE5429-9562-4525-A4D3-570ECCA7CE08}.exe

Filesize
168KB

MD5
8cef461de234cf075a000249e702414a

SHA1
91edff0c0bef147a7af2ebd5f3d87e036cadbd05

SHA256
55a35ba9e7693debdf4849b10013557f32a203e6e27808ad29fd72e43f3fd7ad

SHA512
906880540a3e119a800eced674c1b5ff5b80e59891003f036916953aa62f35096b4aba8916bf67427270abc4e4aca182b7f7b8442284325e0b8965a85f813cc8

Download Submit
C:\Windows\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe

Filesize
168KB

MD5
da34e08de0cdc4d49ae672ba113f0095

SHA1
54c9cb662e043301345df100266dafff594b6bea

SHA256
3abe1a01568a0df1551d2fed94e019ab46398dcf693754decc1989ac8106aa2f

SHA512
a8e0b0153d6c1538d953818e23da9feb43456b5afb11ef283dccae46810494e21c81e935cded87632f5601fe276de3628648135cfef1208a213f20308a94ccb9

Download Submit
C:\Windows\{AF9892FA-A823-428a-AF38-E7CD3F3445FC}.exe

Filesize
168KB

MD5
da34e08de0cdc4d49ae672ba113f0095

SHA1
54c9cb662e043301345df100266dafff594b6bea

SHA256
3abe1a01568a0df1551d2fed94e019ab46398dcf693754decc1989ac8106aa2f

SHA512
a8e0b0153d6c1538d953818e23da9feb43456b5afb11ef283dccae46810494e21c81e935cded87632f5601fe276de3628648135cfef1208a213f20308a94ccb9

Download Submit
C:\Windows\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe

Filesize
168KB

MD5
0877102d8cc3453dd3a99c6e39e71262

SHA1
5771dce9e641dc79a8204f3178df2cd4e320466b

SHA256
da87909ad4dadd434cdee0f7eb2d27aa28f8cfd4abf156e6dcd470e09103d68f

SHA512
185e14bf532e88c73219a2a4c9b3da84529ff5bdb20330147debd5578b2732a02f3f51073a2e73af9449be5606c5fc8369f11d26126df47a95c1868afff658dc

Download Submit
C:\Windows\{C5FE7AF3-8ADC-40c8-9085-B6BA6E781CF6}.exe

Filesize
168KB

MD5
0877102d8cc3453dd3a99c6e39e71262

SHA1
5771dce9e641dc79a8204f3178df2cd4e320466b

SHA256
da87909ad4dadd434cdee0f7eb2d27aa28f8cfd4abf156e6dcd470e09103d68f

SHA512
185e14bf532e88c73219a2a4c9b3da84529ff5bdb20330147debd5578b2732a02f3f51073a2e73af9449be5606c5fc8369f11d26126df47a95c1868afff658dc

Download Submit