d30b8875818def7ab2fa60da6ab4d097942a6a5cff04b686b75f6af005a3a019

Analysis

max time kernel
145s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e97973938dd306exeexeexeex.exe
Size

372KB
MD5

e97973938dd30697278fa4dc9ceac12e
SHA1

29503bf5b47f5f27ddca9f605d4fafd19fc7dd90
SHA256

d30b8875818def7ab2fa60da6ab4d097942a6a5cff04b686b75f6af005a3a019
SHA512

f4e8a9045ff9bd7c0fc1d4501b3c15b3b4ca8af848f2c19517e8aac9939020eef2eb134e6e3089582ff0a29eafab1043699b564efe63cf48638f8d15852afe9e
SSDEEP

3072:CEGh0oAmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGDl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392156EF-86F2-4575-805E-890B2E3D9AA4}	{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6394C549-F55B-4c71-9A46-A2DB192085C8}\stubpath = "C:\\Windows\\{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe"	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F14E2A56-D783-4556-959E-8CE14BEAC90A}\stubpath = "C:\\Windows\\{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe"	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7060B450-4130-4b9d-B640-57D6C1D0E643}	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60529530-7A6A-4c57-8486-193B47AE742E}\stubpath = "C:\\Windows\\{60529530-7A6A-4c57-8486-193B47AE742E}.exe"	{25510399-F9CE-4318-9C2B-92F42045362A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B5617C8-9412-48e2-A532-0BBF61269023}	{60529530-7A6A-4c57-8486-193B47AE742E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}	{0713181B-FEBE-4515-9178-872440CF93CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25510399-F9CE-4318-9C2B-92F42045362A}\stubpath = "C:\\Windows\\{25510399-F9CE-4318-9C2B-92F42045362A}.exe"	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60529530-7A6A-4c57-8486-193B47AE742E}	{25510399-F9CE-4318-9C2B-92F42045362A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}	e97973938dd306exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}\stubpath = "C:\\Windows\\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe"	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7060B450-4130-4b9d-B640-57D6C1D0E643}\stubpath = "C:\\Windows\\{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe"	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0713181B-FEBE-4515-9178-872440CF93CD}\stubpath = "C:\\Windows\\{0713181B-FEBE-4515-9178-872440CF93CD}.exe"	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B5617C8-9412-48e2-A532-0BBF61269023}\stubpath = "C:\\Windows\\{0B5617C8-9412-48e2-A532-0BBF61269023}.exe"	{60529530-7A6A-4c57-8486-193B47AE742E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE7D916-716C-41b6-9ECE-B655158F476D}	{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{270C4251-EC03-490d-A34D-E3A80C9D427A}\stubpath = "C:\\Windows\\{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe"	{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6394C549-F55B-4c71-9A46-A2DB192085C8}	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F14E2A56-D783-4556-959E-8CE14BEAC90A}	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}\stubpath = "C:\\Windows\\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe"	{0713181B-FEBE-4515-9178-872440CF93CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25510399-F9CE-4318-9C2B-92F42045362A}	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{270C4251-EC03-490d-A34D-E3A80C9D427A}	{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}\stubpath = "C:\\Windows\\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe"	e97973938dd306exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0713181B-FEBE-4515-9178-872440CF93CD}	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392156EF-86F2-4575-805E-890B2E3D9AA4}\stubpath = "C:\\Windows\\{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe"	{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE7D916-716C-41b6-9ECE-B655158F476D}\stubpath = "C:\\Windows\\{2AE7D916-716C-41b6-9ECE-B655158F476D}.exe"	{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe

Deletes itself 1 IoCs

pid	Process
2136	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe
2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe
3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
588	{25510399-F9CE-4318-9C2B-92F42045362A}.exe
1852	{60529530-7A6A-4c57-8486-193B47AE742E}.exe
2680	{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
2848	{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
2632	{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe
328	{2AE7D916-716C-41b6-9ECE-B655158F476D}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{25510399-F9CE-4318-9C2B-92F42045362A}.exe	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
File created	C:\Windows\{60529530-7A6A-4c57-8486-193B47AE742E}.exe	{25510399-F9CE-4318-9C2B-92F42045362A}.exe
File created	C:\Windows\{0B5617C8-9412-48e2-A532-0BBF61269023}.exe	{60529530-7A6A-4c57-8486-193B47AE742E}.exe
File created	C:\Windows\{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe	{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
File created	C:\Windows\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	e97973938dd306exeexeexeex.exe
File created	C:\Windows\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
File created	C:\Windows\{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
File created	C:\Windows\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	{0713181B-FEBE-4515-9178-872440CF93CD}.exe
File created	C:\Windows\{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe	{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
File created	C:\Windows\{2AE7D916-716C-41b6-9ECE-B655158F476D}.exe	{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe
File created	C:\Windows\{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
File created	C:\Windows\{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
File created	C:\Windows\{0713181B-FEBE-4515-9178-872440CF93CD}.exe	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	e97973938dd306exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
Token: SeIncBasePriorityPrivilege	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
Token: SeIncBasePriorityPrivilege	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
Token: SeIncBasePriorityPrivilege	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
Token: SeIncBasePriorityPrivilege	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe
Token: SeIncBasePriorityPrivilege	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe
Token: SeIncBasePriorityPrivilege	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
Token: SeIncBasePriorityPrivilege	588	{25510399-F9CE-4318-9C2B-92F42045362A}.exe
Token: SeIncBasePriorityPrivilege	1852	{60529530-7A6A-4c57-8486-193B47AE742E}.exe
Token: SeIncBasePriorityPrivilege	2680	{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
Token: SeIncBasePriorityPrivilege	2848	{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
Token: SeIncBasePriorityPrivilege	2632	{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2104	2116	e97973938dd306exeexeexeex.exe	29
PID 2116 wrote to memory of 2104	2116	e97973938dd306exeexeexeex.exe	29
PID 2116 wrote to memory of 2104	2116	e97973938dd306exeexeexeex.exe	29
PID 2116 wrote to memory of 2104	2116	e97973938dd306exeexeexeex.exe	29
PID 2116 wrote to memory of 2136	2116	e97973938dd306exeexeexeex.exe	30
PID 2116 wrote to memory of 2136	2116	e97973938dd306exeexeexeex.exe	30
PID 2116 wrote to memory of 2136	2116	e97973938dd306exeexeexeex.exe	30
PID 2116 wrote to memory of 2136	2116	e97973938dd306exeexeexeex.exe	30
PID 2104 wrote to memory of 2988	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	31
PID 2104 wrote to memory of 2988	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	31
PID 2104 wrote to memory of 2988	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	31
PID 2104 wrote to memory of 2988	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	31
PID 2104 wrote to memory of 2896	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	32
PID 2104 wrote to memory of 2896	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	32
PID 2104 wrote to memory of 2896	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	32
PID 2104 wrote to memory of 2896	2104	{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe	32
PID 2988 wrote to memory of 2976	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	33
PID 2988 wrote to memory of 2976	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	33
PID 2988 wrote to memory of 2976	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	33
PID 2988 wrote to memory of 2976	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	33
PID 2988 wrote to memory of 1152	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	34
PID 2988 wrote to memory of 1152	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	34
PID 2988 wrote to memory of 1152	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	34
PID 2988 wrote to memory of 1152	2988	{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe	34
PID 2976 wrote to memory of 1120	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	35
PID 2976 wrote to memory of 1120	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	35
PID 2976 wrote to memory of 1120	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	35
PID 2976 wrote to memory of 1120	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	35
PID 2976 wrote to memory of 632	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	36
PID 2976 wrote to memory of 632	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	36
PID 2976 wrote to memory of 632	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	36
PID 2976 wrote to memory of 632	2976	{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe	36
PID 1120 wrote to memory of 2432	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	37
PID 1120 wrote to memory of 2432	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	37
PID 1120 wrote to memory of 2432	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	37
PID 1120 wrote to memory of 2432	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	37
PID 1120 wrote to memory of 1188	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	38
PID 1120 wrote to memory of 1188	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	38
PID 1120 wrote to memory of 1188	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	38
PID 1120 wrote to memory of 1188	1120	{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe	38
PID 2432 wrote to memory of 2388	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	39
PID 2432 wrote to memory of 2388	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	39
PID 2432 wrote to memory of 2388	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	39
PID 2432 wrote to memory of 2388	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	39
PID 2432 wrote to memory of 2064	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	40
PID 2432 wrote to memory of 2064	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	40
PID 2432 wrote to memory of 2064	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	40
PID 2432 wrote to memory of 2064	2432	{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe	40
PID 2388 wrote to memory of 3060	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	41
PID 2388 wrote to memory of 3060	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	41
PID 2388 wrote to memory of 3060	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	41
PID 2388 wrote to memory of 3060	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	41
PID 2388 wrote to memory of 2820	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	42
PID 2388 wrote to memory of 2820	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	42
PID 2388 wrote to memory of 2820	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	42
PID 2388 wrote to memory of 2820	2388	{0713181B-FEBE-4515-9178-872440CF93CD}.exe	42
PID 3060 wrote to memory of 588	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	43
PID 3060 wrote to memory of 588	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	43
PID 3060 wrote to memory of 588	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	43
PID 3060 wrote to memory of 588	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	43
PID 3060 wrote to memory of 2208	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	44
PID 3060 wrote to memory of 2208	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	44
PID 3060 wrote to memory of 2208	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	44
PID 3060 wrote to memory of 2208	3060	{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe	44

C:\Users\Admin\AppData\Local\Temp\e97973938dd306exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e97973938dd306exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
  C:\Windows\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
    C:\Windows\{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
      C:\Windows\{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
        
        C:\Windows\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe
        
        C:\Windows\{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{0713181B-FEBE-4515-9178-872440CF93CD}.exe
        
        C:\Windows\{0713181B-FEBE-4515-9178-872440CF93CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
        
        C:\Windows\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{25510399-F9CE-4318-9C2B-92F42045362A}.exe
        
        C:\Windows\{25510399-F9CE-4318-9C2B-92F42045362A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{60529530-7A6A-4c57-8486-193B47AE742E}.exe
        
        C:\Windows\{60529530-7A6A-4c57-8486-193B47AE742E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
        
        C:\Windows\{0B5617C8-9412-48e2-A532-0BBF61269023}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
        
        C:\Windows\{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe
        
        C:\Windows\{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{2AE7D916-716C-41b6-9ECE-B655158F476D}.exe
        
        C:\Windows\{2AE7D916-716C-41b6-9ECE-B655158F476D}.exe
        14⤵
        Executes dropped EXE
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{270C4~1.EXE > nul
        14⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39215~1.EXE > nul
        13⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B561~1.EXE > nul
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60529~1.EXE > nul
        11⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25510~1.EXE > nul
        10⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B76F4~1.EXE > nul
        9⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07131~1.EXE > nul
        8⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7060B~1.EXE > nul
        7⤵
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4C8D~1.EXE > nul
        6⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F14E2~1.EXE > nul
        5⤵
        
        PID:632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6394C~1.EXE > nul
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7289~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E97973~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0713181B-FEBE-4515-9178-872440CF93CD}.exe

Filesize
372KB

MD5
105825d4dc94654a609cdbdc71d9b499

SHA1
b3d132d7dc80244120ce07b65038ebd928abe413

SHA256
63204e7d0f55a50b15c80fe2a5491a2ec23b80ac54e13b50a1b2bac77dcdc9d2

SHA512
29ca28914cb301e4259f8528783d0b0dafd330f92456bb2eddef6b780c0f40eba9a672ed6862f1f73faba8b0c587763c1408de6d0809d1b582c4b6da6f317576

Download Submit
C:\Windows\{0713181B-FEBE-4515-9178-872440CF93CD}.exe

Filesize
372KB

MD5
105825d4dc94654a609cdbdc71d9b499

SHA1
b3d132d7dc80244120ce07b65038ebd928abe413

SHA256
63204e7d0f55a50b15c80fe2a5491a2ec23b80ac54e13b50a1b2bac77dcdc9d2

SHA512
29ca28914cb301e4259f8528783d0b0dafd330f92456bb2eddef6b780c0f40eba9a672ed6862f1f73faba8b0c587763c1408de6d0809d1b582c4b6da6f317576

Download Submit
C:\Windows\{0B5617C8-9412-48e2-A532-0BBF61269023}.exe

Filesize
372KB

MD5
ed7ec4d0b9fd5370caf77199cae597e8

SHA1
81750760d0be9c0280746d8be296051e462b44c6

SHA256
7fd88d370b2249dadf432aae802aabde290bf11593da7f02e05e61cdeb8be01c

SHA512
2547c8a389ecbd37dca8a2336feddb9d978d19d20ba83c8b71c12723e5c8285004a1443cdac54dd050faf2b24b97291891ec854ab9e73e32565cc3d34b79e3cc

Download Submit
C:\Windows\{0B5617C8-9412-48e2-A532-0BBF61269023}.exe

Filesize
372KB

MD5
ed7ec4d0b9fd5370caf77199cae597e8

SHA1
81750760d0be9c0280746d8be296051e462b44c6

SHA256
7fd88d370b2249dadf432aae802aabde290bf11593da7f02e05e61cdeb8be01c

SHA512
2547c8a389ecbd37dca8a2336feddb9d978d19d20ba83c8b71c12723e5c8285004a1443cdac54dd050faf2b24b97291891ec854ab9e73e32565cc3d34b79e3cc

Download Submit
C:\Windows\{25510399-F9CE-4318-9C2B-92F42045362A}.exe

Filesize
372KB

MD5
f883852798d9bc102444eb74e8676c88

SHA1
4790ed9d4cdf5f6d2776f035ca54b378a109c805

SHA256
6d00d629e80e04d2fa133d2258a4b33622275967021bc8cce8764f74ba16c2f4

SHA512
710897eddb54ba8436859c7ec7e92325c2c896511fe4ffc02a4e7e6930d046cf91d7a5bef35e6f7fc203dd3301b6bc87467f48599d44c183c43346afdba424ae

Download Submit
C:\Windows\{25510399-F9CE-4318-9C2B-92F42045362A}.exe

Filesize
372KB

MD5
f883852798d9bc102444eb74e8676c88

SHA1
4790ed9d4cdf5f6d2776f035ca54b378a109c805

SHA256
6d00d629e80e04d2fa133d2258a4b33622275967021bc8cce8764f74ba16c2f4

SHA512
710897eddb54ba8436859c7ec7e92325c2c896511fe4ffc02a4e7e6930d046cf91d7a5bef35e6f7fc203dd3301b6bc87467f48599d44c183c43346afdba424ae

Download Submit
C:\Windows\{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe

Filesize
372KB

MD5
10c8c8d53dc89263ad6e24a673773410

SHA1
a02c6ece509df3dfef7b06c9319b53de489840c2

SHA256
53194b66c0bd256fb741e3860e5e40eb364e6f20eff03652309ea016f25f8a91

SHA512
3a172a75d56e35bf7c58fd684db3e1a59904738375b096b4442653043c25d9cd98bfd94aaa2a1d0263bd184d43fc1ed19e78eee2250f36045dd1805ee03d5d5b

Download Submit
C:\Windows\{270C4251-EC03-490d-A34D-E3A80C9D427A}.exe

Filesize
372KB

MD5
10c8c8d53dc89263ad6e24a673773410

SHA1
a02c6ece509df3dfef7b06c9319b53de489840c2

SHA256
53194b66c0bd256fb741e3860e5e40eb364e6f20eff03652309ea016f25f8a91

SHA512
3a172a75d56e35bf7c58fd684db3e1a59904738375b096b4442653043c25d9cd98bfd94aaa2a1d0263bd184d43fc1ed19e78eee2250f36045dd1805ee03d5d5b

Download Submit
C:\Windows\{2AE7D916-716C-41b6-9ECE-B655158F476D}.exe

Filesize
372KB

MD5
457b48941feb10e444aab3d2d5614f2e

SHA1
cc11d22506b5bb181a80befef7d73b3714997de4

SHA256
a833e6dbcfbf67677a477fe710043c9da9e3ea0db77d7054f0d1c393422e837e

SHA512
218f4613826e1a97645e5af2795522d7e67dcdfe9f9d7d8cb0cd24b03a072ee9745a5f8255dfc140cc700f41cecf406b04f1011736e61ba51ea32acd61f9631e

Download Submit
C:\Windows\{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe

Filesize
372KB

MD5
f86d3e4b89b510fde27fdd4ef5b5baab

SHA1
d0c9225e7d6b0ee3b1d55406a520f5c01dce2ce3

SHA256
2f0abfbb049b288e9357509b9dd36dfbb5f5057925db987253f2c3813d0a737d

SHA512
6f84b405afe567b6c13f700810956b1141fa1631e00d4b03c42bee9ae13293a4b5fae0a2db3e01e4b1ac3cfbff5f50e56607628aa3100251e5bd385e3dc6b7fe

Download Submit
C:\Windows\{392156EF-86F2-4575-805E-890B2E3D9AA4}.exe

Filesize
372KB

MD5
f86d3e4b89b510fde27fdd4ef5b5baab

SHA1
d0c9225e7d6b0ee3b1d55406a520f5c01dce2ce3

SHA256
2f0abfbb049b288e9357509b9dd36dfbb5f5057925db987253f2c3813d0a737d

SHA512
6f84b405afe567b6c13f700810956b1141fa1631e00d4b03c42bee9ae13293a4b5fae0a2db3e01e4b1ac3cfbff5f50e56607628aa3100251e5bd385e3dc6b7fe

Download Submit
C:\Windows\{60529530-7A6A-4c57-8486-193B47AE742E}.exe

Filesize
372KB

MD5
d77ea2a9b81dbf0e896f5788ea37e472

SHA1
bf4451ae959962e6b9cf0014cf90f6f40b103670

SHA256
55dda1e4755254f064c708dbde6fd0f59e097c1969f83ddd9cac6275c93542db

SHA512
40816f38314facc8121dd75f8f7b1dd9ef198d19b65c96da641867b446797126505aac226cc1b2e6c1d9c371648cd07e451d8c32fae10fc748fc253381bde33f

Download Submit
C:\Windows\{60529530-7A6A-4c57-8486-193B47AE742E}.exe

Filesize
372KB

MD5
d77ea2a9b81dbf0e896f5788ea37e472

SHA1
bf4451ae959962e6b9cf0014cf90f6f40b103670

SHA256
55dda1e4755254f064c708dbde6fd0f59e097c1969f83ddd9cac6275c93542db

SHA512
40816f38314facc8121dd75f8f7b1dd9ef198d19b65c96da641867b446797126505aac226cc1b2e6c1d9c371648cd07e451d8c32fae10fc748fc253381bde33f

Download Submit
C:\Windows\{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe

Filesize
372KB

MD5
a87304c081b6753748f2be956984aaaa

SHA1
0ff60e1b2a2529b5820380d9a2a5c4cf2c062f7b

SHA256
af6fea557da331b49e1118a2b9bcd4879a154d16c19c03944ec2e860ae621785

SHA512
f76b806b964cb75cfbacc40bff84fd151eb6f65bc4f966d54cbbc6051e342d33db2fa396a84c8389d5b5b60e0caee12c8ee65debada368c8dc2aa8136b5d912e

Download Submit
C:\Windows\{6394C549-F55B-4c71-9A46-A2DB192085C8}.exe

Filesize
372KB

MD5
a87304c081b6753748f2be956984aaaa

SHA1
0ff60e1b2a2529b5820380d9a2a5c4cf2c062f7b

SHA256
af6fea557da331b49e1118a2b9bcd4879a154d16c19c03944ec2e860ae621785

SHA512
f76b806b964cb75cfbacc40bff84fd151eb6f65bc4f966d54cbbc6051e342d33db2fa396a84c8389d5b5b60e0caee12c8ee65debada368c8dc2aa8136b5d912e

Download Submit
C:\Windows\{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe

Filesize
372KB

MD5
81aec2dd6476bfd89c357266fa9935e8

SHA1
cc9c98b47c98bde327bee92925bdf527abd538c1

SHA256
707a117ecbc3344a84dede527b2c0698d31fd0a97e945dbd5e6dce9afa7599ca

SHA512
c43ed2b0224e1aeb44669ef0802290529ed5b0f326f89c50b31bc28f8c2602a7d8f1289e94468667020b91b88038ae987b6e01195ac6d124810abca0e0cbcb24

Download Submit
C:\Windows\{7060B450-4130-4b9d-B640-57D6C1D0E643}.exe

Filesize
372KB

MD5
81aec2dd6476bfd89c357266fa9935e8

SHA1
cc9c98b47c98bde327bee92925bdf527abd538c1

SHA256
707a117ecbc3344a84dede527b2c0698d31fd0a97e945dbd5e6dce9afa7599ca

SHA512
c43ed2b0224e1aeb44669ef0802290529ed5b0f326f89c50b31bc28f8c2602a7d8f1289e94468667020b91b88038ae987b6e01195ac6d124810abca0e0cbcb24

Download Submit
C:\Windows\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe

Filesize
372KB

MD5
6590d7323ee67816eeaaa2efccdad597

SHA1
35ee332f11ce7c4b8bc3d1a8853f13bc722f89d6

SHA256
f8b80259840240cb02e3b8194bb0631c8797bf253eff6cefeac869fd7e3eb62b

SHA512
edae90242fa37906dd4f3aebe918df90a262206ea6cc1a1a11b0f484eaf88f22c96ef4016e11d32dc83e45f6d272cba7d186cc9949c4b5911356698cf23036db

Download Submit
C:\Windows\{B4C8D23C-5116-4cd8-8A07-EEC13E368495}.exe

Filesize
372KB

MD5
6590d7323ee67816eeaaa2efccdad597

SHA1
35ee332f11ce7c4b8bc3d1a8853f13bc722f89d6

SHA256
f8b80259840240cb02e3b8194bb0631c8797bf253eff6cefeac869fd7e3eb62b

SHA512
edae90242fa37906dd4f3aebe918df90a262206ea6cc1a1a11b0f484eaf88f22c96ef4016e11d32dc83e45f6d272cba7d186cc9949c4b5911356698cf23036db

Download Submit
C:\Windows\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe

Filesize
372KB

MD5
00c1f6e80dd13944423575b9a0d57887

SHA1
07e8ec2e51a0be26ee90ba90dfed65d228f68b13

SHA256
1671d14018e042b1040ae9035640af0640f6b9d45a68b594899779f92d8229f1

SHA512
187ab71bcc9ad7b3ad57feb9582f4a01bd09907e071d3465cdebe5771763cbbff137fac0dd74dcb539e5ae8c97211e881f8cd5b653c2a7a245d09162f4df98b8

Download Submit
C:\Windows\{B76F48DC-FD30-4b31-8F1B-ED9E3C90EAF5}.exe

Filesize
372KB

MD5
00c1f6e80dd13944423575b9a0d57887

SHA1
07e8ec2e51a0be26ee90ba90dfed65d228f68b13

SHA256
1671d14018e042b1040ae9035640af0640f6b9d45a68b594899779f92d8229f1

SHA512
187ab71bcc9ad7b3ad57feb9582f4a01bd09907e071d3465cdebe5771763cbbff137fac0dd74dcb539e5ae8c97211e881f8cd5b653c2a7a245d09162f4df98b8

Download Submit
C:\Windows\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe

Filesize
372KB

MD5
d0fe5ca396503738a5e8a0f6420be984

SHA1
f16cec55f4915871c29803a465b97a6bcda6734c

SHA256
4386fca61f248f6432fb58ed8a23a80bcc1ac40a7614272fa63329b0bd9cf753

SHA512
6b9ff278923d9f0bd9a795662596a8a245e84be2908421bf135b46d1b86322f77715c2e62ab4105f872ff4c7c6f4159edd6b6994f12fe589a0a9a2f5f4bbd95a

Download Submit
C:\Windows\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe

Filesize
372KB

MD5
d0fe5ca396503738a5e8a0f6420be984

SHA1
f16cec55f4915871c29803a465b97a6bcda6734c

SHA256
4386fca61f248f6432fb58ed8a23a80bcc1ac40a7614272fa63329b0bd9cf753

SHA512
6b9ff278923d9f0bd9a795662596a8a245e84be2908421bf135b46d1b86322f77715c2e62ab4105f872ff4c7c6f4159edd6b6994f12fe589a0a9a2f5f4bbd95a

Download Submit
C:\Windows\{D7289E8D-9CFF-4b78-AF49-F75274EDF3BA}.exe

Filesize
372KB

MD5
d0fe5ca396503738a5e8a0f6420be984

SHA1
f16cec55f4915871c29803a465b97a6bcda6734c

SHA256
4386fca61f248f6432fb58ed8a23a80bcc1ac40a7614272fa63329b0bd9cf753

SHA512
6b9ff278923d9f0bd9a795662596a8a245e84be2908421bf135b46d1b86322f77715c2e62ab4105f872ff4c7c6f4159edd6b6994f12fe589a0a9a2f5f4bbd95a

Download Submit
C:\Windows\{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe

Filesize
372KB

MD5
4a5f3c5d9fefbfeb2099a72c174676e7

SHA1
04c2b87b1c9e0072098c7140db8b85c110d9532f

SHA256
d397f809607210d8fabf5c0dcdfbc6863fe539f0a127b1983ffafa17209a7ac9

SHA512
1ba55f07fe0293b8fd2733b8927e36852b314d1619648d373d50f16472423567fd8857be216ea92b8f0e99ff61c4278679f1242e21ba15da9ebd92cbbf0ce012

Download Submit
C:\Windows\{F14E2A56-D783-4556-959E-8CE14BEAC90A}.exe

Filesize
372KB

MD5
4a5f3c5d9fefbfeb2099a72c174676e7

SHA1
04c2b87b1c9e0072098c7140db8b85c110d9532f

SHA256
d397f809607210d8fabf5c0dcdfbc6863fe539f0a127b1983ffafa17209a7ac9

SHA512
1ba55f07fe0293b8fd2733b8927e36852b314d1619648d373d50f16472423567fd8857be216ea92b8f0e99ff61c4278679f1242e21ba15da9ebd92cbbf0ce012

Download Submit