006ea7f53b28260aad3b5106c5666e641287329c86a11079932dbdc97ddf460d

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9e805a890e76dexeexeexeex.exe
Size

168KB
MD5

e9e805a890e76d93c951642e25260d9e
SHA1

5e43dc46db2061640cbaa14f50cce15afc027813
SHA256

006ea7f53b28260aad3b5106c5666e641287329c86a11079932dbdc97ddf460d
SHA512

642905268ba0f5f00b11477ce1ad990228996ee2be861305161c412bdfc0b0adb5a8478f9f8ab18153a3432106d146bb749f257e84be9993f098d83e0ebc5257
SSDEEP

1536:1EGh0oilq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oilqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}\stubpath = "C:\\Windows\\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe"	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}\stubpath = "C:\\Windows\\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe"	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}\stubpath = "C:\\Windows\\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe"	{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}	{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}	{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5947F77-B932-4d3f-AB30-B6808604C100}	e9e805a890e76dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5947F77-B932-4d3f-AB30-B6808604C100}\stubpath = "C:\\Windows\\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe"	e9e805a890e76dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}\stubpath = "C:\\Windows\\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe"	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}\stubpath = "C:\\Windows\\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe"	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}\stubpath = "C:\\Windows\\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe"	{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}	{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}\stubpath = "C:\\Windows\\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe"	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}	{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}\stubpath = "C:\\Windows\\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe"	{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C41C7F-B637-4a31-BC64-89FDF696DC40}	{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C41C7F-B637-4a31-BC64-89FDF696DC40}\stubpath = "C:\\Windows\\{73C41C7F-B637-4a31-BC64-89FDF696DC40}.exe"	{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}\stubpath = "C:\\Windows\\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe"	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}\stubpath = "C:\\Windows\\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe"	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}\stubpath = "C:\\Windows\\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe"	{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe

Deletes itself 1 IoCs

pid	Process
932	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
3052	{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe
2644	{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
548	{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
2576	{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe
2760	{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe
2956	{73C41C7F-B637-4a31-BC64-89FDF696DC40}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
File created	C:\Windows\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
File created	C:\Windows\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
File created	C:\Windows\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe	{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
File created	C:\Windows\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe	{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
File created	C:\Windows\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	e9e805a890e76dexeexeexeex.exe
File created	C:\Windows\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
File created	C:\Windows\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
File created	C:\Windows\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe	{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe
File created	C:\Windows\{73C41C7F-B637-4a31-BC64-89FDF696DC40}.exe	{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe
File created	C:\Windows\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
File created	C:\Windows\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
File created	C:\Windows\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe	{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2840	e9e805a890e76dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
Token: SeIncBasePriorityPrivilege	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
Token: SeIncBasePriorityPrivilege	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
Token: SeIncBasePriorityPrivilege	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
Token: SeIncBasePriorityPrivilege	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
Token: SeIncBasePriorityPrivilege	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
Token: SeIncBasePriorityPrivilege	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
Token: SeIncBasePriorityPrivilege	3052	{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe
Token: SeIncBasePriorityPrivilege	2644	{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
Token: SeIncBasePriorityPrivilege	548	{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
Token: SeIncBasePriorityPrivilege	2576	{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe
Token: SeIncBasePriorityPrivilege	2760	{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1332	2840	e9e805a890e76dexeexeexeex.exe	29
PID 2840 wrote to memory of 1332	2840	e9e805a890e76dexeexeexeex.exe	29
PID 2840 wrote to memory of 1332	2840	e9e805a890e76dexeexeexeex.exe	29
PID 2840 wrote to memory of 1332	2840	e9e805a890e76dexeexeexeex.exe	29
PID 2840 wrote to memory of 932	2840	e9e805a890e76dexeexeexeex.exe	30
PID 2840 wrote to memory of 932	2840	e9e805a890e76dexeexeexeex.exe	30
PID 2840 wrote to memory of 932	2840	e9e805a890e76dexeexeexeex.exe	30
PID 2840 wrote to memory of 932	2840	e9e805a890e76dexeexeexeex.exe	30
PID 1332 wrote to memory of 2968	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	31
PID 1332 wrote to memory of 2968	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	31
PID 1332 wrote to memory of 2968	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	31
PID 1332 wrote to memory of 2968	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	31
PID 1332 wrote to memory of 2204	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	32
PID 1332 wrote to memory of 2204	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	32
PID 1332 wrote to memory of 2204	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	32
PID 1332 wrote to memory of 2204	1332	{A5947F77-B932-4d3f-AB30-B6808604C100}.exe	32
PID 2968 wrote to memory of 2360	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	33
PID 2968 wrote to memory of 2360	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	33
PID 2968 wrote to memory of 2360	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	33
PID 2968 wrote to memory of 2360	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	33
PID 2968 wrote to memory of 2296	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	34
PID 2968 wrote to memory of 2296	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	34
PID 2968 wrote to memory of 2296	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	34
PID 2968 wrote to memory of 2296	2968	{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe	34
PID 2360 wrote to memory of 276	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	35
PID 2360 wrote to memory of 276	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	35
PID 2360 wrote to memory of 276	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	35
PID 2360 wrote to memory of 276	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	35
PID 2360 wrote to memory of 2420	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	36
PID 2360 wrote to memory of 2420	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	36
PID 2360 wrote to memory of 2420	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	36
PID 2360 wrote to memory of 2420	2360	{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe	36
PID 276 wrote to memory of 1352	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	37
PID 276 wrote to memory of 1352	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	37
PID 276 wrote to memory of 1352	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	37
PID 276 wrote to memory of 1352	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	37
PID 276 wrote to memory of 2536	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	38
PID 276 wrote to memory of 2536	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	38
PID 276 wrote to memory of 2536	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	38
PID 276 wrote to memory of 2536	276	{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe	38
PID 1352 wrote to memory of 1260	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	40
PID 1352 wrote to memory of 1260	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	40
PID 1352 wrote to memory of 1260	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	40
PID 1352 wrote to memory of 1260	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	40
PID 1352 wrote to memory of 2236	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	39
PID 1352 wrote to memory of 2236	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	39
PID 1352 wrote to memory of 2236	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	39
PID 1352 wrote to memory of 2236	1352	{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe	39
PID 1260 wrote to memory of 1920	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	41
PID 1260 wrote to memory of 1920	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	41
PID 1260 wrote to memory of 1920	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	41
PID 1260 wrote to memory of 1920	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	41
PID 1260 wrote to memory of 2216	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	42
PID 1260 wrote to memory of 2216	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	42
PID 1260 wrote to memory of 2216	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	42
PID 1260 wrote to memory of 2216	1260	{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe	42
PID 1920 wrote to memory of 3052	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	44
PID 1920 wrote to memory of 3052	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	44
PID 1920 wrote to memory of 3052	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	44
PID 1920 wrote to memory of 3052	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	44
PID 1920 wrote to memory of 2156	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	43
PID 1920 wrote to memory of 2156	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	43
PID 1920 wrote to memory of 2156	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	43
PID 1920 wrote to memory of 2156	1920	{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe	43

C:\Users\Admin\AppData\Local\Temp\e9e805a890e76dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e9e805a890e76dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
  C:\Windows\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
    C:\Windows\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
      C:\Windows\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
        
        C:\Windows\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
      - C:\Windows\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
        
        C:\Windows\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6681~1.EXE > nul
        7⤵
        
        PID:2236
        
        C:\Windows\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
        
        C:\Windows\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
        
        C:\Windows\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A32A~1.EXE > nul
        9⤵
        
        PID:2156
        
        C:\Windows\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe
        
        C:\Windows\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
        
        C:\Windows\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5ABF~1.EXE > nul
        11⤵
        
        PID:2704
        
        C:\Windows\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
        
        C:\Windows\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe
        
        C:\Windows\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe
        
        C:\Windows\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ECF9~1.EXE > nul
        14⤵
        
        PID:2616
        
        C:\Windows\{73C41C7F-B637-4a31-BC64-89FDF696DC40}.exe
        
        C:\Windows\{73C41C7F-B637-4a31-BC64-89FDF696DC40}.exe
        14⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EB45~1.EXE > nul
        13⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BCA9~1.EXE > nul
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0764C~1.EXE > nul
        10⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41C90~1.EXE > nul
        8⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD79~1.EXE > nul
        6⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8470E~1.EXE > nul
        5⤵
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB8EB~1.EXE > nul
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5947~1.EXE > nul
    3⤵
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E9E805~1.EXE > nul
  2⤵
  - Deletes itself
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe

Filesize
168KB

MD5
848fc8e91b48510cf24f52bf41eda60c

SHA1
9cea308a31eb28a911863f915b9c2191ead08cc4

SHA256
ac95e93960fb81ea39b1d3f2808020e67bb09a34e9db3891e260340e66d5dec5

SHA512
e137d6e2ac96ef93ad2b7b7e448d2e34f83f882f159a6c5bda4cbdb955ec9d3c22df5430ef6dd2596017b675a6662bcf51c2952041960597715fa28dd252f1d1

Download Submit
C:\Windows\{0764C7C4-3E56-4e27-AFC5-CBBD32F2C4C7}.exe

Filesize
168KB

MD5
848fc8e91b48510cf24f52bf41eda60c

SHA1
9cea308a31eb28a911863f915b9c2191ead08cc4

SHA256
ac95e93960fb81ea39b1d3f2808020e67bb09a34e9db3891e260340e66d5dec5

SHA512
e137d6e2ac96ef93ad2b7b7e448d2e34f83f882f159a6c5bda4cbdb955ec9d3c22df5430ef6dd2596017b675a6662bcf51c2952041960597715fa28dd252f1d1

Download Submit
C:\Windows\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe

Filesize
168KB

MD5
328aae17c8ba611f85a6011688642763

SHA1
9a6adee3639cbe1efe7817d517e11364d8debd27

SHA256
acf4f4a1520d4a84986954b34fa51a433ff0aa1003fd041cf5cbe806e6cc6398

SHA512
ff33b94058212577b6a66617520c59c749979e17897ed6dfec9d09470f92744d8e83e6e2035858aed05be5a217f6b62546708e972ffa964b2f4bce7a16b57255

Download Submit
C:\Windows\{3BCA949C-F091-4ce0-B0C1-48D573AD18C4}.exe

Filesize
168KB

MD5
328aae17c8ba611f85a6011688642763

SHA1
9a6adee3639cbe1efe7817d517e11364d8debd27

SHA256
acf4f4a1520d4a84986954b34fa51a433ff0aa1003fd041cf5cbe806e6cc6398

SHA512
ff33b94058212577b6a66617520c59c749979e17897ed6dfec9d09470f92744d8e83e6e2035858aed05be5a217f6b62546708e972ffa964b2f4bce7a16b57255

Download Submit
C:\Windows\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe

Filesize
168KB

MD5
341ccd154991ab026d1a60411c4803d2

SHA1
483cc01dfc4da3ea8cebda9fd422be0df68d46ce

SHA256
168222d92ad40b3b0bba307b092108195c679bd91319c542508085bedc9fb0c7

SHA512
c8f1c75a05fcacbe76d4cb2c7b01a174d61ddf05d40f3715c04da8bd4beac10b7e55c67c67e6a445efd9aa7767c5ebe1602152113226b5367295e0bcde6a6f51

Download Submit
C:\Windows\{41C907B3-0110-47f6-A6C1-59B069DEDFF7}.exe

Filesize
168KB

MD5
341ccd154991ab026d1a60411c4803d2

SHA1
483cc01dfc4da3ea8cebda9fd422be0df68d46ce

SHA256
168222d92ad40b3b0bba307b092108195c679bd91319c542508085bedc9fb0c7

SHA512
c8f1c75a05fcacbe76d4cb2c7b01a174d61ddf05d40f3715c04da8bd4beac10b7e55c67c67e6a445efd9aa7767c5ebe1602152113226b5367295e0bcde6a6f51

Download Submit
C:\Windows\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe

Filesize
168KB

MD5
1642bfb29e15c94be7e037f1538a73fc

SHA1
65561c7dbb0c95f76ddcf2c4aaf5ab83b719c72b

SHA256
3552c2ca90a4f4bc9921f0fb91005ca77eef378303e3b268cb43385f398fa000

SHA512
a933be54b926d914d75fde0529222ca777dcf4b184a01799a9793381ddd36cd05147a35bfbaf99b2e669cb46abade99489a1cead396b284e04111e56efd04d6c

Download Submit
C:\Windows\{4A32A6FE-3FA3-43e9-8008-6F1153274F4F}.exe

Filesize
168KB

MD5
1642bfb29e15c94be7e037f1538a73fc

SHA1
65561c7dbb0c95f76ddcf2c4aaf5ab83b719c72b

SHA256
3552c2ca90a4f4bc9921f0fb91005ca77eef378303e3b268cb43385f398fa000

SHA512
a933be54b926d914d75fde0529222ca777dcf4b184a01799a9793381ddd36cd05147a35bfbaf99b2e669cb46abade99489a1cead396b284e04111e56efd04d6c

Download Submit
C:\Windows\{73C41C7F-B637-4a31-BC64-89FDF696DC40}.exe

Filesize
168KB

MD5
915e634dad60b9868dace785574f103b

SHA1
8151607233e3b0339975bcd3041a9f5960728b83

SHA256
ba1fd33687d4cf63dbec41190a771bdf00740ba9e4413a420775c880e90506ba

SHA512
7038d279dd0134a4f5b6be1b40ee8e05ba01931c2ebe4c7d775ae962a18f8c01c46375ba82f688f4192567caedfa5c9cbea4ebcd82e82e44f5883ccd3446ea5e

Download Submit
C:\Windows\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe

Filesize
168KB

MD5
7c10df5e485553de5917dd1787f3d656

SHA1
489aeadc88765b8564871525a940ec77a76d0169

SHA256
4e7e61f096a107a5ce30f6b470f77ece7200c3dbbf118add076d2c75751d2529

SHA512
619b68839f933cf539dac35ab08da959f416bcb2a48cf05a86b309d450090294b7718e689813ef4a3cd872f973abbf4453b1ba8869d43e58d6387dd0fa01dfe0

Download Submit
C:\Windows\{8470EE47-7AA0-4a01-9D94-EA4F0037EF6C}.exe

Filesize
168KB

MD5
7c10df5e485553de5917dd1787f3d656

SHA1
489aeadc88765b8564871525a940ec77a76d0169

SHA256
4e7e61f096a107a5ce30f6b470f77ece7200c3dbbf118add076d2c75751d2529

SHA512
619b68839f933cf539dac35ab08da959f416bcb2a48cf05a86b309d450090294b7718e689813ef4a3cd872f973abbf4453b1ba8869d43e58d6387dd0fa01dfe0

Download Submit
C:\Windows\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe

Filesize
168KB

MD5
4323ed9d9bfabd95993f0f9bcbf8fdb5

SHA1
862a46b3bf54c7ceb6f5b4d8273832ed20f6d68b

SHA256
ce1d994b14d72b7df4c70830c1bf422442e88d2595e03e0d0f8047651d94d59e

SHA512
fe8aae59265a17428581190f5f12f0d5dbe6aa44d26cc8855e5dcfd13fcefaed48533a86996640e1e27220544668c5a1f35ad600267ec7cfbf7a5f0a1bc1c513

Download Submit
C:\Windows\{9EB45B3A-A9BA-43b9-AD70-CC14B41451F3}.exe

Filesize
168KB

MD5
4323ed9d9bfabd95993f0f9bcbf8fdb5

SHA1
862a46b3bf54c7ceb6f5b4d8273832ed20f6d68b

SHA256
ce1d994b14d72b7df4c70830c1bf422442e88d2595e03e0d0f8047651d94d59e

SHA512
fe8aae59265a17428581190f5f12f0d5dbe6aa44d26cc8855e5dcfd13fcefaed48533a86996640e1e27220544668c5a1f35ad600267ec7cfbf7a5f0a1bc1c513

Download Submit
C:\Windows\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe

Filesize
168KB

MD5
8e8f3c064ca7f84ce16925a3a4b13205

SHA1
18caef3cac89eda0d39ffede4e6c26061a9f8de2

SHA256
d7023507f1d8aed83947d9efa9c98caa83888a561b83d7fd9f2b233015e9649a

SHA512
ffac9685d6d7cddc07dfab6236df36f7dd146c58865e80eaefb076b3c1ba046740c656a97c1f0a7e84650cf1272a44ee4c1e5b0ad56f550d34ebb4edf8e013e0

Download Submit
C:\Windows\{9ECF9E9C-97B5-4743-A4C1-83745638A6CE}.exe

Filesize
168KB

MD5
8e8f3c064ca7f84ce16925a3a4b13205

SHA1
18caef3cac89eda0d39ffede4e6c26061a9f8de2

SHA256
d7023507f1d8aed83947d9efa9c98caa83888a561b83d7fd9f2b233015e9649a

SHA512
ffac9685d6d7cddc07dfab6236df36f7dd146c58865e80eaefb076b3c1ba046740c656a97c1f0a7e84650cf1272a44ee4c1e5b0ad56f550d34ebb4edf8e013e0

Download Submit
C:\Windows\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe

Filesize
168KB

MD5
2060c3f63a4e9d4c027710b7820f838d

SHA1
11cb82e95c1d7e965ee01c3036da307339a88bb7

SHA256
1235af62b98f1b28082a15d3e0227d47445f74494ea04631fa5b20b63a16ec09

SHA512
061856dddcc4d71d7a63b83ea579bbf34f32ef71ca10103a1d1431a3efffe6f868699793c36e5a98417b36e0fc5c74adbe7e38bd524adfe7e120e66ac0dec3b9

Download Submit
C:\Windows\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe

Filesize
168KB

MD5
2060c3f63a4e9d4c027710b7820f838d

SHA1
11cb82e95c1d7e965ee01c3036da307339a88bb7

SHA256
1235af62b98f1b28082a15d3e0227d47445f74494ea04631fa5b20b63a16ec09

SHA512
061856dddcc4d71d7a63b83ea579bbf34f32ef71ca10103a1d1431a3efffe6f868699793c36e5a98417b36e0fc5c74adbe7e38bd524adfe7e120e66ac0dec3b9

Download Submit
C:\Windows\{A5947F77-B932-4d3f-AB30-B6808604C100}.exe

Filesize
168KB

MD5
2060c3f63a4e9d4c027710b7820f838d

SHA1
11cb82e95c1d7e965ee01c3036da307339a88bb7

SHA256
1235af62b98f1b28082a15d3e0227d47445f74494ea04631fa5b20b63a16ec09

SHA512
061856dddcc4d71d7a63b83ea579bbf34f32ef71ca10103a1d1431a3efffe6f868699793c36e5a98417b36e0fc5c74adbe7e38bd524adfe7e120e66ac0dec3b9

Download Submit
C:\Windows\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe

Filesize
168KB

MD5
d224ce941a290af4bacb1028c335ca45

SHA1
90acc09851f68488895996d675bcf843cf38373e

SHA256
cefadf463f552e5ee47b1e12f842dd9b7a1f3309ff1973aa28997de78d84e12f

SHA512
8ddc03ea3bc374f7f18f1f0d003798f5a6caa0c1bebec10a93cc707ea7f8258d24a10c4f474d688559a359484c88eba63f9d1037f2a71b7307687a5d658ec4f6

Download Submit
C:\Windows\{B5ABF64D-B136-40b7-8E01-F9D3D077533C}.exe

Filesize
168KB

MD5
d224ce941a290af4bacb1028c335ca45

SHA1
90acc09851f68488895996d675bcf843cf38373e

SHA256
cefadf463f552e5ee47b1e12f842dd9b7a1f3309ff1973aa28997de78d84e12f

SHA512
8ddc03ea3bc374f7f18f1f0d003798f5a6caa0c1bebec10a93cc707ea7f8258d24a10c4f474d688559a359484c88eba63f9d1037f2a71b7307687a5d658ec4f6

Download Submit
C:\Windows\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe

Filesize
168KB

MD5
937a4a8302526f4bb9aa5a76fcaa32e9

SHA1
0efefec5f77216c6ca0e94e2fe6983f4ef3cf2df

SHA256
9b65c3d7541cc631a51137a83bca547954c3f8f26a73ea1034c45252336d0339

SHA512
7c1a50d33bb2f901671da811e6ac1fa09e64e4a13fa2e34027e8cec95a48e7bb7b3d7a6742db1de4926ca4b7d11c399e1838ff14d9b9cbabf4940b9837577afd

Download Submit
C:\Windows\{CBD79EEF-1FCE-4c16-ABCB-7753683C3FC4}.exe

Filesize
168KB

MD5
937a4a8302526f4bb9aa5a76fcaa32e9

SHA1
0efefec5f77216c6ca0e94e2fe6983f4ef3cf2df

SHA256
9b65c3d7541cc631a51137a83bca547954c3f8f26a73ea1034c45252336d0339

SHA512
7c1a50d33bb2f901671da811e6ac1fa09e64e4a13fa2e34027e8cec95a48e7bb7b3d7a6742db1de4926ca4b7d11c399e1838ff14d9b9cbabf4940b9837577afd

Download Submit
C:\Windows\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe

Filesize
168KB

MD5
278475148743acc8b2ac31157f1e076b

SHA1
05237aa31e4fe062453fc421e59a3df325c1f710

SHA256
15cdd4b5137fee57b6e958af7d0ee354f08613164851a941a02782e8953752a5

SHA512
bab7a8930f359dc039138d39c906e5ee32da6667ccf89bb586d9ee60e22734bff17a23089bad85696c2a62aeaf43e4c5dd4a347092c5d72e93442a1b06a75d28

Download Submit
C:\Windows\{D6681AC3-F81B-40a4-9238-F6A49CDE2801}.exe

Filesize
168KB

MD5
278475148743acc8b2ac31157f1e076b

SHA1
05237aa31e4fe062453fc421e59a3df325c1f710

SHA256
15cdd4b5137fee57b6e958af7d0ee354f08613164851a941a02782e8953752a5

SHA512
bab7a8930f359dc039138d39c906e5ee32da6667ccf89bb586d9ee60e22734bff17a23089bad85696c2a62aeaf43e4c5dd4a347092c5d72e93442a1b06a75d28

Download Submit
C:\Windows\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe

Filesize
168KB

MD5
82c2062e4941e732b00b05d863fb6038

SHA1
c531ad8d29e1c3dbe49af6549bf2a9f5b20b5ae8

SHA256
c96282d2ab5edf968b9d072707100cf2e6dc1a3c6cb25592d1d882a85dd6d874

SHA512
f8e4a4d8f93fe558a0dd6545b822f2418299c5635e2094cfa9098cae5963e22252eea5d46047a72c100fad96ed392bc934d5b8858ffe08d95057d9c2ba8c05ff

Download Submit
C:\Windows\{EB8EBE25-A5A1-4783-8622-6E3FC292FABA}.exe

Filesize
168KB

MD5
82c2062e4941e732b00b05d863fb6038

SHA1
c531ad8d29e1c3dbe49af6549bf2a9f5b20b5ae8

SHA256
c96282d2ab5edf968b9d072707100cf2e6dc1a3c6cb25592d1d882a85dd6d874

SHA512
f8e4a4d8f93fe558a0dd6545b822f2418299c5635e2094cfa9098cae5963e22252eea5d46047a72c100fad96ed392bc934d5b8858ffe08d95057d9c2ba8c05ff

Download Submit