621baa635ebb452e2014a99592feaba0b42af8d52343ffe0a9fc7efa14123db5

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05-07-2023 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b373eb6e483dexeexeexeex.exe
Size

372KB
MD5

07b373eb6e483d1f4f87dd8f0d0b362b
SHA1

bb285562274d7bb2eff7826f5b0de6cbe6000305
SHA256

621baa635ebb452e2014a99592feaba0b42af8d52343ffe0a9fc7efa14123db5
SHA512

4a1b17b65e4e30a7b9db74d6d836dffbbc68938b95ccb49579cc45bcaa46c4e46f83297bcf89086a0b136c9dc671bc2bc5d160f3dfc404965f52491c67711722
SSDEEP

3072:CEGh0ormlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG8l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}	{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}\stubpath = "C:\\Windows\\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe"	{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}	07b373eb6e483dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F3A87FB-CEC4-4881-808E-992727424B75}	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81B16676-9129-4691-9F5D-39788377A5E8}\stubpath = "C:\\Windows\\{81B16676-9129-4691-9F5D-39788377A5E8}.exe"	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}	{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}\stubpath = "C:\\Windows\\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe"	{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}\stubpath = "C:\\Windows\\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}.exe"	{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}	{81B16676-9129-4691-9F5D-39788377A5E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}	{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}\stubpath = "C:\\Windows\\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe"	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}\stubpath = "C:\\Windows\\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe"	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}\stubpath = "C:\\Windows\\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe"	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81B16676-9129-4691-9F5D-39788377A5E8}	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}	{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}\stubpath = "C:\\Windows\\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe"	07b373eb6e483dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F3A87FB-CEC4-4881-808E-992727424B75}\stubpath = "C:\\Windows\\{8F3A87FB-CEC4-4881-808E-992727424B75}.exe"	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}\stubpath = "C:\\Windows\\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe"	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}\stubpath = "C:\\Windows\\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe"	{81B16676-9129-4691-9F5D-39788377A5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E129F720-6A1F-4930-BA9A-79F08021111B}\stubpath = "C:\\Windows\\{E129F720-6A1F-4930-BA9A-79F08021111B}.exe"	{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}\stubpath = "C:\\Windows\\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe"	{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E129F720-6A1F-4930-BA9A-79F08021111B}	{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe

Deletes itself 1 IoCs

pid	Process
864	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe
2012	{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
2328	{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
2768	{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe
2784	{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
2940	{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe
3052	{F7EFCB31-E8FF-48f5-90D9-843672EB5607}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe	{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
File created	C:\Windows\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe	{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
File created	C:\Windows\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	07b373eb6e483dexeexeexeex.exe
File created	C:\Windows\{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
File created	C:\Windows\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
File created	C:\Windows\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
File created	C:\Windows\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe	{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
File created	C:\Windows\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}.exe	{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe
File created	C:\Windows\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
File created	C:\Windows\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
File created	C:\Windows\{81B16676-9129-4691-9F5D-39788377A5E8}.exe	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
File created	C:\Windows\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe	{81B16676-9129-4691-9F5D-39788377A5E8}.exe
File created	C:\Windows\{E129F720-6A1F-4930-BA9A-79F08021111B}.exe	{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	07b373eb6e483dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
Token: SeIncBasePriorityPrivilege	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
Token: SeIncBasePriorityPrivilege	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
Token: SeIncBasePriorityPrivilege	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
Token: SeIncBasePriorityPrivilege	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
Token: SeIncBasePriorityPrivilege	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
Token: SeIncBasePriorityPrivilege	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe
Token: SeIncBasePriorityPrivilege	2012	{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
Token: SeIncBasePriorityPrivilege	2328	{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
Token: SeIncBasePriorityPrivilege	2768	{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe
Token: SeIncBasePriorityPrivilege	2784	{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
Token: SeIncBasePriorityPrivilege	2940	{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1360	2368	07b373eb6e483dexeexeexeex.exe	28
PID 2368 wrote to memory of 1360	2368	07b373eb6e483dexeexeexeex.exe	28
PID 2368 wrote to memory of 1360	2368	07b373eb6e483dexeexeexeex.exe	28
PID 2368 wrote to memory of 1360	2368	07b373eb6e483dexeexeexeex.exe	28
PID 2368 wrote to memory of 864	2368	07b373eb6e483dexeexeexeex.exe	29
PID 2368 wrote to memory of 864	2368	07b373eb6e483dexeexeexeex.exe	29
PID 2368 wrote to memory of 864	2368	07b373eb6e483dexeexeexeex.exe	29
PID 2368 wrote to memory of 864	2368	07b373eb6e483dexeexeexeex.exe	29
PID 1360 wrote to memory of 2172	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	30
PID 1360 wrote to memory of 2172	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	30
PID 1360 wrote to memory of 2172	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	30
PID 1360 wrote to memory of 2172	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	30
PID 1360 wrote to memory of 812	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	31
PID 1360 wrote to memory of 812	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	31
PID 1360 wrote to memory of 812	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	31
PID 1360 wrote to memory of 812	1360	{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe	31
PID 2172 wrote to memory of 1044	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	33
PID 2172 wrote to memory of 1044	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	33
PID 2172 wrote to memory of 1044	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	33
PID 2172 wrote to memory of 1044	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	33
PID 2172 wrote to memory of 652	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	32
PID 2172 wrote to memory of 652	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	32
PID 2172 wrote to memory of 652	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	32
PID 2172 wrote to memory of 652	2172	{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe	32
PID 1044 wrote to memory of 1992	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	34
PID 1044 wrote to memory of 1992	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	34
PID 1044 wrote to memory of 1992	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	34
PID 1044 wrote to memory of 1992	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	34
PID 1044 wrote to memory of 1576	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	35
PID 1044 wrote to memory of 1576	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	35
PID 1044 wrote to memory of 1576	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	35
PID 1044 wrote to memory of 1576	1044	{8F3A87FB-CEC4-4881-808E-992727424B75}.exe	35
PID 1992 wrote to memory of 1164	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	36
PID 1992 wrote to memory of 1164	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	36
PID 1992 wrote to memory of 1164	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	36
PID 1992 wrote to memory of 1164	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	36
PID 1992 wrote to memory of 3000	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	37
PID 1992 wrote to memory of 3000	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	37
PID 1992 wrote to memory of 3000	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	37
PID 1992 wrote to memory of 3000	1992	{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe	37
PID 1164 wrote to memory of 1436	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	39
PID 1164 wrote to memory of 1436	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	39
PID 1164 wrote to memory of 1436	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	39
PID 1164 wrote to memory of 1436	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	39
PID 1164 wrote to memory of 2212	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	38
PID 1164 wrote to memory of 2212	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	38
PID 1164 wrote to memory of 2212	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	38
PID 1164 wrote to memory of 2212	1164	{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe	38
PID 1436 wrote to memory of 1524	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	41
PID 1436 wrote to memory of 1524	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	41
PID 1436 wrote to memory of 1524	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	41
PID 1436 wrote to memory of 1524	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	41
PID 1436 wrote to memory of 992	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	40
PID 1436 wrote to memory of 992	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	40
PID 1436 wrote to memory of 992	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	40
PID 1436 wrote to memory of 992	1436	{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe	40
PID 1524 wrote to memory of 2012	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	43
PID 1524 wrote to memory of 2012	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	43
PID 1524 wrote to memory of 2012	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	43
PID 1524 wrote to memory of 2012	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	43
PID 1524 wrote to memory of 2436	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	42
PID 1524 wrote to memory of 2436	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	42
PID 1524 wrote to memory of 2436	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	42
PID 1524 wrote to memory of 2436	1524	{81B16676-9129-4691-9F5D-39788377A5E8}.exe	42

C:\Users\Admin\AppData\Local\Temp\07b373eb6e483dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\07b373eb6e483dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
  C:\Windows\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
    C:\Windows\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33C8C~1.EXE > nul
      4⤵
      PID:652
  - - C:\Windows\{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
      C:\Windows\{8F3A87FB-CEC4-4881-808E-992727424B75}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
        
        C:\Windows\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
        
        C:\Windows\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4C07~1.EXE > nul
        7⤵
        
        PID:2212
        
        C:\Windows\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
        
        C:\Windows\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7843A~1.EXE > nul
        8⤵
        
        PID:992
        
        C:\Windows\{81B16676-9129-4691-9F5D-39788377A5E8}.exe
        
        C:\Windows\{81B16676-9129-4691-9F5D-39788377A5E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81B16~1.EXE > nul
        9⤵
        
        PID:2436
        
        C:\Windows\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
        
        C:\Windows\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
        
        C:\Windows\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DCA2~1.EXE > nul
        11⤵
        
        PID:2624
        
        C:\Windows\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe
        
        C:\Windows\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
        
        C:\Windows\{E129F720-6A1F-4930-BA9A-79F08021111B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe
        
        C:\Windows\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}.exe
        
        C:\Windows\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}.exe
        14⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54DD7~1.EXE > nul
        14⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E129F~1.EXE > nul
        13⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1C0C~1.EXE > nul
        12⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCF2E~1.EXE > nul
        10⤵
        
        PID:2600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{374F5~1.EXE > nul
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F3A8~1.EXE > nul
        5⤵
        
        PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4142A~1.EXE > nul
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\07B373~1.EXE > nul
  2⤵
  - Deletes itself
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe

Filesize
372KB

MD5
259cdf77995a04afa95ed4ac1a559326

SHA1
169226c7913b81642ecbc04309416678d1b81321

SHA256
7119fccb0863b44c61db5a33651bdd2a3613e57654d226a70cf35d329f0ee12c

SHA512
2f4d79b45622e23acf6b1ec69be1f52f5fc05aa66c8dfbdd351ece2974086fce78d360564bee7cb3aed879e7fce36aac0ba73c2ff022bb99d4322f9e14453c35

Download Submit
C:\Windows\{33C8C441-DFBA-4fa8-8251-157D9ABA3F60}.exe

Filesize
372KB

MD5
259cdf77995a04afa95ed4ac1a559326

SHA1
169226c7913b81642ecbc04309416678d1b81321

SHA256
7119fccb0863b44c61db5a33651bdd2a3613e57654d226a70cf35d329f0ee12c

SHA512
2f4d79b45622e23acf6b1ec69be1f52f5fc05aa66c8dfbdd351ece2974086fce78d360564bee7cb3aed879e7fce36aac0ba73c2ff022bb99d4322f9e14453c35

Download Submit
C:\Windows\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe

Filesize
372KB

MD5
3fdb5751d7ba5d6acdd614c735a4d271

SHA1
90ad9baca82c697e406c066579cc46b6ac85fd5d

SHA256
af5aea2056db9ebb2014dc787e5e3df885cb27226ff68c967201c5bb0fd2196c

SHA512
1db4a98dce97673661abf564360a7f6b06d45f570c817fdf0a50ca77cfba7eaef45d384be7d92b8f2683b1beea651ddbc7adaeb0d2d399b9cf1a8bcb114a1c32

Download Submit
C:\Windows\{374F5CD0-D483-4ded-8C09-76C37D9F6A5B}.exe

Filesize
372KB

MD5
3fdb5751d7ba5d6acdd614c735a4d271

SHA1
90ad9baca82c697e406c066579cc46b6ac85fd5d

SHA256
af5aea2056db9ebb2014dc787e5e3df885cb27226ff68c967201c5bb0fd2196c

SHA512
1db4a98dce97673661abf564360a7f6b06d45f570c817fdf0a50ca77cfba7eaef45d384be7d92b8f2683b1beea651ddbc7adaeb0d2d399b9cf1a8bcb114a1c32

Download Submit
C:\Windows\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe

Filesize
372KB

MD5
56c252e09622f680858e95204f7b48ee

SHA1
30336458f932bd6fdbb7aa68e37137591e63331d

SHA256
b82bb7b0f076b7c536e65b77122c08eabb80b0a5e2d09bcad25d293889ab1d8f

SHA512
8bf9d65fbe7527f776a6bc67b12db931500b022ad24cde3efc0f3c89729cab002d3445427d5b415e8b0fd3ffe12a786ac9a4c5785c41dae221f5a63c4a125644

Download Submit
C:\Windows\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe

Filesize
372KB

MD5
56c252e09622f680858e95204f7b48ee

SHA1
30336458f932bd6fdbb7aa68e37137591e63331d

SHA256
b82bb7b0f076b7c536e65b77122c08eabb80b0a5e2d09bcad25d293889ab1d8f

SHA512
8bf9d65fbe7527f776a6bc67b12db931500b022ad24cde3efc0f3c89729cab002d3445427d5b415e8b0fd3ffe12a786ac9a4c5785c41dae221f5a63c4a125644

Download Submit
C:\Windows\{4142A25B-9E9D-463c-8FCF-E2ACF558EE9A}.exe

Filesize
372KB

MD5
56c252e09622f680858e95204f7b48ee

SHA1
30336458f932bd6fdbb7aa68e37137591e63331d

SHA256
b82bb7b0f076b7c536e65b77122c08eabb80b0a5e2d09bcad25d293889ab1d8f

SHA512
8bf9d65fbe7527f776a6bc67b12db931500b022ad24cde3efc0f3c89729cab002d3445427d5b415e8b0fd3ffe12a786ac9a4c5785c41dae221f5a63c4a125644

Download Submit
C:\Windows\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe

Filesize
372KB

MD5
397eceae6e4422d72b801e0ca4838ab2

SHA1
2a9b5d91d060ca7b90f6721df6158b2dcbb21dc2

SHA256
edebeafe5264e665fa5d0f67498cab76c6b2a8a9a21462266db1efb41db3d813

SHA512
8f4fec02cbe3d1d5773031583aa399066ffbc2509626ef952ce9121dc3d10f5a374ecadb3cb27831e98340a4c13f710977c2a7c7368f371921724193b9b9c438

Download Submit
C:\Windows\{54DD70AB-8101-43a4-AC4D-97EDBFBC7680}.exe

Filesize
372KB

MD5
397eceae6e4422d72b801e0ca4838ab2

SHA1
2a9b5d91d060ca7b90f6721df6158b2dcbb21dc2

SHA256
edebeafe5264e665fa5d0f67498cab76c6b2a8a9a21462266db1efb41db3d813

SHA512
8f4fec02cbe3d1d5773031583aa399066ffbc2509626ef952ce9121dc3d10f5a374ecadb3cb27831e98340a4c13f710977c2a7c7368f371921724193b9b9c438

Download Submit
C:\Windows\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe

Filesize
372KB

MD5
0d068fead9d9afc056b32d30b3cfa43b

SHA1
8d969a4b112e03cc909deceb34a05d8371a92778

SHA256
18d1b04e5bb4d06e6b94d8a299457f219f19e2f9b6dc76e7ddd2b197d55cf8c0

SHA512
d90624fc29e8635e1fb2fa6b59359ea176986ef40fbebcc354bf53d95eaeb7c17a28d08ff4116a423571fb603fbef75ba3ad8dd7ef155f3718ef2dc3cd874bf6

Download Submit
C:\Windows\{7843A7C4-1323-4c93-B6DA-F9F236673D5B}.exe

Filesize
372KB

MD5
0d068fead9d9afc056b32d30b3cfa43b

SHA1
8d969a4b112e03cc909deceb34a05d8371a92778

SHA256
18d1b04e5bb4d06e6b94d8a299457f219f19e2f9b6dc76e7ddd2b197d55cf8c0

SHA512
d90624fc29e8635e1fb2fa6b59359ea176986ef40fbebcc354bf53d95eaeb7c17a28d08ff4116a423571fb603fbef75ba3ad8dd7ef155f3718ef2dc3cd874bf6

Download Submit
C:\Windows\{81B16676-9129-4691-9F5D-39788377A5E8}.exe

Filesize
372KB

MD5
ae19ff7f424486dc74de3be8959385de

SHA1
e7c30b2ea3cc27f807937af27ee963ded0f0e3e1

SHA256
fbbd5abfa9ba67df0d83b9831637bd7beee18c22c25731ac8782c48e2e3fdcb9

SHA512
f59bb3b61eec1b4141a5c665fa41443a74be29dbf826d94fdda93b4d9b9e914942e90a40315523e2629f3ac9fdc4b2ddd613c94dc15d3a0886616f27fd717cc3

Download Submit
C:\Windows\{81B16676-9129-4691-9F5D-39788377A5E8}.exe

Filesize
372KB

MD5
ae19ff7f424486dc74de3be8959385de

SHA1
e7c30b2ea3cc27f807937af27ee963ded0f0e3e1

SHA256
fbbd5abfa9ba67df0d83b9831637bd7beee18c22c25731ac8782c48e2e3fdcb9

SHA512
f59bb3b61eec1b4141a5c665fa41443a74be29dbf826d94fdda93b4d9b9e914942e90a40315523e2629f3ac9fdc4b2ddd613c94dc15d3a0886616f27fd717cc3

Download Submit
C:\Windows\{8F3A87FB-CEC4-4881-808E-992727424B75}.exe

Filesize
372KB

MD5
f0fa881fc15f5286450ccf50aa1a0a4c

SHA1
4d5bcbf8fb24d3528e0c6e28fe78982731b0ba53

SHA256
cc0e988dca26d21e54349b2227d0e3c3d2b046d58adb67887634c59b8bc10814

SHA512
645b54aa85e27da7baf143d246f682c68a5d89c8535cbbb1eaffb1b895abac578f1f530f519699f76c172b2ffd7265eaab1a18b01a5a9675073caa3b7aa7658c

Download Submit
C:\Windows\{8F3A87FB-CEC4-4881-808E-992727424B75}.exe

Filesize
372KB

MD5
f0fa881fc15f5286450ccf50aa1a0a4c

SHA1
4d5bcbf8fb24d3528e0c6e28fe78982731b0ba53

SHA256
cc0e988dca26d21e54349b2227d0e3c3d2b046d58adb67887634c59b8bc10814

SHA512
645b54aa85e27da7baf143d246f682c68a5d89c8535cbbb1eaffb1b895abac578f1f530f519699f76c172b2ffd7265eaab1a18b01a5a9675073caa3b7aa7658c

Download Submit
C:\Windows\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe

Filesize
372KB

MD5
0e6b40643b480b10146b237089cde2f5

SHA1
aed546dba9197ca7a3fc83d9adde998ecd2d5c2d

SHA256
86dc976bb5acdd070ea2df27e7446a0c8149c050095b2db0129c550c42ea0d13

SHA512
8a61d14197215660551a75b3db313198f3f393f03d3ec0315009152654dd201c6322e7ce22576376c946a96cce4269d59c4a48704cf5a530b8ced7adb18a2d43

Download Submit
C:\Windows\{9DCA2C46-380C-4c8f-8E15-ABB763A50BCA}.exe

Filesize
372KB

MD5
0e6b40643b480b10146b237089cde2f5

SHA1
aed546dba9197ca7a3fc83d9adde998ecd2d5c2d

SHA256
86dc976bb5acdd070ea2df27e7446a0c8149c050095b2db0129c550c42ea0d13

SHA512
8a61d14197215660551a75b3db313198f3f393f03d3ec0315009152654dd201c6322e7ce22576376c946a96cce4269d59c4a48704cf5a530b8ced7adb18a2d43

Download Submit
C:\Windows\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe

Filesize
372KB

MD5
ac3134d7fd9ac51f5e8e70091e0c4e23

SHA1
d787d68260b4eafeed54eb80758d8e50a917df20

SHA256
f372d485917ecc0f5b84aceff7eb4de13194f3b713f074f108a0858d71093371

SHA512
597eaeb12fd9b90b10ac7f86d59af62809cf01a6c75f5cd703ed191b9a8fa99f9a2240c859a9770e49c0a474a8210ffa55ad467671926438f1e1402a2527fb7c

Download Submit
C:\Windows\{A4C07192-839C-46b5-9C77-BD9DBA9EDA7B}.exe

Filesize
372KB

MD5
ac3134d7fd9ac51f5e8e70091e0c4e23

SHA1
d787d68260b4eafeed54eb80758d8e50a917df20

SHA256
f372d485917ecc0f5b84aceff7eb4de13194f3b713f074f108a0858d71093371

SHA512
597eaeb12fd9b90b10ac7f86d59af62809cf01a6c75f5cd703ed191b9a8fa99f9a2240c859a9770e49c0a474a8210ffa55ad467671926438f1e1402a2527fb7c

Download Submit
C:\Windows\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe

Filesize
372KB

MD5
c9878f6c7dc5418e61e00e715e4f34ec

SHA1
37d29c1f95336dce9763f30655fc70e4a50dd794

SHA256
90f37038b2909930bcc8ddb14ed52b93e758e0a88fbc658af3c54d0aefe75f31

SHA512
fd617fb3229b074376e38fdcce4db51d6e075272635b0b32960d9efe22fbec2a6181b8b68080f5702280eb305c95f5cc790ff58ad019c9ca89565e8e3d7f1825

Download Submit
C:\Windows\{C1C0C152-5D00-43b2-9DD7-483FE47C9E73}.exe

Filesize
372KB

MD5
c9878f6c7dc5418e61e00e715e4f34ec

SHA1
37d29c1f95336dce9763f30655fc70e4a50dd794

SHA256
90f37038b2909930bcc8ddb14ed52b93e758e0a88fbc658af3c54d0aefe75f31

SHA512
fd617fb3229b074376e38fdcce4db51d6e075272635b0b32960d9efe22fbec2a6181b8b68080f5702280eb305c95f5cc790ff58ad019c9ca89565e8e3d7f1825

Download Submit
C:\Windows\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe

Filesize
372KB

MD5
70c14f0466a9fd5bd36bbfbec2af94b0

SHA1
ca98c65787999b3cc1c6ce6844a0ab50667e47a3

SHA256
6b51d562f698766f954b7101647223252c34dd378cfd819d4b81048efc8a22d8

SHA512
f11ac259c68d66f21834fce78df35d024a71326f33285bc3ec27044163f833cd2fc836d9e5980f25752df976b9902ce06b976701b5ff89ff91e6816128ac7b3b

Download Submit
C:\Windows\{DCF2E57E-2C28-4160-BC48-94BC4C8D8114}.exe

Filesize
372KB

MD5
70c14f0466a9fd5bd36bbfbec2af94b0

SHA1
ca98c65787999b3cc1c6ce6844a0ab50667e47a3

SHA256
6b51d562f698766f954b7101647223252c34dd378cfd819d4b81048efc8a22d8

SHA512
f11ac259c68d66f21834fce78df35d024a71326f33285bc3ec27044163f833cd2fc836d9e5980f25752df976b9902ce06b976701b5ff89ff91e6816128ac7b3b

Download Submit
C:\Windows\{E129F720-6A1F-4930-BA9A-79F08021111B}.exe

Filesize
372KB

MD5
b9ecd399cbb469c4b52868cc3c58308c

SHA1
d8cbd5d30ad149b09d2bc0a4152973f58dab0f73

SHA256
3b08e99439659ed9dbcd93380857cb436ae6a18340216630f1b75aebfbfbc930

SHA512
5889fa0539ab8fddcbb596d3cfeb5ef2a9cd9cff062a9186ee7c1e3805234682b8d7ddb0b759b387e2c9f7f5ff6e6c1cb3b9676d9489435446a5161accc27b0f

Download Submit
C:\Windows\{E129F720-6A1F-4930-BA9A-79F08021111B}.exe

Filesize
372KB

MD5
b9ecd399cbb469c4b52868cc3c58308c

SHA1
d8cbd5d30ad149b09d2bc0a4152973f58dab0f73

SHA256
3b08e99439659ed9dbcd93380857cb436ae6a18340216630f1b75aebfbfbc930

SHA512
5889fa0539ab8fddcbb596d3cfeb5ef2a9cd9cff062a9186ee7c1e3805234682b8d7ddb0b759b387e2c9f7f5ff6e6c1cb3b9676d9489435446a5161accc27b0f

Download Submit
C:\Windows\{F7EFCB31-E8FF-48f5-90D9-843672EB5607}.exe

Filesize
372KB

MD5
a0bf9a0b9a5139e40599c726895fd66e

SHA1
cea9abbab3d3ee1cd320c1dfa1bb09fa16f96acd

SHA256
4986e761a376a5ae34f3b530621aa0e498063db485228d7b23ad5c446d44db91

SHA512
6db00877ad4afe89bdb6d489f203f52c36636121054d5729656ce0739411ec09f7a9fef9f3d0ab4075115732357c751e60421de456ce2762900904e68784df67

Download Submit