8f50d2307223b6bfa4f5d400a352c4d26e65a1103f0529e501e2c2238880805a

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7b02348b7f51exeexeexeex.exe
Size

372KB
MD5

0f7b02348b7f517800d67f56c78dbcef
SHA1

e069d47d34cc39a805f0c061933e85e0fbca7290
SHA256

8f50d2307223b6bfa4f5d400a352c4d26e65a1103f0529e501e2c2238880805a
SHA512

a58893a8c48283404bafdbb4c2f2beb08d0036243d1a9353e617a3025e003b7a08fccd655a0f8f4be704cbc840960b2d43ed0245777c98c0ccd56cc5a659dfd0
SSDEEP

3072:CEGh0otmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGKl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}\stubpath = "C:\\Windows\\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe"	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}\stubpath = "C:\\Windows\\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe"	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}\stubpath = "C:\\Windows\\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe"	{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}\stubpath = "C:\\Windows\\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe"	0f7b02348b7f51exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8635DEB3-E062-4ec6-9541-6955369116A7}\stubpath = "C:\\Windows\\{8635DEB3-E062-4ec6-9541-6955369116A7}.exe"	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}\stubpath = "C:\\Windows\\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe"	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}	{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76CC97DC-47C1-49b7-971E-C77190857F88}	{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F01E5D-911A-4508-9E72-900A07E374B3}	{76CC97DC-47C1-49b7-971E-C77190857F88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}\stubpath = "C:\\Windows\\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe"	{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}\stubpath = "C:\\Windows\\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe"	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}	{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}\stubpath = "C:\\Windows\\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe"	{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F01E5D-911A-4508-9E72-900A07E374B3}\stubpath = "C:\\Windows\\{45F01E5D-911A-4508-9E72-900A07E374B3}.exe"	{76CC97DC-47C1-49b7-971E-C77190857F88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}	0f7b02348b7f51exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8635DEB3-E062-4ec6-9541-6955369116A7}	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}\stubpath = "C:\\Windows\\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe"	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}\stubpath = "C:\\Windows\\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe"	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}	{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76CC97DC-47C1-49b7-971E-C77190857F88}\stubpath = "C:\\Windows\\{76CC97DC-47C1-49b7-971E-C77190857F88}.exe"	{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
2356	{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe
2632	{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
2812	{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
3068	{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe
2524	{76CC97DC-47C1-49b7-971E-C77190857F88}.exe
2536	{45F01E5D-911A-4508-9E72-900A07E374B3}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
File created	C:\Windows\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe	{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
File created	C:\Windows\{76CC97DC-47C1-49b7-971E-C77190857F88}.exe	{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe
File created	C:\Windows\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	0f7b02348b7f51exeexeexeex.exe
File created	C:\Windows\{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
File created	C:\Windows\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
File created	C:\Windows\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
File created	C:\Windows\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe	{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
File created	C:\Windows\{45F01E5D-911A-4508-9E72-900A07E374B3}.exe	{76CC97DC-47C1-49b7-971E-C77190857F88}.exe
File created	C:\Windows\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
File created	C:\Windows\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
File created	C:\Windows\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
File created	C:\Windows\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe	{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	852	0f7b02348b7f51exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
Token: SeIncBasePriorityPrivilege	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
Token: SeIncBasePriorityPrivilege	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
Token: SeIncBasePriorityPrivilege	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
Token: SeIncBasePriorityPrivilege	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
Token: SeIncBasePriorityPrivilege	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
Token: SeIncBasePriorityPrivilege	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
Token: SeIncBasePriorityPrivilege	2356	{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe
Token: SeIncBasePriorityPrivilege	2632	{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
Token: SeIncBasePriorityPrivilege	2812	{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
Token: SeIncBasePriorityPrivilege	3068	{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe
Token: SeIncBasePriorityPrivilege	2524	{76CC97DC-47C1-49b7-971E-C77190857F88}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2404	852	0f7b02348b7f51exeexeexeex.exe	28
PID 852 wrote to memory of 2404	852	0f7b02348b7f51exeexeexeex.exe	28
PID 852 wrote to memory of 2404	852	0f7b02348b7f51exeexeexeex.exe	28
PID 852 wrote to memory of 2404	852	0f7b02348b7f51exeexeexeex.exe	28
PID 852 wrote to memory of 3060	852	0f7b02348b7f51exeexeexeex.exe	29
PID 852 wrote to memory of 3060	852	0f7b02348b7f51exeexeexeex.exe	29
PID 852 wrote to memory of 3060	852	0f7b02348b7f51exeexeexeex.exe	29
PID 852 wrote to memory of 3060	852	0f7b02348b7f51exeexeexeex.exe	29
PID 2404 wrote to memory of 1112	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	30
PID 2404 wrote to memory of 1112	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	30
PID 2404 wrote to memory of 1112	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	30
PID 2404 wrote to memory of 1112	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	30
PID 2404 wrote to memory of 2960	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	31
PID 2404 wrote to memory of 2960	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	31
PID 2404 wrote to memory of 2960	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	31
PID 2404 wrote to memory of 2960	2404	{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe	31
PID 1112 wrote to memory of 1452	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	32
PID 1112 wrote to memory of 1452	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	32
PID 1112 wrote to memory of 1452	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	32
PID 1112 wrote to memory of 1452	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	32
PID 1112 wrote to memory of 2252	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	33
PID 1112 wrote to memory of 2252	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	33
PID 1112 wrote to memory of 2252	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	33
PID 1112 wrote to memory of 2252	1112	{8635DEB3-E062-4ec6-9541-6955369116A7}.exe	33
PID 1452 wrote to memory of 876	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	34
PID 1452 wrote to memory of 876	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	34
PID 1452 wrote to memory of 876	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	34
PID 1452 wrote to memory of 876	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	34
PID 1452 wrote to memory of 908	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	35
PID 1452 wrote to memory of 908	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	35
PID 1452 wrote to memory of 908	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	35
PID 1452 wrote to memory of 908	1452	{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe	35
PID 876 wrote to memory of 2164	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	36
PID 876 wrote to memory of 2164	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	36
PID 876 wrote to memory of 2164	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	36
PID 876 wrote to memory of 2164	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	36
PID 876 wrote to memory of 1508	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	37
PID 876 wrote to memory of 1508	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	37
PID 876 wrote to memory of 1508	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	37
PID 876 wrote to memory of 1508	876	{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe	37
PID 2164 wrote to memory of 2148	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	38
PID 2164 wrote to memory of 2148	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	38
PID 2164 wrote to memory of 2148	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	38
PID 2164 wrote to memory of 2148	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	38
PID 2164 wrote to memory of 1428	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	39
PID 2164 wrote to memory of 1428	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	39
PID 2164 wrote to memory of 1428	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	39
PID 2164 wrote to memory of 1428	2164	{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe	39
PID 2148 wrote to memory of 2152	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	41
PID 2148 wrote to memory of 2152	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	41
PID 2148 wrote to memory of 2152	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	41
PID 2148 wrote to memory of 2152	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	41
PID 2148 wrote to memory of 2220	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	40
PID 2148 wrote to memory of 2220	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	40
PID 2148 wrote to memory of 2220	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	40
PID 2148 wrote to memory of 2220	2148	{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe	40
PID 2152 wrote to memory of 2356	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	42
PID 2152 wrote to memory of 2356	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	42
PID 2152 wrote to memory of 2356	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	42
PID 2152 wrote to memory of 2356	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	42
PID 2152 wrote to memory of 2576	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	43
PID 2152 wrote to memory of 2576	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	43
PID 2152 wrote to memory of 2576	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	43
PID 2152 wrote to memory of 2576	2152	{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe	43

C:\Users\Admin\AppData\Local\Temp\0f7b02348b7f51exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0f7b02348b7f51exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
  C:\Windows\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
    C:\Windows\{8635DEB3-E062-4ec6-9541-6955369116A7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
      C:\Windows\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
        
        C:\Windows\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
        
        C:\Windows\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
        
        C:\Windows\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42C4C~1.EXE > nul
        8⤵
        
        PID:2220
        
        C:\Windows\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
        
        C:\Windows\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe
        
        C:\Windows\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
        
        C:\Windows\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
        
        C:\Windows\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{785B4~1.EXE > nul
        12⤵
        
        PID:2652
        
        C:\Windows\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe
        
        C:\Windows\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95BAF~1.EXE > nul
        13⤵
        
        PID:2872
        
        C:\Windows\{76CC97DC-47C1-49b7-971E-C77190857F88}.exe
        
        C:\Windows\{76CC97DC-47C1-49b7-971E-C77190857F88}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76CC9~1.EXE > nul
        14⤵
        
        PID:2492
        
        C:\Windows\{45F01E5D-911A-4508-9E72-900A07E374B3}.exe
        
        C:\Windows\{45F01E5D-911A-4508-9E72-900A07E374B3}.exe
        14⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC9A3~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFFAF~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37FFF~1.EXE > nul
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C90B5~1.EXE > nul
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92CCB~1.EXE > nul
        6⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7592~1.EXE > nul
        5⤵
        
        PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8635D~1.EXE > nul
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AEFF8~1.EXE > nul
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F7B02~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe

Filesize
372KB

MD5
371a4e62de6686a7f85131c77a74c8d7

SHA1
1aa006871dc69dc3a61d197340c57d7c31250224

SHA256
3260264433e659d06ac052606506e2144c689a6191f15cdb5606d5c9c8ff785a

SHA512
211c3259ed45ab79768272b3b979eac88481ae54c99cfdb2e4f504582fdc65695444738a78b0bb7e672853be5dfb5bb3ea1ded20715f552a47f32f78d9dfa47e

Download Submit
C:\Windows\{37FFFDD6-E075-462e-9CA9-8110CECBA0D4}.exe

Filesize
372KB

MD5
371a4e62de6686a7f85131c77a74c8d7

SHA1
1aa006871dc69dc3a61d197340c57d7c31250224

SHA256
3260264433e659d06ac052606506e2144c689a6191f15cdb5606d5c9c8ff785a

SHA512
211c3259ed45ab79768272b3b979eac88481ae54c99cfdb2e4f504582fdc65695444738a78b0bb7e672853be5dfb5bb3ea1ded20715f552a47f32f78d9dfa47e

Download Submit
C:\Windows\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe

Filesize
372KB

MD5
691870f21175e4fa21dfe5be4aa6e207

SHA1
02f66742123aaa54cd78847ba7c9eea34bd1ac1c

SHA256
356de47fc234298a1a8c6bb267726742d2ca87e99209c78bc31a361982f60ea9

SHA512
0aacafd2014f09ee8a2a639a592bde785dfde75cff1fbcfac3cbe0e6fe5890695936bcf27f9216c6225e5285636303ab04f6c1abe5dabe171e942acc28c206d6

Download Submit
C:\Windows\{42C4CC88-0143-4a3d-A6E2-397B6B9D2746}.exe

Filesize
372KB

MD5
691870f21175e4fa21dfe5be4aa6e207

SHA1
02f66742123aaa54cd78847ba7c9eea34bd1ac1c

SHA256
356de47fc234298a1a8c6bb267726742d2ca87e99209c78bc31a361982f60ea9

SHA512
0aacafd2014f09ee8a2a639a592bde785dfde75cff1fbcfac3cbe0e6fe5890695936bcf27f9216c6225e5285636303ab04f6c1abe5dabe171e942acc28c206d6

Download Submit
C:\Windows\{45F01E5D-911A-4508-9E72-900A07E374B3}.exe

Filesize
372KB

MD5
4c45e8fc3d316de17dd096d59e6a76a7

SHA1
c8297f98a8d9a66f868eec398fdd73524479f40a

SHA256
59ee10cc3b22bc700e8391b504c69f2b78c7451d5ecafbe19aee3e82231ec4eb

SHA512
67338b8a452e8818e6e967cd2f755a0b471b0936fe1bea65f00de469660a97b06c48a93786607ee2d62b38e478668f4cf733f7921db01a3fe1c48fe14dff3559

Download Submit
C:\Windows\{76CC97DC-47C1-49b7-971E-C77190857F88}.exe

Filesize
372KB

MD5
d9e2a541f0674ac5040e744a7cca9b38

SHA1
594b928556f5cb5adef01d501f4bf340aff92fd2

SHA256
c7b5c685e6fc2864663cd792fbfb38a0ffc20cdea9c6a53584628eb883f28451

SHA512
3e6b19283c84e9cb1d15b51fff4e05f10ecfe7af87d36d3a31c31f772e36f0e15b9ca11e948129a9a3119c0068cbbc1601a9dabf2663d7df8a9d1e5cabba59ba

Download Submit
C:\Windows\{76CC97DC-47C1-49b7-971E-C77190857F88}.exe

Filesize
372KB

MD5
d9e2a541f0674ac5040e744a7cca9b38

SHA1
594b928556f5cb5adef01d501f4bf340aff92fd2

SHA256
c7b5c685e6fc2864663cd792fbfb38a0ffc20cdea9c6a53584628eb883f28451

SHA512
3e6b19283c84e9cb1d15b51fff4e05f10ecfe7af87d36d3a31c31f772e36f0e15b9ca11e948129a9a3119c0068cbbc1601a9dabf2663d7df8a9d1e5cabba59ba

Download Submit
C:\Windows\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe

Filesize
372KB

MD5
63c7ad1b5f0534a4ea98c0a679053205

SHA1
ce44c1e11b34238a5d261389b5f9db26100c4994

SHA256
96d1716643f122d6cf44ea5ef7e7edfd070a29bab2ea3fcd8311b3c018a85b0c

SHA512
eed6342d44630b02949b65791127cd3a9c96ace358d48bed330aa676c108a1e0fa769b9f0bfee621a6d7bce5cc57fe54041d2975ee92e053a580ce49fac42b3a

Download Submit
C:\Windows\{785B496F-1CB8-4f63-BFF3-AB41C2A8912F}.exe

Filesize
372KB

MD5
63c7ad1b5f0534a4ea98c0a679053205

SHA1
ce44c1e11b34238a5d261389b5f9db26100c4994

SHA256
96d1716643f122d6cf44ea5ef7e7edfd070a29bab2ea3fcd8311b3c018a85b0c

SHA512
eed6342d44630b02949b65791127cd3a9c96ace358d48bed330aa676c108a1e0fa769b9f0bfee621a6d7bce5cc57fe54041d2975ee92e053a580ce49fac42b3a

Download Submit
C:\Windows\{8635DEB3-E062-4ec6-9541-6955369116A7}.exe

Filesize
372KB

MD5
0631890a1b558e662a03b421f2250414

SHA1
81537e23c9ec568709003c81d1291b0e1438abb7

SHA256
ba3604e29a4c74fd9063f979e1b41cf11e9230a030e6d7ef5a42ed701853b5c3

SHA512
11e8281091c0b64c7dc461387cb9dba81b7951c2d57101749858fb02bc9653ae21202596148eb119cff685427683c8c8803dd4cfa06a1294aea3c80c36b25355

Download Submit
C:\Windows\{8635DEB3-E062-4ec6-9541-6955369116A7}.exe

Filesize
372KB

MD5
0631890a1b558e662a03b421f2250414

SHA1
81537e23c9ec568709003c81d1291b0e1438abb7

SHA256
ba3604e29a4c74fd9063f979e1b41cf11e9230a030e6d7ef5a42ed701853b5c3

SHA512
11e8281091c0b64c7dc461387cb9dba81b7951c2d57101749858fb02bc9653ae21202596148eb119cff685427683c8c8803dd4cfa06a1294aea3c80c36b25355

Download Submit
C:\Windows\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe

Filesize
372KB

MD5
7d7000dbdcccdb0a9318d95f0d85c63f

SHA1
3f6257d23ffafabf507649a369a2d33fe311bc98

SHA256
72e62c4ad6c42684e16785ef7168173f63da92277c8efc1b8c34866209128798

SHA512
2daaf8df57be4ff15d75b3a3ec9ae3a9dbd4429f261905fe05e318cd5dfe5f1e0b788e17c0e98bb3a8ff573e9a6a1d6cf643f7c84a5bcc7e297c870916e6db4a

Download Submit
C:\Windows\{92CCB37B-8AD2-4b22-AD82-C4F17C983C7A}.exe

Filesize
372KB

MD5
7d7000dbdcccdb0a9318d95f0d85c63f

SHA1
3f6257d23ffafabf507649a369a2d33fe311bc98

SHA256
72e62c4ad6c42684e16785ef7168173f63da92277c8efc1b8c34866209128798

SHA512
2daaf8df57be4ff15d75b3a3ec9ae3a9dbd4429f261905fe05e318cd5dfe5f1e0b788e17c0e98bb3a8ff573e9a6a1d6cf643f7c84a5bcc7e297c870916e6db4a

Download Submit
C:\Windows\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe

Filesize
372KB

MD5
2f36962c635e505893f9da8d00842450

SHA1
abce8675b1a1e7556513b0dd0fc19bbf859225ce

SHA256
c7421613d2239f4f75f447357ec8c911b8b4643277b1da5f0147aed6cdd97efa

SHA512
453defeb666e4923f0dda8ecfa91124ae4fc15c54bd4068527a6a1fa1d8efb2715d8cc5bc4f95bc484ffe5d77c998334103276448b66fceb62308b3ac8cd8d50

Download Submit
C:\Windows\{95BAF173-429C-4d7a-B1C0-C9AD88913EEB}.exe

Filesize
372KB

MD5
2f36962c635e505893f9da8d00842450

SHA1
abce8675b1a1e7556513b0dd0fc19bbf859225ce

SHA256
c7421613d2239f4f75f447357ec8c911b8b4643277b1da5f0147aed6cdd97efa

SHA512
453defeb666e4923f0dda8ecfa91124ae4fc15c54bd4068527a6a1fa1d8efb2715d8cc5bc4f95bc484ffe5d77c998334103276448b66fceb62308b3ac8cd8d50

Download Submit
C:\Windows\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe

Filesize
372KB

MD5
acebf10a9a5a97f295dfdb19be472fa9

SHA1
57891e5b8aba0d4f9b346bf4f353482984a546e5

SHA256
0c9f8597b36ed9a6ea2b8ae2cff9009ce86302e190db938362bcc863b8b3e400

SHA512
f74fb23c59ef2e0bfc27523f493c91867e4636f4f1391e8ef0651778de49d4829c4e0746a0675cd4e45faf490e58b7ec810d542377cd11e16057c1bcef93b64a

Download Submit
C:\Windows\{AC9A35BD-4293-48f6-A7E1-8D285B5CF64D}.exe

Filesize
372KB

MD5
acebf10a9a5a97f295dfdb19be472fa9

SHA1
57891e5b8aba0d4f9b346bf4f353482984a546e5

SHA256
0c9f8597b36ed9a6ea2b8ae2cff9009ce86302e190db938362bcc863b8b3e400

SHA512
f74fb23c59ef2e0bfc27523f493c91867e4636f4f1391e8ef0651778de49d4829c4e0746a0675cd4e45faf490e58b7ec810d542377cd11e16057c1bcef93b64a

Download Submit
C:\Windows\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe

Filesize
372KB

MD5
c814d4d67aadf89bcd5743bf1f2327c6

SHA1
d84b597d04e4fb7543836d930ff83d987cd2f14d

SHA256
068cf1538f5fbe97d5b3e40e590130a22b8341d3fd2a840f81bb105b146d1518

SHA512
d53e579fe9b5a947d490bdfde2dd31d837333cf9079989de47bcebfc2c5086ccb7248b48313f1923a00559dcf4d91775b418143f07737523e393a1f0d5c0f12e

Download Submit
C:\Windows\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe

Filesize
372KB

MD5
c814d4d67aadf89bcd5743bf1f2327c6

SHA1
d84b597d04e4fb7543836d930ff83d987cd2f14d

SHA256
068cf1538f5fbe97d5b3e40e590130a22b8341d3fd2a840f81bb105b146d1518

SHA512
d53e579fe9b5a947d490bdfde2dd31d837333cf9079989de47bcebfc2c5086ccb7248b48313f1923a00559dcf4d91775b418143f07737523e393a1f0d5c0f12e

Download Submit
C:\Windows\{AEFF83A2-44B1-415b-B9AC-EC68921A83FF}.exe

Filesize
372KB

MD5
c814d4d67aadf89bcd5743bf1f2327c6

SHA1
d84b597d04e4fb7543836d930ff83d987cd2f14d

SHA256
068cf1538f5fbe97d5b3e40e590130a22b8341d3fd2a840f81bb105b146d1518

SHA512
d53e579fe9b5a947d490bdfde2dd31d837333cf9079989de47bcebfc2c5086ccb7248b48313f1923a00559dcf4d91775b418143f07737523e393a1f0d5c0f12e

Download Submit
C:\Windows\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe

Filesize
372KB

MD5
285987f091b710f11a27f602aead9913

SHA1
0e2cb97ea3f38cf4c4844a8e38ec4fcd9ecf6f64

SHA256
ecb7b69e18ef60bffdc98ece3136563176151d19c0bc8929ac24f1898de4cb02

SHA512
f84af05e827dadf775828edc95c56dec1dbe09632c8c03fb052860c35882f1e7170896025f50804fb0bf722bea5030dbe20410dedd8a0221446caa4237b69221

Download Submit
C:\Windows\{C90B5B4B-BA7C-4787-B2B2-0FB9EF607D31}.exe

Filesize
372KB

MD5
285987f091b710f11a27f602aead9913

SHA1
0e2cb97ea3f38cf4c4844a8e38ec4fcd9ecf6f64

SHA256
ecb7b69e18ef60bffdc98ece3136563176151d19c0bc8929ac24f1898de4cb02

SHA512
f84af05e827dadf775828edc95c56dec1dbe09632c8c03fb052860c35882f1e7170896025f50804fb0bf722bea5030dbe20410dedd8a0221446caa4237b69221

Download Submit
C:\Windows\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe

Filesize
372KB

MD5
743ec7341b17f36780666a4abff09b35

SHA1
ce38dda9fa1d887af51a9afac41f99d17d27a556

SHA256
31bdfb918c30ea7b2a7e428e6a81ee111a4218c128772950827549d71ded83f0

SHA512
4932458d98e1ccea4be88d0b40d776a790ae568b3b76d1160d7e45c6f8ff1f9ba8c251b388ed8170de097a3ebec9b45bb9e11050e5caa42f2201f3ff62f3576d

Download Submit
C:\Windows\{E7592ABF-7F71-4bfb-8179-6A8E9FF81485}.exe

Filesize
372KB

MD5
743ec7341b17f36780666a4abff09b35

SHA1
ce38dda9fa1d887af51a9afac41f99d17d27a556

SHA256
31bdfb918c30ea7b2a7e428e6a81ee111a4218c128772950827549d71ded83f0

SHA512
4932458d98e1ccea4be88d0b40d776a790ae568b3b76d1160d7e45c6f8ff1f9ba8c251b388ed8170de097a3ebec9b45bb9e11050e5caa42f2201f3ff62f3576d

Download Submit
C:\Windows\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe

Filesize
372KB

MD5
edae4eee6b425d1b208a7e26d997e9ff

SHA1
844ac34652a4fdaa31833df53ff927b93ffc2fa6

SHA256
a75a926633effe8c80eb7531073f09bc11b0133ebb74360f01aa7be87054e823

SHA512
13fc51223a2bcbc5af2075e717ec9e50a4f3f3d8cc8ee0bb2c468eefd30f65efc6fb595afe0077b6e09b40c1b47207230cec55d02d530bc2c529a001be05514c

Download Submit
C:\Windows\{EFFAFA30-0BF6-464e-84F4-EAD26705D1F8}.exe

Filesize
372KB

MD5
edae4eee6b425d1b208a7e26d997e9ff

SHA1
844ac34652a4fdaa31833df53ff927b93ffc2fa6

SHA256
a75a926633effe8c80eb7531073f09bc11b0133ebb74360f01aa7be87054e823

SHA512
13fc51223a2bcbc5af2075e717ec9e50a4f3f3d8cc8ee0bb2c468eefd30f65efc6fb595afe0077b6e09b40c1b47207230cec55d02d530bc2c529a001be05514c

Download Submit