2de1eeaed5c46389f4f492d6e855e8de4774f8d7bc11953960aab9c652594c5a

Analysis

max time kernel
145s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 16:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c04d3bee8c694exeexeexeex.exe
Size

192KB
MD5

0c04d3bee8c69412132726c53b548f65
SHA1

bd28993e59c5b219c75bcbf93befa40df5005038
SHA256

2de1eeaed5c46389f4f492d6e855e8de4774f8d7bc11953960aab9c652594c5a
SHA512

0d29ab70c690dbf2bf7c49ecfabd8e5068ba306c3f5df59ed2051d306c9a00fdcf182f1593c684bebc47e7f1de3fb9e75db2d7040c4eb8ad7906d936c1202ec0
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oDl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}\stubpath = "C:\\Windows\\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe"	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}\stubpath = "C:\\Windows\\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe"	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}\stubpath = "C:\\Windows\\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe"	{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C9A4812-F577-453f-8D02-BB1610923403}\stubpath = "C:\\Windows\\{5C9A4812-F577-453f-8D02-BB1610923403}.exe"	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8053A94-8DF4-4150-BFED-6103782D5ECF}	{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}\stubpath = "C:\\Windows\\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe"	0c04d3bee8c694exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}\stubpath = "C:\\Windows\\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe"	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D784065-83D8-4a51-A427-58E61338B9E9}\stubpath = "C:\\Windows\\{1D784065-83D8-4a51-A427-58E61338B9E9}.exe"	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43703FC-0688-45ff-A3FB-B45D5CADE958}	{5C9A4812-F577-453f-8D02-BB1610923403}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43703FC-0688-45ff-A3FB-B45D5CADE958}\stubpath = "C:\\Windows\\{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe"	{5C9A4812-F577-453f-8D02-BB1610923403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}	{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}\stubpath = "C:\\Windows\\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}.exe"	{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6AB4CC-037D-4107-9688-07E94189847A}\stubpath = "C:\\Windows\\{EB6AB4CC-037D-4107-9688-07E94189847A}.exe"	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}\stubpath = "C:\\Windows\\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe"	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6AB4CC-037D-4107-9688-07E94189847A}	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D784065-83D8-4a51-A427-58E61338B9E9}	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C9A4812-F577-453f-8D02-BB1610923403}	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8053A94-8DF4-4150-BFED-6103782D5ECF}\stubpath = "C:\\Windows\\{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe"	{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}	{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}\stubpath = "C:\\Windows\\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe"	{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}	0c04d3bee8c694exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}	{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
1104	{5C9A4812-F577-453f-8D02-BB1610923403}.exe
2228	{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
2744	{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
2592	{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
2672	{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe
2640	{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
File created	C:\Windows\{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
File created	C:\Windows\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe	{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
File created	C:\Windows\{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
File created	C:\Windows\{5C9A4812-F577-453f-8D02-BB1610923403}.exe	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
File created	C:\Windows\{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe	{5C9A4812-F577-453f-8D02-BB1610923403}.exe
File created	C:\Windows\{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe	{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
File created	C:\Windows\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	0c04d3bee8c694exeexeexeex.exe
File created	C:\Windows\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
File created	C:\Windows\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
File created	C:\Windows\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
File created	C:\Windows\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe	{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
File created	C:\Windows\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}.exe	{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	0c04d3bee8c694exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
Token: SeIncBasePriorityPrivilege	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
Token: SeIncBasePriorityPrivilege	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
Token: SeIncBasePriorityPrivilege	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
Token: SeIncBasePriorityPrivilege	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
Token: SeIncBasePriorityPrivilege	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
Token: SeIncBasePriorityPrivilege	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
Token: SeIncBasePriorityPrivilege	1104	{5C9A4812-F577-453f-8D02-BB1610923403}.exe
Token: SeIncBasePriorityPrivilege	2228	{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
Token: SeIncBasePriorityPrivilege	2744	{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
Token: SeIncBasePriorityPrivilege	2592	{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
Token: SeIncBasePriorityPrivilege	2672	{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2336	2180	0c04d3bee8c694exeexeexeex.exe	28
PID 2180 wrote to memory of 2336	2180	0c04d3bee8c694exeexeexeex.exe	28
PID 2180 wrote to memory of 2336	2180	0c04d3bee8c694exeexeexeex.exe	28
PID 2180 wrote to memory of 2336	2180	0c04d3bee8c694exeexeexeex.exe	28
PID 2180 wrote to memory of 2344	2180	0c04d3bee8c694exeexeexeex.exe	29
PID 2180 wrote to memory of 2344	2180	0c04d3bee8c694exeexeexeex.exe	29
PID 2180 wrote to memory of 2344	2180	0c04d3bee8c694exeexeexeex.exe	29
PID 2180 wrote to memory of 2344	2180	0c04d3bee8c694exeexeexeex.exe	29
PID 2336 wrote to memory of 2280	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	30
PID 2336 wrote to memory of 2280	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	30
PID 2336 wrote to memory of 2280	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	30
PID 2336 wrote to memory of 2280	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	30
PID 2336 wrote to memory of 2368	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	31
PID 2336 wrote to memory of 2368	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	31
PID 2336 wrote to memory of 2368	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	31
PID 2336 wrote to memory of 2368	2336	{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe	31
PID 2280 wrote to memory of 2980	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	33
PID 2280 wrote to memory of 2980	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	33
PID 2280 wrote to memory of 2980	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	33
PID 2280 wrote to memory of 2980	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	33
PID 2280 wrote to memory of 3064	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	32
PID 2280 wrote to memory of 3064	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	32
PID 2280 wrote to memory of 3064	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	32
PID 2280 wrote to memory of 3064	2280	{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe	32
PID 2980 wrote to memory of 2904	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	35
PID 2980 wrote to memory of 2904	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	35
PID 2980 wrote to memory of 2904	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	35
PID 2980 wrote to memory of 2904	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	35
PID 2980 wrote to memory of 2436	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	34
PID 2980 wrote to memory of 2436	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	34
PID 2980 wrote to memory of 2436	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	34
PID 2980 wrote to memory of 2436	2980	{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe	34
PID 2904 wrote to memory of 1892	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	36
PID 2904 wrote to memory of 1892	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	36
PID 2904 wrote to memory of 1892	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	36
PID 2904 wrote to memory of 1892	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	36
PID 2904 wrote to memory of 1208	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	37
PID 2904 wrote to memory of 1208	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	37
PID 2904 wrote to memory of 1208	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	37
PID 2904 wrote to memory of 1208	2904	{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe	37
PID 1892 wrote to memory of 2240	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	38
PID 1892 wrote to memory of 2240	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	38
PID 1892 wrote to memory of 2240	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	38
PID 1892 wrote to memory of 2240	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	38
PID 1892 wrote to memory of 2248	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	39
PID 1892 wrote to memory of 2248	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	39
PID 1892 wrote to memory of 2248	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	39
PID 1892 wrote to memory of 2248	1892	{EB6AB4CC-037D-4107-9688-07E94189847A}.exe	39
PID 2240 wrote to memory of 1524	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	40
PID 2240 wrote to memory of 1524	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	40
PID 2240 wrote to memory of 1524	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	40
PID 2240 wrote to memory of 1524	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	40
PID 2240 wrote to memory of 1680	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	41
PID 2240 wrote to memory of 1680	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	41
PID 2240 wrote to memory of 1680	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	41
PID 2240 wrote to memory of 1680	2240	{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe	41
PID 1524 wrote to memory of 1104	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	43
PID 1524 wrote to memory of 1104	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	43
PID 1524 wrote to memory of 1104	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	43
PID 1524 wrote to memory of 1104	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	43
PID 1524 wrote to memory of 2120	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	42
PID 1524 wrote to memory of 2120	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	42
PID 1524 wrote to memory of 2120	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	42
PID 1524 wrote to memory of 2120	1524	{1D784065-83D8-4a51-A427-58E61338B9E9}.exe	42

C:\Users\Admin\AppData\Local\Temp\0c04d3bee8c694exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0c04d3bee8c694exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
  C:\Windows\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
    C:\Windows\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC35~1.EXE > nul
      4⤵
      PID:3064
  - - C:\Windows\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
      C:\Windows\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16950~1.EXE > nul
        5⤵
        
        PID:2436
    - - C:\Windows\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
        
        C:\Windows\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
        
        C:\Windows\{EB6AB4CC-037D-4107-9688-07E94189847A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
        
        C:\Windows\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
        
        C:\Windows\{1D784065-83D8-4a51-A427-58E61338B9E9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D784~1.EXE > nul
        9⤵
        
        PID:2120
        
        C:\Windows\{5C9A4812-F577-453f-8D02-BB1610923403}.exe
        
        C:\Windows\{5C9A4812-F577-453f-8D02-BB1610923403}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
        
        C:\Windows\{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
        
        C:\Windows\{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8053~1.EXE > nul
        12⤵
        
        PID:2740
        
        C:\Windows\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
        
        C:\Windows\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe
        
        C:\Windows\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D12C5~1.EXE > nul
        14⤵
        
        PID:2604
        
        C:\Windows\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}.exe
        
        C:\Windows\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}.exe
        14⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8D6~1.EXE > nul
        13⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4370~1.EXE > nul
        11⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C9A4~1.EXE > nul
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AA93~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6AB~1.EXE > nul
        7⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{410EE~1.EXE > nul
        6⤵
        
        PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72532~1.EXE > nul
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0C04D3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe

Filesize
192KB

MD5
ba8e297b831fa26d2d849bbfd6a99a48

SHA1
2e7e93b612161d3580ec74a842270ed9009ecc36

SHA256
bdf1eaa21745908725c3c3dd08509050aa64f35f7adf7e358f5f0a03632d7a52

SHA512
3f4715fcd01aff533fce738e1e0feb970dee189d311b28cc1b51d1956804ab112098ada97191ebdd3e002578e220ef20774c89aca0600ac4628a32c3e06b2590

Download Submit
C:\Windows\{16950C75-53F5-41b5-BB36-FF88C2B54CE2}.exe

Filesize
192KB

MD5
ba8e297b831fa26d2d849bbfd6a99a48

SHA1
2e7e93b612161d3580ec74a842270ed9009ecc36

SHA256
bdf1eaa21745908725c3c3dd08509050aa64f35f7adf7e358f5f0a03632d7a52

SHA512
3f4715fcd01aff533fce738e1e0feb970dee189d311b28cc1b51d1956804ab112098ada97191ebdd3e002578e220ef20774c89aca0600ac4628a32c3e06b2590

Download Submit
C:\Windows\{1D784065-83D8-4a51-A427-58E61338B9E9}.exe

Filesize
192KB

MD5
5bb22b5f4d6d4fa6b013b7c7db52b6af

SHA1
071a2781ed1a8aa79328f92fd8fdf30cdbe885b2

SHA256
d11c85e486d1e988c38901b2e17fffe2339c9d6d0b440edcd862ded3673871bc

SHA512
34a8549c59e0199f6ffd62407a7799467f5122d32d5b8d7af137f3243bcf1f7312882ccb16f4f198bba8d5dac00dfe78e1e2b2aa3cdcf236c6164b63f270405b

Download Submit
C:\Windows\{1D784065-83D8-4a51-A427-58E61338B9E9}.exe

Filesize
192KB

MD5
5bb22b5f4d6d4fa6b013b7c7db52b6af

SHA1
071a2781ed1a8aa79328f92fd8fdf30cdbe885b2

SHA256
d11c85e486d1e988c38901b2e17fffe2339c9d6d0b440edcd862ded3673871bc

SHA512
34a8549c59e0199f6ffd62407a7799467f5122d32d5b8d7af137f3243bcf1f7312882ccb16f4f198bba8d5dac00dfe78e1e2b2aa3cdcf236c6164b63f270405b

Download Submit
C:\Windows\{1D9BDFD0-6FA2-4fdc-B4F1-9B96CE28C031}.exe

Filesize
192KB

MD5
bda00a1598ace1b034d46f8a158a405d

SHA1
ea84b6b200009b9eb47bad4677cd7de7ca61be51

SHA256
8118b5fff0c8003ceea75a11fe726bd76bf0d2b82b76348f50e8d8868025ab0f

SHA512
97a059e76ad2d0956591c59d4a3538e0f1e406702dd5209a7e302338e4880b1f487f797c1869e697b91bf0ecc4544b46683ba334c939450a9a7b0c2703cfe319

Download Submit
C:\Windows\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe

Filesize
192KB

MD5
bef91fda15a0aa5cba3090b83f3b25e5

SHA1
f949e4f37eab59a7469c7fa9ea2460c6845c710b

SHA256
4b1dabf22b0038152d9055e576f2ce6a32261f3cf391261526b6dce8a46af3e2

SHA512
64dde6e42da84653712b0121e33d57b677e0dc90a56eea2709a36a4b56beac67bbeb78dddb5c5e6af9c2c8bcdac294d269e0ac7f527466e2673218876a2c3d7f

Download Submit
C:\Windows\{1DC35CBD-E2D6-47ac-B54A-07872ED8A488}.exe

Filesize
192KB

MD5
bef91fda15a0aa5cba3090b83f3b25e5

SHA1
f949e4f37eab59a7469c7fa9ea2460c6845c710b

SHA256
4b1dabf22b0038152d9055e576f2ce6a32261f3cf391261526b6dce8a46af3e2

SHA512
64dde6e42da84653712b0121e33d57b677e0dc90a56eea2709a36a4b56beac67bbeb78dddb5c5e6af9c2c8bcdac294d269e0ac7f527466e2673218876a2c3d7f

Download Submit
C:\Windows\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe

Filesize
192KB

MD5
87a52e0d961b1590f459a39bfe714859

SHA1
35efe2222a8d5d3d5c6b536198db1d0a2df5fa6d

SHA256
df31dda5040c9519d6e536e8deb8aed2d920eb14969cfdf604efaa5b8776d4b6

SHA512
5c4598dd68d7c6ac83eb18e102a6e446d945781bb54cbe82acc0da1c2983641e10096ab8e4207e140f039889d0322807fb4f1b8d4d3e0ee7041e350798228137

Download Submit
C:\Windows\{410EE3DC-CE3D-4bbf-BEFB-FB9D3072788D}.exe

Filesize
192KB

MD5
87a52e0d961b1590f459a39bfe714859

SHA1
35efe2222a8d5d3d5c6b536198db1d0a2df5fa6d

SHA256
df31dda5040c9519d6e536e8deb8aed2d920eb14969cfdf604efaa5b8776d4b6

SHA512
5c4598dd68d7c6ac83eb18e102a6e446d945781bb54cbe82acc0da1c2983641e10096ab8e4207e140f039889d0322807fb4f1b8d4d3e0ee7041e350798228137

Download Submit
C:\Windows\{5C9A4812-F577-453f-8D02-BB1610923403}.exe

Filesize
192KB

MD5
837f0cbc25c12d69bf2e868b86af5394

SHA1
cde21626c21bd18bfcb9750b45ef507dd08759f4

SHA256
d92cbf9d3b413beb46f0129e5766286f5ddf1922af7d58e5ce8e0967b0370625

SHA512
ee6be5fffe63674629db2f16204d96e2e65eb102ad34e610a6daffd9ffaf248ce893360ad296630f86632f2cfc69726e53b0419ed73ae33b0d5dde7d9bd37ad7

Download Submit
C:\Windows\{5C9A4812-F577-453f-8D02-BB1610923403}.exe

Filesize
192KB

MD5
837f0cbc25c12d69bf2e868b86af5394

SHA1
cde21626c21bd18bfcb9750b45ef507dd08759f4

SHA256
d92cbf9d3b413beb46f0129e5766286f5ddf1922af7d58e5ce8e0967b0370625

SHA512
ee6be5fffe63674629db2f16204d96e2e65eb102ad34e610a6daffd9ffaf248ce893360ad296630f86632f2cfc69726e53b0419ed73ae33b0d5dde7d9bd37ad7

Download Submit
C:\Windows\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe

Filesize
192KB

MD5
e5aede5db3eb4784c1fef7f58558fad5

SHA1
3a64c096326c76557c0988604db436f1dfdf5bb3

SHA256
662c1c6ca0f343f46e28abfa7508bd10216b377298417b8234a40b9730a0d0fa

SHA512
fc333452a7dfcd599d415acabb8e1aeb249e9b8d75f53493b51b01957d5292e1965548d8c1ddb3f0bf484aa51cc8361735fc97845b8e7a1a4634d9c8a06288fd

Download Submit
C:\Windows\{6AA93BE5-1124-4ed7-AC47-A4BBFF59A124}.exe

Filesize
192KB

MD5
e5aede5db3eb4784c1fef7f58558fad5

SHA1
3a64c096326c76557c0988604db436f1dfdf5bb3

SHA256
662c1c6ca0f343f46e28abfa7508bd10216b377298417b8234a40b9730a0d0fa

SHA512
fc333452a7dfcd599d415acabb8e1aeb249e9b8d75f53493b51b01957d5292e1965548d8c1ddb3f0bf484aa51cc8361735fc97845b8e7a1a4634d9c8a06288fd

Download Submit
C:\Windows\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe

Filesize
192KB

MD5
9157ba0e02d5b73aaace3033e0f03976

SHA1
913e8666744e88a096565a49a0c82d0366ab1e94

SHA256
cc31c3afa7c9da5b83807bb57238cba89127b9bb4495853e32b024c96796f8a5

SHA512
d253e384b359a87dff5c560e50fc7e3e55cd99610911f18dd4d2d23a6d74e570af8726c14761dcd1efa0f3457f13f872873825df29da980e02759b97eae31383

Download Submit
C:\Windows\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe

Filesize
192KB

MD5
9157ba0e02d5b73aaace3033e0f03976

SHA1
913e8666744e88a096565a49a0c82d0366ab1e94

SHA256
cc31c3afa7c9da5b83807bb57238cba89127b9bb4495853e32b024c96796f8a5

SHA512
d253e384b359a87dff5c560e50fc7e3e55cd99610911f18dd4d2d23a6d74e570af8726c14761dcd1efa0f3457f13f872873825df29da980e02759b97eae31383

Download Submit
C:\Windows\{72532BB5-8E35-4d1b-80F5-6F88DB109D28}.exe

Filesize
192KB

MD5
9157ba0e02d5b73aaace3033e0f03976

SHA1
913e8666744e88a096565a49a0c82d0366ab1e94

SHA256
cc31c3afa7c9da5b83807bb57238cba89127b9bb4495853e32b024c96796f8a5

SHA512
d253e384b359a87dff5c560e50fc7e3e55cd99610911f18dd4d2d23a6d74e570af8726c14761dcd1efa0f3457f13f872873825df29da980e02759b97eae31383

Download Submit
C:\Windows\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe

Filesize
192KB

MD5
763594db8ea622575077fa5d9ba4906b

SHA1
3f5948fccfc659883e54ea39c1481c6ba3c6c813

SHA256
e896ee7b52e544e110f1d5aab66b76ebda0e5a00423fe89a94dedb4f8baf7506

SHA512
3e548f6ec2ba9c131bacc5fd20f595dc688ea5e5b62e95d1843db6c9b6d75dc5a8657162e83e545fa0ca3260b448085f4196e1c974218875a3499a85b2230229

Download Submit
C:\Windows\{AD8D6F2C-45FF-41c8-A3EE-1FA34A464771}.exe

Filesize
192KB

MD5
763594db8ea622575077fa5d9ba4906b

SHA1
3f5948fccfc659883e54ea39c1481c6ba3c6c813

SHA256
e896ee7b52e544e110f1d5aab66b76ebda0e5a00423fe89a94dedb4f8baf7506

SHA512
3e548f6ec2ba9c131bacc5fd20f595dc688ea5e5b62e95d1843db6c9b6d75dc5a8657162e83e545fa0ca3260b448085f4196e1c974218875a3499a85b2230229

Download Submit
C:\Windows\{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe

Filesize
192KB

MD5
8dac6fd5e5a89fc3c22912c9e388ee06

SHA1
76657f97ec6dc6886ecb9bb927fb62b31d0b9ce2

SHA256
02ccd831b3fae32164da2ed9731ac7a0d6c0c218d943b56083753c9e458a1860

SHA512
05a7e7ddaa96aa759310a03fa736de60c8e09a116f0b93949745c93bd055b7c379f0c50ae5b869668fe6bed9b1a9a98dcfa45c33f1cef049947d2cfcf104ca11

Download Submit
C:\Windows\{C43703FC-0688-45ff-A3FB-B45D5CADE958}.exe

Filesize
192KB

MD5
8dac6fd5e5a89fc3c22912c9e388ee06

SHA1
76657f97ec6dc6886ecb9bb927fb62b31d0b9ce2

SHA256
02ccd831b3fae32164da2ed9731ac7a0d6c0c218d943b56083753c9e458a1860

SHA512
05a7e7ddaa96aa759310a03fa736de60c8e09a116f0b93949745c93bd055b7c379f0c50ae5b869668fe6bed9b1a9a98dcfa45c33f1cef049947d2cfcf104ca11

Download Submit
C:\Windows\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe

Filesize
192KB

MD5
e6e0d93fea5a818bb59502972de12f87

SHA1
e8d7843d54c7089a72fd86f34fbc555c602bd15f

SHA256
564da6f9e740ca7b3d0a49b110712d3329a88204578c5ea6765d63fac4011b79

SHA512
ecb3441a92517069a192d22c940e39ff88ebb7cd3201a53fc7090bba2bfeb75c55fe135e7633524a4211d8e46d6ba2c496fb02151a578535a817943b05124fb4

Download Submit
C:\Windows\{D12C5E5C-A3B1-45ab-8B9B-13F5E092573E}.exe

Filesize
192KB

MD5
e6e0d93fea5a818bb59502972de12f87

SHA1
e8d7843d54c7089a72fd86f34fbc555c602bd15f

SHA256
564da6f9e740ca7b3d0a49b110712d3329a88204578c5ea6765d63fac4011b79

SHA512
ecb3441a92517069a192d22c940e39ff88ebb7cd3201a53fc7090bba2bfeb75c55fe135e7633524a4211d8e46d6ba2c496fb02151a578535a817943b05124fb4

Download Submit
C:\Windows\{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe

Filesize
192KB

MD5
67aad7a4387c8fadfa52eb608169f0ab

SHA1
76bae0f00a224ef35b2191a57072ee62edaac51e

SHA256
3e42881b42b606437e4b2873f5e43a4a9197844b83230d27291371d0fa80a432

SHA512
cd204177472ab16ff250a2ac97130acbb5009cbf77896a0348683d930511c3d8dcb305edb63fe8ad3d74fae6e82192bb53c4fe7c6dd6946c92144715801887c3

Download Submit
C:\Windows\{E8053A94-8DF4-4150-BFED-6103782D5ECF}.exe

Filesize
192KB

MD5
67aad7a4387c8fadfa52eb608169f0ab

SHA1
76bae0f00a224ef35b2191a57072ee62edaac51e

SHA256
3e42881b42b606437e4b2873f5e43a4a9197844b83230d27291371d0fa80a432

SHA512
cd204177472ab16ff250a2ac97130acbb5009cbf77896a0348683d930511c3d8dcb305edb63fe8ad3d74fae6e82192bb53c4fe7c6dd6946c92144715801887c3

Download Submit
C:\Windows\{EB6AB4CC-037D-4107-9688-07E94189847A}.exe

Filesize
192KB

MD5
e9deee2e1fd0a7e4441ab6f71b41d9f8

SHA1
7e2230f6ebefa2024ebece58768664e919afec4f

SHA256
a6b4ddd4208750f7caa9bcd7103e49f9a0ef0ba9701aadd7ec5326792a86f50d

SHA512
a7187b8570a38cb5872660666d8f5fd63e903b25741c546bb55906ab4fd6a6d8c79a2eebc25e5082646312efcb19fa47bb047b767dfc2e7cc88504559c32ff7c

Download Submit
C:\Windows\{EB6AB4CC-037D-4107-9688-07E94189847A}.exe

Filesize
192KB

MD5
e9deee2e1fd0a7e4441ab6f71b41d9f8

SHA1
7e2230f6ebefa2024ebece58768664e919afec4f

SHA256
a6b4ddd4208750f7caa9bcd7103e49f9a0ef0ba9701aadd7ec5326792a86f50d

SHA512
a7187b8570a38cb5872660666d8f5fd63e903b25741c546bb55906ab4fd6a6d8c79a2eebc25e5082646312efcb19fa47bb047b767dfc2e7cc88504559c32ff7c

Download Submit