a7c4ace3a33392ee77dd93bb44b79637301136eb33a8227a4d69a367a3e71274

Analysis

max time kernel
146s
max time network
36s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c238842a415d3exeexeexeex.exe
Size

192KB
MD5

0c238842a415d3f3da27ef532c0498e8
SHA1

c8cce9c09c402ef6254e435ea58f87a0611e0c53
SHA256

a7c4ace3a33392ee77dd93bb44b79637301136eb33a8227a4d69a367a3e71274
SHA512

5e9e4bf8cd613916e829a5ea6c506ab69b508556b2ed2f6db230895d723586b21a3cd1111dc89da02aee99a5e45149552843a96e47d4b437cf92548f573e6995
SSDEEP

1536:1EGh0oml15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oml1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}\stubpath = "C:\\Windows\\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe"	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF3AE3CF-C862-4e15-98B7-839A7966737F}	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}	{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{930553AA-90A7-4e01-88AA-98D07C58865F}	{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}\stubpath = "C:\\Windows\\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe"	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}\stubpath = "C:\\Windows\\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe"	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}\stubpath = "C:\\Windows\\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe"	{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}	{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}\stubpath = "C:\\Windows\\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe"	{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}\stubpath = "C:\\Windows\\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe"	{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}	0c238842a415d3exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8580859-799C-4f35-98B9-1FAF37580BB9}	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{666040E8-C465-4633-BC55-C7D253EBDF4B}	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{666040E8-C465-4633-BC55-C7D253EBDF4B}\stubpath = "C:\\Windows\\{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe"	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}	{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{930553AA-90A7-4e01-88AA-98D07C58865F}\stubpath = "C:\\Windows\\{930553AA-90A7-4e01-88AA-98D07C58865F}.exe"	{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}\stubpath = "C:\\Windows\\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe"	{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}\stubpath = "C:\\Windows\\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe"	0c238842a415d3exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF3AE3CF-C862-4e15-98B7-839A7966737F}\stubpath = "C:\\Windows\\{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe"	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8580859-799C-4f35-98B9-1FAF37580BB9}\stubpath = "C:\\Windows\\{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe"	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}\stubpath = "C:\\Windows\\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe"	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}	{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe

Deletes itself 1 IoCs

pid	Process
2296	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
2948	{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
2728	{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe
2556	{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
2572	{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
2676	{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe
2444	{930553AA-90A7-4e01-88AA-98D07C58865F}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
File created	C:\Windows\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
File created	C:\Windows\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
File created	C:\Windows\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe	{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
File created	C:\Windows\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe	{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
File created	C:\Windows\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
File created	C:\Windows\{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
File created	C:\Windows\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
File created	C:\Windows\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe	{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
File created	C:\Windows\{930553AA-90A7-4e01-88AA-98D07C58865F}.exe	{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe
File created	C:\Windows\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	0c238842a415d3exeexeexeex.exe
File created	C:\Windows\{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
File created	C:\Windows\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe	{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	608	0c238842a415d3exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
Token: SeIncBasePriorityPrivilege	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
Token: SeIncBasePriorityPrivilege	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
Token: SeIncBasePriorityPrivilege	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
Token: SeIncBasePriorityPrivilege	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
Token: SeIncBasePriorityPrivilege	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
Token: SeIncBasePriorityPrivilege	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
Token: SeIncBasePriorityPrivilege	2948	{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
Token: SeIncBasePriorityPrivilege	2728	{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe
Token: SeIncBasePriorityPrivilege	2556	{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
Token: SeIncBasePriorityPrivilege	2572	{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
Token: SeIncBasePriorityPrivilege	2676	{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 2148	608	0c238842a415d3exeexeexeex.exe	27
PID 608 wrote to memory of 2148	608	0c238842a415d3exeexeexeex.exe	27
PID 608 wrote to memory of 2148	608	0c238842a415d3exeexeexeex.exe	27
PID 608 wrote to memory of 2148	608	0c238842a415d3exeexeexeex.exe	27
PID 608 wrote to memory of 2296	608	0c238842a415d3exeexeexeex.exe	28
PID 608 wrote to memory of 2296	608	0c238842a415d3exeexeexeex.exe	28
PID 608 wrote to memory of 2296	608	0c238842a415d3exeexeexeex.exe	28
PID 608 wrote to memory of 2296	608	0c238842a415d3exeexeexeex.exe	28
PID 2148 wrote to memory of 3024	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	29
PID 2148 wrote to memory of 3024	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	29
PID 2148 wrote to memory of 3024	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	29
PID 2148 wrote to memory of 3024	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	29
PID 2148 wrote to memory of 524	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	30
PID 2148 wrote to memory of 524	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	30
PID 2148 wrote to memory of 524	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	30
PID 2148 wrote to memory of 524	2148	{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe	30
PID 3024 wrote to memory of 1716	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	31
PID 3024 wrote to memory of 1716	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	31
PID 3024 wrote to memory of 1716	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	31
PID 3024 wrote to memory of 1716	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	31
PID 3024 wrote to memory of 1084	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	32
PID 3024 wrote to memory of 1084	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	32
PID 3024 wrote to memory of 1084	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	32
PID 3024 wrote to memory of 1084	3024	{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe	32
PID 1716 wrote to memory of 1052	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	33
PID 1716 wrote to memory of 1052	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	33
PID 1716 wrote to memory of 1052	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	33
PID 1716 wrote to memory of 1052	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	33
PID 1716 wrote to memory of 2076	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	34
PID 1716 wrote to memory of 2076	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	34
PID 1716 wrote to memory of 2076	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	34
PID 1716 wrote to memory of 2076	1716	{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe	34
PID 1052 wrote to memory of 936	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	36
PID 1052 wrote to memory of 936	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	36
PID 1052 wrote to memory of 936	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	36
PID 1052 wrote to memory of 936	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	36
PID 1052 wrote to memory of 772	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	35
PID 1052 wrote to memory of 772	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	35
PID 1052 wrote to memory of 772	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	35
PID 1052 wrote to memory of 772	1052	{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe	35
PID 936 wrote to memory of 2952	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	38
PID 936 wrote to memory of 2952	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	38
PID 936 wrote to memory of 2952	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	38
PID 936 wrote to memory of 2952	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	38
PID 936 wrote to memory of 2056	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	37
PID 936 wrote to memory of 2056	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	37
PID 936 wrote to memory of 2056	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	37
PID 936 wrote to memory of 2056	936	{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe	37
PID 2952 wrote to memory of 2168	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	39
PID 2952 wrote to memory of 2168	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	39
PID 2952 wrote to memory of 2168	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	39
PID 2952 wrote to memory of 2168	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	39
PID 2952 wrote to memory of 2884	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	40
PID 2952 wrote to memory of 2884	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	40
PID 2952 wrote to memory of 2884	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	40
PID 2952 wrote to memory of 2884	2952	{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe	40
PID 2168 wrote to memory of 2948	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	42
PID 2168 wrote to memory of 2948	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	42
PID 2168 wrote to memory of 2948	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	42
PID 2168 wrote to memory of 2948	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	42
PID 2168 wrote to memory of 560	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	41
PID 2168 wrote to memory of 560	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	41
PID 2168 wrote to memory of 560	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	41
PID 2168 wrote to memory of 560	2168	{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe	41

C:\Users\Admin\AppData\Local\Temp\0c238842a415d3exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0c238842a415d3exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
  C:\Windows\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
    C:\Windows\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
      C:\Windows\{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
        
        C:\Windows\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E17~1.EXE > nul
        6⤵
        
        PID:772
      - C:\Windows\{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
        
        C:\Windows\{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8580~1.EXE > nul
        7⤵
        
        PID:2056
        
        C:\Windows\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
        
        C:\Windows\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
        
        C:\Windows\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B91~1.EXE > nul
        9⤵
        
        PID:560
        
        C:\Windows\{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
        
        C:\Windows\{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe
        
        C:\Windows\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
        
        C:\Windows\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
        
        C:\Windows\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33223~1.EXE > nul
        13⤵
        
        PID:2576
        
        C:\Windows\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe
        
        C:\Windows\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90B73~1.EXE > nul
        14⤵
        
        PID:2656
        
        C:\Windows\{930553AA-90A7-4e01-88AA-98D07C58865F}.exe
        
        C:\Windows\{930553AA-90A7-4e01-88AA-98D07C58865F}.exe
        14⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E97A1~1.EXE > nul
        12⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF91~1.EXE > nul
        11⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66604~1.EXE > nul
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D4F5~1.EXE > nul
        8⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF3AE~1.EXE > nul
        5⤵
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3C8D3~1.EXE > nul
      4⤵
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C00A~1.EXE > nul
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0C2388~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe

Filesize
192KB

MD5
a1bf4d01da3a0033a9342d72fde13014

SHA1
6bea00daa915f7336bcec1c8e859228a523869f5

SHA256
35a2564150019265fc436e6b143cbd71ea8f3c5e7b4e2f5ecef27ef4560a2385

SHA512
86a63aa71d8c78676ad3ce026075de16a597ac485887f30c394c02bc527dd30badf84045e66cdee1a5fbe522cc7a7620b207f6ac04aae51b57c26a6c16e9e2a5

Download Submit
C:\Windows\{2D4F5FE7-2B92-412d-9662-F9D1BB4C28ED}.exe

Filesize
192KB

MD5
a1bf4d01da3a0033a9342d72fde13014

SHA1
6bea00daa915f7336bcec1c8e859228a523869f5

SHA256
35a2564150019265fc436e6b143cbd71ea8f3c5e7b4e2f5ecef27ef4560a2385

SHA512
86a63aa71d8c78676ad3ce026075de16a597ac485887f30c394c02bc527dd30badf84045e66cdee1a5fbe522cc7a7620b207f6ac04aae51b57c26a6c16e9e2a5

Download Submit
C:\Windows\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe

Filesize
192KB

MD5
bc4aa8872c6d1bc78d0b8376b568eff3

SHA1
8b30e5de7271a998cfdfe3c8c0b196dc50eda1a4

SHA256
96cc12bbfb5cc295a8cbb7ed4a24d3b182c63698d52a03c3a9e962b817c32a87

SHA512
3d0d14db16087a386f6b7ff3db3ab8a814b8b12fc8741f6391784a5a96ce4918c0b4536680fb7c5f9d643dd4fef8a88d186b19165da954498964da6fe49fab61

Download Submit
C:\Windows\{332239F8-5E6A-4a2a-8A1C-36478CD5FE43}.exe

Filesize
192KB

MD5
bc4aa8872c6d1bc78d0b8376b568eff3

SHA1
8b30e5de7271a998cfdfe3c8c0b196dc50eda1a4

SHA256
96cc12bbfb5cc295a8cbb7ed4a24d3b182c63698d52a03c3a9e962b817c32a87

SHA512
3d0d14db16087a386f6b7ff3db3ab8a814b8b12fc8741f6391784a5a96ce4918c0b4536680fb7c5f9d643dd4fef8a88d186b19165da954498964da6fe49fab61

Download Submit
C:\Windows\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe

Filesize
192KB

MD5
90ecfe0797d4adcc8aae1062ba9b326e

SHA1
b2069f8558b249ba3f1122962cee4b0dbb3a9375

SHA256
2908664f3a7e15df3d4f8386a3c4660dd525bf237618caf275d41b5dc8f93682

SHA512
d51bdc1e2e9d3f40fa37ee6da81f078ef4c953ff6b4b85faf2e4b876c1bb74a299b57245a57fd3c15185348ff814b6d122ea78c957f989359211bb2b058dd270

Download Submit
C:\Windows\{3C8D3EB3-EC9E-4bd0-B158-9F5175176A3F}.exe

Filesize
192KB

MD5
90ecfe0797d4adcc8aae1062ba9b326e

SHA1
b2069f8558b249ba3f1122962cee4b0dbb3a9375

SHA256
2908664f3a7e15df3d4f8386a3c4660dd525bf237618caf275d41b5dc8f93682

SHA512
d51bdc1e2e9d3f40fa37ee6da81f078ef4c953ff6b4b85faf2e4b876c1bb74a299b57245a57fd3c15185348ff814b6d122ea78c957f989359211bb2b058dd270

Download Submit
C:\Windows\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe

Filesize
192KB

MD5
751c66d76499cd381dafc4bc07b74f67

SHA1
c1335b5cdad8ab17153e1ca7df2c15bb9777b5f4

SHA256
96be81ed370b4e5d437117be530bdaee760349f08bd01fc1ee724491fb1592a8

SHA512
ee1a26a27c951b588c3e8eca8667b13290ed946e16dba5504baa0717e15a37c93c3a4e788c6a34dfa1015b8da70c4882e145a97eca1f1a4612e9aab138f1874c

Download Submit
C:\Windows\{44E170D5-9E78-4453-9EF2-DAF5A51CE100}.exe

Filesize
192KB

MD5
751c66d76499cd381dafc4bc07b74f67

SHA1
c1335b5cdad8ab17153e1ca7df2c15bb9777b5f4

SHA256
96be81ed370b4e5d437117be530bdaee760349f08bd01fc1ee724491fb1592a8

SHA512
ee1a26a27c951b588c3e8eca8667b13290ed946e16dba5504baa0717e15a37c93c3a4e788c6a34dfa1015b8da70c4882e145a97eca1f1a4612e9aab138f1874c

Download Submit
C:\Windows\{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe

Filesize
192KB

MD5
6fbc8399c983d9b1e5aeaf5c9387c61e

SHA1
dfe004482a61b7261fe6a599df7eb6c82252712a

SHA256
29638bc292617ac09bd9017f3d3553bb00a6cde0a9fdbe7b6e49c6b1d3e1f58f

SHA512
656629073cae54a31c42efaa85ba044af57ea8349f1ccfb4e3cd5c03805063f96f7f9242c40cea650b49ddd41f46393c3869664023e152f174b4c8b888837dec

Download Submit
C:\Windows\{666040E8-C465-4633-BC55-C7D253EBDF4B}.exe

Filesize
192KB

MD5
6fbc8399c983d9b1e5aeaf5c9387c61e

SHA1
dfe004482a61b7261fe6a599df7eb6c82252712a

SHA256
29638bc292617ac09bd9017f3d3553bb00a6cde0a9fdbe7b6e49c6b1d3e1f58f

SHA512
656629073cae54a31c42efaa85ba044af57ea8349f1ccfb4e3cd5c03805063f96f7f9242c40cea650b49ddd41f46393c3869664023e152f174b4c8b888837dec

Download Submit
C:\Windows\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe

Filesize
192KB

MD5
41d6928e7cc60f0e2f574703667370ad

SHA1
ffd6bb6479ac5fd3918134a0a1299416b3ba910c

SHA256
dc638db9763b9255b89ca0fdb496e35f584bb508caae3adc9532584a259d663a

SHA512
4e07b9bb91aa1b0681a8487fa1212891d5a70a270c59199dc05abaa340971e728e9ac773342f47c14e0dbcfe18aaa896b075f753d022b0dc93b556d4082da05e

Download Submit
C:\Windows\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe

Filesize
192KB

MD5
41d6928e7cc60f0e2f574703667370ad

SHA1
ffd6bb6479ac5fd3918134a0a1299416b3ba910c

SHA256
dc638db9763b9255b89ca0fdb496e35f584bb508caae3adc9532584a259d663a

SHA512
4e07b9bb91aa1b0681a8487fa1212891d5a70a270c59199dc05abaa340971e728e9ac773342f47c14e0dbcfe18aaa896b075f753d022b0dc93b556d4082da05e

Download Submit
C:\Windows\{8C00A52F-33D0-4ac0-A559-D21A20DD34C6}.exe

Filesize
192KB

MD5
41d6928e7cc60f0e2f574703667370ad

SHA1
ffd6bb6479ac5fd3918134a0a1299416b3ba910c

SHA256
dc638db9763b9255b89ca0fdb496e35f584bb508caae3adc9532584a259d663a

SHA512
4e07b9bb91aa1b0681a8487fa1212891d5a70a270c59199dc05abaa340971e728e9ac773342f47c14e0dbcfe18aaa896b075f753d022b0dc93b556d4082da05e

Download Submit
C:\Windows\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe

Filesize
192KB

MD5
2fd8cd82e59e412728a57a02a77f5ce8

SHA1
88ed6f913120372b4bf16708d2eeae590fd7522f

SHA256
3bb09257b2882a4bba88591e1bf7825d8628f1c878529404e5de48cdcf9ce173

SHA512
7aed4e458f3a2737716acb2858e6eff64fd77a6ca4f818e9630a1dd761849985f90bb2e5bd911b6225f4a048a7a38b0eae844059fd16c918a0ac606f7bf36768

Download Submit
C:\Windows\{90B7358D-F6C0-4e52-A9BE-3DB0083FCBE4}.exe

Filesize
192KB

MD5
2fd8cd82e59e412728a57a02a77f5ce8

SHA1
88ed6f913120372b4bf16708d2eeae590fd7522f

SHA256
3bb09257b2882a4bba88591e1bf7825d8628f1c878529404e5de48cdcf9ce173

SHA512
7aed4e458f3a2737716acb2858e6eff64fd77a6ca4f818e9630a1dd761849985f90bb2e5bd911b6225f4a048a7a38b0eae844059fd16c918a0ac606f7bf36768

Download Submit
C:\Windows\{930553AA-90A7-4e01-88AA-98D07C58865F}.exe

Filesize
192KB

MD5
89cfe5ae4396dd66dd58720ff1957cd8

SHA1
78f616c19c07296c5eb7ef7a1612d16c08c53677

SHA256
cfec6c9348c7eb514556bc60ba3f4b369162504094ffe00a1d63e13a03513e29

SHA512
a90be61445d7526310ef4e37a4101b9ad6df6d20db573cdfe4e76ed000bf6f08a91766300bc269d96aab9db685b3eaa10e94b9b30bc1178338ee178411161e9a

Download Submit
C:\Windows\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe

Filesize
192KB

MD5
93bdfec9a1c9df6f01c807c20536961b

SHA1
cd28fa970e37646802a25e58a0bc3d61f1817b6e

SHA256
dfe0121c977992676d1f5e86a9b4145f13afe0aa553fa36b98710643febb4ec9

SHA512
ff1d23b9e4e12bb9fa507e3558b9cd25dfd3cb11314f5e59c49f1a4367eeb6a186a811c8fefbeaf5b5896f49b69abd89ff313e6a39f3d181c680cf6216f8c8f5

Download Submit
C:\Windows\{ACF91A49-7A24-4634-AA73-4D05A1F0DCF7}.exe

Filesize
192KB

MD5
93bdfec9a1c9df6f01c807c20536961b

SHA1
cd28fa970e37646802a25e58a0bc3d61f1817b6e

SHA256
dfe0121c977992676d1f5e86a9b4145f13afe0aa553fa36b98710643febb4ec9

SHA512
ff1d23b9e4e12bb9fa507e3558b9cd25dfd3cb11314f5e59c49f1a4367eeb6a186a811c8fefbeaf5b5896f49b69abd89ff313e6a39f3d181c680cf6216f8c8f5

Download Submit
C:\Windows\{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe

Filesize
192KB

MD5
132d443621345d2d9801383b4d2b2d91

SHA1
bd3469631e2e24d981b0540f0c54ae2ca737b1e4

SHA256
9ac2ee9c8d76e1245c65aab47e664fc0e230cc35ce4af849b4f5b0321fdfafb1

SHA512
8136173ef9c337c3e80b20ec9a0c567689c9612501d1cb0890b921b1caafa01edf4cb9acda7340eab99709cf411faf0bb06e37423430b2a019359d34dc47f91b

Download Submit
C:\Windows\{AF3AE3CF-C862-4e15-98B7-839A7966737F}.exe

Filesize
192KB

MD5
132d443621345d2d9801383b4d2b2d91

SHA1
bd3469631e2e24d981b0540f0c54ae2ca737b1e4

SHA256
9ac2ee9c8d76e1245c65aab47e664fc0e230cc35ce4af849b4f5b0321fdfafb1

SHA512
8136173ef9c337c3e80b20ec9a0c567689c9612501d1cb0890b921b1caafa01edf4cb9acda7340eab99709cf411faf0bb06e37423430b2a019359d34dc47f91b

Download Submit
C:\Windows\{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe

Filesize
192KB

MD5
b6ad517f050912a36fa0bdd11c336c55

SHA1
a4c7439728044280cf0c45482154c7fcfa33b811

SHA256
80c826cec1491ac710e90a0d7fdd1554a0fbcf3f3d01a2cceef7118142471ca3

SHA512
89b04f0c269fb2b1653ac49fd9575c7c88dc26288472b75f38bf5abe1ca66076ecb4f95d66d0b47d99ef7c9e193cb84ba2730c420d477236e9e84dd639066534

Download Submit
C:\Windows\{B8580859-799C-4f35-98B9-1FAF37580BB9}.exe

Filesize
192KB

MD5
b6ad517f050912a36fa0bdd11c336c55

SHA1
a4c7439728044280cf0c45482154c7fcfa33b811

SHA256
80c826cec1491ac710e90a0d7fdd1554a0fbcf3f3d01a2cceef7118142471ca3

SHA512
89b04f0c269fb2b1653ac49fd9575c7c88dc26288472b75f38bf5abe1ca66076ecb4f95d66d0b47d99ef7c9e193cb84ba2730c420d477236e9e84dd639066534

Download Submit
C:\Windows\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe

Filesize
192KB

MD5
48dac17ca8ba2ac75ad787a63365c62f

SHA1
793aeeeea8d4e2da3ea5ddc6a6e39ca30ef4de01

SHA256
e1461d72d5fbb79f68a1399e28ebb7751c8f5657318ebd6b37545ec019853b5f

SHA512
8ae16d13c60d9c44a67a52dcf031ae253d3c403bce2c97dc2bf418268bdae764d026fd68a8c4418162e403779f823c5d5595211fd1d0736aff543df38b4c114b

Download Submit
C:\Windows\{E97A11DD-BD43-40ec-9F0D-1DD1A381515C}.exe

Filesize
192KB

MD5
48dac17ca8ba2ac75ad787a63365c62f

SHA1
793aeeeea8d4e2da3ea5ddc6a6e39ca30ef4de01

SHA256
e1461d72d5fbb79f68a1399e28ebb7751c8f5657318ebd6b37545ec019853b5f

SHA512
8ae16d13c60d9c44a67a52dcf031ae253d3c403bce2c97dc2bf418268bdae764d026fd68a8c4418162e403779f823c5d5595211fd1d0736aff543df38b4c114b

Download Submit
C:\Windows\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe

Filesize
192KB

MD5
e3c9814cd2771681dea152dd41799815

SHA1
faca91eaa224e6393e4879001dfffb60f58856de

SHA256
6c7353cfe9e666bcd6d632633192cbb43fd70a63a96a3d51220884018701af3d

SHA512
143cd25aa806dcbab1de8acf11e7ff7f60b114341c51d56e708623cb102c3aed3a0d4e9889d75bf9b202f752fb3b3c02d2841de620233307fa86dead00805e0b

Download Submit
C:\Windows\{F6B914EF-87DF-47e4-91EA-D53E111BE1E6}.exe

Filesize
192KB

MD5
e3c9814cd2771681dea152dd41799815

SHA1
faca91eaa224e6393e4879001dfffb60f58856de

SHA256
6c7353cfe9e666bcd6d632633192cbb43fd70a63a96a3d51220884018701af3d

SHA512
143cd25aa806dcbab1de8acf11e7ff7f60b114341c51d56e708623cb102c3aed3a0d4e9889d75bf9b202f752fb3b3c02d2841de620233307fa86dead00805e0b

Download Submit