a14f5a31fb6a407d112494fa31aff72f4b80fba7ee8fe57e7549bb8af68a952d

Analysis

max time kernel
147s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3f0507f7e429exeexeexeex.exe
Size

408KB
MD5

0f3f0507f7e429c1a215382a0b52480a
SHA1

030b3bb4ac74eb3deccf508937da39ba460a5472
SHA256

a14f5a31fb6a407d112494fa31aff72f4b80fba7ee8fe57e7549bb8af68a952d
SHA512

2a7a5d3bd7758ec151d9815419b556d08d2294c26100691275ccd412973ab06035d3576b64c850f3b1befa299ab6c177374c1f7ded730b68fb9bbfcfb1131b37
SSDEEP

3072:CEGh0obl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{852D661D-9331-41e6-9655-70628AB5AE89}	{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}	{852D661D-9331-41e6-9655-70628AB5AE89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615C6C66-7246-468d-BAC1-DFCE93638365}\stubpath = "C:\\Windows\\{615C6C66-7246-468d-BAC1-DFCE93638365}.exe"	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}\stubpath = "C:\\Windows\\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe"	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}\stubpath = "C:\\Windows\\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe"	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}\stubpath = "C:\\Windows\\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe"	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}	{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}\stubpath = "C:\\Windows\\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}.exe"	{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E09B981-0837-418f-88FE-A9FAC8B47585}	0f3f0507f7e429exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615C6C66-7246-468d-BAC1-DFCE93638365}	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}\stubpath = "C:\\Windows\\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe"	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}\stubpath = "C:\\Windows\\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe"	{852D661D-9331-41e6-9655-70628AB5AE89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}\stubpath = "C:\\Windows\\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe"	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{852D661D-9331-41e6-9655-70628AB5AE89}\stubpath = "C:\\Windows\\{852D661D-9331-41e6-9655-70628AB5AE89}.exe"	{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2450A348-35DC-49d1-B4DA-A8B64C19264B}	{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}	{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E09B981-0837-418f-88FE-A9FAC8B47585}\stubpath = "C:\\Windows\\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe"	0f3f0507f7e429exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}\stubpath = "C:\\Windows\\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe"	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}\stubpath = "C:\\Windows\\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe"	{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2450A348-35DC-49d1-B4DA-A8B64C19264B}\stubpath = "C:\\Windows\\{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe"	{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe
2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
2220	{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
2692	{852D661D-9331-41e6-9655-70628AB5AE89}.exe
2628	{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
2108	{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe
2496	{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe
2596	{06E87888-DA7A-4cb9-A738-7D5F89470FE8}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
File created	C:\Windows\{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
File created	C:\Windows\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
File created	C:\Windows\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
File created	C:\Windows\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
File created	C:\Windows\{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe	{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe
File created	C:\Windows\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	0f3f0507f7e429exeexeexeex.exe
File created	C:\Windows\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
File created	C:\Windows\{852D661D-9331-41e6-9655-70628AB5AE89}.exe	{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
File created	C:\Windows\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe	{852D661D-9331-41e6-9655-70628AB5AE89}.exe
File created	C:\Windows\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe	{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
File created	C:\Windows\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}.exe	{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe
File created	C:\Windows\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	0f3f0507f7e429exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
Token: SeIncBasePriorityPrivilege	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
Token: SeIncBasePriorityPrivilege	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
Token: SeIncBasePriorityPrivilege	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
Token: SeIncBasePriorityPrivilege	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe
Token: SeIncBasePriorityPrivilege	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
Token: SeIncBasePriorityPrivilege	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
Token: SeIncBasePriorityPrivilege	2220	{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
Token: SeIncBasePriorityPrivilege	2692	{852D661D-9331-41e6-9655-70628AB5AE89}.exe
Token: SeIncBasePriorityPrivilege	2628	{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
Token: SeIncBasePriorityPrivilege	2108	{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe
Token: SeIncBasePriorityPrivilege	2496	{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 752	2176	0f3f0507f7e429exeexeexeex.exe	28
PID 2176 wrote to memory of 752	2176	0f3f0507f7e429exeexeexeex.exe	28
PID 2176 wrote to memory of 752	2176	0f3f0507f7e429exeexeexeex.exe	28
PID 2176 wrote to memory of 752	2176	0f3f0507f7e429exeexeexeex.exe	28
PID 2176 wrote to memory of 1952	2176	0f3f0507f7e429exeexeexeex.exe	29
PID 2176 wrote to memory of 1952	2176	0f3f0507f7e429exeexeexeex.exe	29
PID 2176 wrote to memory of 1952	2176	0f3f0507f7e429exeexeexeex.exe	29
PID 2176 wrote to memory of 1952	2176	0f3f0507f7e429exeexeexeex.exe	29
PID 752 wrote to memory of 1688	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	30
PID 752 wrote to memory of 1688	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	30
PID 752 wrote to memory of 1688	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	30
PID 752 wrote to memory of 1688	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	30
PID 752 wrote to memory of 2952	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	31
PID 752 wrote to memory of 2952	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	31
PID 752 wrote to memory of 2952	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	31
PID 752 wrote to memory of 2952	752	{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe	31
PID 1688 wrote to memory of 1736	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	33
PID 1688 wrote to memory of 1736	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	33
PID 1688 wrote to memory of 1736	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	33
PID 1688 wrote to memory of 1736	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	33
PID 1688 wrote to memory of 520	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	32
PID 1688 wrote to memory of 520	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	32
PID 1688 wrote to memory of 520	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	32
PID 1688 wrote to memory of 520	1688	{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe	32
PID 1736 wrote to memory of 1096	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	35
PID 1736 wrote to memory of 1096	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	35
PID 1736 wrote to memory of 1096	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	35
PID 1736 wrote to memory of 1096	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	35
PID 1736 wrote to memory of 2124	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	34
PID 1736 wrote to memory of 2124	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	34
PID 1736 wrote to memory of 2124	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	34
PID 1736 wrote to memory of 2124	1736	{615C6C66-7246-468d-BAC1-DFCE93638365}.exe	34
PID 1096 wrote to memory of 632	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	36
PID 1096 wrote to memory of 632	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	36
PID 1096 wrote to memory of 632	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	36
PID 1096 wrote to memory of 632	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	36
PID 1096 wrote to memory of 1600	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	37
PID 1096 wrote to memory of 1600	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	37
PID 1096 wrote to memory of 1600	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	37
PID 1096 wrote to memory of 1600	1096	{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe	37
PID 632 wrote to memory of 2372	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	39
PID 632 wrote to memory of 2372	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	39
PID 632 wrote to memory of 2372	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	39
PID 632 wrote to memory of 2372	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	39
PID 632 wrote to memory of 2976	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	38
PID 632 wrote to memory of 2976	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	38
PID 632 wrote to memory of 2976	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	38
PID 632 wrote to memory of 2976	632	{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe	38
PID 2372 wrote to memory of 2260	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	41
PID 2372 wrote to memory of 2260	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	41
PID 2372 wrote to memory of 2260	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	41
PID 2372 wrote to memory of 2260	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	41
PID 2372 wrote to memory of 1648	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	40
PID 2372 wrote to memory of 1648	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	40
PID 2372 wrote to memory of 1648	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	40
PID 2372 wrote to memory of 1648	2372	{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe	40
PID 2260 wrote to memory of 2220	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	42
PID 2260 wrote to memory of 2220	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	42
PID 2260 wrote to memory of 2220	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	42
PID 2260 wrote to memory of 2220	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	42
PID 2260 wrote to memory of 2088	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	43
PID 2260 wrote to memory of 2088	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	43
PID 2260 wrote to memory of 2088	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	43
PID 2260 wrote to memory of 2088	2260	{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe	43

C:\Users\Admin\AppData\Local\Temp\0f3f0507f7e429exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0f3f0507f7e429exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
  C:\Windows\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
    C:\Windows\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0C2B~1.EXE > nul
      4⤵
      PID:520
  - - C:\Windows\{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
      C:\Windows\{615C6C66-7246-468d-BAC1-DFCE93638365}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{615C6~1.EXE > nul
        5⤵
        
        PID:2124
    - - C:\Windows\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
        
        C:\Windows\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe
        
        C:\Windows\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7595E~1.EXE > nul
        7⤵
        
        PID:2976
        
        C:\Windows\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
        
        C:\Windows\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F21DA~1.EXE > nul
        8⤵
        
        PID:1648
        
        C:\Windows\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
        
        C:\Windows\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
        
        C:\Windows\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\{852D661D-9331-41e6-9655-70628AB5AE89}.exe
        
        C:\Windows\{852D661D-9331-41e6-9655-70628AB5AE89}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{852D6~1.EXE > nul
        11⤵
        
        PID:2764
        
        C:\Windows\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
        
        C:\Windows\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe
        
        C:\Windows\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe
        
        C:\Windows\{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2450A~1.EXE > nul
        14⤵
        
        PID:2484
        
        C:\Windows\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}.exe
        
        C:\Windows\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}.exe
        14⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC57B~1.EXE > nul
        13⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D734F~1.EXE > nul
        12⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4985~1.EXE > nul
        10⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C13B~1.EXE > nul
        9⤵
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9CE1~1.EXE > nul
        6⤵
        
        PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E09B~1.EXE > nul
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F3F05~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06E87888-DA7A-4cb9-A738-7D5F89470FE8}.exe

Filesize
408KB

MD5
e44bbfc71565fdbc250d4bc5143434f6

SHA1
52f91b936637d521c545a7a7b46323de499e9a4a

SHA256
f0023a8d8fe31200d9870317fb2c6898d1a58e658db783a4220e9bc498eaf572

SHA512
1bba0e3fc99d3ebecb13064e1722941003c52548e0a97db3f3186a6e15befcbfdb057afd1e0959df399b6e4a4e2dea2b885734ddd236a025c6c383858dfc0e5f

Download Submit
C:\Windows\{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe

Filesize
408KB

MD5
e41e138cd565bace2631cf92bffa0d95

SHA1
f9c9916af7f7f6df5fbdb44ce234955d6aafe0e3

SHA256
4345fc9254aff52bb53a54398bfc0f9b42e045d4ee40f75c4904eb3c965bbbc6

SHA512
efd6e64eaf9938dee759becdbdcaf71b327f50db1471d9ae1e331982a1e24859f5be024900301437792714e774d24ed426c9d3f14c5d3dcd9b4c0ffdeeca964f

Download Submit
C:\Windows\{2450A348-35DC-49d1-B4DA-A8B64C19264B}.exe

Filesize
408KB

MD5
e41e138cd565bace2631cf92bffa0d95

SHA1
f9c9916af7f7f6df5fbdb44ce234955d6aafe0e3

SHA256
4345fc9254aff52bb53a54398bfc0f9b42e045d4ee40f75c4904eb3c965bbbc6

SHA512
efd6e64eaf9938dee759becdbdcaf71b327f50db1471d9ae1e331982a1e24859f5be024900301437792714e774d24ed426c9d3f14c5d3dcd9b4c0ffdeeca964f

Download Submit
C:\Windows\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe

Filesize
408KB

MD5
66daf87f845bade5389c73c0d86d705f

SHA1
ba93f129472587a27c1078357478ac3e77c62e70

SHA256
d63c5a9993020d914a336ddba7dfd555d8f46dbcef635965b1d05459969a5e96

SHA512
f4405e385a057545cb618b7124f4ece5f16f6fcf044fdda6a8068860fba1916bf663a0d39ad247895b97d84ded2523e9ea24abf344b7d49b6a585dd9d594effd

Download Submit
C:\Windows\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe

Filesize
408KB

MD5
66daf87f845bade5389c73c0d86d705f

SHA1
ba93f129472587a27c1078357478ac3e77c62e70

SHA256
d63c5a9993020d914a336ddba7dfd555d8f46dbcef635965b1d05459969a5e96

SHA512
f4405e385a057545cb618b7124f4ece5f16f6fcf044fdda6a8068860fba1916bf663a0d39ad247895b97d84ded2523e9ea24abf344b7d49b6a585dd9d594effd

Download Submit
C:\Windows\{5E09B981-0837-418f-88FE-A9FAC8B47585}.exe

Filesize
408KB

MD5
66daf87f845bade5389c73c0d86d705f

SHA1
ba93f129472587a27c1078357478ac3e77c62e70

SHA256
d63c5a9993020d914a336ddba7dfd555d8f46dbcef635965b1d05459969a5e96

SHA512
f4405e385a057545cb618b7124f4ece5f16f6fcf044fdda6a8068860fba1916bf663a0d39ad247895b97d84ded2523e9ea24abf344b7d49b6a585dd9d594effd

Download Submit
C:\Windows\{615C6C66-7246-468d-BAC1-DFCE93638365}.exe

Filesize
408KB

MD5
9edf3e4160755ad7d38f71711ece2dde

SHA1
dc2cb053a53eb9ac114c9daeece8b045aad724a9

SHA256
cf8a1899b4ad5ec9e6b402d5104ca8ea9adcfa417520d5fae0951bd793baeede

SHA512
e7b8383536bb1bab663f7b575899af69f244c5b47e339e4497831ce901efcecc878b56d719d2b2da7afca505416ccf00d02f3e33d54732902a1e5a49c880df6c

Download Submit
C:\Windows\{615C6C66-7246-468d-BAC1-DFCE93638365}.exe

Filesize
408KB

MD5
9edf3e4160755ad7d38f71711ece2dde

SHA1
dc2cb053a53eb9ac114c9daeece8b045aad724a9

SHA256
cf8a1899b4ad5ec9e6b402d5104ca8ea9adcfa417520d5fae0951bd793baeede

SHA512
e7b8383536bb1bab663f7b575899af69f244c5b47e339e4497831ce901efcecc878b56d719d2b2da7afca505416ccf00d02f3e33d54732902a1e5a49c880df6c

Download Submit
C:\Windows\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe

Filesize
408KB

MD5
806f54ae54a6ab3563b19cc71e5c3d6f

SHA1
437cd2bee71eaa7554cc82e13353daeba376e95b

SHA256
8008f6c74d688bdee3de0aa4cd1ef71f98f38de41d3809de1bc564b7ab4add62

SHA512
a9b254a83d58dd7fc8d9347196e9e55a28bb354a43463745fa838050d0566dc3261ea8b01864167b7ab41ac2eca66a55f1a476df496f78d3575f4647b45ed987

Download Submit
C:\Windows\{7595E3D5-7200-4ae2-83C9-505196DE7CF7}.exe

Filesize
408KB

MD5
806f54ae54a6ab3563b19cc71e5c3d6f

SHA1
437cd2bee71eaa7554cc82e13353daeba376e95b

SHA256
8008f6c74d688bdee3de0aa4cd1ef71f98f38de41d3809de1bc564b7ab4add62

SHA512
a9b254a83d58dd7fc8d9347196e9e55a28bb354a43463745fa838050d0566dc3261ea8b01864167b7ab41ac2eca66a55f1a476df496f78d3575f4647b45ed987

Download Submit
C:\Windows\{852D661D-9331-41e6-9655-70628AB5AE89}.exe

Filesize
408KB

MD5
8df34b36b38fb22e2553aeaf8d577f3c

SHA1
755293494f9a694434414a45b1156efff398730c

SHA256
e17485b240df1cf05375ad474ad6f7d3c243f73f7648f61f5d1cdbb818df0a3c

SHA512
6cb13ac4aa2f8ec4fe8efa13825319459466f3cb94b0a42a78a8c21eeb04b60d754d0481fc9ad251f66ae295bcc0e40c797779563a0c1ba480df6e55a628c647

Download Submit
C:\Windows\{852D661D-9331-41e6-9655-70628AB5AE89}.exe

Filesize
408KB

MD5
8df34b36b38fb22e2553aeaf8d577f3c

SHA1
755293494f9a694434414a45b1156efff398730c

SHA256
e17485b240df1cf05375ad474ad6f7d3c243f73f7648f61f5d1cdbb818df0a3c

SHA512
6cb13ac4aa2f8ec4fe8efa13825319459466f3cb94b0a42a78a8c21eeb04b60d754d0481fc9ad251f66ae295bcc0e40c797779563a0c1ba480df6e55a628c647

Download Submit
C:\Windows\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe

Filesize
408KB

MD5
faecd83cfc66227f84a9773034176705

SHA1
19f9f47b9a0828b46c89536e0425e69139e5c43d

SHA256
7aa2f1dc5845a7825f3c3168e9f6e4e23220c1fd05049babc387669e91a9e402

SHA512
0a161e7c6853333aeaae6dad75c5f9cf697f0d7aaf529538cac82d6131c84748e56473a9e6efbc5176bb814dafc6cb9a21642e586971cb5f593fc8b192feb69f

Download Submit
C:\Windows\{9C13B1A6-35B8-4129-937F-454FBE8B75E5}.exe

Filesize
408KB

MD5
faecd83cfc66227f84a9773034176705

SHA1
19f9f47b9a0828b46c89536e0425e69139e5c43d

SHA256
7aa2f1dc5845a7825f3c3168e9f6e4e23220c1fd05049babc387669e91a9e402

SHA512
0a161e7c6853333aeaae6dad75c5f9cf697f0d7aaf529538cac82d6131c84748e56473a9e6efbc5176bb814dafc6cb9a21642e586971cb5f593fc8b192feb69f

Download Submit
C:\Windows\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe

Filesize
408KB

MD5
aa365ad6944d25c6d420d2f58a61e314

SHA1
bf9e9c4c0d2697b8f49c1085b98a65131bd719a5

SHA256
6c88bbb84bcbe4e2f51d77ddae06dd4cfac609df45ea654d1eebc26daac26568

SHA512
3989a19f439c9b1a3cca875c33b32599484870f17267837eb2af69765aaa2acc5b16a4e58b67bccf997fdd4cd91f3cc4c4d7425ff9d2c84cea1b7f9ec6fb5520

Download Submit
C:\Windows\{A4985A0D-58BD-43a0-ACB4-D451F106DB8C}.exe

Filesize
408KB

MD5
aa365ad6944d25c6d420d2f58a61e314

SHA1
bf9e9c4c0d2697b8f49c1085b98a65131bd719a5

SHA256
6c88bbb84bcbe4e2f51d77ddae06dd4cfac609df45ea654d1eebc26daac26568

SHA512
3989a19f439c9b1a3cca875c33b32599484870f17267837eb2af69765aaa2acc5b16a4e58b67bccf997fdd4cd91f3cc4c4d7425ff9d2c84cea1b7f9ec6fb5520

Download Submit
C:\Windows\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe

Filesize
408KB

MD5
2c7f426998151b19febcbb23e0935cc6

SHA1
30bbe0c5190c45b6817da079a1aeb7780ae387d3

SHA256
228b81bb863e1287eef27d302aafaf8326d10b4b8d471d8f13710581ba59258a

SHA512
4ac1ca027888163ee7248725c5ac623025fcfb3bbe9ca3e9789461ee4fc1b4792849654fae80797bedf848de00d74dc947837072de9e05b043b7e1ead2a8dc9e

Download Submit
C:\Windows\{C9CE10FA-9021-4ad1-919B-19D19BA2782C}.exe

Filesize
408KB

MD5
2c7f426998151b19febcbb23e0935cc6

SHA1
30bbe0c5190c45b6817da079a1aeb7780ae387d3

SHA256
228b81bb863e1287eef27d302aafaf8326d10b4b8d471d8f13710581ba59258a

SHA512
4ac1ca027888163ee7248725c5ac623025fcfb3bbe9ca3e9789461ee4fc1b4792849654fae80797bedf848de00d74dc947837072de9e05b043b7e1ead2a8dc9e

Download Submit
C:\Windows\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe

Filesize
408KB

MD5
7c63ffc88b5092031d02ae63ed47dfff

SHA1
b1b05a1490ad551f97662c57c1e6f71967e6f016

SHA256
e53beae115161139f7d6912e08aa35f0ee8869db41e964703e3ff8ab2d87fca1

SHA512
54a64066c095495c3928dcbbd99e1c973174d26be5a04d9c4e0e60c4b94da2fd89449f09cf7eb320029d1e6b258cee2d5689e53f55988ddd50d3fcf5b2c7aad0

Download Submit
C:\Windows\{D0C2BBF3-9F42-4167-8D48-8562F66B68AB}.exe

Filesize
408KB

MD5
7c63ffc88b5092031d02ae63ed47dfff

SHA1
b1b05a1490ad551f97662c57c1e6f71967e6f016

SHA256
e53beae115161139f7d6912e08aa35f0ee8869db41e964703e3ff8ab2d87fca1

SHA512
54a64066c095495c3928dcbbd99e1c973174d26be5a04d9c4e0e60c4b94da2fd89449f09cf7eb320029d1e6b258cee2d5689e53f55988ddd50d3fcf5b2c7aad0

Download Submit
C:\Windows\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe

Filesize
408KB

MD5
ca2fb213de7f19c9ab33d806449764d1

SHA1
04a13ee65224bbd5853f56fb338ab74fd5a61564

SHA256
ffd286fc3a0294cdaeac78a34a641436cb210a321d4357f922e32afae40ae7f5

SHA512
bcd32a41b12e1b2c6b61a3e5b870e460823d8dc32213ecc1803ee1f9bc920f7bf87b9624702b06add811c4d48393da4cfb2ea0cd9e0d98df1c6a34729f3a0237

Download Submit
C:\Windows\{D734F3EA-1B9A-42cd-B278-ADFC465FCAD0}.exe

Filesize
408KB

MD5
ca2fb213de7f19c9ab33d806449764d1

SHA1
04a13ee65224bbd5853f56fb338ab74fd5a61564

SHA256
ffd286fc3a0294cdaeac78a34a641436cb210a321d4357f922e32afae40ae7f5

SHA512
bcd32a41b12e1b2c6b61a3e5b870e460823d8dc32213ecc1803ee1f9bc920f7bf87b9624702b06add811c4d48393da4cfb2ea0cd9e0d98df1c6a34729f3a0237

Download Submit
C:\Windows\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe

Filesize
408KB

MD5
1ab252d247e6c74b2e5eae288abf3a5a

SHA1
b98a568d1233f59ab721c2998bc759e74a529e02

SHA256
8efde62fca9ac1b22cb9fc34a9229d93ceecf839a98f1e8aed056eba9c415cb2

SHA512
1f7bb5acc2b517c3160bc46148a7109e979e2032f405e086c804d81e45482cae21a2146019e2b7e486b7a6fe883a62cf01aa42d99719d0643835504ce4824360

Download Submit
C:\Windows\{DC57B7FB-2F14-489d-B9F6-6016287D3D00}.exe

Filesize
408KB

MD5
1ab252d247e6c74b2e5eae288abf3a5a

SHA1
b98a568d1233f59ab721c2998bc759e74a529e02

SHA256
8efde62fca9ac1b22cb9fc34a9229d93ceecf839a98f1e8aed056eba9c415cb2

SHA512
1f7bb5acc2b517c3160bc46148a7109e979e2032f405e086c804d81e45482cae21a2146019e2b7e486b7a6fe883a62cf01aa42d99719d0643835504ce4824360

Download Submit
C:\Windows\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe

Filesize
408KB

MD5
8eed904073d9bf0168b3009efd22d408

SHA1
e74962cf962eec4f41fe679ed4c503f55a2d4a83

SHA256
131435e33cd2be1d80a2dbc7fa9e3885e2a1e9b63206b687f0f364be0473751d

SHA512
1a282541419301c75fd4bd37521e902b24863792ef335840ba7555f1ee683222523e4550d299915a6bbf4ed7638c0a9bb164341562d0e123f2ecf5726dd985b6

Download Submit
C:\Windows\{F21DA298-823C-4fca-AA94-FF6DBA857AD6}.exe

Filesize
408KB

MD5
8eed904073d9bf0168b3009efd22d408

SHA1
e74962cf962eec4f41fe679ed4c503f55a2d4a83

SHA256
131435e33cd2be1d80a2dbc7fa9e3885e2a1e9b63206b687f0f364be0473751d

SHA512
1a282541419301c75fd4bd37521e902b24863792ef335840ba7555f1ee683222523e4550d299915a6bbf4ed7638c0a9bb164341562d0e123f2ecf5726dd985b6

Download Submit