7fcf0ff8696a53975d5a5fba95ca377183ef5e693907fabac84c72d12146d29a

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05-07-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12dd161b41121cexeexeexeex.exe
Size

192KB
MD5

12dd161b41121c609c66982c71803660
SHA1

4e19aaea34258c7d08b1699558a2f6ae6d00b923
SHA256

7fcf0ff8696a53975d5a5fba95ca377183ef5e693907fabac84c72d12146d29a
SHA512

d9cf01d21e95d40a29bf9416a692f0e6c04c0c2c6578b331321dae909f5aa1141cda7ca43df697aaee69ea235ab83920cfb60dcb9eb7d89cdb259ef2b6e0b261
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ocl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}	{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}\stubpath = "C:\\Windows\\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe"	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}\stubpath = "C:\\Windows\\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe"	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}\stubpath = "C:\\Windows\\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe"	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}	{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C35325-3B3E-4603-9633-433441356A00}	{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}\stubpath = "C:\\Windows\\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe"	12dd161b41121cexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10157DCC-D76D-437e-8773-9D954F67991A}\stubpath = "C:\\Windows\\{10157DCC-D76D-437e-8773-9D954F67991A}.exe"	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}\stubpath = "C:\\Windows\\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe"	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFD77116-B593-4375-A1B4-A492C300276E}	{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFD77116-B593-4375-A1B4-A492C300276E}\stubpath = "C:\\Windows\\{DFD77116-B593-4375-A1B4-A492C300276E}.exe"	{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}	12dd161b41121cexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}\stubpath = "C:\\Windows\\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe"	{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}\stubpath = "C:\\Windows\\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe"	{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92E200E0-AC5B-4ad7-9175-892104EEDB74}	{DFD77116-B593-4375-A1B4-A492C300276E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}\stubpath = "C:\\Windows\\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe"	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44A4311-A613-4db3-921E-45DDF8E4AF36}	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44A4311-A613-4db3-921E-45DDF8E4AF36}\stubpath = "C:\\Windows\\{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe"	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92E200E0-AC5B-4ad7-9175-892104EEDB74}\stubpath = "C:\\Windows\\{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe"	{DFD77116-B593-4375-A1B4-A492C300276E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C35325-3B3E-4603-9633-433441356A00}\stubpath = "C:\\Windows\\{74C35325-3B3E-4603-9633-433441356A00}.exe"	{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10157DCC-D76D-437e-8773-9D954F67991A}	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
2144	{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
1576	{DFD77116-B593-4375-A1B4-A492C300276E}.exe
2732	{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
2492	{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
2700	{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe
2652	{74C35325-3B3E-4603-9633-433441356A00}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{DFD77116-B593-4375-A1B4-A492C300276E}.exe	{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
File created	C:\Windows\{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe	{DFD77116-B593-4375-A1B4-A492C300276E}.exe
File created	C:\Windows\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe	{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
File created	C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
File created	C:\Windows\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
File created	C:\Windows\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
File created	C:\Windows\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
File created	C:\Windows\{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
File created	C:\Windows\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe	{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
File created	C:\Windows\{74C35325-3B3E-4603-9633-433441356A00}.exe	{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe
File created	C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	12dd161b41121cexeexeexeex.exe
File created	C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
File created	C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	{10157DCC-D76D-437e-8773-9D954F67991A}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	692	12dd161b41121cexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
Token: SeIncBasePriorityPrivilege	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe
Token: SeIncBasePriorityPrivilege	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
Token: SeIncBasePriorityPrivilege	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
Token: SeIncBasePriorityPrivilege	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
Token: SeIncBasePriorityPrivilege	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
Token: SeIncBasePriorityPrivilege	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
Token: SeIncBasePriorityPrivilege	2144	{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
Token: SeIncBasePriorityPrivilege	1576	{DFD77116-B593-4375-A1B4-A492C300276E}.exe
Token: SeIncBasePriorityPrivilege	2732	{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
Token: SeIncBasePriorityPrivilege	2492	{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
Token: SeIncBasePriorityPrivilege	2700	{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 540	692	12dd161b41121cexeexeexeex.exe	28
PID 692 wrote to memory of 540	692	12dd161b41121cexeexeexeex.exe	28
PID 692 wrote to memory of 540	692	12dd161b41121cexeexeexeex.exe	28
PID 692 wrote to memory of 540	692	12dd161b41121cexeexeexeex.exe	28
PID 692 wrote to memory of 2372	692	12dd161b41121cexeexeexeex.exe	29
PID 692 wrote to memory of 2372	692	12dd161b41121cexeexeexeex.exe	29
PID 692 wrote to memory of 2372	692	12dd161b41121cexeexeexeex.exe	29
PID 692 wrote to memory of 2372	692	12dd161b41121cexeexeexeex.exe	29
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 1176	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	30
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 540 wrote to memory of 2100	540	{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe	31
PID 1176 wrote to memory of 1932	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 1932	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 1932	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 1932	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	32
PID 1176 wrote to memory of 3008	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1176 wrote to memory of 3008	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1176 wrote to memory of 3008	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1176 wrote to memory of 3008	1176	{10157DCC-D76D-437e-8773-9D954F67991A}.exe	33
PID 1932 wrote to memory of 2888	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 1932 wrote to memory of 2888	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 1932 wrote to memory of 2888	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 1932 wrote to memory of 2888	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	34
PID 1932 wrote to memory of 2564	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 1932 wrote to memory of 2564	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 1932 wrote to memory of 2564	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 1932 wrote to memory of 2564	1932	{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe	35
PID 2888 wrote to memory of 2204	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2888 wrote to memory of 2204	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2888 wrote to memory of 2204	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2888 wrote to memory of 2204	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	36
PID 2888 wrote to memory of 2216	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2888 wrote to memory of 2216	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2888 wrote to memory of 2216	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2888 wrote to memory of 2216	2888	{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe	37
PID 2204 wrote to memory of 2012	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	38
PID 2204 wrote to memory of 2012	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	38
PID 2204 wrote to memory of 2012	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	38
PID 2204 wrote to memory of 2012	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	38
PID 2204 wrote to memory of 2428	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	39
PID 2204 wrote to memory of 2428	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	39
PID 2204 wrote to memory of 2428	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	39
PID 2204 wrote to memory of 2428	2204	{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe	39
PID 2012 wrote to memory of 2236	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	40
PID 2012 wrote to memory of 2236	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	40
PID 2012 wrote to memory of 2236	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	40
PID 2012 wrote to memory of 2236	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	40
PID 2012 wrote to memory of 2672	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	41
PID 2012 wrote to memory of 2672	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	41
PID 2012 wrote to memory of 2672	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	41
PID 2012 wrote to memory of 2672	2012	{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe	41
PID 2236 wrote to memory of 2144	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	42
PID 2236 wrote to memory of 2144	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	42
PID 2236 wrote to memory of 2144	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	42
PID 2236 wrote to memory of 2144	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	42
PID 2236 wrote to memory of 2940	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	43
PID 2236 wrote to memory of 2940	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	43
PID 2236 wrote to memory of 2940	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	43
PID 2236 wrote to memory of 2940	2236	{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe	43

C:\Users\Admin\AppData\Local\Temp\12dd161b41121cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\12dd161b41121cexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
  C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe
    C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
      C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
        
        C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
        
        C:\Windows\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
        
        C:\Windows\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
        
        C:\Windows\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
        
        C:\Windows\{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\{DFD77116-B593-4375-A1B4-A492C300276E}.exe
        
        C:\Windows\{DFD77116-B593-4375-A1B4-A492C300276E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
        
        C:\Windows\{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
        
        C:\Windows\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe
        
        C:\Windows\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{74C35325-3B3E-4603-9633-433441356A00}.exe
        
        C:\Windows\{74C35325-3B3E-4603-9633-433441356A00}.exe
        14⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C877~1.EXE > nul
        14⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF532~1.EXE > nul
        13⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92E20~1.EXE > nul
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD77~1.EXE > nul
        11⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D44A4~1.EXE > nul
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F99C~1.EXE > nul
        9⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C9D8~1.EXE > nul
        8⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DCD1~1.EXE > nul
        7⤵
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFDD8~1.EXE > nul
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08F38~1.EXE > nul
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10157~1.EXE > nul
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC8E~1.EXE > nul
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\12DD16~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe

Filesize
192KB

MD5
173eef3207f6e10ab2a51a0bceb94543

SHA1
38843ac6c874a8c10f9fd487b79a4bcf041881b3

SHA256
07d6513e1d8505cecc88138e093a5eb0ed633d2f5dabfc34adc34a1d2d887cb9

SHA512
88fbc09963d870231fc5ee1758f1a78590fdf961d90a52625c1dc7252964a2b7ecad3c762ca52657384c31b4b6c14308cb7f5ce0284e631d321ccf2219e40034

Download Submit
C:\Windows\{08F388D6-36DF-4e0c-A895-BC67CF3EE63B}.exe

Filesize
192KB

MD5
173eef3207f6e10ab2a51a0bceb94543

SHA1
38843ac6c874a8c10f9fd487b79a4bcf041881b3

SHA256
07d6513e1d8505cecc88138e093a5eb0ed633d2f5dabfc34adc34a1d2d887cb9

SHA512
88fbc09963d870231fc5ee1758f1a78590fdf961d90a52625c1dc7252964a2b7ecad3c762ca52657384c31b4b6c14308cb7f5ce0284e631d321ccf2219e40034

Download Submit
C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe

Filesize
192KB

MD5
333f2f6c6d12b8d3dd087f143212b5f7

SHA1
30db08c37bbec0ad5785f2cdc53d324a8420feb0

SHA256
7cd0ae4fbc3f299738da0e6532f3ebce874c3c8be7e351630c89b028633f0934

SHA512
c847f5ab36ff2a9d9ffce6d6cb7ffd1029d622d7026d226bb7e04089b49c67f28fdf2161dd899afff242968bec1776e834a150a22b727f17d77b6667941dc71e

Download Submit
C:\Windows\{10157DCC-D76D-437e-8773-9D954F67991A}.exe

Filesize
192KB

MD5
333f2f6c6d12b8d3dd087f143212b5f7

SHA1
30db08c37bbec0ad5785f2cdc53d324a8420feb0

SHA256
7cd0ae4fbc3f299738da0e6532f3ebce874c3c8be7e351630c89b028633f0934

SHA512
c847f5ab36ff2a9d9ffce6d6cb7ffd1029d622d7026d226bb7e04089b49c67f28fdf2161dd899afff242968bec1776e834a150a22b727f17d77b6667941dc71e

Download Submit
C:\Windows\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe

Filesize
192KB

MD5
9da268e2cccd7754f01719ebd568aa6b

SHA1
8274161672bc7a1e98ea7f9e559c5d152ad27020

SHA256
9947362b4e055d58a13aad334ef5d0ba833bd8cbed8aeb9b258ef618e1008459

SHA512
3923558f4d33c3b1ae22603afef81224f18f80646270c51f539a4f3ab0128e09b741801e92eda0f1d114a343f55d01e1ca31c2220cdbe520da69ce1767e00b99

Download Submit
C:\Windows\{3F99C220-DE4D-40fb-BAAD-4C2A1F74D3C8}.exe

Filesize
192KB

MD5
9da268e2cccd7754f01719ebd568aa6b

SHA1
8274161672bc7a1e98ea7f9e559c5d152ad27020

SHA256
9947362b4e055d58a13aad334ef5d0ba833bd8cbed8aeb9b258ef618e1008459

SHA512
3923558f4d33c3b1ae22603afef81224f18f80646270c51f539a4f3ab0128e09b741801e92eda0f1d114a343f55d01e1ca31c2220cdbe520da69ce1767e00b99

Download Submit
C:\Windows\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe

Filesize
192KB

MD5
9e88b5afcb1394a43cf6b5e587961848

SHA1
00a090bb00db79b9b5780c21bba84459f1904a4f

SHA256
859d008bce99934bcf5087b3f571ddad75da19b1defc2e69c22418b61ae519a6

SHA512
f2a271664534ba346d7f42e6319807fe9405a136629d90c2c8b82832f5b94c0dcbacdbbd7d454f4891fc9ef3ee2e05f749ad47c8f35dd112b8c58c7727279e9f

Download Submit
C:\Windows\{5DCD1C20-60A6-4c0c-BA9F-404C8E171958}.exe

Filesize
192KB

MD5
9e88b5afcb1394a43cf6b5e587961848

SHA1
00a090bb00db79b9b5780c21bba84459f1904a4f

SHA256
859d008bce99934bcf5087b3f571ddad75da19b1defc2e69c22418b61ae519a6

SHA512
f2a271664534ba346d7f42e6319807fe9405a136629d90c2c8b82832f5b94c0dcbacdbbd7d454f4891fc9ef3ee2e05f749ad47c8f35dd112b8c58c7727279e9f

Download Submit
C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Filesize
192KB

MD5
baa7b6112549f3edffef2e2eaa0dfcf8

SHA1
267773f9d79526c993b2b95fde185eeea0f4e16c

SHA256
5a0b07f3457ad9e806f97f954b8a9744a0070fecbddd78b4e9cd4859cdd45c94

SHA512
55f37b388fc30e68f03b7cc9beef1048a25ef1bc5effd4889d3402253a7ea5cef06f31a4f3fb75b77d290ddcf7ad3bdc2594f4342eae8220b1bfeaafe519180f

Download Submit
C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Filesize
192KB

MD5
baa7b6112549f3edffef2e2eaa0dfcf8

SHA1
267773f9d79526c993b2b95fde185eeea0f4e16c

SHA256
5a0b07f3457ad9e806f97f954b8a9744a0070fecbddd78b4e9cd4859cdd45c94

SHA512
55f37b388fc30e68f03b7cc9beef1048a25ef1bc5effd4889d3402253a7ea5cef06f31a4f3fb75b77d290ddcf7ad3bdc2594f4342eae8220b1bfeaafe519180f

Download Submit
C:\Windows\{6BC8E0AE-C784-48c5-84CB-53B88C40BB85}.exe

Filesize
192KB

MD5
baa7b6112549f3edffef2e2eaa0dfcf8

SHA1
267773f9d79526c993b2b95fde185eeea0f4e16c

SHA256
5a0b07f3457ad9e806f97f954b8a9744a0070fecbddd78b4e9cd4859cdd45c94

SHA512
55f37b388fc30e68f03b7cc9beef1048a25ef1bc5effd4889d3402253a7ea5cef06f31a4f3fb75b77d290ddcf7ad3bdc2594f4342eae8220b1bfeaafe519180f

Download Submit
C:\Windows\{74C35325-3B3E-4603-9633-433441356A00}.exe

Filesize
192KB

MD5
4c8adafce982b101161a1dd5a964e504

SHA1
0ae4e54529ab49f2d55393f42111719efab413c1

SHA256
9e64cb8e0e312746fca495158efa8b51647aa800b7c51bdbeb2c852273e3edfb

SHA512
19fe66cf2c19e5acb2a1058ba0030105d4b67cf57293ac8ba54fdf83ea71c49c028982cc381dd7f708f1aae5b87d2b590b28298a29c19d9ce83913383a18be48

Download Submit
C:\Windows\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe

Filesize
192KB

MD5
3ddbb6569b18f188c8367f9402fd01b3

SHA1
a8aadd947a434fe1db3759380fa03678514f50a9

SHA256
196906a98f1a04636348c34f54101d70fdee8d301fa9283f92ccf54ebd62b5f3

SHA512
a09fc0ce9dbef0599d6b442c4f58b62842b570006ada08956bfb7711fc73e89639599489bd3402fdced5c920ad3d6b5030e9b6f6bbb2d56e5a6d04a55c3fc32d

Download Submit
C:\Windows\{8C877B9F-B6A1-4a5e-BB97-1CC1B4D971DA}.exe

Filesize
192KB

MD5
3ddbb6569b18f188c8367f9402fd01b3

SHA1
a8aadd947a434fe1db3759380fa03678514f50a9

SHA256
196906a98f1a04636348c34f54101d70fdee8d301fa9283f92ccf54ebd62b5f3

SHA512
a09fc0ce9dbef0599d6b442c4f58b62842b570006ada08956bfb7711fc73e89639599489bd3402fdced5c920ad3d6b5030e9b6f6bbb2d56e5a6d04a55c3fc32d

Download Submit
C:\Windows\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe

Filesize
192KB

MD5
fb2a6a452f01a6dcf7c99ca4dfea1c29

SHA1
999250295211510f218be6877f5d59812fcddb1b

SHA256
3624efc6c1138faf9ef1a8085f12cca9a65321e197b8b2cec67e939d339c16cf

SHA512
905d89c49e6deeb6ed61d92e7e556dedb35b2052f1a47259a2a8f86abaf187000b746a3c5ff2ed6b767657d131a99c8b2daa912dba223fafc057c34b906702d8

Download Submit
C:\Windows\{8C9D876B-D8CB-48a1-9029-402B97BB6A04}.exe

Filesize
192KB

MD5
fb2a6a452f01a6dcf7c99ca4dfea1c29

SHA1
999250295211510f218be6877f5d59812fcddb1b

SHA256
3624efc6c1138faf9ef1a8085f12cca9a65321e197b8b2cec67e939d339c16cf

SHA512
905d89c49e6deeb6ed61d92e7e556dedb35b2052f1a47259a2a8f86abaf187000b746a3c5ff2ed6b767657d131a99c8b2daa912dba223fafc057c34b906702d8

Download Submit
C:\Windows\{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe

Filesize
192KB

MD5
1219085697f10a3a057ebfee8f430014

SHA1
bff910b46cf7e60cd2c3e015328a882f51be98a9

SHA256
1fa01a7de494f1e18b03bc399751e72aaa5707d194410fe09357829b1bbaac11

SHA512
d3cafab8fe45f0e72ab3e427619a48d7514460878c4433b7d2568c63f522d1c728aabbcb29f11e89af9c1194d4f3fabdb2c89f55da2d8cf8b414127c5c32bab8

Download Submit
C:\Windows\{92E200E0-AC5B-4ad7-9175-892104EEDB74}.exe

Filesize
192KB

MD5
1219085697f10a3a057ebfee8f430014

SHA1
bff910b46cf7e60cd2c3e015328a882f51be98a9

SHA256
1fa01a7de494f1e18b03bc399751e72aaa5707d194410fe09357829b1bbaac11

SHA512
d3cafab8fe45f0e72ab3e427619a48d7514460878c4433b7d2568c63f522d1c728aabbcb29f11e89af9c1194d4f3fabdb2c89f55da2d8cf8b414127c5c32bab8

Download Submit
C:\Windows\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe

Filesize
192KB

MD5
a2ff6e16f60ff8d61c9642cc075c0b18

SHA1
c082e52913becdafb582303fde2786f6610b1756

SHA256
b2c231ff05d81e421c7ceabf91ff6686bb1e6236cdd51a359c57c9aba5909501

SHA512
806a7dfb1ca5f17da0d1d426a7d8948ca222b363a28bc501d00090071ac3c9e4b8133524531ae1be898ab55872328f27207dac555986a90f14dd6559e10a3bc8

Download Submit
C:\Windows\{BF5322B6-2AF4-4770-877C-7C03CFF0F463}.exe

Filesize
192KB

MD5
a2ff6e16f60ff8d61c9642cc075c0b18

SHA1
c082e52913becdafb582303fde2786f6610b1756

SHA256
b2c231ff05d81e421c7ceabf91ff6686bb1e6236cdd51a359c57c9aba5909501

SHA512
806a7dfb1ca5f17da0d1d426a7d8948ca222b363a28bc501d00090071ac3c9e4b8133524531ae1be898ab55872328f27207dac555986a90f14dd6559e10a3bc8

Download Submit
C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe

Filesize
192KB

MD5
ccd6f0e87892e25ad188fdaba97a5bdb

SHA1
62dd50b07bcc3cb1ad1d9f76585efeb08a88f8d8

SHA256
b26768b13e79e6f33d96a045b6ffeac44fe417deea9197370b69f9ed498f999f

SHA512
3d79d3af2aadb92a1294307f80b32343ccfc14c903a10eb4b585b42b40a1195a8c8c3ebab52f726f13b07a8124d48e670d9e9b03d00ea333a715a7cf9bba8656

Download Submit
C:\Windows\{CFDD82D8-CBDF-4180-AE0E-17C891CFE128}.exe

Filesize
192KB

MD5
ccd6f0e87892e25ad188fdaba97a5bdb

SHA1
62dd50b07bcc3cb1ad1d9f76585efeb08a88f8d8

SHA256
b26768b13e79e6f33d96a045b6ffeac44fe417deea9197370b69f9ed498f999f

SHA512
3d79d3af2aadb92a1294307f80b32343ccfc14c903a10eb4b585b42b40a1195a8c8c3ebab52f726f13b07a8124d48e670d9e9b03d00ea333a715a7cf9bba8656

Download Submit
C:\Windows\{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe

Filesize
192KB

MD5
4ff3b9885882326772700a9bc51ae68b

SHA1
7245c1bf135751db889e46bfa386f8e701f82a36

SHA256
117cb69da890fa6497a5bd09cdac2f4665a0bf7c0caca90ba3dbc99acf04e8a4

SHA512
97a1570b0979d91ad2e485356123c140dd1c9113c590ac6e1037d7526c94de566f630d99073022942949867aa3c817e2b06453ceaaf6b48eb8218992b558a07e

Download Submit
C:\Windows\{D44A4311-A613-4db3-921E-45DDF8E4AF36}.exe

Filesize
192KB

MD5
4ff3b9885882326772700a9bc51ae68b

SHA1
7245c1bf135751db889e46bfa386f8e701f82a36

SHA256
117cb69da890fa6497a5bd09cdac2f4665a0bf7c0caca90ba3dbc99acf04e8a4

SHA512
97a1570b0979d91ad2e485356123c140dd1c9113c590ac6e1037d7526c94de566f630d99073022942949867aa3c817e2b06453ceaaf6b48eb8218992b558a07e

Download Submit
C:\Windows\{DFD77116-B593-4375-A1B4-A492C300276E}.exe

Filesize
192KB

MD5
bfba1b5b84c5f7d2ae2bec07e93a9951

SHA1
8ec44f9e7259b1f0290115231604bb589a0fa214

SHA256
733a0ea9a77b3ae822eb18d960c6053be1485fce43bd972804d567536d165a53

SHA512
f370ece20bf4292e64939667cdd0dbd0f8acf321ef11871c96d02a882d7b26a8b9a73f4198269fa29e089adbd0ffab5971e512abd1713212303f9317c377e0c9

Download Submit
C:\Windows\{DFD77116-B593-4375-A1B4-A492C300276E}.exe

Filesize
192KB

MD5
bfba1b5b84c5f7d2ae2bec07e93a9951

SHA1
8ec44f9e7259b1f0290115231604bb589a0fa214

SHA256
733a0ea9a77b3ae822eb18d960c6053be1485fce43bd972804d567536d165a53

SHA512
f370ece20bf4292e64939667cdd0dbd0f8acf321ef11871c96d02a882d7b26a8b9a73f4198269fa29e089adbd0ffab5971e512abd1713212303f9317c377e0c9

Download Submit