f7f6f24c21b88c4f390af4165a62cd6eacfd30b11885f6d7ebe359bdd1829f21

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

290aac70b5c9eaexeexeexeex.exe
Size

204KB
MD5

290aac70b5c9eafc160dcc76d53049a1
SHA1

4aff8234b7d7308bcc4a984e075b97108d1550be
SHA256

f7f6f24c21b88c4f390af4165a62cd6eacfd30b11885f6d7ebe359bdd1829f21
SHA512

6306604569031b24f4f1259e9eb4fad1c2f9f81c93e451add39d71453716cdd76f42c39f51563e92856e9ecc387e39cf553c6581dfc5e4798053575eb5725da7
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A383E4F2-B690-49fe-88B9-C6FA2C253529}	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A383E4F2-B690-49fe-88B9-C6FA2C253529}\stubpath = "C:\\Windows\\{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe"	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}\stubpath = "C:\\Windows\\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe"	{B8673933-585C-4505-AA57-936663E9FEC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86811381-C829-46d5-92C1-228FD85348B6}	{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B19050B-1B42-49b7-9DE8-787F005D2522}	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}\stubpath = "C:\\Windows\\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe"	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B19050B-1B42-49b7-9DE8-787F005D2522}\stubpath = "C:\\Windows\\{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe"	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04402EF8-15B8-4143-9AA5-A84F93486B14}	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04402EF8-15B8-4143-9AA5-A84F93486B14}\stubpath = "C:\\Windows\\{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe"	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}	{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8673933-585C-4505-AA57-936663E9FEC3}	{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}\stubpath = "C:\\Windows\\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}.exe"	{86811381-C829-46d5-92C1-228FD85348B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3293E0D8-4590-4b43-B639-D1931C710781}	290aac70b5c9eaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C038D381-40DA-4057-9EAB-4A72750438EC}\stubpath = "C:\\Windows\\{C038D381-40DA-4057-9EAB-4A72750438EC}.exe"	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}	{B8673933-585C-4505-AA57-936663E9FEC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3293E0D8-4590-4b43-B639-D1931C710781}\stubpath = "C:\\Windows\\{3293E0D8-4590-4b43-B639-D1931C710781}.exe"	290aac70b5c9eaexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}\stubpath = "C:\\Windows\\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe"	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C038D381-40DA-4057-9EAB-4A72750438EC}	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}\stubpath = "C:\\Windows\\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe"	{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8673933-585C-4505-AA57-936663E9FEC3}\stubpath = "C:\\Windows\\{B8673933-585C-4505-AA57-936663E9FEC3}.exe"	{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86811381-C829-46d5-92C1-228FD85348B6}\stubpath = "C:\\Windows\\{86811381-C829-46d5-92C1-228FD85348B6}.exe"	{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}	{86811381-C829-46d5-92C1-228FD85348B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}\stubpath = "C:\\Windows\\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe"	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
1524	{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
2412	{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
3056	{B8673933-585C-4505-AA57-936663E9FEC3}.exe
2728	{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe
2672	{86811381-C829-46d5-92C1-228FD85348B6}.exe
2484	{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe	290aac70b5c9eaexeexeexeex.exe
File created	C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
File created	C:\Windows\{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
File created	C:\Windows\{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
File created	C:\Windows\{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
File created	C:\Windows\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}.exe	{86811381-C829-46d5-92C1-228FD85348B6}.exe
File created	C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
File created	C:\Windows\{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
File created	C:\Windows\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
File created	C:\Windows\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe	{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
File created	C:\Windows\{B8673933-585C-4505-AA57-936663E9FEC3}.exe	{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
File created	C:\Windows\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe	{B8673933-585C-4505-AA57-936663E9FEC3}.exe
File created	C:\Windows\{86811381-C829-46d5-92C1-228FD85348B6}.exe	{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	290aac70b5c9eaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
Token: SeIncBasePriorityPrivilege	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
Token: SeIncBasePriorityPrivilege	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
Token: SeIncBasePriorityPrivilege	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
Token: SeIncBasePriorityPrivilege	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
Token: SeIncBasePriorityPrivilege	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
Token: SeIncBasePriorityPrivilege	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
Token: SeIncBasePriorityPrivilege	1524	{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
Token: SeIncBasePriorityPrivilege	2412	{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
Token: SeIncBasePriorityPrivilege	3056	{B8673933-585C-4505-AA57-936663E9FEC3}.exe
Token: SeIncBasePriorityPrivilege	2728	{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe
Token: SeIncBasePriorityPrivilege	2672	{86811381-C829-46d5-92C1-228FD85348B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2316	2156	290aac70b5c9eaexeexeexeex.exe	27
PID 2156 wrote to memory of 2316	2156	290aac70b5c9eaexeexeexeex.exe	27
PID 2156 wrote to memory of 2316	2156	290aac70b5c9eaexeexeexeex.exe	27
PID 2156 wrote to memory of 2316	2156	290aac70b5c9eaexeexeexeex.exe	27
PID 2156 wrote to memory of 2272	2156	290aac70b5c9eaexeexeexeex.exe	28
PID 2156 wrote to memory of 2272	2156	290aac70b5c9eaexeexeexeex.exe	28
PID 2156 wrote to memory of 2272	2156	290aac70b5c9eaexeexeexeex.exe	28
PID 2156 wrote to memory of 2272	2156	290aac70b5c9eaexeexeexeex.exe	28
PID 2316 wrote to memory of 2140	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2140	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2140	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2140	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2248	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2316 wrote to memory of 2248	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2316 wrote to memory of 2248	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2316 wrote to memory of 2248	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2140 wrote to memory of 992	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2140 wrote to memory of 992	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2140 wrote to memory of 992	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2140 wrote to memory of 992	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2140 wrote to memory of 2916	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 2140 wrote to memory of 2916	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 2140 wrote to memory of 2916	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 2140 wrote to memory of 2916	2140	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 992 wrote to memory of 2996	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 2996	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 2996	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 2996	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 1528	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 992 wrote to memory of 1528	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 992 wrote to memory of 1528	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 992 wrote to memory of 1528	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 2996 wrote to memory of 1356	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	35
PID 2996 wrote to memory of 1356	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	35
PID 2996 wrote to memory of 1356	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	35
PID 2996 wrote to memory of 1356	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	35
PID 2996 wrote to memory of 2080	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	36
PID 2996 wrote to memory of 2080	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	36
PID 2996 wrote to memory of 2080	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	36
PID 2996 wrote to memory of 2080	2996	{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe	36
PID 1356 wrote to memory of 1052	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	37
PID 1356 wrote to memory of 1052	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	37
PID 1356 wrote to memory of 1052	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	37
PID 1356 wrote to memory of 1052	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	37
PID 1356 wrote to memory of 2160	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	38
PID 1356 wrote to memory of 2160	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	38
PID 1356 wrote to memory of 2160	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	38
PID 1356 wrote to memory of 2160	1356	{C038D381-40DA-4057-9EAB-4A72750438EC}.exe	38
PID 1052 wrote to memory of 2240	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	39
PID 1052 wrote to memory of 2240	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	39
PID 1052 wrote to memory of 2240	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	39
PID 1052 wrote to memory of 2240	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	39
PID 1052 wrote to memory of 2108	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	40
PID 1052 wrote to memory of 2108	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	40
PID 1052 wrote to memory of 2108	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	40
PID 1052 wrote to memory of 2108	1052	{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe	40
PID 2240 wrote to memory of 1524	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	41
PID 2240 wrote to memory of 1524	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	41
PID 2240 wrote to memory of 1524	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	41
PID 2240 wrote to memory of 1524	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	41
PID 2240 wrote to memory of 2536	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	42
PID 2240 wrote to memory of 2536	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	42
PID 2240 wrote to memory of 2536	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	42
PID 2240 wrote to memory of 2536	2240	{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe	42

C:\Users\Admin\AppData\Local\Temp\290aac70b5c9eaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\290aac70b5c9eaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe
  C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
    C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
      C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
        
        C:\Windows\{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
        
        C:\Windows\{C038D381-40DA-4057-9EAB-4A72750438EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
        
        C:\Windows\{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
        
        C:\Windows\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
        
        C:\Windows\{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
        
        C:\Windows\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{B8673933-585C-4505-AA57-936663E9FEC3}.exe
        
        C:\Windows\{B8673933-585C-4505-AA57-936663E9FEC3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe
        
        C:\Windows\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{86811381-C829-46d5-92C1-228FD85348B6}.exe
        
        C:\Windows\{86811381-C829-46d5-92C1-228FD85348B6}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}.exe
        
        C:\Windows\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}.exe
        14⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86811~1.EXE > nul
        14⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B16A1~1.EXE > nul
        13⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8673~1.EXE > nul
        12⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C02C~1.EXE > nul
        11⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A383E~1.EXE > nul
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79CFB~1.EXE > nul
        9⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04402~1.EXE > nul
        8⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C038D~1.EXE > nul
        7⤵
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B190~1.EXE > nul
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CD2~1.EXE > nul
        5⤵
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06AE9~1.EXE > nul
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3293E~1.EXE > nul
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\290AAC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe

Filesize
204KB

MD5
628435a5cedbb1c34d40a1af5f7a575e

SHA1
9b7aaa8c3f8fbd6f0dad1835016b20f19a597c8e

SHA256
27ee2604df5ccfe5efbe4c23db7fa52f5163049959f85be6a467109ca9b3df01

SHA512
77b1a5753299c6fd54ab068ea958e9b3e0e03b95c4b6e1574168dd43fd623e0fafcb6750123372ec2b832d952c9608ac3fbf8b889966a7f42b1bd8044b3d1999

Download Submit
C:\Windows\{04402EF8-15B8-4143-9AA5-A84F93486B14}.exe

Filesize
204KB

MD5
628435a5cedbb1c34d40a1af5f7a575e

SHA1
9b7aaa8c3f8fbd6f0dad1835016b20f19a597c8e

SHA256
27ee2604df5ccfe5efbe4c23db7fa52f5163049959f85be6a467109ca9b3df01

SHA512
77b1a5753299c6fd54ab068ea958e9b3e0e03b95c4b6e1574168dd43fd623e0fafcb6750123372ec2b832d952c9608ac3fbf8b889966a7f42b1bd8044b3d1999

Download Submit
C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe

Filesize
204KB

MD5
b2d45275e99abbba49f6d4a4dfd0e7ec

SHA1
c24312a7281b2f65d140a904391d7868a0daddf9

SHA256
1c43b01f6f06863ef3033f3ada60cbd5f5ed789ae715d8a1adaeda8300afacc9

SHA512
8bf1d8d09a85f4abb68b55113a7f2435a69eaa0cc092266d003601b97c40881d5e74548b08a2a6aa2138dff9291baecf275115266e8ad53bc881ae1d3244db2c

Download Submit
C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe

Filesize
204KB

MD5
b2d45275e99abbba49f6d4a4dfd0e7ec

SHA1
c24312a7281b2f65d140a904391d7868a0daddf9

SHA256
1c43b01f6f06863ef3033f3ada60cbd5f5ed789ae715d8a1adaeda8300afacc9

SHA512
8bf1d8d09a85f4abb68b55113a7f2435a69eaa0cc092266d003601b97c40881d5e74548b08a2a6aa2138dff9291baecf275115266e8ad53bc881ae1d3244db2c

Download Submit
C:\Windows\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe

Filesize
204KB

MD5
2daae00219cdf77e94ee4a83a63ff2b4

SHA1
569f019d44480b0bf5a742a22199afcdefafd295

SHA256
0554d1a4328d2a785c3dfaac09b01829ab5113b7af74a2aec3d0a75a865dc18a

SHA512
7e6eda744dc3b3c651ccc2d3f0fc3b43ddf946d5bb52e1eb9868c08cd2d949655c0924fbadfc47c8b8f133a9836e1cd256368829f8e25123f9d2f588d0208c4d

Download Submit
C:\Windows\{0C02C10D-F6ED-49fb-B6A8-C32E16108B36}.exe

Filesize
204KB

MD5
2daae00219cdf77e94ee4a83a63ff2b4

SHA1
569f019d44480b0bf5a742a22199afcdefafd295

SHA256
0554d1a4328d2a785c3dfaac09b01829ab5113b7af74a2aec3d0a75a865dc18a

SHA512
7e6eda744dc3b3c651ccc2d3f0fc3b43ddf946d5bb52e1eb9868c08cd2d949655c0924fbadfc47c8b8f133a9836e1cd256368829f8e25123f9d2f588d0208c4d

Download Submit
C:\Windows\{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe

Filesize
204KB

MD5
95accc0e9874954f91fc68e5d781df2c

SHA1
ce73f4c3bd97529b5b466496d520e7bbbcd63140

SHA256
6814c9520dd9fd15efd3e8a7ba99b4d34cefff5dd6150a22982b45ab84a12d7c

SHA512
e293c73183e14c3c85f88ab2bc51943ab5df8fce7fc984c80910f2253a0a15593b5756ca1594544b69d62fa97ebe133ad17639b209700bc3a4a94c6e018623e4

Download Submit
C:\Windows\{1B19050B-1B42-49b7-9DE8-787F005D2522}.exe

Filesize
204KB

MD5
95accc0e9874954f91fc68e5d781df2c

SHA1
ce73f4c3bd97529b5b466496d520e7bbbcd63140

SHA256
6814c9520dd9fd15efd3e8a7ba99b4d34cefff5dd6150a22982b45ab84a12d7c

SHA512
e293c73183e14c3c85f88ab2bc51943ab5df8fce7fc984c80910f2253a0a15593b5756ca1594544b69d62fa97ebe133ad17639b209700bc3a4a94c6e018623e4

Download Submit
C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe

Filesize
204KB

MD5
c2dfb98655e57cb20a66d6f8729ee2ae

SHA1
bfc589d064ea075f0386b0fb7e6f8fce0afe29ba

SHA256
435192960790e8ecf81e6f79ff06952527a8241930dd844534f39f26eefa1520

SHA512
78514eb3a1aabb7e128dfc37f7f8f3c261a622008bceb5ba4ce7136279948bf945eaa7652e3baa6a86d97cd01487b1b321a8ef9c27658cc3a56c16e837fac129

Download Submit
C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe

Filesize
204KB

MD5
c2dfb98655e57cb20a66d6f8729ee2ae

SHA1
bfc589d064ea075f0386b0fb7e6f8fce0afe29ba

SHA256
435192960790e8ecf81e6f79ff06952527a8241930dd844534f39f26eefa1520

SHA512
78514eb3a1aabb7e128dfc37f7f8f3c261a622008bceb5ba4ce7136279948bf945eaa7652e3baa6a86d97cd01487b1b321a8ef9c27658cc3a56c16e837fac129

Download Submit
C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe

Filesize
204KB

MD5
c2dfb98655e57cb20a66d6f8729ee2ae

SHA1
bfc589d064ea075f0386b0fb7e6f8fce0afe29ba

SHA256
435192960790e8ecf81e6f79ff06952527a8241930dd844534f39f26eefa1520

SHA512
78514eb3a1aabb7e128dfc37f7f8f3c261a622008bceb5ba4ce7136279948bf945eaa7652e3baa6a86d97cd01487b1b321a8ef9c27658cc3a56c16e837fac129

Download Submit
C:\Windows\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe

Filesize
204KB

MD5
14b517fa3d3d9fd6de6454d701c7e6ec

SHA1
cc867555608cf97396324fd4d793ab1157ed5c32

SHA256
b4bf847c2cfee725b48014d05ac99da9b47726217ba34020f15b0ef11de26b02

SHA512
67c9e533b1ea85d3f9e2dd5b2c3c2cba640ea3ac90787afb96ba43a8341881ae9fa8cb4ec48eadb71ddee2e76e2e3967803ad39fb7844df48702c7c6296185ef

Download Submit
C:\Windows\{79CFBCCD-E620-4771-B272-BFF343F5E4FF}.exe

Filesize
204KB

MD5
14b517fa3d3d9fd6de6454d701c7e6ec

SHA1
cc867555608cf97396324fd4d793ab1157ed5c32

SHA256
b4bf847c2cfee725b48014d05ac99da9b47726217ba34020f15b0ef11de26b02

SHA512
67c9e533b1ea85d3f9e2dd5b2c3c2cba640ea3ac90787afb96ba43a8341881ae9fa8cb4ec48eadb71ddee2e76e2e3967803ad39fb7844df48702c7c6296185ef

Download Submit
C:\Windows\{86811381-C829-46d5-92C1-228FD85348B6}.exe

Filesize
204KB

MD5
fb3f0681709d38d926c8e9b5db18ed0b

SHA1
0c79c0ca87e4990edcdb1fe3089300438efb88ad

SHA256
6f669712f8a4a4b8ce608aa93110393e0347f98fcd8ec1acb843fa07698a530e

SHA512
03e43be995f6044d712c554e8dd509ccf9152997d1c50faaf3b12e370431dc8cbd11956280b4f906f38df5e3e65b3b9fcde795a73e02f4296250fa03ea605a95

Download Submit
C:\Windows\{86811381-C829-46d5-92C1-228FD85348B6}.exe

Filesize
204KB

MD5
fb3f0681709d38d926c8e9b5db18ed0b

SHA1
0c79c0ca87e4990edcdb1fe3089300438efb88ad

SHA256
6f669712f8a4a4b8ce608aa93110393e0347f98fcd8ec1acb843fa07698a530e

SHA512
03e43be995f6044d712c554e8dd509ccf9152997d1c50faaf3b12e370431dc8cbd11956280b4f906f38df5e3e65b3b9fcde795a73e02f4296250fa03ea605a95

Download Submit
C:\Windows\{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe

Filesize
204KB

MD5
73e6d363b3cad3c2b0b276007424295c

SHA1
bcfd58504edffbb5a9ab5108a8e0f86d5483bdba

SHA256
227626187862fe823bfac83c97ccb180da53ec8f6d30526b9be15de2b3c8d0b5

SHA512
53c13f85660d92f0271f421c176c4c9cfed02304bab2b0aa1a5357a0c2bb171d86a6d9187ec19c7abcc9ec6b5fb825d682825b3ac59fcc74e75c86f40fb89e31

Download Submit
C:\Windows\{A383E4F2-B690-49fe-88B9-C6FA2C253529}.exe

Filesize
204KB

MD5
73e6d363b3cad3c2b0b276007424295c

SHA1
bcfd58504edffbb5a9ab5108a8e0f86d5483bdba

SHA256
227626187862fe823bfac83c97ccb180da53ec8f6d30526b9be15de2b3c8d0b5

SHA512
53c13f85660d92f0271f421c176c4c9cfed02304bab2b0aa1a5357a0c2bb171d86a6d9187ec19c7abcc9ec6b5fb825d682825b3ac59fcc74e75c86f40fb89e31

Download Submit
C:\Windows\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe

Filesize
204KB

MD5
0317899351ae6985a3d8dd5ed3168313

SHA1
4091e0a36a08fc36995ca0f25351482afac73828

SHA256
89cd5e2fbc10274426adc09bf0a25ec74dcc437656b35fbb4294c683cf959ad7

SHA512
5a73aaab7faf9a0ceb0cbcfd359527eff21a0e6fd10c9754209e0b0687af6573ad431af8e201f91ee0443f50f3d2bf37a46802d9d179298562607289b9f42de1

Download Submit
C:\Windows\{B16A1AE8-7B7C-4f3a-8DF6-A7E2B8FC63DC}.exe

Filesize
204KB

MD5
0317899351ae6985a3d8dd5ed3168313

SHA1
4091e0a36a08fc36995ca0f25351482afac73828

SHA256
89cd5e2fbc10274426adc09bf0a25ec74dcc437656b35fbb4294c683cf959ad7

SHA512
5a73aaab7faf9a0ceb0cbcfd359527eff21a0e6fd10c9754209e0b0687af6573ad431af8e201f91ee0443f50f3d2bf37a46802d9d179298562607289b9f42de1

Download Submit
C:\Windows\{B170B3AE-1FFA-4a46-9E9D-3CB9C1364BD9}.exe

Filesize
204KB

MD5
e7f7e66fb53c7437cb662e9e09b32569

SHA1
815c7437e5b4236e4de382cb6f3d737141b15b80

SHA256
c9070279f394a25268b3449436ba3c5c1b6b3087b41906e8b30ace890b09c5fb

SHA512
8c9d23152d0aef2ad95b420a6bd3519a436f4ebd3addb5457600f917868bd778f8d36986c8d3d3b2ef59016114fdd93a567900bd515c5002dcbd46ac814b3e2f

Download Submit
C:\Windows\{B8673933-585C-4505-AA57-936663E9FEC3}.exe

Filesize
204KB

MD5
08b79d5ba2710f3e5919a0bd080da1ac

SHA1
7bdf575b4ffc52a581bcfcda4ca855431811f490

SHA256
f223efc851f8d31167e24f16bf2ee89e24a3eba1c88ba6a0666d8a057df2380e

SHA512
5501a280f5413aca1744636a0de9bb37a62d7520f529f9c6b9e6f7a671f12422db49c614be58b19737c1c3db3c9a3ed4682636212556a1af289b0050d40c3b15

Download Submit
C:\Windows\{B8673933-585C-4505-AA57-936663E9FEC3}.exe

Filesize
204KB

MD5
08b79d5ba2710f3e5919a0bd080da1ac

SHA1
7bdf575b4ffc52a581bcfcda4ca855431811f490

SHA256
f223efc851f8d31167e24f16bf2ee89e24a3eba1c88ba6a0666d8a057df2380e

SHA512
5501a280f5413aca1744636a0de9bb37a62d7520f529f9c6b9e6f7a671f12422db49c614be58b19737c1c3db3c9a3ed4682636212556a1af289b0050d40c3b15

Download Submit
C:\Windows\{C038D381-40DA-4057-9EAB-4A72750438EC}.exe

Filesize
204KB

MD5
fad7eb9a84e1f608e9ff44e4af1613a5

SHA1
546101a096fbb3f7c9e0617bd0daa79dd0fa53a5

SHA256
a5565a89f14ef5215e120e009987edda7f0320083fc1297d5902d235ccdf2c51

SHA512
ffe17f32b02179c763f3829c09cf05b80f76017c69df09ccc3609bd74aa8e8b10300c7166fc4f925f0bfd24a79faa04a7a325556f23282c4394134c2d3917cff

Download Submit
C:\Windows\{C038D381-40DA-4057-9EAB-4A72750438EC}.exe

Filesize
204KB

MD5
fad7eb9a84e1f608e9ff44e4af1613a5

SHA1
546101a096fbb3f7c9e0617bd0daa79dd0fa53a5

SHA256
a5565a89f14ef5215e120e009987edda7f0320083fc1297d5902d235ccdf2c51

SHA512
ffe17f32b02179c763f3829c09cf05b80f76017c69df09ccc3609bd74aa8e8b10300c7166fc4f925f0bfd24a79faa04a7a325556f23282c4394134c2d3917cff

Download Submit
C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe

Filesize
204KB

MD5
55d0592a7bc8682ee65d526695e71038

SHA1
0b07edea314a168742a2208b20d6a4a75d6c5780

SHA256
efff3cacd7908ed18a1d9caaa3f2a2bdd8e4140206ec9a607c461953a08a0a02

SHA512
1f6c44994ff889c411c395946eee723ee816dcb676da0283a94e5bc672c675543006582ab398ac22b2e31088607750c22bc1ff839ace06987f3ff03cef39bbc1

Download Submit
C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe

Filesize
204KB

MD5
55d0592a7bc8682ee65d526695e71038

SHA1
0b07edea314a168742a2208b20d6a4a75d6c5780

SHA256
efff3cacd7908ed18a1d9caaa3f2a2bdd8e4140206ec9a607c461953a08a0a02

SHA512
1f6c44994ff889c411c395946eee723ee816dcb676da0283a94e5bc672c675543006582ab398ac22b2e31088607750c22bc1ff839ace06987f3ff03cef39bbc1

Download Submit