4004871d42c681ae88a2ea2c4407905476fdceae4058703cf2640bc0bcf2ae9b

Analysis

max time kernel
147s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337f075f6d785aexeexeexeex.exe
Size

408KB
MD5

337f075f6d785a27edead596bdc36cbf
SHA1

e5124aea62a2ffcb22b68ebc8f33c34770b9ecff
SHA256

4004871d42c681ae88a2ea2c4407905476fdceae4058703cf2640bc0bcf2ae9b
SHA512

1bf67547c7bcacfa773f12acff64df9b454cbe0ae41d8eae43849d5d04304a9f7f488872901b6a23681594ca0fd85f82c68aed302c1c8c2b5db070058d899bce
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGxldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}	337f075f6d785aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}\stubpath = "C:\\Windows\\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe"	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}	{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781F0519-120A-492c-B2DC-A6DE8C789BE7}	{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}\stubpath = "C:\\Windows\\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe"	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EEA5693-6F4F-494f-853E-E7116076432E}	{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}\stubpath = "C:\\Windows\\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe"	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}\stubpath = "C:\\Windows\\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe"	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}\stubpath = "C:\\Windows\\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe"	{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}\stubpath = "C:\\Windows\\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe"	{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}\stubpath = "C:\\Windows\\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe"	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}	{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}\stubpath = "C:\\Windows\\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe"	337f075f6d785aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D99F60C-AA4D-4874-B702-3E4C5017B563}	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D99F60C-AA4D-4874-B702-3E4C5017B563}\stubpath = "C:\\Windows\\{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe"	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE57F80F-0276-49cf-8327-A63C514F7195}	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE57F80F-0276-49cf-8327-A63C514F7195}\stubpath = "C:\\Windows\\{BE57F80F-0276-49cf-8327-A63C514F7195}.exe"	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EEA5693-6F4F-494f-853E-E7116076432E}\stubpath = "C:\\Windows\\{8EEA5693-6F4F-494f-853E-E7116076432E}.exe"	{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{781F0519-120A-492c-B2DC-A6DE8C789BE7}\stubpath = "C:\\Windows\\{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe"	{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}	{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}\stubpath = "C:\\Windows\\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}.exe"	{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe

Deletes itself 1 IoCs

pid	Process
1624	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
2216	{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
2628	{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
2776	{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
2748	{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
2600	{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe
3016	{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
File created	C:\Windows\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
File created	C:\Windows\{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe	{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
File created	C:\Windows\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	337f075f6d785aexeexeexeex.exe
File created	C:\Windows\{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
File created	C:\Windows\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
File created	C:\Windows\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
File created	C:\Windows\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
File created	C:\Windows\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe	{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
File created	C:\Windows\{8EEA5693-6F4F-494f-853E-E7116076432E}.exe	{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
File created	C:\Windows\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe	{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
File created	C:\Windows\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
File created	C:\Windows\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}.exe	{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	337f075f6d785aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
Token: SeIncBasePriorityPrivilege	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
Token: SeIncBasePriorityPrivilege	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
Token: SeIncBasePriorityPrivilege	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
Token: SeIncBasePriorityPrivilege	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
Token: SeIncBasePriorityPrivilege	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
Token: SeIncBasePriorityPrivilege	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
Token: SeIncBasePriorityPrivilege	2216	{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
Token: SeIncBasePriorityPrivilege	2628	{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
Token: SeIncBasePriorityPrivilege	2776	{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
Token: SeIncBasePriorityPrivilege	2748	{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
Token: SeIncBasePriorityPrivilege	2600	{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2912	2104	337f075f6d785aexeexeexeex.exe	28
PID 2104 wrote to memory of 2912	2104	337f075f6d785aexeexeexeex.exe	28
PID 2104 wrote to memory of 2912	2104	337f075f6d785aexeexeexeex.exe	28
PID 2104 wrote to memory of 2912	2104	337f075f6d785aexeexeexeex.exe	28
PID 2104 wrote to memory of 1624	2104	337f075f6d785aexeexeexeex.exe	29
PID 2104 wrote to memory of 1624	2104	337f075f6d785aexeexeexeex.exe	29
PID 2104 wrote to memory of 1624	2104	337f075f6d785aexeexeexeex.exe	29
PID 2104 wrote to memory of 1624	2104	337f075f6d785aexeexeexeex.exe	29
PID 2912 wrote to memory of 1696	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	30
PID 2912 wrote to memory of 1696	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	30
PID 2912 wrote to memory of 1696	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	30
PID 2912 wrote to memory of 1696	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	30
PID 2912 wrote to memory of 2136	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	31
PID 2912 wrote to memory of 2136	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	31
PID 2912 wrote to memory of 2136	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	31
PID 2912 wrote to memory of 2136	2912	{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe	31
PID 1696 wrote to memory of 556	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	32
PID 1696 wrote to memory of 556	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	32
PID 1696 wrote to memory of 556	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	32
PID 1696 wrote to memory of 556	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	32
PID 1696 wrote to memory of 2968	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	33
PID 1696 wrote to memory of 2968	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	33
PID 1696 wrote to memory of 2968	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	33
PID 1696 wrote to memory of 2968	1696	{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe	33
PID 556 wrote to memory of 3040	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	35
PID 556 wrote to memory of 3040	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	35
PID 556 wrote to memory of 3040	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	35
PID 556 wrote to memory of 3040	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	35
PID 556 wrote to memory of 2220	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	34
PID 556 wrote to memory of 2220	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	34
PID 556 wrote to memory of 2220	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	34
PID 556 wrote to memory of 2220	556	{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe	34
PID 3040 wrote to memory of 1436	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	37
PID 3040 wrote to memory of 1436	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	37
PID 3040 wrote to memory of 1436	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	37
PID 3040 wrote to memory of 1436	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	37
PID 3040 wrote to memory of 2228	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	36
PID 3040 wrote to memory of 2228	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	36
PID 3040 wrote to memory of 2228	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	36
PID 3040 wrote to memory of 2228	3040	{BE57F80F-0276-49cf-8327-A63C514F7195}.exe	36
PID 1436 wrote to memory of 868	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	39
PID 1436 wrote to memory of 868	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	39
PID 1436 wrote to memory of 868	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	39
PID 1436 wrote to memory of 868	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	39
PID 1436 wrote to memory of 2172	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	38
PID 1436 wrote to memory of 2172	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	38
PID 1436 wrote to memory of 2172	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	38
PID 1436 wrote to memory of 2172	1436	{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe	38
PID 868 wrote to memory of 2308	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	41
PID 868 wrote to memory of 2308	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	41
PID 868 wrote to memory of 2308	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	41
PID 868 wrote to memory of 2308	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	41
PID 868 wrote to memory of 576	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	40
PID 868 wrote to memory of 576	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	40
PID 868 wrote to memory of 576	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	40
PID 868 wrote to memory of 576	868	{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe	40
PID 2308 wrote to memory of 2216	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	43
PID 2308 wrote to memory of 2216	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	43
PID 2308 wrote to memory of 2216	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	43
PID 2308 wrote to memory of 2216	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	43
PID 2308 wrote to memory of 1056	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	42
PID 2308 wrote to memory of 1056	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	42
PID 2308 wrote to memory of 1056	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	42
PID 2308 wrote to memory of 1056	2308	{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe	42

C:\Users\Admin\AppData\Local\Temp\337f075f6d785aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\337f075f6d785aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
  C:\Windows\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
    C:\Windows\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
      C:\Windows\{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D99F~1.EXE > nul
        5⤵
        
        PID:2220
    - - C:\Windows\{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
        
        C:\Windows\{BE57F80F-0276-49cf-8327-A63C514F7195}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE57F~1.EXE > nul
        6⤵
        
        PID:2228
      - C:\Windows\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
        
        C:\Windows\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B09A1~1.EXE > nul
        7⤵
        
        PID:2172
        
        C:\Windows\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
        
        C:\Windows\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9330E~1.EXE > nul
        8⤵
        
        PID:576
        
        C:\Windows\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
        
        C:\Windows\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D847~1.EXE > nul
        9⤵
        
        PID:1056
        
        C:\Windows\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
        
        C:\Windows\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68BE3~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
        
        C:\Windows\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC55~1.EXE > nul
        11⤵
        
        PID:2608
        
        C:\Windows\{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
        
        C:\Windows\{8EEA5693-6F4F-494f-853E-E7116076432E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEA5~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
        
        C:\Windows\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9D7D~1.EXE > nul
        13⤵
        
        PID:2512
        
        C:\Windows\{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe
        
        C:\Windows\{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}.exe
        
        C:\Windows\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}.exe
        14⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{781F0~1.EXE > nul
        14⤵
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D71~1.EXE > nul
      4⤵
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F001~1.EXE > nul
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\337F07~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe

Filesize
408KB

MD5
315a8c1613561b40c42aacd5d663afcc

SHA1
7b6292c5db12d2921844d7f8f353407b36c0d5a5

SHA256
1bf2421f3ef6887f30ded68a8c896e1d6ff368d18b522539c0757f9fab73dcda

SHA512
f3570189e08403674585ce09f7b48633e2c07e6c5889ebfdfa6f3dcc283e2a62e288b08fd1f6bb9721e7a5e2ec1b9a0728df131433df3678c3c889e7de449696

Download Submit
C:\Windows\{4CC55439-AD47-4881-A099-88C7F7F9CDD6}.exe

Filesize
408KB

MD5
315a8c1613561b40c42aacd5d663afcc

SHA1
7b6292c5db12d2921844d7f8f353407b36c0d5a5

SHA256
1bf2421f3ef6887f30ded68a8c896e1d6ff368d18b522539c0757f9fab73dcda

SHA512
f3570189e08403674585ce09f7b48633e2c07e6c5889ebfdfa6f3dcc283e2a62e288b08fd1f6bb9721e7a5e2ec1b9a0728df131433df3678c3c889e7de449696

Download Submit
C:\Windows\{5FF4DFF1-AB3E-4d4c-98B7-8CB2CC2302A3}.exe

Filesize
408KB

MD5
53396e33ed593393d23e3cf8032ee523

SHA1
c95ea0e57ac98db1e98d3749345e93e162b0440e

SHA256
73c96a9d2457d41e9c14b63ee4d5816de2a53b8a15a63ba88e63c65a40f8bfc1

SHA512
f3600b4a82854b056a0d438074cdbb26842c419fd9dc6120a7619c3056d430f9418fe3746f7c452a4f835de28bbec42abe172d67bbff1f7553e199b3207f30df

Download Submit
C:\Windows\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe

Filesize
408KB

MD5
c33a2547b5d8c2eb438d84f34edfdb9c

SHA1
4eae314cea4cbe9a660144c59d1c85cbe170b597

SHA256
bb84c9a311d10ed3746525dbca783862cf4031a25a06c417a373b135365009df

SHA512
474ecd336acf0c5a71cba42cf4da8080fc56fb8cf56cf8179dc903453a288a16688b45a88d52a1009e4b5e7d74943fbab6a224c6abe0747498c6edf23019fdb7

Download Submit
C:\Windows\{68BE3614-F6B4-456b-AA6F-0B85628B0CBC}.exe

Filesize
408KB

MD5
c33a2547b5d8c2eb438d84f34edfdb9c

SHA1
4eae314cea4cbe9a660144c59d1c85cbe170b597

SHA256
bb84c9a311d10ed3746525dbca783862cf4031a25a06c417a373b135365009df

SHA512
474ecd336acf0c5a71cba42cf4da8080fc56fb8cf56cf8179dc903453a288a16688b45a88d52a1009e4b5e7d74943fbab6a224c6abe0747498c6edf23019fdb7

Download Submit
C:\Windows\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe

Filesize
408KB

MD5
248d3ac8aea77c36550df0a44f38e044

SHA1
ec9c64780461583e84bb6e74c0cefd4cdbe435bb

SHA256
78578bf64603877f8fd2f2448e2b61525b28d9096892a7f90e610af257aced8e

SHA512
2ddf03e90059cfcd4495fc28a324e796a45c760138e3f93097acbd83a09cf35564ad22c02e0e2b6890d95abc0400f10dc64812c6740a8c4fdc3c083ded5e16ac

Download Submit
C:\Windows\{6D8475C4-77A7-4521-ACF2-FBAC58055AE9}.exe

Filesize
408KB

MD5
248d3ac8aea77c36550df0a44f38e044

SHA1
ec9c64780461583e84bb6e74c0cefd4cdbe435bb

SHA256
78578bf64603877f8fd2f2448e2b61525b28d9096892a7f90e610af257aced8e

SHA512
2ddf03e90059cfcd4495fc28a324e796a45c760138e3f93097acbd83a09cf35564ad22c02e0e2b6890d95abc0400f10dc64812c6740a8c4fdc3c083ded5e16ac

Download Submit
C:\Windows\{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe

Filesize
408KB

MD5
159c7e1475909a755039f38b601061b0

SHA1
6421a79d906bce5b59f4f88ce1d5a715fd03e111

SHA256
c72891e29f79118d6104434de5a5b5f3f9e32073910887fa0eed64ae672def12

SHA512
7b068a1983d022743c1f2bb7f52901813d502678bb48867e4c3581c19007115685f5678298c87150a472813679e2eae72de27e184b9e4da48e61669b18c252ea

Download Submit
C:\Windows\{781F0519-120A-492c-B2DC-A6DE8C789BE7}.exe

Filesize
408KB

MD5
159c7e1475909a755039f38b601061b0

SHA1
6421a79d906bce5b59f4f88ce1d5a715fd03e111

SHA256
c72891e29f79118d6104434de5a5b5f3f9e32073910887fa0eed64ae672def12

SHA512
7b068a1983d022743c1f2bb7f52901813d502678bb48867e4c3581c19007115685f5678298c87150a472813679e2eae72de27e184b9e4da48e61669b18c252ea

Download Submit
C:\Windows\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe

Filesize
408KB

MD5
0067f73df81c391bd67ab541e47a72da

SHA1
4d5f4692dd768e05e88b5d5dadd06b706e48aaa6

SHA256
051aac9f91a98cad73c4e4cb10c0cddbe92957fb7f4e420db614f9d444a56622

SHA512
65a32139d1a1122c8a70eca317daf66ea3c6baf191307ee96ab447f8e668b33490a5e3fef2c6f1da86c496629835e6f012e6d667cf52b739790348b5d95cc114

Download Submit
C:\Windows\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe

Filesize
408KB

MD5
0067f73df81c391bd67ab541e47a72da

SHA1
4d5f4692dd768e05e88b5d5dadd06b706e48aaa6

SHA256
051aac9f91a98cad73c4e4cb10c0cddbe92957fb7f4e420db614f9d444a56622

SHA512
65a32139d1a1122c8a70eca317daf66ea3c6baf191307ee96ab447f8e668b33490a5e3fef2c6f1da86c496629835e6f012e6d667cf52b739790348b5d95cc114

Download Submit
C:\Windows\{7F001169-73EC-4b34-BE6C-32B2A151C0AA}.exe

Filesize
408KB

MD5
0067f73df81c391bd67ab541e47a72da

SHA1
4d5f4692dd768e05e88b5d5dadd06b706e48aaa6

SHA256
051aac9f91a98cad73c4e4cb10c0cddbe92957fb7f4e420db614f9d444a56622

SHA512
65a32139d1a1122c8a70eca317daf66ea3c6baf191307ee96ab447f8e668b33490a5e3fef2c6f1da86c496629835e6f012e6d667cf52b739790348b5d95cc114

Download Submit
C:\Windows\{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe

Filesize
408KB

MD5
6382f0c671bb5829ef88c533ee3dac0d

SHA1
830cc9eb906be74d9da4e8ff11c80a5de49726ac

SHA256
4f56eecc833d73496537ec1904290706c0243d4f072817000348a0074b4c2ea3

SHA512
7dcde97e54d99951a8c6df5448c1ac0d263feae3c247558db7c35f53a475df38e4df9514ac2eabc39ebba790fa04cf490a9ab21aa542d63499dd90bdb0e7b60d

Download Submit
C:\Windows\{8D99F60C-AA4D-4874-B702-3E4C5017B563}.exe

Filesize
408KB

MD5
6382f0c671bb5829ef88c533ee3dac0d

SHA1
830cc9eb906be74d9da4e8ff11c80a5de49726ac

SHA256
4f56eecc833d73496537ec1904290706c0243d4f072817000348a0074b4c2ea3

SHA512
7dcde97e54d99951a8c6df5448c1ac0d263feae3c247558db7c35f53a475df38e4df9514ac2eabc39ebba790fa04cf490a9ab21aa542d63499dd90bdb0e7b60d

Download Submit
C:\Windows\{8EEA5693-6F4F-494f-853E-E7116076432E}.exe

Filesize
408KB

MD5
bb515a54322efc88ef24d686f00955e5

SHA1
255ef7a2aa54ae15b0bb8fdb6fc61b7f2bc5df96

SHA256
2bc1a68285262b6a89ba67736b87c5626f96ac1b2c9fa0d2f0734a568a258a08

SHA512
3dd72e6cd7b177ec131316f44d763f7a41e43dc2d38e3cf18676f1c4389606691bbab42bdab30bdc78c82c1ad8349e93444a2fbc72337aec17d3d25cb589c10c

Download Submit
C:\Windows\{8EEA5693-6F4F-494f-853E-E7116076432E}.exe

Filesize
408KB

MD5
bb515a54322efc88ef24d686f00955e5

SHA1
255ef7a2aa54ae15b0bb8fdb6fc61b7f2bc5df96

SHA256
2bc1a68285262b6a89ba67736b87c5626f96ac1b2c9fa0d2f0734a568a258a08

SHA512
3dd72e6cd7b177ec131316f44d763f7a41e43dc2d38e3cf18676f1c4389606691bbab42bdab30bdc78c82c1ad8349e93444a2fbc72337aec17d3d25cb589c10c

Download Submit
C:\Windows\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe

Filesize
408KB

MD5
155864be3961a397f8a2453a5002bc68

SHA1
a261771ba5109d21a7d536025b18e092d6de2bbd

SHA256
164819f991b2af1616ed1247f39d200b182babe692a45b82bc5df7e6240f1338

SHA512
b94c17a5605f1282b9791814208e3826db54a1c41985ecb4f2b3d7aabc590707418b78db2a59e08735601469a7f8cc6b67f5d7ec93dd1c1cded60c87bfe31811

Download Submit
C:\Windows\{9330E735-F324-4d1b-A2C2-B3B2D223EAB3}.exe

Filesize
408KB

MD5
155864be3961a397f8a2453a5002bc68

SHA1
a261771ba5109d21a7d536025b18e092d6de2bbd

SHA256
164819f991b2af1616ed1247f39d200b182babe692a45b82bc5df7e6240f1338

SHA512
b94c17a5605f1282b9791814208e3826db54a1c41985ecb4f2b3d7aabc590707418b78db2a59e08735601469a7f8cc6b67f5d7ec93dd1c1cded60c87bfe31811

Download Submit
C:\Windows\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe

Filesize
408KB

MD5
a7904028b19b1ab0189efa1c88864bf9

SHA1
621de3446cf7d00b574e6c4df0213d81e2a986ed

SHA256
ab57d60a8378b5b1b04a10528169ef861eaefb70ac1abed684973117249c31c2

SHA512
a25eb8b087fa0917472d9c046d418cfe1968442c4b593d40784cc456d524467433d58f7018c70312fa569341f11573f1368e864e8e402ac5bbaede596c9ad98c

Download Submit
C:\Windows\{B09A1D6C-09C4-4003-8AE0-7C71628006D9}.exe

Filesize
408KB

MD5
a7904028b19b1ab0189efa1c88864bf9

SHA1
621de3446cf7d00b574e6c4df0213d81e2a986ed

SHA256
ab57d60a8378b5b1b04a10528169ef861eaefb70ac1abed684973117249c31c2

SHA512
a25eb8b087fa0917472d9c046d418cfe1968442c4b593d40784cc456d524467433d58f7018c70312fa569341f11573f1368e864e8e402ac5bbaede596c9ad98c

Download Submit
C:\Windows\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe

Filesize
408KB

MD5
cd2184c1057738381406bcf69c6f9a7a

SHA1
fecf8919a716d394de50e7d865d915a95016eeae

SHA256
5df5e0085e0af3bc675d77fd3a7e3ed4ceed140dff0a7a0f23d0f615db06c77b

SHA512
fa1e8c4f3e9992f843e04606152e5ef5f07fa926e23cf272e0923515d71c1ae66dc268f6a7fc5ceefcf0469019cc1b6b2b5863f37c06fbf3e281eada2694251a

Download Submit
C:\Windows\{B2D710E8-E9A6-4c23-93F4-533D0270FBCB}.exe

Filesize
408KB

MD5
cd2184c1057738381406bcf69c6f9a7a

SHA1
fecf8919a716d394de50e7d865d915a95016eeae

SHA256
5df5e0085e0af3bc675d77fd3a7e3ed4ceed140dff0a7a0f23d0f615db06c77b

SHA512
fa1e8c4f3e9992f843e04606152e5ef5f07fa926e23cf272e0923515d71c1ae66dc268f6a7fc5ceefcf0469019cc1b6b2b5863f37c06fbf3e281eada2694251a

Download Submit
C:\Windows\{BE57F80F-0276-49cf-8327-A63C514F7195}.exe

Filesize
408KB

MD5
f5c24b0d8615e0530ad2fe0b33308600

SHA1
19e8418b5194898a7c57675c6b8dfaf4b3e6f618

SHA256
e3f869c35864beccc6fba552b832ad8dbadad5ea7b447adfabc5f4a54182a5ac

SHA512
b9cf1419d0aae236e20f5bdb6aeff048ee53356019cfa79d0ea0ac69615793902d4a704b3605c5a83d3054099f5c7e705d98e6da22b34afc338b401d57c2bc89

Download Submit
C:\Windows\{BE57F80F-0276-49cf-8327-A63C514F7195}.exe

Filesize
408KB

MD5
f5c24b0d8615e0530ad2fe0b33308600

SHA1
19e8418b5194898a7c57675c6b8dfaf4b3e6f618

SHA256
e3f869c35864beccc6fba552b832ad8dbadad5ea7b447adfabc5f4a54182a5ac

SHA512
b9cf1419d0aae236e20f5bdb6aeff048ee53356019cfa79d0ea0ac69615793902d4a704b3605c5a83d3054099f5c7e705d98e6da22b34afc338b401d57c2bc89

Download Submit
C:\Windows\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe

Filesize
408KB

MD5
8b3cbb6773e10febf9f12321e8bed77e

SHA1
1ca1c7ab280233af7e7822f39f2e94cca456534b

SHA256
c7ce384b2b35612181b24cda3f0f18fcf838b99726976a88e74daba7185a0d5d

SHA512
9308c0627baad193b4cb10d46488f8af69118346c391c6661f1bd67f5e4a246d27b0112234203929d30d6f37b3256cc268173a2ec40a89dd6668e91d1d7e27fd

Download Submit
C:\Windows\{F9D7DF7E-4335-4b17-8DBA-4DF67361667F}.exe

Filesize
408KB

MD5
8b3cbb6773e10febf9f12321e8bed77e

SHA1
1ca1c7ab280233af7e7822f39f2e94cca456534b

SHA256
c7ce384b2b35612181b24cda3f0f18fcf838b99726976a88e74daba7185a0d5d

SHA512
9308c0627baad193b4cb10d46488f8af69118346c391c6661f1bd67f5e4a246d27b0112234203929d30d6f37b3256cc268173a2ec40a89dd6668e91d1d7e27fd

Download Submit