c83c5e20463279ca92c312cf26c1a2d0b69a885be0c47858c95911db601f793b

Analysis

max time kernel
148s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30190654f0f55dexeexeexeex.exe
Size

204KB
MD5

30190654f0f55dffbf370b848763b1dd
SHA1

e0b8e8b27f8323f0f21e4f214aa692fd0456e399
SHA256

c83c5e20463279ca92c312cf26c1a2d0b69a885be0c47858c95911db601f793b
SHA512

b284fbbd808b2b2c31acdc41a4963b8cd87c1019ec48f7c65806f5c07856a83bc1e92006eed0d2df53390e423af1cd963f7a9fc39c0bf6796549acce249ab4e0
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}	{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03C7CCF7-183C-4735-BC38-731926125FE9}\stubpath = "C:\\Windows\\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe"	30190654f0f55dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8422F0-0123-44b9-85AB-F704D9B46453}	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB66F813-4BCC-44a8-9734-14BDC32A3637}\stubpath = "C:\\Windows\\{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe"	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96DB1E21-DC78-4e6a-8779-19530D6F5705}	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}	{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03C7CCF7-183C-4735-BC38-731926125FE9}	30190654f0f55dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8422F0-0123-44b9-85AB-F704D9B46453}\stubpath = "C:\\Windows\\{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe"	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}\stubpath = "C:\\Windows\\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe"	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}\stubpath = "C:\\Windows\\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe"	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B7659FC-375B-4e1a-BF23-361C9D45B220}	{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}	{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}\stubpath = "C:\\Windows\\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe"	{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}\stubpath = "C:\\Windows\\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}.exe"	{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB66F813-4BCC-44a8-9734-14BDC32A3637}	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96DB1E21-DC78-4e6a-8779-19530D6F5705}\stubpath = "C:\\Windows\\{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe"	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}\stubpath = "C:\\Windows\\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe"	{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2547D1D4-7AA8-474b-A401-FBCD3381010A}	{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B7659FC-375B-4e1a-BF23-361C9D45B220}\stubpath = "C:\\Windows\\{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe"	{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}\stubpath = "C:\\Windows\\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe"	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}\stubpath = "C:\\Windows\\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe"	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2547D1D4-7AA8-474b-A401-FBCD3381010A}\stubpath = "C:\\Windows\\{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe"	{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
2016	{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
772	{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe
2756	{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe
2720	{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
2988	{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe
2500	{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
File created	C:\Windows\{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe	{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
File created	C:\Windows\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}.exe	{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe
File created	C:\Windows\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
File created	C:\Windows\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
File created	C:\Windows\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
File created	C:\Windows\{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
File created	C:\Windows\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
File created	C:\Windows\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	30190654f0f55dexeexeexeex.exe
File created	C:\Windows\{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
File created	C:\Windows\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe	{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
File created	C:\Windows\{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe	{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe
File created	C:\Windows\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe	{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2084	30190654f0f55dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
Token: SeIncBasePriorityPrivilege	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
Token: SeIncBasePriorityPrivilege	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
Token: SeIncBasePriorityPrivilege	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
Token: SeIncBasePriorityPrivilege	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
Token: SeIncBasePriorityPrivilege	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
Token: SeIncBasePriorityPrivilege	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
Token: SeIncBasePriorityPrivilege	2016	{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
Token: SeIncBasePriorityPrivilege	772	{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe
Token: SeIncBasePriorityPrivilege	2756	{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe
Token: SeIncBasePriorityPrivilege	2720	{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
Token: SeIncBasePriorityPrivilege	2988	{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2392	2084	30190654f0f55dexeexeexeex.exe	29
PID 2084 wrote to memory of 2392	2084	30190654f0f55dexeexeexeex.exe	29
PID 2084 wrote to memory of 2392	2084	30190654f0f55dexeexeexeex.exe	29
PID 2084 wrote to memory of 2392	2084	30190654f0f55dexeexeexeex.exe	29
PID 2084 wrote to memory of 2024	2084	30190654f0f55dexeexeexeex.exe	30
PID 2084 wrote to memory of 2024	2084	30190654f0f55dexeexeexeex.exe	30
PID 2084 wrote to memory of 2024	2084	30190654f0f55dexeexeexeex.exe	30
PID 2084 wrote to memory of 2024	2084	30190654f0f55dexeexeexeex.exe	30
PID 2392 wrote to memory of 1820	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	31
PID 2392 wrote to memory of 1820	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	31
PID 2392 wrote to memory of 1820	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	31
PID 2392 wrote to memory of 1820	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	31
PID 2392 wrote to memory of 668	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	32
PID 2392 wrote to memory of 668	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	32
PID 2392 wrote to memory of 668	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	32
PID 2392 wrote to memory of 668	2392	{03C7CCF7-183C-4735-BC38-731926125FE9}.exe	32
PID 1820 wrote to memory of 2212	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	33
PID 1820 wrote to memory of 2212	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	33
PID 1820 wrote to memory of 2212	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	33
PID 1820 wrote to memory of 2212	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	33
PID 1820 wrote to memory of 544	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	34
PID 1820 wrote to memory of 544	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	34
PID 1820 wrote to memory of 544	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	34
PID 1820 wrote to memory of 544	1820	{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe	34
PID 2212 wrote to memory of 2060	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	36
PID 2212 wrote to memory of 2060	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	36
PID 2212 wrote to memory of 2060	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	36
PID 2212 wrote to memory of 2060	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	36
PID 2212 wrote to memory of 2124	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	35
PID 2212 wrote to memory of 2124	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	35
PID 2212 wrote to memory of 2124	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	35
PID 2212 wrote to memory of 2124	2212	{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe	35
PID 2060 wrote to memory of 384	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	37
PID 2060 wrote to memory of 384	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	37
PID 2060 wrote to memory of 384	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	37
PID 2060 wrote to memory of 384	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	37
PID 2060 wrote to memory of 2812	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	38
PID 2060 wrote to memory of 2812	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	38
PID 2060 wrote to memory of 2812	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	38
PID 2060 wrote to memory of 2812	2060	{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe	38
PID 384 wrote to memory of 1316	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	39
PID 384 wrote to memory of 1316	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	39
PID 384 wrote to memory of 1316	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	39
PID 384 wrote to memory of 1316	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	39
PID 384 wrote to memory of 1080	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	40
PID 384 wrote to memory of 1080	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	40
PID 384 wrote to memory of 1080	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	40
PID 384 wrote to memory of 1080	384	{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe	40
PID 1316 wrote to memory of 3036	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	41
PID 1316 wrote to memory of 3036	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	41
PID 1316 wrote to memory of 3036	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	41
PID 1316 wrote to memory of 3036	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	41
PID 1316 wrote to memory of 980	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	42
PID 1316 wrote to memory of 980	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	42
PID 1316 wrote to memory of 980	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	42
PID 1316 wrote to memory of 980	1316	{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe	42
PID 3036 wrote to memory of 2016	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	44
PID 3036 wrote to memory of 2016	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	44
PID 3036 wrote to memory of 2016	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	44
PID 3036 wrote to memory of 2016	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	44
PID 3036 wrote to memory of 2336	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	43
PID 3036 wrote to memory of 2336	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	43
PID 3036 wrote to memory of 2336	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	43
PID 3036 wrote to memory of 2336	3036	{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe	43

C:\Users\Admin\AppData\Local\Temp\30190654f0f55dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\30190654f0f55dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
  C:\Windows\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
    C:\Windows\{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
      C:\Windows\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEBBC~1.EXE > nul
        5⤵
        
        PID:2124
    - - C:\Windows\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
        
        C:\Windows\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
        
        C:\Windows\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
        
        C:\Windows\{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
        
        C:\Windows\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AFBF~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
        
        C:\Windows\{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96DB1~1.EXE > nul
        10⤵
        
        PID:2624
        
        C:\Windows\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe
        
        C:\Windows\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79DA4~1.EXE > nul
        11⤵
        
        PID:2628
        
        C:\Windows\{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe
        
        C:\Windows\{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
        
        C:\Windows\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe
        
        C:\Windows\{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B765~1.EXE > nul
        14⤵
        
        PID:2612
        
        C:\Windows\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}.exe
        
        C:\Windows\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}.exe
        14⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86CFA~1.EXE > nul
        13⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2547D~1.EXE > nul
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB66F~1.EXE > nul
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D0D0~1.EXE > nul
        7⤵
        
        PID:1080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3A70~1.EXE > nul
        6⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF842~1.EXE > nul
      4⤵
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03C7C~1.EXE > nul
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\301906~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe

Filesize
204KB

MD5
5db316688fe10bc9305f19bf23fc366a

SHA1
b70c457c672b511ac258fa1f3bd57eddbf25e122

SHA256
537c2ad5a88e7e2da9116a1b451fd927adb8ad64e95280e372b2e7c5e6a36f5f

SHA512
b759777f3f1f720bff0215f7af0199a2f1de6134450e3f46141a9be9698c879002024d411614f224e5ab0a22adf3c716ceb5d064a9713e28798137f16b70b680

Download Submit
C:\Windows\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe

Filesize
204KB

MD5
5db316688fe10bc9305f19bf23fc366a

SHA1
b70c457c672b511ac258fa1f3bd57eddbf25e122

SHA256
537c2ad5a88e7e2da9116a1b451fd927adb8ad64e95280e372b2e7c5e6a36f5f

SHA512
b759777f3f1f720bff0215f7af0199a2f1de6134450e3f46141a9be9698c879002024d411614f224e5ab0a22adf3c716ceb5d064a9713e28798137f16b70b680

Download Submit
C:\Windows\{03C7CCF7-183C-4735-BC38-731926125FE9}.exe

Filesize
204KB

MD5
5db316688fe10bc9305f19bf23fc366a

SHA1
b70c457c672b511ac258fa1f3bd57eddbf25e122

SHA256
537c2ad5a88e7e2da9116a1b451fd927adb8ad64e95280e372b2e7c5e6a36f5f

SHA512
b759777f3f1f720bff0215f7af0199a2f1de6134450e3f46141a9be9698c879002024d411614f224e5ab0a22adf3c716ceb5d064a9713e28798137f16b70b680

Download Submit
C:\Windows\{0D8C3EFE-3F69-4b8f-89B7-09323338F1EC}.exe

Filesize
204KB

MD5
10e743cd96bc0116b0d91c54a4fb3eb6

SHA1
e20ad679359f2278505242ad683ba6f530885bbc

SHA256
249e1f0afded47ff6a4a18a8ce9550a938e780df79637457aa8442f9a11c1f69

SHA512
1a3a5dfe5243bfb25420a983c91f841b0eaa8fb154dfd914e395843037ae9d415fad440d34f96722745c2e30c188a2ac96b39d1dc4ff648d8ad13eaf772f2c59

Download Submit
C:\Windows\{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe

Filesize
204KB

MD5
031d81d181292ffb2fd1e78fe42f2f32

SHA1
77b5d9dbf600a297eb26eeed1e06451941a4a24e

SHA256
52c2517ced122c903a811e40847d1849a07a0e9c60066bea73ed548cf9bcabd3

SHA512
ab2f73dc3272420382adaa78add9423d0c72780c4e92d072ad9d793ba2f274135911b3a2859023b60c6efb55ae56a0f30f66d9d7bf42e6c0a45478d6ffff5234

Download Submit
C:\Windows\{2547D1D4-7AA8-474b-A401-FBCD3381010A}.exe

Filesize
204KB

MD5
031d81d181292ffb2fd1e78fe42f2f32

SHA1
77b5d9dbf600a297eb26eeed1e06451941a4a24e

SHA256
52c2517ced122c903a811e40847d1849a07a0e9c60066bea73ed548cf9bcabd3

SHA512
ab2f73dc3272420382adaa78add9423d0c72780c4e92d072ad9d793ba2f274135911b3a2859023b60c6efb55ae56a0f30f66d9d7bf42e6c0a45478d6ffff5234

Download Submit
C:\Windows\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe

Filesize
204KB

MD5
0bb6679a0b4df1f9674054aa7cea0033

SHA1
2dccaac8f7e5add65c4730e36da765ef740380e4

SHA256
e8c9d01d69fb964863e6b0cf6ed80197f6fdd5a9b788494c0c58df55d3c470fe

SHA512
cfa0af7cf3772af2569cd858dc5a8ca6388667c832768989feaf0511a47322e749059af6ad406529b89c9eccd708f246c61c2985b9f2a3c86cf3cef1f8d55697

Download Submit
C:\Windows\{2D0D0097-5CEB-4788-95BF-E3A953AF740B}.exe

Filesize
204KB

MD5
0bb6679a0b4df1f9674054aa7cea0033

SHA1
2dccaac8f7e5add65c4730e36da765ef740380e4

SHA256
e8c9d01d69fb964863e6b0cf6ed80197f6fdd5a9b788494c0c58df55d3c470fe

SHA512
cfa0af7cf3772af2569cd858dc5a8ca6388667c832768989feaf0511a47322e749059af6ad406529b89c9eccd708f246c61c2985b9f2a3c86cf3cef1f8d55697

Download Submit
C:\Windows\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe

Filesize
204KB

MD5
ee092af4223a66b0f56da1eb9f4ca3fc

SHA1
177daada90bc847477b43b6aa3334f6291d6e640

SHA256
811e2b593b015b2e1f9630bc1e5f8ba39ac93bd8294489165c085e599a7ba150

SHA512
b5c9b13c299febd5a2860cc50277754002fdaa8fbd4a4af0fb4e61fb8d1c4e12f67a109c030ac89c5c5b009373eb3f47dc70fbee0811117528b3f507353a3a07

Download Submit
C:\Windows\{3AFBF0F5-6C7C-42c9-A8AF-34302C543DF8}.exe

Filesize
204KB

MD5
ee092af4223a66b0f56da1eb9f4ca3fc

SHA1
177daada90bc847477b43b6aa3334f6291d6e640

SHA256
811e2b593b015b2e1f9630bc1e5f8ba39ac93bd8294489165c085e599a7ba150

SHA512
b5c9b13c299febd5a2860cc50277754002fdaa8fbd4a4af0fb4e61fb8d1c4e12f67a109c030ac89c5c5b009373eb3f47dc70fbee0811117528b3f507353a3a07

Download Submit
C:\Windows\{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe

Filesize
204KB

MD5
1646bfb192dabe109d794451eb638955

SHA1
f2de2eeff163de3a135bae0723ecc2a13c590e10

SHA256
effa63b7f1ebd611c58a148b17754d9a855d529aa86a573976933f4abe4b3b83

SHA512
ef994fc038c8c6faed6092417082a7b01304abeb91c27bec2d8d64492667f4e00663a1ad2f21501765d77884607d5c5b5c1ddedf2cb3e72b4c341c8b12aaf646

Download Submit
C:\Windows\{6B7659FC-375B-4e1a-BF23-361C9D45B220}.exe

Filesize
204KB

MD5
1646bfb192dabe109d794451eb638955

SHA1
f2de2eeff163de3a135bae0723ecc2a13c590e10

SHA256
effa63b7f1ebd611c58a148b17754d9a855d529aa86a573976933f4abe4b3b83

SHA512
ef994fc038c8c6faed6092417082a7b01304abeb91c27bec2d8d64492667f4e00663a1ad2f21501765d77884607d5c5b5c1ddedf2cb3e72b4c341c8b12aaf646

Download Submit
C:\Windows\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe

Filesize
204KB

MD5
0908e10868c9180369145be660723da8

SHA1
baa07ce2eb5f6e4540429f7bc75381be3c6d45e9

SHA256
5754cb8e09755f9b5629a049b6631941a6e74687ad28722826973ec149049cb1

SHA512
b069e104ad717d40d1d1b37a35f89510b8758d752eb7389f79841d85fbb996497a64de310a57402a5775ceab33be7dc0f27ea190dade5b18025ff072962f8095

Download Submit
C:\Windows\{79DA4C9D-58A1-42b1-ACAC-4FA6474D6349}.exe

Filesize
204KB

MD5
0908e10868c9180369145be660723da8

SHA1
baa07ce2eb5f6e4540429f7bc75381be3c6d45e9

SHA256
5754cb8e09755f9b5629a049b6631941a6e74687ad28722826973ec149049cb1

SHA512
b069e104ad717d40d1d1b37a35f89510b8758d752eb7389f79841d85fbb996497a64de310a57402a5775ceab33be7dc0f27ea190dade5b18025ff072962f8095

Download Submit
C:\Windows\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe

Filesize
204KB

MD5
adb0a3ace94e1e789b33aa5d65005e33

SHA1
d085e60d64561df4d41bf2ddfb9707438698d974

SHA256
4379379490deb63578a4756b6fdbb14646da55f7d62b6585ca2431ee3de9761a

SHA512
35a3bafc02fdecf5824d883ac6e36cace39f1d36f88c8eed8fa0f731973e6fb0a9b1d2f552270942358b0d9dd196e76066720f317eff15d3feca87278699153e

Download Submit
C:\Windows\{86CFA1EB-32FB-43e3-B056-A582CA9A3470}.exe

Filesize
204KB

MD5
adb0a3ace94e1e789b33aa5d65005e33

SHA1
d085e60d64561df4d41bf2ddfb9707438698d974

SHA256
4379379490deb63578a4756b6fdbb14646da55f7d62b6585ca2431ee3de9761a

SHA512
35a3bafc02fdecf5824d883ac6e36cace39f1d36f88c8eed8fa0f731973e6fb0a9b1d2f552270942358b0d9dd196e76066720f317eff15d3feca87278699153e

Download Submit
C:\Windows\{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe

Filesize
204KB

MD5
19113d7d015cd5c856792022953ac3c9

SHA1
cb6e70c9cb87f54aa0f9d334065f4f0f6c5f027a

SHA256
6f8b97f057084552c5eb8ca96ba94b7ca02ec5a1a30025e11bc662a2735fb8f5

SHA512
c2c07252c8e58ce58907ffcf484e1dfa239fbab03d6e530b9d06b93799d2c84dd98527e1ecf277c60f039b8bbe4d86201f28cd47a0ebcb70f25ca35066893258

Download Submit
C:\Windows\{96DB1E21-DC78-4e6a-8779-19530D6F5705}.exe

Filesize
204KB

MD5
19113d7d015cd5c856792022953ac3c9

SHA1
cb6e70c9cb87f54aa0f9d334065f4f0f6c5f027a

SHA256
6f8b97f057084552c5eb8ca96ba94b7ca02ec5a1a30025e11bc662a2735fb8f5

SHA512
c2c07252c8e58ce58907ffcf484e1dfa239fbab03d6e530b9d06b93799d2c84dd98527e1ecf277c60f039b8bbe4d86201f28cd47a0ebcb70f25ca35066893258

Download Submit
C:\Windows\{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe

Filesize
204KB

MD5
a878a546e09565558f337905c24c7ef7

SHA1
c5d14fef44411cebe7174b93a918fcf5106e6ae3

SHA256
f2c12769184393ffc7d721b75afcd8d458654ab81bea67320f807f0807e3d0fd

SHA512
1d8049a29a1223b334544fc21ffa7a6cf57b9ccac22b8a61c534df8c4b4c09d33446a140923d22cd003e4a590cfe97ce2c38fa50599854381fba33d2b0547a6f

Download Submit
C:\Windows\{BB66F813-4BCC-44a8-9734-14BDC32A3637}.exe

Filesize
204KB

MD5
a878a546e09565558f337905c24c7ef7

SHA1
c5d14fef44411cebe7174b93a918fcf5106e6ae3

SHA256
f2c12769184393ffc7d721b75afcd8d458654ab81bea67320f807f0807e3d0fd

SHA512
1d8049a29a1223b334544fc21ffa7a6cf57b9ccac22b8a61c534df8c4b4c09d33446a140923d22cd003e4a590cfe97ce2c38fa50599854381fba33d2b0547a6f

Download Submit
C:\Windows\{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe

Filesize
204KB

MD5
529f08733e3b0da5566fdf41462fdbd4

SHA1
e6dd845f2782aeeb09eda14bdad9fb08219e1869

SHA256
187929c1a5b9d13b62516d2e02ffe1efa511e5ef0f66cfef7588d6e4d4df60ca

SHA512
a9b045fa637b7c54917349022689f3e1bac158a92201896f26eb6ad2b218fcd2121ead0b08f0ab6e43bd9ba32cf24acec6ad0a2b640018e505a9b2a66d2c3151

Download Submit
C:\Windows\{BF8422F0-0123-44b9-85AB-F704D9B46453}.exe

Filesize
204KB

MD5
529f08733e3b0da5566fdf41462fdbd4

SHA1
e6dd845f2782aeeb09eda14bdad9fb08219e1869

SHA256
187929c1a5b9d13b62516d2e02ffe1efa511e5ef0f66cfef7588d6e4d4df60ca

SHA512
a9b045fa637b7c54917349022689f3e1bac158a92201896f26eb6ad2b218fcd2121ead0b08f0ab6e43bd9ba32cf24acec6ad0a2b640018e505a9b2a66d2c3151

Download Submit
C:\Windows\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe

Filesize
204KB

MD5
540747ccffbac88e80d2b514cbe3a47b

SHA1
17541ff667fc29de580105226755761b39408ff5

SHA256
3bfc1ebdf55bef0bbbc3f897b0b70e29b3c9d39bb5b08c9aa29469a14ccb0154

SHA512
68fd42ac7e925fb5d9a9ad09040caca04a996a91595a1d4c0c62535db5cd5e0335cdae64de852b2c425c3b03011c49ced0e816a187a05639a374d4e5b6be8a98

Download Submit
C:\Windows\{DEBBC17C-064F-45df-89D8-1E195DE33DA9}.exe

Filesize
204KB

MD5
540747ccffbac88e80d2b514cbe3a47b

SHA1
17541ff667fc29de580105226755761b39408ff5

SHA256
3bfc1ebdf55bef0bbbc3f897b0b70e29b3c9d39bb5b08c9aa29469a14ccb0154

SHA512
68fd42ac7e925fb5d9a9ad09040caca04a996a91595a1d4c0c62535db5cd5e0335cdae64de852b2c425c3b03011c49ced0e816a187a05639a374d4e5b6be8a98

Download Submit
C:\Windows\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe

Filesize
204KB

MD5
4fa260d2b73767e54210e4d47350852c

SHA1
b6c57a18873c17cc6a45a307abaae7735335f1e3

SHA256
9077d931266fa3dc38853b8b2913b284007ef68e8883306ffe6d03f359c6aec6

SHA512
6e46893bad7785286950fb56b16e3ba805950aed5f775b0282ad1b4cfc5c061db20177c5d733ff2c428e709a665de54affccd3eb42ce28db5460556ab5d4b35e

Download Submit
C:\Windows\{F3A7067C-7C98-4cbb-9771-0D173D5DFB47}.exe

Filesize
204KB

MD5
4fa260d2b73767e54210e4d47350852c

SHA1
b6c57a18873c17cc6a45a307abaae7735335f1e3

SHA256
9077d931266fa3dc38853b8b2913b284007ef68e8883306ffe6d03f359c6aec6

SHA512
6e46893bad7785286950fb56b16e3ba805950aed5f775b0282ad1b4cfc5c061db20177c5d733ff2c428e709a665de54affccd3eb42ce28db5460556ab5d4b35e

Download Submit