f0574d017d93e6632ffbd08a009b4bd228c226395d8779d7c985a3d164264e0b

Analysis

max time kernel
145s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37ca8cfc1072afexeexeexeex.exe
Size

168KB
MD5

37ca8cfc1072af20c31f0cf20f35d7a3
SHA1

3e8308909196e4672f05af23ed146f89d9ded393
SHA256

f0574d017d93e6632ffbd08a009b4bd228c226395d8779d7c985a3d164264e0b
SHA512

3ca43455788f245573e437982ce2f1a2b6b88db0b035615e06e10ca4cb3fae9913b24f5cd5c129e793174f03b9aca56dcb854a05a6eb6c2b309b291d686f5fe2
SSDEEP

1536:1EGh0oplq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oplqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0749D33-C205-4dba-92FB-6F5062D205C9}\stubpath = "C:\\Windows\\{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe"	{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}\stubpath = "C:\\Windows\\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe"	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}\stubpath = "C:\\Windows\\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe"	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01F3EA9E-2292-4d3d-934B-C7013D21518A}	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B33C8D3-9239-454e-9102-14869ECC4048}\stubpath = "C:\\Windows\\{5B33C8D3-9239-454e-9102-14869ECC4048}.exe"	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}\stubpath = "C:\\Windows\\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe"	{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}\stubpath = "C:\\Windows\\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}.exe"	{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B33C8D3-9239-454e-9102-14869ECC4048}	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}	{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64954101-BB30-4779-BF6A-28EBFE8C4B53}\stubpath = "C:\\Windows\\{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe"	{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0749D33-C205-4dba-92FB-6F5062D205C9}	{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}\stubpath = "C:\\Windows\\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe"	37ca8cfc1072afexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01F3EA9E-2292-4d3d-934B-C7013D21518A}\stubpath = "C:\\Windows\\{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe"	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64954101-BB30-4779-BF6A-28EBFE8C4B53}	{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}	{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}	37ca8cfc1072afexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B17144-2E30-4c19-BD9D-5A047684ADA6}	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B17144-2E30-4c19-BD9D-5A047684ADA6}\stubpath = "C:\\Windows\\{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe"	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}\stubpath = "C:\\Windows\\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe"	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}\stubpath = "C:\\Windows\\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe"	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F2B13C2-6CD1-4657-B47C-F1914549A992}	{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F2B13C2-6CD1-4657-B47C-F1914549A992}\stubpath = "C:\\Windows\\{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe"	{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
1784	{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
2604	{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe
2788	{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
2768	{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe
2656	{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe
2240	{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
File created	C:\Windows\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
File created	C:\Windows\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
File created	C:\Windows\{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
File created	C:\Windows\{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe	{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe
File created	C:\Windows\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}.exe	{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe
File created	C:\Windows\{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe	{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
File created	C:\Windows\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	37ca8cfc1072afexeexeexeex.exe
File created	C:\Windows\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
File created	C:\Windows\{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
File created	C:\Windows\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
File created	C:\Windows\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe	{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
File created	C:\Windows\{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe	{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2272	37ca8cfc1072afexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
Token: SeIncBasePriorityPrivilege	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
Token: SeIncBasePriorityPrivilege	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
Token: SeIncBasePriorityPrivilege	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
Token: SeIncBasePriorityPrivilege	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
Token: SeIncBasePriorityPrivilege	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
Token: SeIncBasePriorityPrivilege	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
Token: SeIncBasePriorityPrivilege	1784	{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
Token: SeIncBasePriorityPrivilege	2604	{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe
Token: SeIncBasePriorityPrivilege	2788	{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
Token: SeIncBasePriorityPrivilege	2768	{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe
Token: SeIncBasePriorityPrivilege	2656	{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 436	2272	37ca8cfc1072afexeexeexeex.exe	28
PID 2272 wrote to memory of 436	2272	37ca8cfc1072afexeexeexeex.exe	28
PID 2272 wrote to memory of 436	2272	37ca8cfc1072afexeexeexeex.exe	28
PID 2272 wrote to memory of 436	2272	37ca8cfc1072afexeexeexeex.exe	28
PID 2272 wrote to memory of 2288	2272	37ca8cfc1072afexeexeexeex.exe	29
PID 2272 wrote to memory of 2288	2272	37ca8cfc1072afexeexeexeex.exe	29
PID 2272 wrote to memory of 2288	2272	37ca8cfc1072afexeexeexeex.exe	29
PID 2272 wrote to memory of 2288	2272	37ca8cfc1072afexeexeexeex.exe	29
PID 436 wrote to memory of 2268	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	30
PID 436 wrote to memory of 2268	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	30
PID 436 wrote to memory of 2268	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	30
PID 436 wrote to memory of 2268	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	30
PID 436 wrote to memory of 1256	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	31
PID 436 wrote to memory of 1256	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	31
PID 436 wrote to memory of 1256	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	31
PID 436 wrote to memory of 1256	436	{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe	31
PID 2268 wrote to memory of 1612	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	33
PID 2268 wrote to memory of 1612	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	33
PID 2268 wrote to memory of 1612	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	33
PID 2268 wrote to memory of 1612	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	33
PID 2268 wrote to memory of 2056	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	32
PID 2268 wrote to memory of 2056	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	32
PID 2268 wrote to memory of 2056	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	32
PID 2268 wrote to memory of 2056	2268	{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe	32
PID 1612 wrote to memory of 1736	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	34
PID 1612 wrote to memory of 1736	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	34
PID 1612 wrote to memory of 1736	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	34
PID 1612 wrote to memory of 1736	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	34
PID 1612 wrote to memory of 2084	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	35
PID 1612 wrote to memory of 2084	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	35
PID 1612 wrote to memory of 2084	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	35
PID 1612 wrote to memory of 2084	1612	{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe	35
PID 1736 wrote to memory of 984	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	37
PID 1736 wrote to memory of 984	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	37
PID 1736 wrote to memory of 984	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	37
PID 1736 wrote to memory of 984	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	37
PID 1736 wrote to memory of 2232	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	36
PID 1736 wrote to memory of 2232	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	36
PID 1736 wrote to memory of 2232	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	36
PID 1736 wrote to memory of 2232	1736	{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe	36
PID 984 wrote to memory of 2060	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	38
PID 984 wrote to memory of 2060	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	38
PID 984 wrote to memory of 2060	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	38
PID 984 wrote to memory of 2060	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	38
PID 984 wrote to memory of 2100	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	39
PID 984 wrote to memory of 2100	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	39
PID 984 wrote to memory of 2100	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	39
PID 984 wrote to memory of 2100	984	{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe	39
PID 2060 wrote to memory of 1532	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	40
PID 2060 wrote to memory of 1532	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	40
PID 2060 wrote to memory of 1532	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	40
PID 2060 wrote to memory of 1532	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	40
PID 2060 wrote to memory of 2968	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	41
PID 2060 wrote to memory of 2968	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	41
PID 2060 wrote to memory of 2968	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	41
PID 2060 wrote to memory of 2968	2060	{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe	41
PID 1532 wrote to memory of 1784	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	43
PID 1532 wrote to memory of 1784	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	43
PID 1532 wrote to memory of 1784	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	43
PID 1532 wrote to memory of 1784	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	43
PID 1532 wrote to memory of 2076	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	42
PID 1532 wrote to memory of 2076	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	42
PID 1532 wrote to memory of 2076	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	42
PID 1532 wrote to memory of 2076	1532	{5B33C8D3-9239-454e-9102-14869ECC4048}.exe	42

C:\Users\Admin\AppData\Local\Temp\37ca8cfc1072afexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\37ca8cfc1072afexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
  C:\Windows\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
    C:\Windows\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE77~1.EXE > nul
      4⤵
      PID:2056
  - - C:\Windows\{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
      C:\Windows\{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
        
        C:\Windows\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ACF8~1.EXE > nul
        6⤵
        
        PID:2232
      - C:\Windows\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
        
        C:\Windows\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
        
        C:\Windows\{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
        
        C:\Windows\{5B33C8D3-9239-454e-9102-14869ECC4048}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B33C~1.EXE > nul
        9⤵
        
        PID:2076
        
        C:\Windows\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
        
        C:\Windows\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe
        
        C:\Windows\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
        
        C:\Windows\{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe
        
        C:\Windows\{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe
        
        C:\Windows\{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F2B1~1.EXE > nul
        14⤵
        
        PID:2796
        
        C:\Windows\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}.exe
        
        C:\Windows\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}.exe
        14⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0749~1.EXE > nul
        13⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64954~1.EXE > nul
        12⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB41~1.EXE > nul
        11⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80B30~1.EXE > nul
        10⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01F3E~1.EXE > nul
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54415~1.EXE > nul
        7⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24B17~1.EXE > nul
        5⤵
        
        PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E875F~1.EXE > nul
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\37CA8C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe

Filesize
168KB

MD5
899b8c7d8a1f87d2c7f0a5426dd1b661

SHA1
4f285c714faa978b7308bcc41c318490f4afa097

SHA256
4db54af9c60c30a3b5657742905c09647f4ff197bbe9f3580ed0bce41b799a11

SHA512
5151ed4176fd783f616b7098fb7de120adc4060f0feb851b5d1e39215c7490de819dab6d1a7f2d046bc732ac5a5a9b95200d32e40c3ac6d9874091ab559ed225

Download Submit
C:\Windows\{01F3EA9E-2292-4d3d-934B-C7013D21518A}.exe

Filesize
168KB

MD5
899b8c7d8a1f87d2c7f0a5426dd1b661

SHA1
4f285c714faa978b7308bcc41c318490f4afa097

SHA256
4db54af9c60c30a3b5657742905c09647f4ff197bbe9f3580ed0bce41b799a11

SHA512
5151ed4176fd783f616b7098fb7de120adc4060f0feb851b5d1e39215c7490de819dab6d1a7f2d046bc732ac5a5a9b95200d32e40c3ac6d9874091ab559ed225

Download Submit
C:\Windows\{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe

Filesize
168KB

MD5
8fdb05f24324704ddb6e1669c1917f8b

SHA1
624a0e872e7309181ce577d45a07ed35bfa090fa

SHA256
845bbd6c9c9e51a3c27b0a3ec3238d2f14eb85319d1bf944d58edb6976c84bf9

SHA512
cd165410534ae779b3c0f040673f5ecffda972ce68623400b4b17fb120b4954998b8de5eb44868e793fe9acfd8259146ce1a9759a639cb9b74f1a078b7729e70

Download Submit
C:\Windows\{24B17144-2E30-4c19-BD9D-5A047684ADA6}.exe

Filesize
168KB

MD5
8fdb05f24324704ddb6e1669c1917f8b

SHA1
624a0e872e7309181ce577d45a07ed35bfa090fa

SHA256
845bbd6c9c9e51a3c27b0a3ec3238d2f14eb85319d1bf944d58edb6976c84bf9

SHA512
cd165410534ae779b3c0f040673f5ecffda972ce68623400b4b17fb120b4954998b8de5eb44868e793fe9acfd8259146ce1a9759a639cb9b74f1a078b7729e70

Download Submit
C:\Windows\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe

Filesize
168KB

MD5
baa3fedfea0525082fe7eb3a3aacb8c6

SHA1
f4b48913f3268ffe0f8c242ee163516a71718746

SHA256
1e3cc06ebd9250e20e2c08d58c4bf266d5920fe29a63cac174a6e8b4985cbf40

SHA512
865340ef2896d006a646dca9e8a9c5fbafcbe5d6b68b5293f345f7258d58dfc36666cab27302435772ef56db7ba176da582fdddd5892f17b47733692212828de

Download Submit
C:\Windows\{544151E4-CC1E-4a18-9AA2-626C1F5FC619}.exe

Filesize
168KB

MD5
baa3fedfea0525082fe7eb3a3aacb8c6

SHA1
f4b48913f3268ffe0f8c242ee163516a71718746

SHA256
1e3cc06ebd9250e20e2c08d58c4bf266d5920fe29a63cac174a6e8b4985cbf40

SHA512
865340ef2896d006a646dca9e8a9c5fbafcbe5d6b68b5293f345f7258d58dfc36666cab27302435772ef56db7ba176da582fdddd5892f17b47733692212828de

Download Submit
C:\Windows\{5B33C8D3-9239-454e-9102-14869ECC4048}.exe

Filesize
168KB

MD5
3e1b636fc865f7a39bf7a72880f2a6d7

SHA1
96e9f768b8254138cae16dfbf8c00b69ffa7cc9b

SHA256
51954578c087dc5bca2ea7971d8987bbf3f6dda2b8ce232990864f7809755583

SHA512
de902b164ebbf3927283170b058ab405ff83fda62d8e844dde188328652d0ce3ec9412d0cb4f1b39d2c0559078714af78cd4a33ee736d2f494deb19e35f6ae4d

Download Submit
C:\Windows\{5B33C8D3-9239-454e-9102-14869ECC4048}.exe

Filesize
168KB

MD5
3e1b636fc865f7a39bf7a72880f2a6d7

SHA1
96e9f768b8254138cae16dfbf8c00b69ffa7cc9b

SHA256
51954578c087dc5bca2ea7971d8987bbf3f6dda2b8ce232990864f7809755583

SHA512
de902b164ebbf3927283170b058ab405ff83fda62d8e844dde188328652d0ce3ec9412d0cb4f1b39d2c0559078714af78cd4a33ee736d2f494deb19e35f6ae4d

Download Submit
C:\Windows\{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe

Filesize
168KB

MD5
4d0e5cf3c87e709ebd1db9f00576ad20

SHA1
294831334492f237f20770b9f212b56845c7b495

SHA256
22f2174a7f9119bbf282fbaa53613047b70a7a9781c989a7086dcda803347646

SHA512
026314500f41a193a98b8414713837616006a315a9d9bf82072c7e37113114db00d24bda48129c626905539a07722d076af48a3cffec3383674cf02ae3b50ccc

Download Submit
C:\Windows\{5F2B13C2-6CD1-4657-B47C-F1914549A992}.exe

Filesize
168KB

MD5
4d0e5cf3c87e709ebd1db9f00576ad20

SHA1
294831334492f237f20770b9f212b56845c7b495

SHA256
22f2174a7f9119bbf282fbaa53613047b70a7a9781c989a7086dcda803347646

SHA512
026314500f41a193a98b8414713837616006a315a9d9bf82072c7e37113114db00d24bda48129c626905539a07722d076af48a3cffec3383674cf02ae3b50ccc

Download Submit
C:\Windows\{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe

Filesize
168KB

MD5
8056783145994eba3d3340ad883b6752

SHA1
200bf7025bc2ccdb6454a312756be0e65d41e70d

SHA256
cd979b9fbf9aaa5f60648b8be64f696541c22651952d9a1f1233d17426dddaea

SHA512
d224110d86e89302d2bfd755f693f33b3bf5944270d89eee4e5dc2a645eb9935a6e3ff6528c71ea4a115a88e5294dcb0fb25e609079768136f09e27fb821e07e

Download Submit
C:\Windows\{64954101-BB30-4779-BF6A-28EBFE8C4B53}.exe

Filesize
168KB

MD5
8056783145994eba3d3340ad883b6752

SHA1
200bf7025bc2ccdb6454a312756be0e65d41e70d

SHA256
cd979b9fbf9aaa5f60648b8be64f696541c22651952d9a1f1233d17426dddaea

SHA512
d224110d86e89302d2bfd755f693f33b3bf5944270d89eee4e5dc2a645eb9935a6e3ff6528c71ea4a115a88e5294dcb0fb25e609079768136f09e27fb821e07e

Download Submit
C:\Windows\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe

Filesize
168KB

MD5
482e301312a716d42e233bec58b80180

SHA1
32fad9b4b91cafd5869a7d8758bece0e3a7e9af8

SHA256
ac406780f2e3285b95345922f957d8bc526cd2ff9893df4ec3546bd19b39319d

SHA512
2292f4995f00ebd69232d856717dd3fc459a38402da15a9e5fd96ddc694a53253d1e86d5edce54538fb4239fe24d22cc36ec91d7bed5a0e2f6e89559d9cf5d47

Download Submit
C:\Windows\{80B3062E-17A8-4eb9-8D5F-BAE41585D729}.exe

Filesize
168KB

MD5
482e301312a716d42e233bec58b80180

SHA1
32fad9b4b91cafd5869a7d8758bece0e3a7e9af8

SHA256
ac406780f2e3285b95345922f957d8bc526cd2ff9893df4ec3546bd19b39319d

SHA512
2292f4995f00ebd69232d856717dd3fc459a38402da15a9e5fd96ddc694a53253d1e86d5edce54538fb4239fe24d22cc36ec91d7bed5a0e2f6e89559d9cf5d47

Download Submit
C:\Windows\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe

Filesize
168KB

MD5
555a11c33d80b4e93b96770e035b62e1

SHA1
895f9d56941684455004bef2f317379ead33fbc7

SHA256
86f74f73a64d8766731f3672ae77318b945d54292c10d6b38b79a105e663dbe4

SHA512
3e47b6ad0acbd14f5570448c5c96a0d657240fb4a6937c02cae160fe7a78a3dcf29d194f02b4e3ed69df0fac1299e40b3b1cb700522811a6e03c8226e29c9573

Download Submit
C:\Windows\{9ACF8D75-7D56-45f0-8BEB-8FFA7ACDE0C7}.exe

Filesize
168KB

MD5
555a11c33d80b4e93b96770e035b62e1

SHA1
895f9d56941684455004bef2f317379ead33fbc7

SHA256
86f74f73a64d8766731f3672ae77318b945d54292c10d6b38b79a105e663dbe4

SHA512
3e47b6ad0acbd14f5570448c5c96a0d657240fb4a6937c02cae160fe7a78a3dcf29d194f02b4e3ed69df0fac1299e40b3b1cb700522811a6e03c8226e29c9573

Download Submit
C:\Windows\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe

Filesize
168KB

MD5
73a7ae7de1f8a463dc8b22ea712a6ade

SHA1
a280843ba08539e07a4cd5b34812a6bb3d1ac9ea

SHA256
17f5a42b98eac0a17b747148a7f4dbe3089437430eb2b6640d60153485ba8a1b

SHA512
913ccb76e5ca57f7b5fe69aefe5bfcb8c3a34b490aab341dfde5aa4160bcdeb5aeae2294fd062d31f4c4f8630250fa5a685cd112b3275df69392d9f059b5b175

Download Submit
C:\Windows\{9DE7750F-9A74-4b0f-8B73-3F151100F3DD}.exe

Filesize
168KB

MD5
73a7ae7de1f8a463dc8b22ea712a6ade

SHA1
a280843ba08539e07a4cd5b34812a6bb3d1ac9ea

SHA256
17f5a42b98eac0a17b747148a7f4dbe3089437430eb2b6640d60153485ba8a1b

SHA512
913ccb76e5ca57f7b5fe69aefe5bfcb8c3a34b490aab341dfde5aa4160bcdeb5aeae2294fd062d31f4c4f8630250fa5a685cd112b3275df69392d9f059b5b175

Download Submit
C:\Windows\{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe

Filesize
168KB

MD5
7771fce4b6b46e6539e6b52d8fa8df1e

SHA1
142e2e9703c67f13aaad062592577e709d9ffc2a

SHA256
ae4661ac77cdd75ba1a67efffdbb57c0b8b0557b3eb0206290f8a50dd4be6720

SHA512
03a7aca665089ae0c5b08814959ddbbd6d387706b8074e258d9c291ef7cc9b814947fb1d06f2eabebb8a6fb9587456fb230435536aed1aff7c06267551669f7d

Download Submit
C:\Windows\{B0749D33-C205-4dba-92FB-6F5062D205C9}.exe

Filesize
168KB

MD5
7771fce4b6b46e6539e6b52d8fa8df1e

SHA1
142e2e9703c67f13aaad062592577e709d9ffc2a

SHA256
ae4661ac77cdd75ba1a67efffdbb57c0b8b0557b3eb0206290f8a50dd4be6720

SHA512
03a7aca665089ae0c5b08814959ddbbd6d387706b8074e258d9c291ef7cc9b814947fb1d06f2eabebb8a6fb9587456fb230435536aed1aff7c06267551669f7d

Download Submit
C:\Windows\{B3D5BA42-4D5B-4a39-84C2-3CDBC6D5891F}.exe

Filesize
168KB

MD5
a440f7f59db54b81dffea99ef1f98f8f

SHA1
e5cbd18e727b7443e0bf8625b37798b547d7bfbb

SHA256
e47cf889e48c24f50234ceb48050c14b6ec8979666fd7b0feb992a4a42a12a99

SHA512
a8d802ae21f50f050c514928949a20dfb5c3cafa93686fbbea9edb64309096552d9e7913da8644ce311ce4a9510c24161290bed1d9e651655877b68bbaf29a7d

Download Submit
C:\Windows\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe

Filesize
168KB

MD5
03aba08c2201333a4c1db3a39f66761d

SHA1
c7cc4d97d54f27ff2b26251f8b0604122e5844b6

SHA256
28f0b42666580eae16f16b988ca45ddca8f9c5537d7083f5445bdcf2acdc3729

SHA512
ddbf7f219d001c70d210ef9a2a3444d9a941c11d7aa7b2c56c02a984630f3b1f5ead986897b6556f9950f1c0cb6408f437e540aafdd2d2eb0ed57a2055d37c1f

Download Submit
C:\Windows\{BFB419BD-A579-41fd-ADCC-E15F538A1FB4}.exe

Filesize
168KB

MD5
03aba08c2201333a4c1db3a39f66761d

SHA1
c7cc4d97d54f27ff2b26251f8b0604122e5844b6

SHA256
28f0b42666580eae16f16b988ca45ddca8f9c5537d7083f5445bdcf2acdc3729

SHA512
ddbf7f219d001c70d210ef9a2a3444d9a941c11d7aa7b2c56c02a984630f3b1f5ead986897b6556f9950f1c0cb6408f437e540aafdd2d2eb0ed57a2055d37c1f

Download Submit
C:\Windows\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe

Filesize
168KB

MD5
3b1f86442af97bcf595aaa4d36d9b65c

SHA1
f6280dc5c8a6553d242cb3a0d0c0d1570dc82817

SHA256
d21635410340cdefcab407f662710a7600c9e4bfe08ca0388e5e015b4f716cf8

SHA512
5260d2d9efa520c7017b016ba7ea276464251393c4c3593e1d27dd6ed70721cb81ad976a1c159b0a74f140940417f1ab93e39e82d663ae4a3e4240b08324857e

Download Submit
C:\Windows\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe

Filesize
168KB

MD5
3b1f86442af97bcf595aaa4d36d9b65c

SHA1
f6280dc5c8a6553d242cb3a0d0c0d1570dc82817

SHA256
d21635410340cdefcab407f662710a7600c9e4bfe08ca0388e5e015b4f716cf8

SHA512
5260d2d9efa520c7017b016ba7ea276464251393c4c3593e1d27dd6ed70721cb81ad976a1c159b0a74f140940417f1ab93e39e82d663ae4a3e4240b08324857e

Download Submit
C:\Windows\{E875F7BC-9D87-4981-80BC-B0FDE35AF8F8}.exe

Filesize
168KB

MD5
3b1f86442af97bcf595aaa4d36d9b65c

SHA1
f6280dc5c8a6553d242cb3a0d0c0d1570dc82817

SHA256
d21635410340cdefcab407f662710a7600c9e4bfe08ca0388e5e015b4f716cf8

SHA512
5260d2d9efa520c7017b016ba7ea276464251393c4c3593e1d27dd6ed70721cb81ad976a1c159b0a74f140940417f1ab93e39e82d663ae4a3e4240b08324857e

Download Submit