c0967e4840ed300b7aedb3c8ea69d679a10d6ce623b838821329c899e99afc82

Analysis

max time kernel
147s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51660088828d7eexeexeexeex.exe
Size

372KB
MD5

51660088828d7eb3246bdca921b72183
SHA1

46f17a1b539e4eb46be4c878a36f568cd7b93573
SHA256

c0967e4840ed300b7aedb3c8ea69d679a10d6ce623b838821329c899e99afc82
SHA512

abeb71d24a63d15ca6c587433ff0e1ef33bada47752c4b7b2dbcfcdc7229435c189689915829d434b2b4b8813b224fec6ea5a5ec0119e178049b968edba4bb68
SSDEEP

3072:CEGh0oVmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGSl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}\stubpath = "C:\\Windows\\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe"	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}\stubpath = "C:\\Windows\\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe"	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99B9798C-6609-4a5f-B486-268FAE229663}\stubpath = "C:\\Windows\\{99B9798C-6609-4a5f-B486-268FAE229663}.exe"	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}\stubpath = "C:\\Windows\\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe"	{71A416D6-3735-4114-B039-BC599D078A21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}\stubpath = "C:\\Windows\\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe"	{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}\stubpath = "C:\\Windows\\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe"	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}\stubpath = "C:\\Windows\\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}.exe"	{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8968477-46EC-42c0-B7A5-0431D7F996CF}	51660088828d7eexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}\stubpath = "C:\\Windows\\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe"	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}\stubpath = "C:\\Windows\\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe"	{99B9798C-6609-4a5f-B486-268FAE229663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A416D6-3735-4114-B039-BC599D078A21}\stubpath = "C:\\Windows\\{71A416D6-3735-4114-B039-BC599D078A21}.exe"	{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}\stubpath = "C:\\Windows\\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe"	{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}	{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8968477-46EC-42c0-B7A5-0431D7F996CF}\stubpath = "C:\\Windows\\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe"	51660088828d7eexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}\stubpath = "C:\\Windows\\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe"	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99B9798C-6609-4a5f-B486-268FAE229663}	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}	{99B9798C-6609-4a5f-B486-268FAE229663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A416D6-3735-4114-B039-BC599D078A21}	{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}	{71A416D6-3735-4114-B039-BC599D078A21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}	{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}	{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe

Deletes itself 1 IoCs

pid	Process
2088	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe
2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe
824	{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
2684	{71A416D6-3735-4114-B039-BC599D078A21}.exe
2620	{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
2676	{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
2632	{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe
2480	{AA57AF27-F8E4-4796-9342-59F6598B4F0B}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
File created	C:\Windows\{99B9798C-6609-4a5f-B486-268FAE229663}.exe	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
File created	C:\Windows\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe	{71A416D6-3735-4114-B039-BC599D078A21}.exe
File created	C:\Windows\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe	{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
File created	C:\Windows\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe	{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
File created	C:\Windows\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	51660088828d7eexeexeexeex.exe
File created	C:\Windows\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
File created	C:\Windows\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
File created	C:\Windows\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
File created	C:\Windows\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe	{99B9798C-6609-4a5f-B486-268FAE229663}.exe
File created	C:\Windows\{71A416D6-3735-4114-B039-BC599D078A21}.exe	{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
File created	C:\Windows\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}.exe	{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe
File created	C:\Windows\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	51660088828d7eexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe
Token: SeIncBasePriorityPrivilege	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
Token: SeIncBasePriorityPrivilege	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
Token: SeIncBasePriorityPrivilege	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
Token: SeIncBasePriorityPrivilege	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
Token: SeIncBasePriorityPrivilege	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
Token: SeIncBasePriorityPrivilege	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe
Token: SeIncBasePriorityPrivilege	824	{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
Token: SeIncBasePriorityPrivilege	2684	{71A416D6-3735-4114-B039-BC599D078A21}.exe
Token: SeIncBasePriorityPrivilege	2620	{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
Token: SeIncBasePriorityPrivilege	2676	{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
Token: SeIncBasePriorityPrivilege	2632	{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2976	2956	51660088828d7eexeexeexeex.exe	28
PID 2956 wrote to memory of 2976	2956	51660088828d7eexeexeexeex.exe	28
PID 2956 wrote to memory of 2976	2956	51660088828d7eexeexeexeex.exe	28
PID 2956 wrote to memory of 2976	2956	51660088828d7eexeexeexeex.exe	28
PID 2956 wrote to memory of 2088	2956	51660088828d7eexeexeexeex.exe	29
PID 2956 wrote to memory of 2088	2956	51660088828d7eexeexeexeex.exe	29
PID 2956 wrote to memory of 2088	2956	51660088828d7eexeexeexeex.exe	29
PID 2956 wrote to memory of 2088	2956	51660088828d7eexeexeexeex.exe	29
PID 2976 wrote to memory of 2932	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	30
PID 2976 wrote to memory of 2932	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	30
PID 2976 wrote to memory of 2932	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	30
PID 2976 wrote to memory of 2932	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	30
PID 2976 wrote to memory of 764	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	31
PID 2976 wrote to memory of 764	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	31
PID 2976 wrote to memory of 764	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	31
PID 2976 wrote to memory of 764	2976	{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe	31
PID 2932 wrote to memory of 2132	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	32
PID 2932 wrote to memory of 2132	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	32
PID 2932 wrote to memory of 2132	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	32
PID 2932 wrote to memory of 2132	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	32
PID 2932 wrote to memory of 2064	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	33
PID 2932 wrote to memory of 2064	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	33
PID 2932 wrote to memory of 2064	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	33
PID 2932 wrote to memory of 2064	2932	{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe	33
PID 2132 wrote to memory of 468	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	34
PID 2132 wrote to memory of 468	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	34
PID 2132 wrote to memory of 468	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	34
PID 2132 wrote to memory of 468	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	34
PID 2132 wrote to memory of 580	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	35
PID 2132 wrote to memory of 580	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	35
PID 2132 wrote to memory of 580	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	35
PID 2132 wrote to memory of 580	2132	{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe	35
PID 468 wrote to memory of 2828	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	36
PID 468 wrote to memory of 2828	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	36
PID 468 wrote to memory of 2828	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	36
PID 468 wrote to memory of 2828	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	36
PID 468 wrote to memory of 2084	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	37
PID 468 wrote to memory of 2084	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	37
PID 468 wrote to memory of 2084	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	37
PID 468 wrote to memory of 2084	468	{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe	37
PID 2828 wrote to memory of 1196	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	38
PID 2828 wrote to memory of 1196	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	38
PID 2828 wrote to memory of 1196	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	38
PID 2828 wrote to memory of 1196	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	38
PID 2828 wrote to memory of 684	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	39
PID 2828 wrote to memory of 684	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	39
PID 2828 wrote to memory of 684	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	39
PID 2828 wrote to memory of 684	2828	{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe	39
PID 1196 wrote to memory of 2880	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	40
PID 1196 wrote to memory of 2880	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	40
PID 1196 wrote to memory of 2880	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	40
PID 1196 wrote to memory of 2880	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	40
PID 1196 wrote to memory of 1476	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	41
PID 1196 wrote to memory of 1476	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	41
PID 1196 wrote to memory of 1476	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	41
PID 1196 wrote to memory of 1476	1196	{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe	41
PID 2880 wrote to memory of 824	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	42
PID 2880 wrote to memory of 824	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	42
PID 2880 wrote to memory of 824	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	42
PID 2880 wrote to memory of 824	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	42
PID 2880 wrote to memory of 2780	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	43
PID 2880 wrote to memory of 2780	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	43
PID 2880 wrote to memory of 2780	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	43
PID 2880 wrote to memory of 2780	2880	{99B9798C-6609-4a5f-B486-268FAE229663}.exe	43

C:\Users\Admin\AppData\Local\Temp\51660088828d7eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\51660088828d7eexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe
  C:\Windows\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
    C:\Windows\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
      C:\Windows\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
        
        C:\Windows\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\Windows\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
        
        C:\Windows\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
        
        C:\Windows\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{99B9798C-6609-4a5f-B486-268FAE229663}.exe
        
        C:\Windows\{99B9798C-6609-4a5f-B486-268FAE229663}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
        
        C:\Windows\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\{71A416D6-3735-4114-B039-BC599D078A21}.exe
        
        C:\Windows\{71A416D6-3735-4114-B039-BC599D078A21}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
        
        C:\Windows\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
        
        C:\Windows\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe
        
        C:\Windows\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}.exe
        
        C:\Windows\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}.exe
        14⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE13~1.EXE > nul
        14⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00A47~1.EXE > nul
        13⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC3C9~1.EXE > nul
        12⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A41~1.EXE > nul
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AFDA~1.EXE > nul
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99B97~1.EXE > nul
        9⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDDBC~1.EXE > nul
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC89~1.EXE > nul
        7⤵
        
        PID:684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AEE2~1.EXE > nul
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5609~1.EXE > nul
        5⤵
        
        PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63F85~1.EXE > nul
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8968~1.EXE > nul
    3⤵
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\516600~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe

Filesize
372KB

MD5
3d829d8cd62058cc7fe2c0176d437861

SHA1
c660f719cbcbf46b9409bdd7660a4ac79ab71a70

SHA256
f31d227e0fd93df9211bc461fbfd6d83b08e8bd88f73712b01aec787675e6d22

SHA512
d2143ab3799469acb25ef09c5230ed75cda3608881b61c167aab6e0e8c922e12b0d6ea52343da91775b2f71f128bcdda7443da235e3b2bc39aa213f7207b6a91

Download Submit
C:\Windows\{00A473F9-F7B3-4f8d-9470-41A31B47DF7D}.exe

Filesize
372KB

MD5
3d829d8cd62058cc7fe2c0176d437861

SHA1
c660f719cbcbf46b9409bdd7660a4ac79ab71a70

SHA256
f31d227e0fd93df9211bc461fbfd6d83b08e8bd88f73712b01aec787675e6d22

SHA512
d2143ab3799469acb25ef09c5230ed75cda3608881b61c167aab6e0e8c922e12b0d6ea52343da91775b2f71f128bcdda7443da235e3b2bc39aa213f7207b6a91

Download Submit
C:\Windows\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe

Filesize
372KB

MD5
8bbb15713f56dee39f694d7fa014d62e

SHA1
93e689c7ddea59c5e62d4701f12dfff24ea60060

SHA256
c2f2a2d1169ecf1457634cdc76a764c932a81c3da0fbeed7cf0711363a61782e

SHA512
4ec608e0608e0ba864c3070b57fdb99f5f34824232e1c1f5a97c927292fabf2600df41e6e1228b90c4be0826289d10149297ca30ad6daadfc90725d3d489cb5f

Download Submit
C:\Windows\{2BE135CC-86C2-4d35-A1EA-B31CA04172F6}.exe

Filesize
372KB

MD5
8bbb15713f56dee39f694d7fa014d62e

SHA1
93e689c7ddea59c5e62d4701f12dfff24ea60060

SHA256
c2f2a2d1169ecf1457634cdc76a764c932a81c3da0fbeed7cf0711363a61782e

SHA512
4ec608e0608e0ba864c3070b57fdb99f5f34824232e1c1f5a97c927292fabf2600df41e6e1228b90c4be0826289d10149297ca30ad6daadfc90725d3d489cb5f

Download Submit
C:\Windows\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe

Filesize
372KB

MD5
a0a131c92d1154b30c5b4e307cf08c2d

SHA1
6851ab5fbe01b46d9b54d9a7cb4e96b12158a22c

SHA256
f899d70ff76e3ca3bb21ebe91393395d1189b8be7459662bd84a89bd2d663bc8

SHA512
b5bf4935c7aa48402f76338233569cd896ff07dd71f68d242c7200a20dfcbd4c1ca8700fa7c430eca0ebebe6014efa940f39688701c5cd1110605bd8144c7d01

Download Submit
C:\Windows\{4AEE292E-32D8-42cf-AB42-B329B86E01C4}.exe

Filesize
372KB

MD5
a0a131c92d1154b30c5b4e307cf08c2d

SHA1
6851ab5fbe01b46d9b54d9a7cb4e96b12158a22c

SHA256
f899d70ff76e3ca3bb21ebe91393395d1189b8be7459662bd84a89bd2d663bc8

SHA512
b5bf4935c7aa48402f76338233569cd896ff07dd71f68d242c7200a20dfcbd4c1ca8700fa7c430eca0ebebe6014efa940f39688701c5cd1110605bd8144c7d01

Download Submit
C:\Windows\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe

Filesize
372KB

MD5
f30407ce05433f563af26bbeee1b7ed4

SHA1
ba4d3c5ab4f45f2a49765d4616e0fc17a506dd07

SHA256
125ea84c32ab28b0ea84611a952a2a88ca35281a64073aa996b55a4bde199002

SHA512
e020aa0e62d0890ce2fe2db6c54b7a3d82c331f988f7bdd89fdd991bd4f6bf7147ecbb9bec8a2d44f78318bc361f835c543cf03596042d7e13d3e4443edf73e2

Download Submit
C:\Windows\{4AFDA83F-D56F-4d46-B4DB-C0AFDD6523FC}.exe

Filesize
372KB

MD5
f30407ce05433f563af26bbeee1b7ed4

SHA1
ba4d3c5ab4f45f2a49765d4616e0fc17a506dd07

SHA256
125ea84c32ab28b0ea84611a952a2a88ca35281a64073aa996b55a4bde199002

SHA512
e020aa0e62d0890ce2fe2db6c54b7a3d82c331f988f7bdd89fdd991bd4f6bf7147ecbb9bec8a2d44f78318bc361f835c543cf03596042d7e13d3e4443edf73e2

Download Submit
C:\Windows\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe

Filesize
372KB

MD5
ddda7713046cbc49c79b8cbe38e036ff

SHA1
cbe09f9a6a0825c6b5d4d1c5b94a75c03f3fa017

SHA256
b471abaabb031b8dd94d4252ead2ca1fcc01a844f9d254ca6b6888f70f10ef83

SHA512
b2ce4a7e98748fc01b843d31778a55231c6ae3b48d2bb55ce324b8e79eba81a1b0c272039e22dfcb4340148d8177c6a161d928de0d676668af40e1ec336974b5

Download Submit
C:\Windows\{63F851F6-118D-4f1a-BF6C-A215A9AC35FA}.exe

Filesize
372KB

MD5
ddda7713046cbc49c79b8cbe38e036ff

SHA1
cbe09f9a6a0825c6b5d4d1c5b94a75c03f3fa017

SHA256
b471abaabb031b8dd94d4252ead2ca1fcc01a844f9d254ca6b6888f70f10ef83

SHA512
b2ce4a7e98748fc01b843d31778a55231c6ae3b48d2bb55ce324b8e79eba81a1b0c272039e22dfcb4340148d8177c6a161d928de0d676668af40e1ec336974b5

Download Submit
C:\Windows\{71A416D6-3735-4114-B039-BC599D078A21}.exe

Filesize
372KB

MD5
f660d8930130e05be6df2070b04ccb37

SHA1
898b2bb1fb2796bf5075dc93f61304b969808605

SHA256
a4c459fb2db71ea19f5cbb9c6249199275c2ce388c5bcab2799a80c22811bae7

SHA512
6279eb1b73000cf1857530f172792408d0d96ce08755fc46fa642ac107b2b9d952d45ef57bfe5d4234a7af3edcd6d357ef0655f210bbc49999c81ee865b6847a

Download Submit
C:\Windows\{71A416D6-3735-4114-B039-BC599D078A21}.exe

Filesize
372KB

MD5
f660d8930130e05be6df2070b04ccb37

SHA1
898b2bb1fb2796bf5075dc93f61304b969808605

SHA256
a4c459fb2db71ea19f5cbb9c6249199275c2ce388c5bcab2799a80c22811bae7

SHA512
6279eb1b73000cf1857530f172792408d0d96ce08755fc46fa642ac107b2b9d952d45ef57bfe5d4234a7af3edcd6d357ef0655f210bbc49999c81ee865b6847a

Download Submit
C:\Windows\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe

Filesize
372KB

MD5
ce1e75cce60d1b237f23870bec4a9fab

SHA1
99dceeef271de2e5517b3f2bf4963f920b833521

SHA256
e75bec952ca87e4ffd8e5b323c280b12333765dfd55f419b216a39eb81f1e388

SHA512
3018cb9aba7f00e57d7493b49120b944e51b43cfcfa311a32e3ffd55e103cd063344f4275c7c083a8f4a976265d4ac895437f3e8bb81fcf6f5335b0d3d66939d

Download Submit
C:\Windows\{8CC8949F-770D-434f-98AF-60DBAB40E2A7}.exe

Filesize
372KB

MD5
ce1e75cce60d1b237f23870bec4a9fab

SHA1
99dceeef271de2e5517b3f2bf4963f920b833521

SHA256
e75bec952ca87e4ffd8e5b323c280b12333765dfd55f419b216a39eb81f1e388

SHA512
3018cb9aba7f00e57d7493b49120b944e51b43cfcfa311a32e3ffd55e103cd063344f4275c7c083a8f4a976265d4ac895437f3e8bb81fcf6f5335b0d3d66939d

Download Submit
C:\Windows\{99B9798C-6609-4a5f-B486-268FAE229663}.exe

Filesize
372KB

MD5
85d61e9f89b274f8094f8d4a586ad1b4

SHA1
6a97cb73492a6894774976d5c555bff3fb5c26d4

SHA256
45a5f79b56c74ec9344695c2738c1dda055e1016ccc4e229ac86cdf797e8b87a

SHA512
f1039d961c41175d9f9e242c6008a469692430dc66d40503ec3380837c80f85b5f20e074c363a3f75eb502c4777e3be90af14a262478b85546ca6581a8dc1a1f

Download Submit
C:\Windows\{99B9798C-6609-4a5f-B486-268FAE229663}.exe

Filesize
372KB

MD5
85d61e9f89b274f8094f8d4a586ad1b4

SHA1
6a97cb73492a6894774976d5c555bff3fb5c26d4

SHA256
45a5f79b56c74ec9344695c2738c1dda055e1016ccc4e229ac86cdf797e8b87a

SHA512
f1039d961c41175d9f9e242c6008a469692430dc66d40503ec3380837c80f85b5f20e074c363a3f75eb502c4777e3be90af14a262478b85546ca6581a8dc1a1f

Download Submit
C:\Windows\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe

Filesize
372KB

MD5
b074cbdfa92ff9633f460c47efd08bed

SHA1
e082ac7dc1c39800837f71278cd0a1ce81c6b892

SHA256
537d49e85e86a1714f7a9d00b2acf9e521a3dcc9d4b422f60c6700ced325df27

SHA512
dee1ddabb09a832c83711cc352ba20e4917f238bbda031c87ecc1994658bdb270405fb2cc1230c3c5d4c38fc871c6cfbf40c2464726b8e01a5e0b77a5a73d924

Download Submit
C:\Windows\{A5609AB5-83C1-4ed3-B707-B43DCF1150F6}.exe

Filesize
372KB

MD5
b074cbdfa92ff9633f460c47efd08bed

SHA1
e082ac7dc1c39800837f71278cd0a1ce81c6b892

SHA256
537d49e85e86a1714f7a9d00b2acf9e521a3dcc9d4b422f60c6700ced325df27

SHA512
dee1ddabb09a832c83711cc352ba20e4917f238bbda031c87ecc1994658bdb270405fb2cc1230c3c5d4c38fc871c6cfbf40c2464726b8e01a5e0b77a5a73d924

Download Submit
C:\Windows\{AA57AF27-F8E4-4796-9342-59F6598B4F0B}.exe

Filesize
372KB

MD5
7a3366fb0efe29764cf76bb231458f0b

SHA1
2bf1f0eb56c82f9d57232512ac0444f1abcdaf7f

SHA256
5fd34246c98a255c4e197542605d3919031cadb7fff026196bb028b49be24f0d

SHA512
c6ceff39adf3b79f30ad1f967dd1093f5ff36802e5b13bd31f4202e9e9b04c6eece2aa196c18eb8a9fe4e7de794afa90ce7a09cb14be6a4ee0e3ecdba5e82970

Download Submit
C:\Windows\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe

Filesize
372KB

MD5
795c5eb860648aebcaee3ee074935b61

SHA1
46871f318b06d1056a3f61dc722cd3b48243aa95

SHA256
4cf326d0952b9d5f3d7cc7863890363876b28d26846ad346725c75678f872c32

SHA512
84634f4ab4c6cabf9fcdeabd0d951e59802bb3ecb3b67945c3869d7a690400fbc33b18d93a0bbdcfd452dd6cb3bff4a97d3aa0676288fe2949c4a6546cb07f53

Download Submit
C:\Windows\{CC3C94DA-F4B7-4b9f-B59C-DEB8A40C4776}.exe

Filesize
372KB

MD5
795c5eb860648aebcaee3ee074935b61

SHA1
46871f318b06d1056a3f61dc722cd3b48243aa95

SHA256
4cf326d0952b9d5f3d7cc7863890363876b28d26846ad346725c75678f872c32

SHA512
84634f4ab4c6cabf9fcdeabd0d951e59802bb3ecb3b67945c3869d7a690400fbc33b18d93a0bbdcfd452dd6cb3bff4a97d3aa0676288fe2949c4a6546cb07f53

Download Submit
C:\Windows\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe

Filesize
372KB

MD5
73425ae89d35e2d8af0e4d36216961a0

SHA1
e7c12af442af14f296d4c48ecd5f8cb1aae3c5d7

SHA256
601618da8eee3880aa596fc4637a815a84104c547bc454d5e707269cb60ae868

SHA512
0fe72381c4417e738feab97af75546377d2d6d469dfe82b2cdfef986878730a268a77070886ec150187592f2c580fa309ed21f013a3dd6e28ef3c3401b1a51d9

Download Submit
C:\Windows\{CDDBCA03-B60E-4875-B28F-7F422EF90FDB}.exe

Filesize
372KB

MD5
73425ae89d35e2d8af0e4d36216961a0

SHA1
e7c12af442af14f296d4c48ecd5f8cb1aae3c5d7

SHA256
601618da8eee3880aa596fc4637a815a84104c547bc454d5e707269cb60ae868

SHA512
0fe72381c4417e738feab97af75546377d2d6d469dfe82b2cdfef986878730a268a77070886ec150187592f2c580fa309ed21f013a3dd6e28ef3c3401b1a51d9

Download Submit
C:\Windows\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe

Filesize
372KB

MD5
044bb1a954c8bd0507dcf54b2aa609d5

SHA1
182807aa4966b03e50265065163c7f8bf6d85808

SHA256
e9bbe22a0dac158fad45458d175862f5076c0aabc7c20f7fb82afe7b0d14805a

SHA512
2af5d8bc0e277bd25022d9a5bb75682b768417a19889662dd98018e534b1d96105e6cfe7eb1128d3f00e8d40979f594c86f1b01b4807c3cba138439e8c575803

Download Submit
C:\Windows\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe

Filesize
372KB

MD5
044bb1a954c8bd0507dcf54b2aa609d5

SHA1
182807aa4966b03e50265065163c7f8bf6d85808

SHA256
e9bbe22a0dac158fad45458d175862f5076c0aabc7c20f7fb82afe7b0d14805a

SHA512
2af5d8bc0e277bd25022d9a5bb75682b768417a19889662dd98018e534b1d96105e6cfe7eb1128d3f00e8d40979f594c86f1b01b4807c3cba138439e8c575803

Download Submit
C:\Windows\{E8968477-46EC-42c0-B7A5-0431D7F996CF}.exe

Filesize
372KB

MD5
044bb1a954c8bd0507dcf54b2aa609d5

SHA1
182807aa4966b03e50265065163c7f8bf6d85808

SHA256
e9bbe22a0dac158fad45458d175862f5076c0aabc7c20f7fb82afe7b0d14805a

SHA512
2af5d8bc0e277bd25022d9a5bb75682b768417a19889662dd98018e534b1d96105e6cfe7eb1128d3f00e8d40979f594c86f1b01b4807c3cba138439e8c575803

Download Submit