949a33372272dfacf3b48e66c65d2b983fd669d0a0508d3d998a68dd17185f6c

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b8cf79d89782fexeexeexeex.exe
Size

372KB
MD5

6b8cf79d89782f8d4f87927b40c101cc
SHA1

81ef4a4f6686488b71e7f056307e6f54a9cadc84
SHA256

949a33372272dfacf3b48e66c65d2b983fd669d0a0508d3d998a68dd17185f6c
SHA512

dbf8246f3b420e7fa8ade29ea21d1cba95d15808c2efc08e462aa92bd1ad088cbb9e0ad32fb8b12744579220232ba95ae0abaaa0df98c297fee80b91fc900b6a
SSDEEP

3072:CEGh0opmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG6l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{161CF771-A808-43f7-82DF-E2F22E0A52F4}	6b8cf79d89782fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}\stubpath = "C:\\Windows\\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe"	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}\stubpath = "C:\\Windows\\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe"	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22E947AD-E19B-469e-AE77-9EC6114623E1}\stubpath = "C:\\Windows\\{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe"	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E914D70C-D0AC-4093-971B-DE49DFF41810}\stubpath = "C:\\Windows\\{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe"	{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}\stubpath = "C:\\Windows\\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe"	{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}\stubpath = "C:\\Windows\\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe"	{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{161CF771-A808-43f7-82DF-E2F22E0A52F4}\stubpath = "C:\\Windows\\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe"	6b8cf79d89782fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}\stubpath = "C:\\Windows\\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe"	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A9A22B-EF2F-4a54-989F-777E92231F97}	{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A9A22B-EF2F-4a54-989F-777E92231F97}\stubpath = "C:\\Windows\\{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe"	{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}	{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE3B10FE-4100-448a-858F-9B39F5DE385F}	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22E947AD-E19B-469e-AE77-9EC6114623E1}	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFFBEDB4-015D-467b-AF10-BF8853648C87}\stubpath = "C:\\Windows\\{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe"	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E914D70C-D0AC-4093-971B-DE49DFF41810}	{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}	{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}\stubpath = "C:\\Windows\\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}.exe"	{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE3B10FE-4100-448a-858F-9B39F5DE385F}\stubpath = "C:\\Windows\\{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe"	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}\stubpath = "C:\\Windows\\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe"	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFFBEDB4-015D-467b-AF10-BF8853648C87}	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}	{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe
1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
864	{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
2648	{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
3008	{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe
2408	{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
2520	{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe
2552	{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
File created	C:\Windows\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
File created	C:\Windows\{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
File created	C:\Windows\{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
File created	C:\Windows\{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe	{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
File created	C:\Windows\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe	{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe
File created	C:\Windows\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	6b8cf79d89782fexeexeexeex.exe
File created	C:\Windows\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
File created	C:\Windows\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
File created	C:\Windows\{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe	{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
File created	C:\Windows\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe	{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
File created	C:\Windows\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}.exe	{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe
File created	C:\Windows\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2436	6b8cf79d89782fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
Token: SeIncBasePriorityPrivilege	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
Token: SeIncBasePriorityPrivilege	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe
Token: SeIncBasePriorityPrivilege	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
Token: SeIncBasePriorityPrivilege	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
Token: SeIncBasePriorityPrivilege	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
Token: SeIncBasePriorityPrivilege	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
Token: SeIncBasePriorityPrivilege	864	{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
Token: SeIncBasePriorityPrivilege	2648	{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
Token: SeIncBasePriorityPrivilege	3008	{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe
Token: SeIncBasePriorityPrivilege	2408	{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
Token: SeIncBasePriorityPrivilege	2520	{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2064	2436	6b8cf79d89782fexeexeexeex.exe	28
PID 2436 wrote to memory of 2064	2436	6b8cf79d89782fexeexeexeex.exe	28
PID 2436 wrote to memory of 2064	2436	6b8cf79d89782fexeexeexeex.exe	28
PID 2436 wrote to memory of 2064	2436	6b8cf79d89782fexeexeexeex.exe	28
PID 2436 wrote to memory of 2444	2436	6b8cf79d89782fexeexeexeex.exe	29
PID 2436 wrote to memory of 2444	2436	6b8cf79d89782fexeexeexeex.exe	29
PID 2436 wrote to memory of 2444	2436	6b8cf79d89782fexeexeexeex.exe	29
PID 2436 wrote to memory of 2444	2436	6b8cf79d89782fexeexeexeex.exe	29
PID 2064 wrote to memory of 3000	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	31
PID 2064 wrote to memory of 3000	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	31
PID 2064 wrote to memory of 3000	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	31
PID 2064 wrote to memory of 3000	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	31
PID 2064 wrote to memory of 1876	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	30
PID 2064 wrote to memory of 1876	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	30
PID 2064 wrote to memory of 1876	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	30
PID 2064 wrote to memory of 1876	2064	{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe	30
PID 3000 wrote to memory of 1112	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	32
PID 3000 wrote to memory of 1112	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	32
PID 3000 wrote to memory of 1112	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	32
PID 3000 wrote to memory of 1112	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	32
PID 3000 wrote to memory of 3028	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	33
PID 3000 wrote to memory of 3028	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	33
PID 3000 wrote to memory of 3028	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	33
PID 3000 wrote to memory of 3028	3000	{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe	33
PID 1112 wrote to memory of 1812	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	34
PID 1112 wrote to memory of 1812	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	34
PID 1112 wrote to memory of 1812	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	34
PID 1112 wrote to memory of 1812	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	34
PID 1112 wrote to memory of 2188	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	35
PID 1112 wrote to memory of 2188	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	35
PID 1112 wrote to memory of 2188	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	35
PID 1112 wrote to memory of 2188	1112	{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe	35
PID 1812 wrote to memory of 2984	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	36
PID 1812 wrote to memory of 2984	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	36
PID 1812 wrote to memory of 2984	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	36
PID 1812 wrote to memory of 2984	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	36
PID 1812 wrote to memory of 1932	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	37
PID 1812 wrote to memory of 1932	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	37
PID 1812 wrote to memory of 1932	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	37
PID 1812 wrote to memory of 1932	1812	{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe	37
PID 2984 wrote to memory of 1304	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	38
PID 2984 wrote to memory of 1304	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	38
PID 2984 wrote to memory of 1304	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	38
PID 2984 wrote to memory of 1304	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	38
PID 2984 wrote to memory of 1056	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	39
PID 2984 wrote to memory of 1056	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	39
PID 2984 wrote to memory of 1056	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	39
PID 2984 wrote to memory of 1056	2984	{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe	39
PID 1304 wrote to memory of 2248	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	41
PID 1304 wrote to memory of 2248	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	41
PID 1304 wrote to memory of 2248	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	41
PID 1304 wrote to memory of 2248	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	41
PID 1304 wrote to memory of 2460	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	40
PID 1304 wrote to memory of 2460	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	40
PID 1304 wrote to memory of 2460	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	40
PID 1304 wrote to memory of 2460	1304	{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe	40
PID 2248 wrote to memory of 864	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	43
PID 2248 wrote to memory of 864	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	43
PID 2248 wrote to memory of 864	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	43
PID 2248 wrote to memory of 864	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	43
PID 2248 wrote to memory of 2844	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	42
PID 2248 wrote to memory of 2844	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	42
PID 2248 wrote to memory of 2844	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	42
PID 2248 wrote to memory of 2844	2248	{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe	42

C:\Users\Admin\AppData\Local\Temp\6b8cf79d89782fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6b8cf79d89782fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
  C:\Windows\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{161CF~1.EXE > nul
    3⤵
    PID:1876
- - C:\Windows\{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
    C:\Windows\{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe
      C:\Windows\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
        
        C:\Windows\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
        
        C:\Windows\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
        
        C:\Windows\{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22E94~1.EXE > nul
        8⤵
        
        PID:2460
        
        C:\Windows\{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
        
        C:\Windows\{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFFBE~1.EXE > nul
        9⤵
        
        PID:2844
        
        C:\Windows\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
        
        C:\Windows\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C847~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
        
        C:\Windows\{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A9A~1.EXE > nul
        11⤵
        
        PID:2852
        
        C:\Windows\{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe
        
        C:\Windows\{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E914D~1.EXE > nul
        12⤵
        
        PID:2660
        
        C:\Windows\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
        
        C:\Windows\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DF2B~1.EXE > nul
        13⤵
        
        PID:2668
        
        C:\Windows\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe
        
        C:\Windows\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCA16~1.EXE > nul
        14⤵
        
        PID:2480
        
        C:\Windows\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}.exe
        
        C:\Windows\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}.exe
        14⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC0F2~1.EXE > nul
        7⤵
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5268A~1.EXE > nul
        6⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{363FF~1.EXE > nul
        5⤵
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3B1~1.EXE > nul
      4⤵
      PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6B8CF7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe

Filesize
372KB

MD5
d29341afc56503ae0d9d35e91d3d6f91

SHA1
ef10f3221c8a69a5037e8468f4f86eda36d36cd5

SHA256
99416d7883ae835b6937dfa46c66a116b21c41ecdc9d7db4cc3298c522f0c4e6

SHA512
beb7cbac531c15a5368673a16595d291ebe20328fccfa697571ae0af5a55e08259aca592e7ea9b0f47b9b3b1f6c1324e7e1be2fb41cbc615f9e79c4fe11ab16d

Download Submit
C:\Windows\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe

Filesize
372KB

MD5
d29341afc56503ae0d9d35e91d3d6f91

SHA1
ef10f3221c8a69a5037e8468f4f86eda36d36cd5

SHA256
99416d7883ae835b6937dfa46c66a116b21c41ecdc9d7db4cc3298c522f0c4e6

SHA512
beb7cbac531c15a5368673a16595d291ebe20328fccfa697571ae0af5a55e08259aca592e7ea9b0f47b9b3b1f6c1324e7e1be2fb41cbc615f9e79c4fe11ab16d

Download Submit
C:\Windows\{161CF771-A808-43f7-82DF-E2F22E0A52F4}.exe

Filesize
372KB

MD5
d29341afc56503ae0d9d35e91d3d6f91

SHA1
ef10f3221c8a69a5037e8468f4f86eda36d36cd5

SHA256
99416d7883ae835b6937dfa46c66a116b21c41ecdc9d7db4cc3298c522f0c4e6

SHA512
beb7cbac531c15a5368673a16595d291ebe20328fccfa697571ae0af5a55e08259aca592e7ea9b0f47b9b3b1f6c1324e7e1be2fb41cbc615f9e79c4fe11ab16d

Download Submit
C:\Windows\{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe

Filesize
372KB

MD5
92060a7664bf314b5b9f36a140c46ff0

SHA1
085907170559b2ded0e1658d20f4d20b3bf74daa

SHA256
7653a997a567f6490a96291ce1a0048452dc7602d7925b08ed83c3aa1f697dc6

SHA512
4cb1c053dd9e9a2688a162403231f0d15b956aa1d0c4df16adcf0f89f3b675f7e8b60a01d30de10fb9a82ba410912913cea3af5b4d85b5eef24e73202d9e7af8

Download Submit
C:\Windows\{22E947AD-E19B-469e-AE77-9EC6114623E1}.exe

Filesize
372KB

MD5
92060a7664bf314b5b9f36a140c46ff0

SHA1
085907170559b2ded0e1658d20f4d20b3bf74daa

SHA256
7653a997a567f6490a96291ce1a0048452dc7602d7925b08ed83c3aa1f697dc6

SHA512
4cb1c053dd9e9a2688a162403231f0d15b956aa1d0c4df16adcf0f89f3b675f7e8b60a01d30de10fb9a82ba410912913cea3af5b4d85b5eef24e73202d9e7af8

Download Submit
C:\Windows\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe

Filesize
372KB

MD5
e3ab8bd48dcd4b124bb26fc949e0c086

SHA1
737fa20fe9e9ad665c3c318cc97f3a8328eb848c

SHA256
bda61f325f3b83dd1828c1d11cc8136d222121b23adf28aaa72bd6b8a58d26b4

SHA512
d0c9b9d479af9662f3fab05c7d415dfe0fc9b52e1a3a86737fe4d30e1b758965390bce1f989550a5158ed7724193b0cc48e63cafb620ef159427a280ed2a6eff

Download Submit
C:\Windows\{363FFBB8-759A-4bda-81CD-75FCB4C9203F}.exe

Filesize
372KB

MD5
e3ab8bd48dcd4b124bb26fc949e0c086

SHA1
737fa20fe9e9ad665c3c318cc97f3a8328eb848c

SHA256
bda61f325f3b83dd1828c1d11cc8136d222121b23adf28aaa72bd6b8a58d26b4

SHA512
d0c9b9d479af9662f3fab05c7d415dfe0fc9b52e1a3a86737fe4d30e1b758965390bce1f989550a5158ed7724193b0cc48e63cafb620ef159427a280ed2a6eff

Download Submit
C:\Windows\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe

Filesize
372KB

MD5
b0453fe75b42533b47032245eb3a9de4

SHA1
e3726bcf5db43c46c60fd6786a7c4d457019ffa4

SHA256
5fd34ce59fa5f1485051d2a209484d621d2aacc9fac5a3590fd5c78dc9426163

SHA512
7204ae022fadb774fa3d0054790f2d0649d0cacfec17caf55006cbe1c54d34a82dbdb68cd75bdcdd137243a8ed4c73670c2a868aabbe42d72c79260194fd2740

Download Submit
C:\Windows\{3DF2B913-3D05-4b98-9EB3-CC450C1AE11C}.exe

Filesize
372KB

MD5
b0453fe75b42533b47032245eb3a9de4

SHA1
e3726bcf5db43c46c60fd6786a7c4d457019ffa4

SHA256
5fd34ce59fa5f1485051d2a209484d621d2aacc9fac5a3590fd5c78dc9426163

SHA512
7204ae022fadb774fa3d0054790f2d0649d0cacfec17caf55006cbe1c54d34a82dbdb68cd75bdcdd137243a8ed4c73670c2a868aabbe42d72c79260194fd2740

Download Submit
C:\Windows\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe

Filesize
372KB

MD5
67d9c7fdd3e9d87a79a0bd7478ae589b

SHA1
60e4645619429616557d26e9543c80e2060d7bd0

SHA256
42772f48d83a80403d711c26954265c4dd185acc2d9863e40032017c3d17b2d8

SHA512
f258419b80d35e2a9ef00b5063cedee2765edc9626d8d837b7f4cd8c58e88f8437f614699e0b899234666cbe9be7da71b640e86dfd09367475d57c317d887883

Download Submit
C:\Windows\{5268ABE4-7517-43a3-AE51-5DA070F30CF9}.exe

Filesize
372KB

MD5
67d9c7fdd3e9d87a79a0bd7478ae589b

SHA1
60e4645619429616557d26e9543c80e2060d7bd0

SHA256
42772f48d83a80403d711c26954265c4dd185acc2d9863e40032017c3d17b2d8

SHA512
f258419b80d35e2a9ef00b5063cedee2765edc9626d8d837b7f4cd8c58e88f8437f614699e0b899234666cbe9be7da71b640e86dfd09367475d57c317d887883

Download Submit
C:\Windows\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe

Filesize
372KB

MD5
6a229872f02a908e41993fb26e3185db

SHA1
c4f576a86d4a95f7f10e908b9dc21b3b7355d42c

SHA256
d22012855ba95c1edd42bb2e0790444f6033fea44eb5f0d20f871f13cfc00e36

SHA512
ece8d0b78027705078e583de3e05e15425a5e689db28fbd7989fbda72e56a60b91e34b7a4fa4fcba7c68fd84a1c43e6a5e4df31b8a9be84ac7b2662e5a6c8ffe

Download Submit
C:\Windows\{5C847A25-C1D0-4b28-B811-4C9B70FD7C05}.exe

Filesize
372KB

MD5
6a229872f02a908e41993fb26e3185db

SHA1
c4f576a86d4a95f7f10e908b9dc21b3b7355d42c

SHA256
d22012855ba95c1edd42bb2e0790444f6033fea44eb5f0d20f871f13cfc00e36

SHA512
ece8d0b78027705078e583de3e05e15425a5e689db28fbd7989fbda72e56a60b91e34b7a4fa4fcba7c68fd84a1c43e6a5e4df31b8a9be84ac7b2662e5a6c8ffe

Download Submit
C:\Windows\{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe

Filesize
372KB

MD5
bc2c4ea1475295bc9e3a3357a7340979

SHA1
33f8c09c0563b83bd6325b587389834eecbde7b4

SHA256
51d3e8a0e5e7edff28d51155732a1bc51f90f765b437456ad0fe5cdd0df37775

SHA512
3a969b5199b4baf30e168c97985f257947af009496603b1cac1de3a56667b84e8c6a634f86f60fe62d09f02afa65ef2135fe05a1960c0ae597284684d9c04fc6

Download Submit
C:\Windows\{AFFBEDB4-015D-467b-AF10-BF8853648C87}.exe

Filesize
372KB

MD5
bc2c4ea1475295bc9e3a3357a7340979

SHA1
33f8c09c0563b83bd6325b587389834eecbde7b4

SHA256
51d3e8a0e5e7edff28d51155732a1bc51f90f765b437456ad0fe5cdd0df37775

SHA512
3a969b5199b4baf30e168c97985f257947af009496603b1cac1de3a56667b84e8c6a634f86f60fe62d09f02afa65ef2135fe05a1960c0ae597284684d9c04fc6

Download Submit
C:\Windows\{B0542D76-A72C-4dbd-8335-D7E2B5CF6431}.exe

Filesize
372KB

MD5
f3577a63dec0ceaee566e795108a92a5

SHA1
a89079043707eb8f6bb63414081ed44aa85e3026

SHA256
93f579d25545c649bd6e0471851559c44df3e328ce19ea558d73a56c8e1e16c7

SHA512
398368a5c6a56ac35e90c29ccbc5422eff2e67af6ec525fc69f2aa3ef0a6896ea8328b6c55b7517fdc9a1822917151bed37ec80fdc614a83537f6734790f84eb

Download Submit
C:\Windows\{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe

Filesize
372KB

MD5
f17adb202f44245ec4894b83f8e43802

SHA1
920d2569044dab9f27f246d63c5226f6e3154db2

SHA256
273cb636be148fce2d2a2a091dd5078abc44435cb0798fd03cbbe27665e422b0

SHA512
ba929e777c8357b9acb925e8c2754d6351f6b947f0c55978b5516ddfe9027339044eb2818467690dbb92e95bff156875d4531fd7b88aa3973eabe5762392743c

Download Submit
C:\Windows\{B6A9A22B-EF2F-4a54-989F-777E92231F97}.exe

Filesize
372KB

MD5
f17adb202f44245ec4894b83f8e43802

SHA1
920d2569044dab9f27f246d63c5226f6e3154db2

SHA256
273cb636be148fce2d2a2a091dd5078abc44435cb0798fd03cbbe27665e422b0

SHA512
ba929e777c8357b9acb925e8c2754d6351f6b947f0c55978b5516ddfe9027339044eb2818467690dbb92e95bff156875d4531fd7b88aa3973eabe5762392743c

Download Submit
C:\Windows\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe

Filesize
372KB

MD5
1fac5030647e27b401c341c9d19ca5e9

SHA1
4418bcd4d6234fd61e846b277a1293f470d5bf53

SHA256
7af8cc2465eefa4e5d8d494793ff396a7983334afa8ed5bd6a6f1fa15b017441

SHA512
3008fd622aaae183f6d83dfbeccca502d5e04cfcb7a60a29f4eb8f06abdd4d409ce9b33dacd10fa036f5b5522a1b959da9d049a30d394f44a3382a78c1962836

Download Submit
C:\Windows\{DC0F2FC0-2132-4cb7-B45C-0043054CD187}.exe

Filesize
372KB

MD5
1fac5030647e27b401c341c9d19ca5e9

SHA1
4418bcd4d6234fd61e846b277a1293f470d5bf53

SHA256
7af8cc2465eefa4e5d8d494793ff396a7983334afa8ed5bd6a6f1fa15b017441

SHA512
3008fd622aaae183f6d83dfbeccca502d5e04cfcb7a60a29f4eb8f06abdd4d409ce9b33dacd10fa036f5b5522a1b959da9d049a30d394f44a3382a78c1962836

Download Submit
C:\Windows\{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe

Filesize
372KB

MD5
00295eb72ba818840aabe864e2d97588

SHA1
70e665e5ebd3f60e2cf49a21d39670be75a68c32

SHA256
6aef3d8ab24cefeea3fb2fa90b98ee690aafbd1c5c382ad1b09c096d50cdd696

SHA512
a41837cafd72e4b9a66a5451406820f5888bb99bf7d460baed2732113ab5f9b12c8c411d65ddb45035ae6b85094f018d035f2c2e7c08690ace57148b81daf9a0

Download Submit
C:\Windows\{E914D70C-D0AC-4093-971B-DE49DFF41810}.exe

Filesize
372KB

MD5
00295eb72ba818840aabe864e2d97588

SHA1
70e665e5ebd3f60e2cf49a21d39670be75a68c32

SHA256
6aef3d8ab24cefeea3fb2fa90b98ee690aafbd1c5c382ad1b09c096d50cdd696

SHA512
a41837cafd72e4b9a66a5451406820f5888bb99bf7d460baed2732113ab5f9b12c8c411d65ddb45035ae6b85094f018d035f2c2e7c08690ace57148b81daf9a0

Download Submit
C:\Windows\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe

Filesize
372KB

MD5
3c9730a49890a9b3d81ef62aabb16edb

SHA1
24fad8ead56e47a5f4481d4ae3835427a3ed120f

SHA256
3200669d4c962771982f412bd1a11a5b24765a4cb051d6c036407aaed24dad85

SHA512
3a194e8ce2265340f24756c898c9ea39cebb184eecdf6df3d062625ef0a78eccd1c13ebd4c049f2b6c1303efc2ef7828d46d842154e425278e9717318058ae71

Download Submit
C:\Windows\{FCA16C8A-2C53-447d-AAC7-08C763C6F3FE}.exe

Filesize
372KB

MD5
3c9730a49890a9b3d81ef62aabb16edb

SHA1
24fad8ead56e47a5f4481d4ae3835427a3ed120f

SHA256
3200669d4c962771982f412bd1a11a5b24765a4cb051d6c036407aaed24dad85

SHA512
3a194e8ce2265340f24756c898c9ea39cebb184eecdf6df3d062625ef0a78eccd1c13ebd4c049f2b6c1303efc2ef7828d46d842154e425278e9717318058ae71

Download Submit
C:\Windows\{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe

Filesize
372KB

MD5
fefb20cd0b29b88f65dd099eb300c85f

SHA1
e96ba507ee909c6199cee363a90ef259cfaa1752

SHA256
570738696394ba5dd91115e1963b6241c8075b74c32022ff331cbb56f69157e2

SHA512
8da34da1196f287835a4f4c9e6b4db123c34f7cd2998223730ea0aacb38f66a3f9739d8c93a49779cf9c84a337463509bc4b9c377ffdf5c8cf09a470578d1ad8

Download Submit
C:\Windows\{FE3B10FE-4100-448a-858F-9B39F5DE385F}.exe

Filesize
372KB

MD5
fefb20cd0b29b88f65dd099eb300c85f

SHA1
e96ba507ee909c6199cee363a90ef259cfaa1752

SHA256
570738696394ba5dd91115e1963b6241c8075b74c32022ff331cbb56f69157e2

SHA512
8da34da1196f287835a4f4c9e6b4db123c34f7cd2998223730ea0aacb38f66a3f9739d8c93a49779cf9c84a337463509bc4b9c377ffdf5c8cf09a470578d1ad8

Download Submit