43b46c5d2dd21ef1ff93088994c0b1a3a83a8eecee7ec27113228e4811fca09e

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

776313dc7c1675exeexeexeex.exe
Size

372KB
MD5

776313dc7c16759e0d4d58f30ae9d1a9
SHA1

5bf219e0dbd7c762fee7b03c849a230a35bdebdc
SHA256

43b46c5d2dd21ef1ff93088994c0b1a3a83a8eecee7ec27113228e4811fca09e
SHA512

0770cadd78169c2687b355ca61949eeea923aecc3e4f4c179fdcb67bd71608662867b58f3036ef15b1ec4132e7902e119b52615f803307c156546ab940490d8e
SSDEEP

3072:CEGh0o8mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG7l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C79B641A-55EF-4368-803C-72D905FCF0BD}	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}\stubpath = "C:\\Windows\\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe"	{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}	{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F428888-8397-4fe7-A5D3-9830AB349243}\stubpath = "C:\\Windows\\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe"	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD8847DD-085E-4379-AD90-0A7302C84A3F}	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD8847DD-085E-4379-AD90-0A7302C84A3F}\stubpath = "C:\\Windows\\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe"	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}\stubpath = "C:\\Windows\\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe"	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{015CEB1C-2683-441c-86FF-1246C13CC5D4}\stubpath = "C:\\Windows\\{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe"	{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{015CEB1C-2683-441c-86FF-1246C13CC5D4}	{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}	{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}	{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}	{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}	776313dc7c1675exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}\stubpath = "C:\\Windows\\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe"	776313dc7c1675exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F428888-8397-4fe7-A5D3-9830AB349243}	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}\stubpath = "C:\\Windows\\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe"	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}\stubpath = "C:\\Windows\\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe"	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}\stubpath = "C:\\Windows\\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe"	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C79B641A-55EF-4368-803C-72D905FCF0BD}\stubpath = "C:\\Windows\\{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe"	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}\stubpath = "C:\\Windows\\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe"	{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}\stubpath = "C:\\Windows\\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe"	{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}\stubpath = "C:\\Windows\\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}.exe"	{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe

Deletes itself 1 IoCs

pid	Process
1284	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
1152	{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
2604	{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
2664	{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
2716	{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
2768	{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe
2504	{160A84FD-532C-45f4-B7E4-54F227D1E6CF}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
File created	C:\Windows\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
File created	C:\Windows\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe	{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
File created	C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	776313dc7c1675exeexeexeex.exe
File created	C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
File created	C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
File created	C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
File created	C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
File created	C:\Windows\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe	{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
File created	C:\Windows\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe	{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
File created	C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
File created	C:\Windows\{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe	{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
File created	C:\Windows\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}.exe	{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	776313dc7c1675exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
Token: SeIncBasePriorityPrivilege	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
Token: SeIncBasePriorityPrivilege	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
Token: SeIncBasePriorityPrivilege	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
Token: SeIncBasePriorityPrivilege	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
Token: SeIncBasePriorityPrivilege	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
Token: SeIncBasePriorityPrivilege	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
Token: SeIncBasePriorityPrivilege	1152	{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
Token: SeIncBasePriorityPrivilege	2604	{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
Token: SeIncBasePriorityPrivilege	2664	{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
Token: SeIncBasePriorityPrivilege	2716	{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
Token: SeIncBasePriorityPrivilege	2768	{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3048	2320	776313dc7c1675exeexeexeex.exe	29
PID 2320 wrote to memory of 3048	2320	776313dc7c1675exeexeexeex.exe	29
PID 2320 wrote to memory of 3048	2320	776313dc7c1675exeexeexeex.exe	29
PID 2320 wrote to memory of 3048	2320	776313dc7c1675exeexeexeex.exe	29
PID 2320 wrote to memory of 1284	2320	776313dc7c1675exeexeexeex.exe	30
PID 2320 wrote to memory of 1284	2320	776313dc7c1675exeexeexeex.exe	30
PID 2320 wrote to memory of 1284	2320	776313dc7c1675exeexeexeex.exe	30
PID 2320 wrote to memory of 1284	2320	776313dc7c1675exeexeexeex.exe	30
PID 3048 wrote to memory of 3016	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3048 wrote to memory of 3016	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3048 wrote to memory of 3016	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3048 wrote to memory of 3016	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	31
PID 3048 wrote to memory of 1916	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3048 wrote to memory of 1916	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3048 wrote to memory of 1916	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3048 wrote to memory of 1916	3048	{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe	32
PID 3016 wrote to memory of 1504	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 3016 wrote to memory of 1504	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 3016 wrote to memory of 1504	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 3016 wrote to memory of 1504	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	33
PID 3016 wrote to memory of 804	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 3016 wrote to memory of 804	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 3016 wrote to memory of 804	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 3016 wrote to memory of 804	3016	{0F428888-8397-4fe7-A5D3-9830AB349243}.exe	34
PID 1504 wrote to memory of 3068	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 1504 wrote to memory of 3068	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 1504 wrote to memory of 3068	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 1504 wrote to memory of 3068	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	35
PID 1504 wrote to memory of 1384	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 1504 wrote to memory of 1384	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 1504 wrote to memory of 1384	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 1504 wrote to memory of 1384	1504	{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe	36
PID 3068 wrote to memory of 2872	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 3068 wrote to memory of 2872	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 3068 wrote to memory of 2872	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 3068 wrote to memory of 2872	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	37
PID 3068 wrote to memory of 2944	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 3068 wrote to memory of 2944	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 3068 wrote to memory of 2944	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 3068 wrote to memory of 2944	3068	{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe	38
PID 2872 wrote to memory of 2000	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2872 wrote to memory of 2000	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2872 wrote to memory of 2000	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2872 wrote to memory of 2000	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	39
PID 2872 wrote to memory of 2064	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2872 wrote to memory of 2064	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2872 wrote to memory of 2064	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2872 wrote to memory of 2064	2872	{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe	40
PID 2000 wrote to memory of 2108	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 2000 wrote to memory of 2108	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 2000 wrote to memory of 2108	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 2000 wrote to memory of 2108	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	41
PID 2000 wrote to memory of 2060	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 2000 wrote to memory of 2060	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 2000 wrote to memory of 2060	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 2000 wrote to memory of 2060	2000	{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe	42
PID 2108 wrote to memory of 1152	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	43
PID 2108 wrote to memory of 1152	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	43
PID 2108 wrote to memory of 1152	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	43
PID 2108 wrote to memory of 1152	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	43
PID 2108 wrote to memory of 772	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	44
PID 2108 wrote to memory of 772	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	44
PID 2108 wrote to memory of 772	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	44
PID 2108 wrote to memory of 772	2108	{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe	44

C:\Users\Admin\AppData\Local\Temp\776313dc7c1675exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\776313dc7c1675exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
  C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
    C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
      C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
        
        C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
        
        C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
        
        C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
        
        C:\Windows\{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
        
        C:\Windows\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
        
        C:\Windows\{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
        
        C:\Windows\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
        
        C:\Windows\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe
        
        C:\Windows\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}.exe
        
        C:\Windows\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}.exe
        14⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F8C1~1.EXE > nul
        14⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{699C9~1.EXE > nul
        13⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A82B~1.EXE > nul
        12⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{015CE~1.EXE > nul
        11⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D04A5~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C79B6~1.EXE > nul
        9⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF07B~1.EXE > nul
        8⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA19~1.EXE > nul
        7⤵
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD884~1.EXE > nul
        6⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DBD9~1.EXE > nul
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F428~1.EXE > nul
      4⤵
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EB549~1.EXE > nul
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\776313~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe

Filesize
372KB

MD5
e450a462f4107254c1f64c4f5b1096d4

SHA1
81ade5fad3f870e092b0d025cbb26de031392e33

SHA256
f27294af2685878d75fac54b8f6d9903717e0bf95fcb0b6519ad77a5b5b35126

SHA512
77020d4e10eb1dba090bbc687a48f412e5eb319dc25d62bb1d6b86ed2e52b15b0e776ec3a110157f30ecd5584e41d51278c20e5266877b7ff3b2e4e1f291a779

Download Submit
C:\Windows\{015CEB1C-2683-441c-86FF-1246C13CC5D4}.exe

Filesize
372KB

MD5
e450a462f4107254c1f64c4f5b1096d4

SHA1
81ade5fad3f870e092b0d025cbb26de031392e33

SHA256
f27294af2685878d75fac54b8f6d9903717e0bf95fcb0b6519ad77a5b5b35126

SHA512
77020d4e10eb1dba090bbc687a48f412e5eb319dc25d62bb1d6b86ed2e52b15b0e776ec3a110157f30ecd5584e41d51278c20e5266877b7ff3b2e4e1f291a779

Download Submit
C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe

Filesize
372KB

MD5
d895aa4843b0837fa6f70c44cfc59943

SHA1
a5a1130d226330949f2ba469fdd8369ff78a2b6e

SHA256
2b5ecc470673f8c5f7b6dfdf0dbaa152635610905deb8c46cb3fed8fb133072f

SHA512
c7307a2f3133b555fc39a90a8f1a5720e2f39fd0acb9d6f67a2b33863b4f21c553c950b406f6738006e9d3fa78f1293c1f54f7e5c414aa8593c704c8caf17b28

Download Submit
C:\Windows\{0F428888-8397-4fe7-A5D3-9830AB349243}.exe

Filesize
372KB

MD5
d895aa4843b0837fa6f70c44cfc59943

SHA1
a5a1130d226330949f2ba469fdd8369ff78a2b6e

SHA256
2b5ecc470673f8c5f7b6dfdf0dbaa152635610905deb8c46cb3fed8fb133072f

SHA512
c7307a2f3133b555fc39a90a8f1a5720e2f39fd0acb9d6f67a2b33863b4f21c553c950b406f6738006e9d3fa78f1293c1f54f7e5c414aa8593c704c8caf17b28

Download Submit
C:\Windows\{160A84FD-532C-45f4-B7E4-54F227D1E6CF}.exe

Filesize
372KB

MD5
4980fa9e17249f05a59ac851ff815726

SHA1
2a1ef7b1fb1906969226810627620a3360124a81

SHA256
9c5fe4ec7034c8049d0ace6b936891affc11e0003f6b0683acb8ee902ca23832

SHA512
e05faf7155c7cfa2d3806104f65b7da9824a2cdaec5d0bfc2664bf3392bdb136e1dc992051f89a95635a0de5120f83a7eb46bf866dbc92d2ac92cffa04ff61c2

Download Submit
C:\Windows\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe

Filesize
372KB

MD5
05e03b3bd5b20891b600b7f8f57fbb2e

SHA1
34cc7a6fb9922fb1833f375befe62fdc86d5ab1d

SHA256
a89a6ae9d4e9cbd1285184a423c38faf119285d62469fe78a32f5247ab24f483

SHA512
c88743c84e0b1c14333d23c388295237efabda43cbb0edc388040c80eea57cd1331fa9da455212b9e845dc8d4c28b47cebe0b4bee3c34b2ff9d220b5c735f2ac

Download Submit
C:\Windows\{1A82B9CD-F0F5-4a08-8D14-20C36AC987E6}.exe

Filesize
372KB

MD5
05e03b3bd5b20891b600b7f8f57fbb2e

SHA1
34cc7a6fb9922fb1833f375befe62fdc86d5ab1d

SHA256
a89a6ae9d4e9cbd1285184a423c38faf119285d62469fe78a32f5247ab24f483

SHA512
c88743c84e0b1c14333d23c388295237efabda43cbb0edc388040c80eea57cd1331fa9da455212b9e845dc8d4c28b47cebe0b4bee3c34b2ff9d220b5c735f2ac

Download Submit
C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe

Filesize
372KB

MD5
7f7a61d7a9318fbd15bd80669780fd48

SHA1
54a0d66c64d90cb143906b8b375dc1b99da53a54

SHA256
9ae4a55cc7534cc0fbd21a6a21784782cd0ce72a5c58e9cdc9a730b3293103ed

SHA512
e780ad7bd12f7c76104ac641d475c3b098d3a54859a35764cc395e7ac6b11f400c3123add51b66db2471a5508fb97ca0debf0e5684a1dfe6a6ff996af2dead6e

Download Submit
C:\Windows\{4DBD9372-E48E-478e-B34A-B6C35BE777EC}.exe

Filesize
372KB

MD5
7f7a61d7a9318fbd15bd80669780fd48

SHA1
54a0d66c64d90cb143906b8b375dc1b99da53a54

SHA256
9ae4a55cc7534cc0fbd21a6a21784782cd0ce72a5c58e9cdc9a730b3293103ed

SHA512
e780ad7bd12f7c76104ac641d475c3b098d3a54859a35764cc395e7ac6b11f400c3123add51b66db2471a5508fb97ca0debf0e5684a1dfe6a6ff996af2dead6e

Download Submit
C:\Windows\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe

Filesize
372KB

MD5
a28d1db71c78d35f2d2b4b4fdee5bbfb

SHA1
67ed928a25541f3f226bac4f6c7c059b8761c4de

SHA256
5d140d0a72d634be770ff3d0680f988f93612819afa848e4af3b342cacbb11a1

SHA512
146b100f4be021b813f4b07c85ff9e7f0ef5585843d4d2e0d409ec2861d5639c7c3132fc34d3bf75f0f00090e7bd36400b4496e65448970c1a94394f9a9bf290

Download Submit
C:\Windows\{699C94B8-AF05-4de9-B5C0-81CDBD5001E3}.exe

Filesize
372KB

MD5
a28d1db71c78d35f2d2b4b4fdee5bbfb

SHA1
67ed928a25541f3f226bac4f6c7c059b8761c4de

SHA256
5d140d0a72d634be770ff3d0680f988f93612819afa848e4af3b342cacbb11a1

SHA512
146b100f4be021b813f4b07c85ff9e7f0ef5585843d4d2e0d409ec2861d5639c7c3132fc34d3bf75f0f00090e7bd36400b4496e65448970c1a94394f9a9bf290

Download Submit
C:\Windows\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe

Filesize
372KB

MD5
29442a7dea4d7b39d66fe549b57f97ff

SHA1
13d956ada0575537caa9bd535a2685166dca9d43

SHA256
4c9a7346c9cba0a20e0ef82da9f4c8fd13e091a2f165ff54cc23ec98decc7323

SHA512
754d7b398778fdc9f6bd7a42620f87dccf1c1cd659f83a7d7f3c7cc382b150547fe70fd02d7fd4a9b9071d267aaf25f12cd1934053b0d9dbf26dc6d1f0ffb772

Download Submit
C:\Windows\{6F8C1EB6-55DE-4794-B447-7FF21CD4777B}.exe

Filesize
372KB

MD5
29442a7dea4d7b39d66fe549b57f97ff

SHA1
13d956ada0575537caa9bd535a2685166dca9d43

SHA256
4c9a7346c9cba0a20e0ef82da9f4c8fd13e091a2f165ff54cc23ec98decc7323

SHA512
754d7b398778fdc9f6bd7a42620f87dccf1c1cd659f83a7d7f3c7cc382b150547fe70fd02d7fd4a9b9071d267aaf25f12cd1934053b0d9dbf26dc6d1f0ffb772

Download Submit
C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe

Filesize
372KB

MD5
0d1a2e45b48eb61ba531ee079eab1f59

SHA1
1568e9d9d7f65d8bd9d81653528f7f4700a74c3f

SHA256
62dcffbb0ebbd0bc7214b7ade132e70606ce1ff62e45494c72866be49bc49061

SHA512
27ce5b916b2ddfc6f7bdaa8e17bb358310a16676f19e283ed389e3dab41782208ccff2f766cc0f3b0bc206917079ed4daeba7fcb4c81dfd3ce89bf8e1319b381

Download Submit
C:\Windows\{8CA1994C-9760-40fa-BA8B-43A54DE6EBFF}.exe

Filesize
372KB

MD5
0d1a2e45b48eb61ba531ee079eab1f59

SHA1
1568e9d9d7f65d8bd9d81653528f7f4700a74c3f

SHA256
62dcffbb0ebbd0bc7214b7ade132e70606ce1ff62e45494c72866be49bc49061

SHA512
27ce5b916b2ddfc6f7bdaa8e17bb358310a16676f19e283ed389e3dab41782208ccff2f766cc0f3b0bc206917079ed4daeba7fcb4c81dfd3ce89bf8e1319b381

Download Submit
C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe

Filesize
372KB

MD5
a65b03e5c2b39f393f37391737a8b2de

SHA1
0b1d894b5f0e8e5700a602fad12eb114b7b35cec

SHA256
f49224fa7ab217c1a7fa70efcfdf7204c8341e15aaadc7bdca2c180b46689127

SHA512
30442a057fb43fe2ca86e3fb67354b0fa7a7f9735038878b890a30d3c8782566b343029310b259faf457ca4ae96ad1be9c98fc2fb364f26b1ec273cd3042ca65

Download Submit
C:\Windows\{AF07BE59-E86E-4f7e-9BB5-1B040C312739}.exe

Filesize
372KB

MD5
a65b03e5c2b39f393f37391737a8b2de

SHA1
0b1d894b5f0e8e5700a602fad12eb114b7b35cec

SHA256
f49224fa7ab217c1a7fa70efcfdf7204c8341e15aaadc7bdca2c180b46689127

SHA512
30442a057fb43fe2ca86e3fb67354b0fa7a7f9735038878b890a30d3c8782566b343029310b259faf457ca4ae96ad1be9c98fc2fb364f26b1ec273cd3042ca65

Download Submit
C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe

Filesize
372KB

MD5
c654a9b195b78751aa204e42eda40f48

SHA1
2dca3a2b5d3bee01c3e23e7995c1775a1cf6722e

SHA256
1300f9b731ed41f93b532f5e878fea0ed6597c8d8057ff573064d09a63ab4675

SHA512
c76751c474f3537b801b199ee313cd2a76a000fe798d1b3708bcc121c13a5e21efb4c0c77d0f0f65445f73c59eca306e4266fdb8d277393c417af79ee6d6a614

Download Submit
C:\Windows\{BD8847DD-085E-4379-AD90-0A7302C84A3F}.exe

Filesize
372KB

MD5
c654a9b195b78751aa204e42eda40f48

SHA1
2dca3a2b5d3bee01c3e23e7995c1775a1cf6722e

SHA256
1300f9b731ed41f93b532f5e878fea0ed6597c8d8057ff573064d09a63ab4675

SHA512
c76751c474f3537b801b199ee313cd2a76a000fe798d1b3708bcc121c13a5e21efb4c0c77d0f0f65445f73c59eca306e4266fdb8d277393c417af79ee6d6a614

Download Submit
C:\Windows\{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe

Filesize
372KB

MD5
21cdf80272d8e1f4bfd09cf2b99d7962

SHA1
a54987c9d9730e021db387143dbb62a4fba8b1f9

SHA256
a62f2b4e1e2a425c0d6576e2a8aaacb6755f5d6e0aa0d3a6d0b6d84b5b5f3d4f

SHA512
315872db111e5f01ecaaab6aa082c98f45842b24900df2b84efadf0b28038e6d7ff5fd6e9cbb1c256a27d8d5b754f02fd52353d6a8e4c3f50914b8dc9296d8cd

Download Submit
C:\Windows\{C79B641A-55EF-4368-803C-72D905FCF0BD}.exe

Filesize
372KB

MD5
21cdf80272d8e1f4bfd09cf2b99d7962

SHA1
a54987c9d9730e021db387143dbb62a4fba8b1f9

SHA256
a62f2b4e1e2a425c0d6576e2a8aaacb6755f5d6e0aa0d3a6d0b6d84b5b5f3d4f

SHA512
315872db111e5f01ecaaab6aa082c98f45842b24900df2b84efadf0b28038e6d7ff5fd6e9cbb1c256a27d8d5b754f02fd52353d6a8e4c3f50914b8dc9296d8cd

Download Submit
C:\Windows\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe

Filesize
372KB

MD5
d3e04b10bcba265ec251e83a1279565b

SHA1
dbdf84748b3dac193284c176c24300e7f3217314

SHA256
30b499e4355ff011cda51d7781482e75d2ac1e4aea285710167965b35f13bdc1

SHA512
3821933d9e42e0bb71c90be459df3c6c3cf3e5b75f465e5119b7779f5b39cda3f8d29cea564d30ee2552c6d59d7215c526729ea58c5c592cb3aeeacee56adab4

Download Submit
C:\Windows\{D04A512A-739C-40e2-AC52-90FFCA36B2F8}.exe

Filesize
372KB

MD5
d3e04b10bcba265ec251e83a1279565b

SHA1
dbdf84748b3dac193284c176c24300e7f3217314

SHA256
30b499e4355ff011cda51d7781482e75d2ac1e4aea285710167965b35f13bdc1

SHA512
3821933d9e42e0bb71c90be459df3c6c3cf3e5b75f465e5119b7779f5b39cda3f8d29cea564d30ee2552c6d59d7215c526729ea58c5c592cb3aeeacee56adab4

Download Submit
C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe

Filesize
372KB

MD5
1676a82cb16e075e6579f8d22d1463e2

SHA1
cf6e649ef46e722718c08ba6dba751f1374a73dd

SHA256
19440caaef129d0abeebf08feb22c8e78b44026ff6da39f1b2c8a6cb3577e102

SHA512
65c76696c522a3831f84920efcfe151309023e4e6fe96c1e11da9ff089a3babebb36a6bce1b6cc1caa78646be24dd5d1cf6e2adb9649dc6fb8f4f497e1bf0914

Download Submit
C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe

Filesize
372KB

MD5
1676a82cb16e075e6579f8d22d1463e2

SHA1
cf6e649ef46e722718c08ba6dba751f1374a73dd

SHA256
19440caaef129d0abeebf08feb22c8e78b44026ff6da39f1b2c8a6cb3577e102

SHA512
65c76696c522a3831f84920efcfe151309023e4e6fe96c1e11da9ff089a3babebb36a6bce1b6cc1caa78646be24dd5d1cf6e2adb9649dc6fb8f4f497e1bf0914

Download Submit
C:\Windows\{EB54906E-FB9A-4039-9E81-FF96F2ABD253}.exe

Filesize
372KB

MD5
1676a82cb16e075e6579f8d22d1463e2

SHA1
cf6e649ef46e722718c08ba6dba751f1374a73dd

SHA256
19440caaef129d0abeebf08feb22c8e78b44026ff6da39f1b2c8a6cb3577e102

SHA512
65c76696c522a3831f84920efcfe151309023e4e6fe96c1e11da9ff089a3babebb36a6bce1b6cc1caa78646be24dd5d1cf6e2adb9649dc6fb8f4f497e1bf0914

Download Submit