11d2d2ef470b9d8e0f29b5744b3e1969583ea40abf68eb7a337a156e4cd9fe77

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

917def1b61598bexeexeexeex.exe
Size

168KB
MD5

917def1b61598b2edca9cac59674196a
SHA1

088c2f15ec734b40daf74a1ace8d8be298e63406
SHA256

11d2d2ef470b9d8e0f29b5744b3e1969583ea40abf68eb7a337a156e4cd9fe77
SHA512

f72153cb216c8762beab5ecd1d344e983c9edbda573996333968f92988d2939b76e4d20cb243adcd1836a8290f394002ddf472938f37de53416ad9f46a200001
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}	{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}\stubpath = "C:\\Windows\\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe"	{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DBEB7F-29CA-44fe-B734-635F38A96943}	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}\stubpath = "C:\\Windows\\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe"	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}	917def1b61598bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}\stubpath = "C:\\Windows\\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe"	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}\stubpath = "C:\\Windows\\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe"	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}\stubpath = "C:\\Windows\\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe"	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}\stubpath = "C:\\Windows\\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe"	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B19E39-1D6D-4794-8120-DF57443793C4}	{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}\stubpath = "C:\\Windows\\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe"	{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A391268C-DDF2-4735-8A4B-911689859689}\stubpath = "C:\\Windows\\{A391268C-DDF2-4735-8A4B-911689859689}.exe"	{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41271378-B5F4-4971-82C3-F3A738E56660}	{A391268C-DDF2-4735-8A4B-911689859689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}\stubpath = "C:\\Windows\\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe"	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DBEB7F-29CA-44fe-B734-635F38A96943}\stubpath = "C:\\Windows\\{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe"	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A391268C-DDF2-4735-8A4B-911689859689}	{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}\stubpath = "C:\\Windows\\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe"	917def1b61598bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B19E39-1D6D-4794-8120-DF57443793C4}\stubpath = "C:\\Windows\\{94B19E39-1D6D-4794-8120-DF57443793C4}.exe"	{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}	{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41271378-B5F4-4971-82C3-F3A738E56660}\stubpath = "C:\\Windows\\{41271378-B5F4-4971-82C3-F3A738E56660}.exe"	{A391268C-DDF2-4735-8A4B-911689859689}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe
1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
872	{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
3068	{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
2576	{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
2600	{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
2728	{A391268C-DDF2-4735-8A4B-911689859689}.exe
2852	{41271378-B5F4-4971-82C3-F3A738E56660}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
File created	C:\Windows\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe	{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
File created	C:\Windows\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe	{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
File created	C:\Windows\{41271378-B5F4-4971-82C3-F3A738E56660}.exe	{A391268C-DDF2-4735-8A4B-911689859689}.exe
File created	C:\Windows\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	917def1b61598bexeexeexeex.exe
File created	C:\Windows\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
File created	C:\Windows\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
File created	C:\Windows\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
File created	C:\Windows\{94B19E39-1D6D-4794-8120-DF57443793C4}.exe	{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
File created	C:\Windows\{A391268C-DDF2-4735-8A4B-911689859689}.exe	{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
File created	C:\Windows\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
File created	C:\Windows\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
File created	C:\Windows\{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2280	917def1b61598bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
Token: SeIncBasePriorityPrivilege	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
Token: SeIncBasePriorityPrivilege	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
Token: SeIncBasePriorityPrivilege	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
Token: SeIncBasePriorityPrivilege	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
Token: SeIncBasePriorityPrivilege	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe
Token: SeIncBasePriorityPrivilege	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
Token: SeIncBasePriorityPrivilege	872	{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
Token: SeIncBasePriorityPrivilege	3068	{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
Token: SeIncBasePriorityPrivilege	2576	{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
Token: SeIncBasePriorityPrivilege	2600	{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
Token: SeIncBasePriorityPrivilege	2728	{A391268C-DDF2-4735-8A4B-911689859689}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2304	2280	917def1b61598bexeexeexeex.exe	27
PID 2280 wrote to memory of 2304	2280	917def1b61598bexeexeexeex.exe	27
PID 2280 wrote to memory of 2304	2280	917def1b61598bexeexeexeex.exe	27
PID 2280 wrote to memory of 2304	2280	917def1b61598bexeexeexeex.exe	27
PID 2280 wrote to memory of 3060	2280	917def1b61598bexeexeexeex.exe	28
PID 2280 wrote to memory of 3060	2280	917def1b61598bexeexeexeex.exe	28
PID 2280 wrote to memory of 3060	2280	917def1b61598bexeexeexeex.exe	28
PID 2280 wrote to memory of 3060	2280	917def1b61598bexeexeexeex.exe	28
PID 2304 wrote to memory of 920	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	29
PID 2304 wrote to memory of 920	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	29
PID 2304 wrote to memory of 920	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	29
PID 2304 wrote to memory of 920	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	29
PID 2304 wrote to memory of 2384	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	30
PID 2304 wrote to memory of 2384	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	30
PID 2304 wrote to memory of 2384	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	30
PID 2304 wrote to memory of 2384	2304	{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe	30
PID 920 wrote to memory of 1308	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	31
PID 920 wrote to memory of 1308	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	31
PID 920 wrote to memory of 1308	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	31
PID 920 wrote to memory of 1308	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	31
PID 920 wrote to memory of 2952	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	32
PID 920 wrote to memory of 2952	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	32
PID 920 wrote to memory of 2952	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	32
PID 920 wrote to memory of 2952	920	{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe	32
PID 1308 wrote to memory of 1068	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	33
PID 1308 wrote to memory of 1068	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	33
PID 1308 wrote to memory of 1068	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	33
PID 1308 wrote to memory of 1068	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	33
PID 1308 wrote to memory of 1876	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	34
PID 1308 wrote to memory of 1876	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	34
PID 1308 wrote to memory of 1876	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	34
PID 1308 wrote to memory of 1876	1308	{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe	34
PID 1068 wrote to memory of 1636	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	36
PID 1068 wrote to memory of 1636	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	36
PID 1068 wrote to memory of 1636	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	36
PID 1068 wrote to memory of 1636	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	36
PID 1068 wrote to memory of 2192	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	35
PID 1068 wrote to memory of 2192	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	35
PID 1068 wrote to memory of 2192	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	35
PID 1068 wrote to memory of 2192	1068	{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe	35
PID 1636 wrote to memory of 1484	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	38
PID 1636 wrote to memory of 1484	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	38
PID 1636 wrote to memory of 1484	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	38
PID 1636 wrote to memory of 1484	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	38
PID 1636 wrote to memory of 548	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	37
PID 1636 wrote to memory of 548	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	37
PID 1636 wrote to memory of 548	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	37
PID 1636 wrote to memory of 548	1636	{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe	37
PID 1484 wrote to memory of 1624	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	39
PID 1484 wrote to memory of 1624	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	39
PID 1484 wrote to memory of 1624	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	39
PID 1484 wrote to memory of 1624	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	39
PID 1484 wrote to memory of 1364	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	40
PID 1484 wrote to memory of 1364	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	40
PID 1484 wrote to memory of 1364	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	40
PID 1484 wrote to memory of 1364	1484	{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe	40
PID 1624 wrote to memory of 872	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	41
PID 1624 wrote to memory of 872	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	41
PID 1624 wrote to memory of 872	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	41
PID 1624 wrote to memory of 872	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	41
PID 1624 wrote to memory of 2236	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	42
PID 1624 wrote to memory of 2236	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	42
PID 1624 wrote to memory of 2236	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	42
PID 1624 wrote to memory of 2236	1624	{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe	42

C:\Users\Admin\AppData\Local\Temp\917def1b61598bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\917def1b61598bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
  C:\Windows\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
    C:\Windows\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
      C:\Windows\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
        
        C:\Windows\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AEB2~1.EXE > nul
        6⤵
        
        PID:2192
      - C:\Windows\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
        
        C:\Windows\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A391~1.EXE > nul
        7⤵
        
        PID:548
        
        C:\Windows\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe
        
        C:\Windows\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
        
        C:\Windows\{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
        
        C:\Windows\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
        
        C:\Windows\{94B19E39-1D6D-4794-8120-DF57443793C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
        
        C:\Windows\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34C60~1.EXE > nul
        12⤵
        
        PID:2916
        
        C:\Windows\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
        
        C:\Windows\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A702~1.EXE > nul
        13⤵
        
        PID:2608
        
        C:\Windows\{A391268C-DDF2-4735-8A4B-911689859689}.exe
        
        C:\Windows\{A391268C-DDF2-4735-8A4B-911689859689}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{41271378-B5F4-4971-82C3-F3A738E56660}.exe
        
        C:\Windows\{41271378-B5F4-4971-82C3-F3A738E56660}.exe
        14⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3912~1.EXE > nul
        14⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B19~1.EXE > nul
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CD6~1.EXE > nul
        10⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41DBE~1.EXE > nul
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A39~1.EXE > nul
        8⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFACF~1.EXE > nul
        5⤵
        
        PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCCA~1.EXE > nul
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96F3D~1.EXE > nul
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\917DEF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe

Filesize
168KB

MD5
de4d3305b0e9db502bf6ce851b35ce2b

SHA1
821a414ec6ed9a49f488ac7a67665489bb76b778

SHA256
52630878717b758a61beeec1149091c16d212a4942ff131b97ddade1e83bcf92

SHA512
1e3ad84d65311b6b9aeb3bfcfd8f3b0506fb5d9a64c5226266fb1aa14c16107f0d1ed21aa3e1143810fa4353efcd0a3d18bf938ea888b940053fdc2ae1d6309e

Download Submit
C:\Windows\{34C60EE4-EA1B-43f8-9478-B7A72A784A23}.exe

Filesize
168KB

MD5
de4d3305b0e9db502bf6ce851b35ce2b

SHA1
821a414ec6ed9a49f488ac7a67665489bb76b778

SHA256
52630878717b758a61beeec1149091c16d212a4942ff131b97ddade1e83bcf92

SHA512
1e3ad84d65311b6b9aeb3bfcfd8f3b0506fb5d9a64c5226266fb1aa14c16107f0d1ed21aa3e1143810fa4353efcd0a3d18bf938ea888b940053fdc2ae1d6309e

Download Submit
C:\Windows\{41271378-B5F4-4971-82C3-F3A738E56660}.exe

Filesize
168KB

MD5
fa588c7cbabd2d7291421faf42339e28

SHA1
331d5547d401eb1d1159557e0f9e83478df9edaa

SHA256
6bed9653d10b20f7245b00ef0bb1e8b62b16546b4272062bd110c096df310753

SHA512
01193b335ac7e96bd0bf4ecaf4a151a8c5a6d6455745e23bc3c5b2f96429b68e992e854a81204bb80e6cc7cae7170559bbff15b2815a40751523033a07e0ad8d

Download Submit
C:\Windows\{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe

Filesize
168KB

MD5
7f9f8ee3f588638eef02e6a8f4dbfa47

SHA1
43f999f37835a94fddd5658da9fc17c9777631c6

SHA256
c2b1aa3d2de80f124ee29470180beb71f974723a98cdd28d157ca96c1a921e77

SHA512
f5ccb8e560fe355c946e3bfc59ffab273fde3540970e83a54ec7b9d0121ee409675cfd314974301ac8c919bed3db69f290f4738ba9c0f5271991b0bd0a89dd51

Download Submit
C:\Windows\{41DBEB7F-29CA-44fe-B734-635F38A96943}.exe

Filesize
168KB

MD5
7f9f8ee3f588638eef02e6a8f4dbfa47

SHA1
43f999f37835a94fddd5658da9fc17c9777631c6

SHA256
c2b1aa3d2de80f124ee29470180beb71f974723a98cdd28d157ca96c1a921e77

SHA512
f5ccb8e560fe355c946e3bfc59ffab273fde3540970e83a54ec7b9d0121ee409675cfd314974301ac8c919bed3db69f290f4738ba9c0f5271991b0bd0a89dd51

Download Submit
C:\Windows\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe

Filesize
168KB

MD5
d1cf060cc4d7e47b0b9c23a68ae87411

SHA1
2f1462dc76a048777d185d19717c43d41e022ae3

SHA256
aec80710a172b32042fe7a287e1e17b8fa5ddf9de33796c791164335ac549838

SHA512
538a035028c7f7a9cb99386206717a6a3dbf6fdbd1838f7d3a1fefbd410fbfd82c837bac700b3809cf2e218bff6f7afd7f5bfdc5f8c4cbc15e3512597b45164d

Download Submit
C:\Windows\{48A39E48-ACE4-496e-8E5F-3CBC08716A28}.exe

Filesize
168KB

MD5
d1cf060cc4d7e47b0b9c23a68ae87411

SHA1
2f1462dc76a048777d185d19717c43d41e022ae3

SHA256
aec80710a172b32042fe7a287e1e17b8fa5ddf9de33796c791164335ac549838

SHA512
538a035028c7f7a9cb99386206717a6a3dbf6fdbd1838f7d3a1fefbd410fbfd82c837bac700b3809cf2e218bff6f7afd7f5bfdc5f8c4cbc15e3512597b45164d

Download Submit
C:\Windows\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe

Filesize
168KB

MD5
f3d2cd645f2b21d6741d42846bb9d8dd

SHA1
206befcded27ef7eb2b455af0c94773c7c133278

SHA256
061c7f6d1caf018e92606e146078f99ef1229c0f7a17b7287381ae899c8e00c0

SHA512
3890cab1cd477a724b0595537f5a86e687d8ca4121db42fbd6c29db4dafceefc2fa75b5bac9356c4451c5b36fab4a19772e680857ecd99f95a9a99858f6aefe3

Download Submit
C:\Windows\{4A391C4B-8073-4cb5-B066-8703ABEB77ED}.exe

Filesize
168KB

MD5
f3d2cd645f2b21d6741d42846bb9d8dd

SHA1
206befcded27ef7eb2b455af0c94773c7c133278

SHA256
061c7f6d1caf018e92606e146078f99ef1229c0f7a17b7287381ae899c8e00c0

SHA512
3890cab1cd477a724b0595537f5a86e687d8ca4121db42fbd6c29db4dafceefc2fa75b5bac9356c4451c5b36fab4a19772e680857ecd99f95a9a99858f6aefe3

Download Submit
C:\Windows\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe

Filesize
168KB

MD5
d736baedb128939e01cffa68fbf8c745

SHA1
31ff4799315bbad9f886f9400ffb551f70bb4ec9

SHA256
306218327c1ab2eb4944c0c46dea675c974841bc816459a4fafc0ca57e78e290

SHA512
40bd1f45b3840aa55d11ed607d88d2a8822b4b3cb072fadd8a71f4afd43c9f806e9f1a6080e9b0aaa8eae5ecf1aed2dde3896a10d3e9f99c297a47b4f6242023

Download Submit
C:\Windows\{4A702B6B-E7F0-4ec3-81D0-99CC1E21B929}.exe

Filesize
168KB

MD5
d736baedb128939e01cffa68fbf8c745

SHA1
31ff4799315bbad9f886f9400ffb551f70bb4ec9

SHA256
306218327c1ab2eb4944c0c46dea675c974841bc816459a4fafc0ca57e78e290

SHA512
40bd1f45b3840aa55d11ed607d88d2a8822b4b3cb072fadd8a71f4afd43c9f806e9f1a6080e9b0aaa8eae5ecf1aed2dde3896a10d3e9f99c297a47b4f6242023

Download Submit
C:\Windows\{94B19E39-1D6D-4794-8120-DF57443793C4}.exe

Filesize
168KB

MD5
ef59fd52b6647f9802f7eafdf73a7f36

SHA1
16d9fc11b9dca19d1934d0604f543c332db87392

SHA256
d80d0ee58c4849557b1e0b418ec3c21e99dc4f8e1ee3c0ce86f6dace629d32c8

SHA512
7f6c002410c24b15ae473ab2c9ffef7aa6771c2d8df92fcfff9b5ecaa48a96c529965d9f96dce15f544e2242769c064179e11016bd6238cd4db21721a78d17ca

Download Submit
C:\Windows\{94B19E39-1D6D-4794-8120-DF57443793C4}.exe

Filesize
168KB

MD5
ef59fd52b6647f9802f7eafdf73a7f36

SHA1
16d9fc11b9dca19d1934d0604f543c332db87392

SHA256
d80d0ee58c4849557b1e0b418ec3c21e99dc4f8e1ee3c0ce86f6dace629d32c8

SHA512
7f6c002410c24b15ae473ab2c9ffef7aa6771c2d8df92fcfff9b5ecaa48a96c529965d9f96dce15f544e2242769c064179e11016bd6238cd4db21721a78d17ca

Download Submit
C:\Windows\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe

Filesize
168KB

MD5
31ddee09429bba6378e3c06d4e34a485

SHA1
1c25a01400721608d089fd9c989f50f4ff64de85

SHA256
1e3afd10e6f41a37cce48b4ee162781f5339fbe56b50e24cdfc30d84d8045674

SHA512
3301da0fa1c3f8553e4f4d521c9bb5686fcd869b4860f006c01ae638e895457a27c53b58ea0af8b24ea11818237343aadd8120a217cafc94d32e8301b762b5dc

Download Submit
C:\Windows\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe

Filesize
168KB

MD5
31ddee09429bba6378e3c06d4e34a485

SHA1
1c25a01400721608d089fd9c989f50f4ff64de85

SHA256
1e3afd10e6f41a37cce48b4ee162781f5339fbe56b50e24cdfc30d84d8045674

SHA512
3301da0fa1c3f8553e4f4d521c9bb5686fcd869b4860f006c01ae638e895457a27c53b58ea0af8b24ea11818237343aadd8120a217cafc94d32e8301b762b5dc

Download Submit
C:\Windows\{96F3D35A-78CF-41be-8E18-AE8B24EBD80B}.exe

Filesize
168KB

MD5
31ddee09429bba6378e3c06d4e34a485

SHA1
1c25a01400721608d089fd9c989f50f4ff64de85

SHA256
1e3afd10e6f41a37cce48b4ee162781f5339fbe56b50e24cdfc30d84d8045674

SHA512
3301da0fa1c3f8553e4f4d521c9bb5686fcd869b4860f006c01ae638e895457a27c53b58ea0af8b24ea11818237343aadd8120a217cafc94d32e8301b762b5dc

Download Submit
C:\Windows\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe

Filesize
168KB

MD5
0eb3d66ad6e19642105de3ad9e61986b

SHA1
2a315b06d9f8ed238f3ccd5e8fde97904db52a9d

SHA256
a9ea0c57df5b648dd0f645310da58b7f7dce9637ee829b732b1e8bc27315f807

SHA512
6aebb9125028703e6583b0e839dc53e7b42bb5efee29275d3d89009c8ba8b482c5a6e512f519e910a53ab43274b4967b840b33a2ca09e761e8cd42c2609aba8a

Download Submit
C:\Windows\{9AEB29AA-5BFA-438e-B6D0-3ED6C6F40BAD}.exe

Filesize
168KB

MD5
0eb3d66ad6e19642105de3ad9e61986b

SHA1
2a315b06d9f8ed238f3ccd5e8fde97904db52a9d

SHA256
a9ea0c57df5b648dd0f645310da58b7f7dce9637ee829b732b1e8bc27315f807

SHA512
6aebb9125028703e6583b0e839dc53e7b42bb5efee29275d3d89009c8ba8b482c5a6e512f519e910a53ab43274b4967b840b33a2ca09e761e8cd42c2609aba8a

Download Submit
C:\Windows\{A391268C-DDF2-4735-8A4B-911689859689}.exe

Filesize
168KB

MD5
5d42dea4b7a1aed38d77aefdd895f343

SHA1
d634ae3884fde3659a91292680c6d331f4682a35

SHA256
ee36c8da33e8b68eef8c92e3031df12c4f03324e863aa695e1479b8b9dc1f284

SHA512
6b518bba45c908e80e8114802a607f8de2290331a83f1ea7c29da12a2d35b3740506b518827c6b959cf855db348505b86cb93a5e2417db62728187e71a274483

Download Submit
C:\Windows\{A391268C-DDF2-4735-8A4B-911689859689}.exe

Filesize
168KB

MD5
5d42dea4b7a1aed38d77aefdd895f343

SHA1
d634ae3884fde3659a91292680c6d331f4682a35

SHA256
ee36c8da33e8b68eef8c92e3031df12c4f03324e863aa695e1479b8b9dc1f284

SHA512
6b518bba45c908e80e8114802a607f8de2290331a83f1ea7c29da12a2d35b3740506b518827c6b959cf855db348505b86cb93a5e2417db62728187e71a274483

Download Submit
C:\Windows\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe

Filesize
168KB

MD5
a288cc7f9fa7a61f93113efb395ab5c3

SHA1
32ceb081df085a82ca59e59f7b17134ed7410d7a

SHA256
ca4a9faecb3fd9e3cc712a202ba94039e6003324287f0dc7f4cd5a98d62848b5

SHA512
7ae9804c54a9a300c1e5f85c53b6a806c343ba300eb5719a6515150a467d566f4e2d9e0f86faba7c3f141303a48c1734ec1a61c1776bedfe7737fc41d4801f43

Download Submit
C:\Windows\{AFACFD6A-3D96-4eb2-877C-A92A45FC5574}.exe

Filesize
168KB

MD5
a288cc7f9fa7a61f93113efb395ab5c3

SHA1
32ceb081df085a82ca59e59f7b17134ed7410d7a

SHA256
ca4a9faecb3fd9e3cc712a202ba94039e6003324287f0dc7f4cd5a98d62848b5

SHA512
7ae9804c54a9a300c1e5f85c53b6a806c343ba300eb5719a6515150a467d566f4e2d9e0f86faba7c3f141303a48c1734ec1a61c1776bedfe7737fc41d4801f43

Download Submit
C:\Windows\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe

Filesize
168KB

MD5
cdf2730c08b76b7854f2781bffbacb5e

SHA1
3a91abff9c819b5933d6ff05fc3ba8f26ff60cb4

SHA256
04964d846dfd3beffb8f1c10e73de65fefd9a5f713ac15176ffcb3bbf79948c3

SHA512
a0a8eca0bb581dcd5f0be5ff1084b8a49e15ee0f545371556f6d535776d1bb8177cd78b3b14eea758fe779797ea177a0dadb2b8d266dc5b609bd467fca3c11a0

Download Submit
C:\Windows\{B7CD6A82-BE79-4b9a-B40D-CA782C3E1A05}.exe

Filesize
168KB

MD5
cdf2730c08b76b7854f2781bffbacb5e

SHA1
3a91abff9c819b5933d6ff05fc3ba8f26ff60cb4

SHA256
04964d846dfd3beffb8f1c10e73de65fefd9a5f713ac15176ffcb3bbf79948c3

SHA512
a0a8eca0bb581dcd5f0be5ff1084b8a49e15ee0f545371556f6d535776d1bb8177cd78b3b14eea758fe779797ea177a0dadb2b8d266dc5b609bd467fca3c11a0

Download Submit
C:\Windows\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe

Filesize
168KB

MD5
82e033aaf11c0198dcdfef5cb3de32fc

SHA1
bd69583e9d737c0419eb9dba5c32212476fce3df

SHA256
82de378a446b2176d3aa08fdc09b0212383f322288b74af547923599dcd0e446

SHA512
318f544333fd5602a5f24b2ca61d69417c5776f1ade3edbf0a4f00bf7e243eb9cdb9db43a616c06df29c66896d816842be10e1abc1989f334ec43de6ce073f46

Download Submit
C:\Windows\{FCCCAE3B-637E-4b75-842F-E64B9AEAC930}.exe

Filesize
168KB

MD5
82e033aaf11c0198dcdfef5cb3de32fc

SHA1
bd69583e9d737c0419eb9dba5c32212476fce3df

SHA256
82de378a446b2176d3aa08fdc09b0212383f322288b74af547923599dcd0e446

SHA512
318f544333fd5602a5f24b2ca61d69417c5776f1ade3edbf0a4f00bf7e243eb9cdb9db43a616c06df29c66896d816842be10e1abc1989f334ec43de6ce073f46

Download Submit