6902cd3ace53a5e4618ecfb7773311c7286f0fafdaa52ec8d2618d0c8ce24c95

Analysis

max time kernel
146s
max time network
75s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d9358f187020exeexeexeex.exe
Size

168KB
MD5

89d9358f187020d2f92f17a61ada49dd
SHA1

041b24dc05845a4cabc93f2af7db1959814fdbdd
SHA256

6902cd3ace53a5e4618ecfb7773311c7286f0fafdaa52ec8d2618d0c8ce24c95
SHA512

f4c1c902ed9198a5f6c2646bd1867337e0f095fbf06bb010ce61c2a0c8f40c64ab84a955c1cbd6afd1c7ac34ffc22bd96c689a9cffe6f17d7ebfe40f5f2f9b98
SSDEEP

1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7871C33E-F89F-4ebe-8EF7-715497B24502}	89d9358f187020exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}\stubpath = "C:\\Windows\\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe"	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}\stubpath = "C:\\Windows\\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe"	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB708E36-F580-43f4-858C-10FC446F12A2}	{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}\stubpath = "C:\\Windows\\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}.exe"	{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7871C33E-F89F-4ebe-8EF7-715497B24502}\stubpath = "C:\\Windows\\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe"	89d9358f187020exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}\stubpath = "C:\\Windows\\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe"	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}\stubpath = "C:\\Windows\\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe"	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}\stubpath = "C:\\Windows\\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe"	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB708E36-F580-43f4-858C-10FC446F12A2}\stubpath = "C:\\Windows\\{FB708E36-F580-43f4-858C-10FC446F12A2}.exe"	{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74348148-FAE1-477e-AB88-B730005FC4E6}	{14D1661C-E5E2-4315-916B-9D639147886C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}	{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A2E425-6173-45f3-B08A-EFF460647FC1}	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}\stubpath = "C:\\Windows\\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe"	{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}\stubpath = "C:\\Windows\\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe"	{FB708E36-F580-43f4-858C-10FC446F12A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}	{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A2E425-6173-45f3-B08A-EFF460647FC1}\stubpath = "C:\\Windows\\{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe"	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D1661C-E5E2-4315-916B-9D639147886C}	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D1661C-E5E2-4315-916B-9D639147886C}\stubpath = "C:\\Windows\\{14D1661C-E5E2-4315-916B-9D639147886C}.exe"	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74348148-FAE1-477e-AB88-B730005FC4E6}\stubpath = "C:\\Windows\\{74348148-FAE1-477e-AB88-B730005FC4E6}.exe"	{14D1661C-E5E2-4315-916B-9D639147886C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}	{FB708E36-F580-43f4-858C-10FC446F12A2}.exe

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe
2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
2556	{14D1661C-E5E2-4315-916B-9D639147886C}.exe
2660	{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
2576	{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
2848	{FB708E36-F580-43f4-858C-10FC446F12A2}.exe
2492	{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe
2468	{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
File created	C:\Windows\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
File created	C:\Windows\{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
File created	C:\Windows\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe	{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
File created	C:\Windows\{FB708E36-F580-43f4-858C-10FC446F12A2}.exe	{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
File created	C:\Windows\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}.exe	{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe
File created	C:\Windows\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	89d9358f187020exeexeexeex.exe
File created	C:\Windows\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
File created	C:\Windows\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
File created	C:\Windows\{14D1661C-E5E2-4315-916B-9D639147886C}.exe	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
File created	C:\Windows\{74348148-FAE1-477e-AB88-B730005FC4E6}.exe	{14D1661C-E5E2-4315-916B-9D639147886C}.exe
File created	C:\Windows\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe	{FB708E36-F580-43f4-858C-10FC446F12A2}.exe
File created	C:\Windows\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	89d9358f187020exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe
Token: SeIncBasePriorityPrivilege	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
Token: SeIncBasePriorityPrivilege	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
Token: SeIncBasePriorityPrivilege	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
Token: SeIncBasePriorityPrivilege	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
Token: SeIncBasePriorityPrivilege	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
Token: SeIncBasePriorityPrivilege	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
Token: SeIncBasePriorityPrivilege	2556	{14D1661C-E5E2-4315-916B-9D639147886C}.exe
Token: SeIncBasePriorityPrivilege	2660	{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
Token: SeIncBasePriorityPrivilege	2576	{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
Token: SeIncBasePriorityPrivilege	2848	{FB708E36-F580-43f4-858C-10FC446F12A2}.exe
Token: SeIncBasePriorityPrivilege	2492	{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2296	2344	89d9358f187020exeexeexeex.exe	28
PID 2344 wrote to memory of 2296	2344	89d9358f187020exeexeexeex.exe	28
PID 2344 wrote to memory of 2296	2344	89d9358f187020exeexeexeex.exe	28
PID 2344 wrote to memory of 2296	2344	89d9358f187020exeexeexeex.exe	28
PID 2344 wrote to memory of 2248	2344	89d9358f187020exeexeexeex.exe	29
PID 2344 wrote to memory of 2248	2344	89d9358f187020exeexeexeex.exe	29
PID 2344 wrote to memory of 2248	2344	89d9358f187020exeexeexeex.exe	29
PID 2344 wrote to memory of 2248	2344	89d9358f187020exeexeexeex.exe	29
PID 2296 wrote to memory of 2236	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	30
PID 2296 wrote to memory of 2236	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	30
PID 2296 wrote to memory of 2236	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	30
PID 2296 wrote to memory of 2236	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	30
PID 2296 wrote to memory of 2896	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	31
PID 2296 wrote to memory of 2896	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	31
PID 2296 wrote to memory of 2896	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	31
PID 2296 wrote to memory of 2896	2296	{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe	31
PID 2236 wrote to memory of 1160	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	33
PID 2236 wrote to memory of 1160	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	33
PID 2236 wrote to memory of 1160	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	33
PID 2236 wrote to memory of 1160	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	33
PID 2236 wrote to memory of 2916	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	32
PID 2236 wrote to memory of 2916	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	32
PID 2236 wrote to memory of 2916	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	32
PID 2236 wrote to memory of 2916	2236	{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe	32
PID 1160 wrote to memory of 2984	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	35
PID 1160 wrote to memory of 2984	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	35
PID 1160 wrote to memory of 2984	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	35
PID 1160 wrote to memory of 2984	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	35
PID 1160 wrote to memory of 1752	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	34
PID 1160 wrote to memory of 1752	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	34
PID 1160 wrote to memory of 1752	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	34
PID 1160 wrote to memory of 1752	1160	{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe	34
PID 2984 wrote to memory of 2032	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	36
PID 2984 wrote to memory of 2032	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	36
PID 2984 wrote to memory of 2032	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	36
PID 2984 wrote to memory of 2032	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	36
PID 2984 wrote to memory of 2104	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	37
PID 2984 wrote to memory of 2104	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	37
PID 2984 wrote to memory of 2104	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	37
PID 2984 wrote to memory of 2104	2984	{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe	37
PID 2032 wrote to memory of 2108	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	39
PID 2032 wrote to memory of 2108	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	39
PID 2032 wrote to memory of 2108	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	39
PID 2032 wrote to memory of 2108	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	39
PID 2032 wrote to memory of 2268	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	38
PID 2032 wrote to memory of 2268	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	38
PID 2032 wrote to memory of 2268	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	38
PID 2032 wrote to memory of 2268	2032	{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe	38
PID 2108 wrote to memory of 1184	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	40
PID 2108 wrote to memory of 1184	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	40
PID 2108 wrote to memory of 1184	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	40
PID 2108 wrote to memory of 1184	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	40
PID 2108 wrote to memory of 1128	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	41
PID 2108 wrote to memory of 1128	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	41
PID 2108 wrote to memory of 1128	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	41
PID 2108 wrote to memory of 1128	2108	{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe	41
PID 1184 wrote to memory of 2556	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	42
PID 1184 wrote to memory of 2556	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	42
PID 1184 wrote to memory of 2556	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	42
PID 1184 wrote to memory of 2556	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	42
PID 1184 wrote to memory of 2832	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	43
PID 1184 wrote to memory of 2832	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	43
PID 1184 wrote to memory of 2832	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	43
PID 1184 wrote to memory of 2832	1184	{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe	43

C:\Users\Admin\AppData\Local\Temp\89d9358f187020exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\89d9358f187020exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe
  C:\Windows\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
    C:\Windows\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FF149~1.EXE > nul
      4⤵
      PID:2916
  - - C:\Windows\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
      C:\Windows\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E8A7~1.EXE > nul
        5⤵
        
        PID:1752
    - - C:\Windows\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
        
        C:\Windows\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
        
        C:\Windows\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA5FA~1.EXE > nul
        7⤵
        
        PID:2268
        
        C:\Windows\{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
        
        C:\Windows\{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
        
        C:\Windows\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{14D1661C-E5E2-4315-916B-9D639147886C}.exe
        
        C:\Windows\{14D1661C-E5E2-4315-916B-9D639147886C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
        
        C:\Windows\{74348148-FAE1-477e-AB88-B730005FC4E6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
        
        C:\Windows\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE5D0~1.EXE > nul
        12⤵
        
        PID:2680
        
        C:\Windows\{FB708E36-F580-43f4-858C-10FC446F12A2}.exe
        
        C:\Windows\{FB708E36-F580-43f4-858C-10FC446F12A2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB708~1.EXE > nul
        13⤵
        
        PID:2636
        
        C:\Windows\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe
        
        C:\Windows\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}.exe
        
        C:\Windows\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}.exe
        14⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{533CB~1.EXE > nul
        14⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74348~1.EXE > nul
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14D16~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F94C6~1.EXE > nul
        9⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A2E~1.EXE > nul
        8⤵
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58337~1.EXE > nul
        6⤵
        
        PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7871C~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\89D935~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14D1661C-E5E2-4315-916B-9D639147886C}.exe

Filesize
168KB

MD5
cf39d5bd2d22f060c04446853ac7c1b3

SHA1
69f8525c5dd28a63f0068dbc404d2aa485139816

SHA256
55fc7b119fc1fbf5e82128d4a2cf4929da97cee5ee950c68d6d7a985ca489d63

SHA512
5dc5a06758c3038f031990d91078a010344a3859a866f6b91233c541facc4452fa4f8b33cae411435530f6f3ed546eb0fcc345b8dadff38a8d67ba9c430e318f

Download Submit
C:\Windows\{14D1661C-E5E2-4315-916B-9D639147886C}.exe

Filesize
168KB

MD5
cf39d5bd2d22f060c04446853ac7c1b3

SHA1
69f8525c5dd28a63f0068dbc404d2aa485139816

SHA256
55fc7b119fc1fbf5e82128d4a2cf4929da97cee5ee950c68d6d7a985ca489d63

SHA512
5dc5a06758c3038f031990d91078a010344a3859a866f6b91233c541facc4452fa4f8b33cae411435530f6f3ed546eb0fcc345b8dadff38a8d67ba9c430e318f

Download Submit
C:\Windows\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe

Filesize
168KB

MD5
7dc86410ba15487864e17ca477977933

SHA1
9e5aa5c952970ccc9465a3dfc1d42a3c5f761b75

SHA256
275578f66664565b943d5e5ad9aa8805cab33231bcd51dbb989a5a7c995b197c

SHA512
d00fec49f37ebd9cabebd8a4ffb0ee8b96cc82a1ea9689c0bf3f0e5bfb968366f70dcaf0799c1f4fbf77397571de30c4774daa93337ba23496a281ada1af90b8

Download Submit
C:\Windows\{533CB867-7944-4209-9DB6-8C8AFAC7D27E}.exe

Filesize
168KB

MD5
7dc86410ba15487864e17ca477977933

SHA1
9e5aa5c952970ccc9465a3dfc1d42a3c5f761b75

SHA256
275578f66664565b943d5e5ad9aa8805cab33231bcd51dbb989a5a7c995b197c

SHA512
d00fec49f37ebd9cabebd8a4ffb0ee8b96cc82a1ea9689c0bf3f0e5bfb968366f70dcaf0799c1f4fbf77397571de30c4774daa93337ba23496a281ada1af90b8

Download Submit
C:\Windows\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe

Filesize
168KB

MD5
30dba62d322ed71b6c153ab4ba93c31b

SHA1
ff69c5bd9316309af4149a9b5b0ea325a91e67a1

SHA256
9201530227de78f25a3b044bec5fc7d98fbc6c769b390276746e6a235797f724

SHA512
00e26ab6664847233d93563d7138febe7882bcc5e93462ac66b360cec91ac5429ba8f3a0b2717f064ffd0b9b13d2e0e9465ebf2a95c5a7fc78ee06261fdf8132

Download Submit
C:\Windows\{583379D6-1FBA-4d41-B35D-FE89EF2B34E2}.exe

Filesize
168KB

MD5
30dba62d322ed71b6c153ab4ba93c31b

SHA1
ff69c5bd9316309af4149a9b5b0ea325a91e67a1

SHA256
9201530227de78f25a3b044bec5fc7d98fbc6c769b390276746e6a235797f724

SHA512
00e26ab6664847233d93563d7138febe7882bcc5e93462ac66b360cec91ac5429ba8f3a0b2717f064ffd0b9b13d2e0e9465ebf2a95c5a7fc78ee06261fdf8132

Download Submit
C:\Windows\{74348148-FAE1-477e-AB88-B730005FC4E6}.exe

Filesize
168KB

MD5
bef1c51d4c3fc047727555d1eedf227f

SHA1
15bdf7ba48c189bfe7030c75b95b6efc03c4e9aa

SHA256
3bc78ec4604cd738be9dec6efdcacd0868e65e4fb4f204176120371f6071cd18

SHA512
b902ea583fcab32e27d007103b88cc1914567309f9b148df0b8433ec633364bb4fa56bf5a1b2acefaece65e765b1346fa3e395efa277db37f74aa5acce631ef5

Download Submit
C:\Windows\{74348148-FAE1-477e-AB88-B730005FC4E6}.exe

Filesize
168KB

MD5
bef1c51d4c3fc047727555d1eedf227f

SHA1
15bdf7ba48c189bfe7030c75b95b6efc03c4e9aa

SHA256
3bc78ec4604cd738be9dec6efdcacd0868e65e4fb4f204176120371f6071cd18

SHA512
b902ea583fcab32e27d007103b88cc1914567309f9b148df0b8433ec633364bb4fa56bf5a1b2acefaece65e765b1346fa3e395efa277db37f74aa5acce631ef5

Download Submit
C:\Windows\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe

Filesize
168KB

MD5
0942813423cc00f0b9a8c6887c5272bc

SHA1
44de5d943618a8bb7bfbaf000d875bcc38738aea

SHA256
73a11b089406b76d55ec7aaa7192fcca5ff3c19d7fe6086f7c1df3d45cd2dfb8

SHA512
4a017d511cd49cf6066f5e2392bf2d852b603c4b58f2078b45ee9d895559521a84b3166029cf4d37a53112f142e245753ed3dc22fa9e36ec6660b952274e10ac

Download Submit
C:\Windows\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe

Filesize
168KB

MD5
0942813423cc00f0b9a8c6887c5272bc

SHA1
44de5d943618a8bb7bfbaf000d875bcc38738aea

SHA256
73a11b089406b76d55ec7aaa7192fcca5ff3c19d7fe6086f7c1df3d45cd2dfb8

SHA512
4a017d511cd49cf6066f5e2392bf2d852b603c4b58f2078b45ee9d895559521a84b3166029cf4d37a53112f142e245753ed3dc22fa9e36ec6660b952274e10ac

Download Submit
C:\Windows\{7871C33E-F89F-4ebe-8EF7-715497B24502}.exe

Filesize
168KB

MD5
0942813423cc00f0b9a8c6887c5272bc

SHA1
44de5d943618a8bb7bfbaf000d875bcc38738aea

SHA256
73a11b089406b76d55ec7aaa7192fcca5ff3c19d7fe6086f7c1df3d45cd2dfb8

SHA512
4a017d511cd49cf6066f5e2392bf2d852b603c4b58f2078b45ee9d895559521a84b3166029cf4d37a53112f142e245753ed3dc22fa9e36ec6660b952274e10ac

Download Submit
C:\Windows\{7C49BBE8-2FCE-47e2-A74E-CD8346EE132A}.exe

Filesize
168KB

MD5
18a76297caaca3295c7040b3ec066095

SHA1
72f4459d5fc965d5aa4c7b76729208bf79b1eda1

SHA256
7eb7ff705b3bce962470091e15c58cc4e19c67601ff5d374af67dfb5c602233e

SHA512
98fdc5bdf9998de671996731a36962fa47005b7722dcf291fb73fae6a037dce92a93ac7c58093b088c17b97f9d941479912b414d0d0ebd565fd71f6bd000e61e

Download Submit
C:\Windows\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe

Filesize
168KB

MD5
0d190c575959ab7f048faa8ce264ac7b

SHA1
173afbcc84a247cbc9bbc8393002a631ff32cf27

SHA256
c7127619e314361c8160e4cd1044492744fdb60f7f0df1b7fbb4183dca3c45d2

SHA512
e5801c35393af6d78e1fd9e5cc0515802bf53ec564757f8c6405c3dfa9616190cd90304068546aa84b8588ef905b549a9103b54a5ca76a3a89fad6b0b759f1ba

Download Submit
C:\Windows\{8E8A75FC-EDE2-4766-9459-82DB09A17E4B}.exe

Filesize
168KB

MD5
0d190c575959ab7f048faa8ce264ac7b

SHA1
173afbcc84a247cbc9bbc8393002a631ff32cf27

SHA256
c7127619e314361c8160e4cd1044492744fdb60f7f0df1b7fbb4183dca3c45d2

SHA512
e5801c35393af6d78e1fd9e5cc0515802bf53ec564757f8c6405c3dfa9616190cd90304068546aa84b8588ef905b549a9103b54a5ca76a3a89fad6b0b759f1ba

Download Submit
C:\Windows\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe

Filesize
168KB

MD5
aeaf1e3d9bcd1cc4f37d2f8dd9df5fab

SHA1
d1433d51094be3420d87d9dbb4926f293947f4e9

SHA256
2047472e4493a6e2341aa13b1ca3a4751651c844e28b1099023e0e94d872d307

SHA512
b30a9c62d759d91bb4e92e35bc3409bff2382b73d7b1a7c31b034f7c196d1215368c08aebfec67e1daf8b8a84569fb5179e34062e1c703770456bcec4a76cff7

Download Submit
C:\Windows\{AE5D0FC9-0942-4c8a-905D-28A952CBB139}.exe

Filesize
168KB

MD5
aeaf1e3d9bcd1cc4f37d2f8dd9df5fab

SHA1
d1433d51094be3420d87d9dbb4926f293947f4e9

SHA256
2047472e4493a6e2341aa13b1ca3a4751651c844e28b1099023e0e94d872d307

SHA512
b30a9c62d759d91bb4e92e35bc3409bff2382b73d7b1a7c31b034f7c196d1215368c08aebfec67e1daf8b8a84569fb5179e34062e1c703770456bcec4a76cff7

Download Submit
C:\Windows\{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe

Filesize
168KB

MD5
a6b7eb69ba23577678a7a59cdff213e9

SHA1
debd82e9e1fca1b448d22441cacca89bcbb667ab

SHA256
a44ba350d4e3020e8001e807981810af22464c59f19fe54323861d6134e5416a

SHA512
cebcebf1a1b8404544650beccfaac001d1428a9996377fc89a9bd41d661dcfc371634fb864c98613647415de4ee6a2bb3427808f50246e2a3e21a4c333384354

Download Submit
C:\Windows\{C7A2E425-6173-45f3-B08A-EFF460647FC1}.exe

Filesize
168KB

MD5
a6b7eb69ba23577678a7a59cdff213e9

SHA1
debd82e9e1fca1b448d22441cacca89bcbb667ab

SHA256
a44ba350d4e3020e8001e807981810af22464c59f19fe54323861d6134e5416a

SHA512
cebcebf1a1b8404544650beccfaac001d1428a9996377fc89a9bd41d661dcfc371634fb864c98613647415de4ee6a2bb3427808f50246e2a3e21a4c333384354

Download Submit
C:\Windows\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe

Filesize
168KB

MD5
bfc2e7ab8db64251bfa39efdceb647a4

SHA1
5b8259c180c052bbb98f969a4e52f55a2c250d5d

SHA256
addf8f6530889e9cb9b9ac03ef131114e566149366aca1988ed32f7ee6014efd

SHA512
172d1989f964989f53908210de19ce44c12e17b37ae162d4b400acfdc8d92e97ee4c616332782a49ca85d6d5cd8836dcd42512bd705549ed70ca28ac3eef1f93

Download Submit
C:\Windows\{F94C6DD8-3EE7-493f-90E3-7A6CB8006D6B}.exe

Filesize
168KB

MD5
bfc2e7ab8db64251bfa39efdceb647a4

SHA1
5b8259c180c052bbb98f969a4e52f55a2c250d5d

SHA256
addf8f6530889e9cb9b9ac03ef131114e566149366aca1988ed32f7ee6014efd

SHA512
172d1989f964989f53908210de19ce44c12e17b37ae162d4b400acfdc8d92e97ee4c616332782a49ca85d6d5cd8836dcd42512bd705549ed70ca28ac3eef1f93

Download Submit
C:\Windows\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe

Filesize
168KB

MD5
9c188f574b89fe90419a210a2bdd3b0f

SHA1
b06b26afa8211db5ade283a0f7a1eda66d841986

SHA256
c90bffa27e08e63d3422f13f85728c71e2230d8bfc2be0214e394297ec780239

SHA512
fac92b42e803af672a97a9965a721b847b53df1ae750ae528edb0e4c64dfce3240dbff5a064ac124190e21e6ff227dc01ae059c096480ba78e0696eedc6607d6

Download Submit
C:\Windows\{FA5FAF50-1198-4244-BF1C-F562012FEA3F}.exe

Filesize
168KB

MD5
9c188f574b89fe90419a210a2bdd3b0f

SHA1
b06b26afa8211db5ade283a0f7a1eda66d841986

SHA256
c90bffa27e08e63d3422f13f85728c71e2230d8bfc2be0214e394297ec780239

SHA512
fac92b42e803af672a97a9965a721b847b53df1ae750ae528edb0e4c64dfce3240dbff5a064ac124190e21e6ff227dc01ae059c096480ba78e0696eedc6607d6

Download Submit
C:\Windows\{FB708E36-F580-43f4-858C-10FC446F12A2}.exe

Filesize
168KB

MD5
4692e626fe687c06e8ef8d49dc4de486

SHA1
5a37eebe8eb76684867a56f7cb82975a4c3f4dbf

SHA256
8f188889e5423796af0974637499bbf355773686e26c8ef80d4efe575d4343fb

SHA512
b0b5242a1a031f6031ae7ddeee6d923341d8faee7572ad0e3d46bbc5a188c3a52500700712a42b831a37023c11fd8404a58bd2d257c61421ec3dc4c726bb01f1

Download Submit
C:\Windows\{FB708E36-F580-43f4-858C-10FC446F12A2}.exe

Filesize
168KB

MD5
4692e626fe687c06e8ef8d49dc4de486

SHA1
5a37eebe8eb76684867a56f7cb82975a4c3f4dbf

SHA256
8f188889e5423796af0974637499bbf355773686e26c8ef80d4efe575d4343fb

SHA512
b0b5242a1a031f6031ae7ddeee6d923341d8faee7572ad0e3d46bbc5a188c3a52500700712a42b831a37023c11fd8404a58bd2d257c61421ec3dc4c726bb01f1

Download Submit
C:\Windows\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe

Filesize
168KB

MD5
256aa7184a0dd9b95372ea464728a163

SHA1
9f2b27cb255a1adb5e26c1aaddc9826cd5e3880c

SHA256
952b5799f0b9be68f8061d0dd8ab96e188e656555c09c52a77cd6e5cb2023d5b

SHA512
5ad33508f12e4064660de8c6c617692ae9f49cbd548b3845802dea98d37588acd1611f470626a6bf6f98177e4829b706f28a8526bc482ca8bab2708f8ee93a3d

Download Submit
C:\Windows\{FF149DD4-8A62-4ed0-B70C-3A13C1222063}.exe

Filesize
168KB

MD5
256aa7184a0dd9b95372ea464728a163

SHA1
9f2b27cb255a1adb5e26c1aaddc9826cd5e3880c

SHA256
952b5799f0b9be68f8061d0dd8ab96e188e656555c09c52a77cd6e5cb2023d5b

SHA512
5ad33508f12e4064660de8c6c617692ae9f49cbd548b3845802dea98d37588acd1611f470626a6bf6f98177e4829b706f28a8526bc482ca8bab2708f8ee93a3d

Download Submit