2fc78fefdf5992b54b40b9b6b01fac55ada2701b37d19b5a0e2845ca6f9ae37e

Analysis

max time kernel
145s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e070f83083882exeexeexeex.exe
Size

204KB
MD5

8e070f8308388270db2540c52627e0bd
SHA1

1c8b770ee07bc215a9199be4317f18e32afd4013
SHA256

2fc78fefdf5992b54b40b9b6b01fac55ada2701b37d19b5a0e2845ca6f9ae37e
SHA512

7ca39662e13615982779b5f4e800fbf9a5089797c7959b7822b08e6714d7dbfdbbd04464832ace8da9277b26c71f765cdd5767510f837b03e97ef06565f06315
SSDEEP

1536:1EGh0oQl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oQl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4129998E-8F48-41ed-BB1B-ED9F65411113}	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88468E0B-FCE2-411b-A700-096E39C574E3}\stubpath = "C:\\Windows\\{88468E0B-FCE2-411b-A700-096E39C574E3}.exe"	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5427708F-D300-489c-837F-9F98D1459D04}	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}	{5427708F-D300-489c-837F-9F98D1459D04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}\stubpath = "C:\\Windows\\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe"	{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}	8e070f83083882exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{260A6857-8673-40fa-B0AC-583B9A2A7C74}	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}\stubpath = "C:\\Windows\\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe"	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}\stubpath = "C:\\Windows\\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe"	{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD82732C-F023-424f-825A-77B480742A89}	{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}	{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}\stubpath = "C:\\Windows\\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe"	{5427708F-D300-489c-837F-9F98D1459D04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}	{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}\stubpath = "C:\\Windows\\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe"	{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4129998E-8F48-41ed-BB1B-ED9F65411113}\stubpath = "C:\\Windows\\{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe"	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}	{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD82732C-F023-424f-825A-77B480742A89}\stubpath = "C:\\Windows\\{FD82732C-F023-424f-825A-77B480742A89}.exe"	{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}\stubpath = "C:\\Windows\\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe"	8e070f83083882exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29488330-F37E-4e44-B5D2-90BE3929885A}\stubpath = "C:\\Windows\\{29488330-F37E-4e44-B5D2-90BE3929885A}.exe"	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{260A6857-8673-40fa-B0AC-583B9A2A7C74}\stubpath = "C:\\Windows\\{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe"	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}	{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}\stubpath = "C:\\Windows\\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe"	{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29488330-F37E-4e44-B5D2-90BE3929885A}	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88468E0B-FCE2-411b-A700-096E39C574E3}	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5427708F-D300-489c-837F-9F98D1459D04}\stubpath = "C:\\Windows\\{5427708F-D300-489c-837F-9F98D1459D04}.exe"	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe
1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe
2876	{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe
2260	{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
2800	{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
2676	{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
2640	{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe
2700	{FD82732C-F023-424f-825A-77B480742A89}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe	{5427708F-D300-489c-837F-9F98D1459D04}.exe
File created	C:\Windows\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe	{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
File created	C:\Windows\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe	{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
File created	C:\Windows\{FD82732C-F023-424f-825A-77B480742A89}.exe	{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe
File created	C:\Windows\{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
File created	C:\Windows\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
File created	C:\Windows\{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
File created	C:\Windows\{5427708F-D300-489c-837F-9F98D1459D04}.exe	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe
File created	C:\Windows\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe	{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
File created	C:\Windows\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	8e070f83083882exeexeexeex.exe
File created	C:\Windows\{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
File created	C:\Windows\{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
File created	C:\Windows\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe	{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2412	8e070f83083882exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
Token: SeIncBasePriorityPrivilege	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
Token: SeIncBasePriorityPrivilege	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
Token: SeIncBasePriorityPrivilege	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
Token: SeIncBasePriorityPrivilege	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
Token: SeIncBasePriorityPrivilege	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe
Token: SeIncBasePriorityPrivilege	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe
Token: SeIncBasePriorityPrivilege	2876	{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe
Token: SeIncBasePriorityPrivilege	2260	{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
Token: SeIncBasePriorityPrivilege	2800	{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
Token: SeIncBasePriorityPrivilege	2676	{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
Token: SeIncBasePriorityPrivilege	2640	{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3048	2412	8e070f83083882exeexeexeex.exe	28
PID 2412 wrote to memory of 3048	2412	8e070f83083882exeexeexeex.exe	28
PID 2412 wrote to memory of 3048	2412	8e070f83083882exeexeexeex.exe	28
PID 2412 wrote to memory of 3048	2412	8e070f83083882exeexeexeex.exe	28
PID 2412 wrote to memory of 2304	2412	8e070f83083882exeexeexeex.exe	29
PID 2412 wrote to memory of 2304	2412	8e070f83083882exeexeexeex.exe	29
PID 2412 wrote to memory of 2304	2412	8e070f83083882exeexeexeex.exe	29
PID 2412 wrote to memory of 2304	2412	8e070f83083882exeexeexeex.exe	29
PID 3048 wrote to memory of 2344	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	30
PID 3048 wrote to memory of 2344	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	30
PID 3048 wrote to memory of 2344	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	30
PID 3048 wrote to memory of 2344	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	30
PID 3048 wrote to memory of 1532	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	31
PID 3048 wrote to memory of 1532	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	31
PID 3048 wrote to memory of 1532	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	31
PID 3048 wrote to memory of 1532	3048	{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe	31
PID 2344 wrote to memory of 2436	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	32
PID 2344 wrote to memory of 2436	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	32
PID 2344 wrote to memory of 2436	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	32
PID 2344 wrote to memory of 2436	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	32
PID 2344 wrote to memory of 1792	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	33
PID 2344 wrote to memory of 1792	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	33
PID 2344 wrote to memory of 1792	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	33
PID 2344 wrote to memory of 1792	2344	{29488330-F37E-4e44-B5D2-90BE3929885A}.exe	33
PID 2436 wrote to memory of 2432	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	34
PID 2436 wrote to memory of 2432	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	34
PID 2436 wrote to memory of 2432	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	34
PID 2436 wrote to memory of 2432	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	34
PID 2436 wrote to memory of 1156	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	35
PID 2436 wrote to memory of 1156	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	35
PID 2436 wrote to memory of 1156	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	35
PID 2436 wrote to memory of 1156	2436	{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe	35
PID 2432 wrote to memory of 2924	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	36
PID 2432 wrote to memory of 2924	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	36
PID 2432 wrote to memory of 2924	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	36
PID 2432 wrote to memory of 2924	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	36
PID 2432 wrote to memory of 1900	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	37
PID 2432 wrote to memory of 1900	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	37
PID 2432 wrote to memory of 1900	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	37
PID 2432 wrote to memory of 1900	2432	{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe	37
PID 2924 wrote to memory of 2984	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	38
PID 2924 wrote to memory of 2984	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	38
PID 2924 wrote to memory of 2984	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	38
PID 2924 wrote to memory of 2984	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	38
PID 2924 wrote to memory of 3020	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	39
PID 2924 wrote to memory of 3020	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	39
PID 2924 wrote to memory of 3020	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	39
PID 2924 wrote to memory of 3020	2924	{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe	39
PID 2984 wrote to memory of 1664	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	40
PID 2984 wrote to memory of 1664	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	40
PID 2984 wrote to memory of 1664	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	40
PID 2984 wrote to memory of 1664	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	40
PID 2984 wrote to memory of 2244	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	41
PID 2984 wrote to memory of 2244	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	41
PID 2984 wrote to memory of 2244	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	41
PID 2984 wrote to memory of 2244	2984	{88468E0B-FCE2-411b-A700-096E39C574E3}.exe	41
PID 1664 wrote to memory of 2876	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	42
PID 1664 wrote to memory of 2876	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	42
PID 1664 wrote to memory of 2876	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	42
PID 1664 wrote to memory of 2876	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	42
PID 1664 wrote to memory of 2256	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	43
PID 1664 wrote to memory of 2256	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	43
PID 1664 wrote to memory of 2256	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	43
PID 1664 wrote to memory of 2256	1664	{5427708F-D300-489c-837F-9F98D1459D04}.exe	43

C:\Users\Admin\AppData\Local\Temp\8e070f83083882exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\8e070f83083882exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
  C:\Windows\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
    C:\Windows\{29488330-F37E-4e44-B5D2-90BE3929885A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
      C:\Windows\{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
        
        C:\Windows\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
        
        C:\Windows\{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{88468E0B-FCE2-411b-A700-096E39C574E3}.exe
        
        C:\Windows\{88468E0B-FCE2-411b-A700-096E39C574E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{5427708F-D300-489c-837F-9F98D1459D04}.exe
        
        C:\Windows\{5427708F-D300-489c-837F-9F98D1459D04}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe
        
        C:\Windows\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
        
        C:\Windows\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
        
        C:\Windows\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
        
        C:\Windows\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe
        
        C:\Windows\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{FD82732C-F023-424f-825A-77B480742A89}.exe
        
        C:\Windows\{FD82732C-F023-424f-825A-77B480742A89}.exe
        14⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29D59~1.EXE > nul
        14⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59992~1.EXE > nul
        13⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2CE~1.EXE > nul
        12⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF2E6~1.EXE > nul
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA4CB~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54277~1.EXE > nul
        9⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88468~1.EXE > nul
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41299~1.EXE > nul
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19600~1.EXE > nul
        6⤵
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{260A6~1.EXE > nul
        5⤵
        
        PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29488~1.EXE > nul
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18BB5~1.EXE > nul
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E070F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe

Filesize
204KB

MD5
2fcffc1240a936596a2ac528f2a35e1f

SHA1
742a722b3e3cba54e13b1836c841dfc528621ff9

SHA256
2bf30f6cfd23bdcbb68469923b02ee3b4d6cf84ba8bd6863e8faf041e4e94b83

SHA512
7065e18a67d1c3a6bf5fb2d8e40afd78bb12f79ffb8f691e6dba9d4bd580aedc9b621918bce5b25a852769f18bc32fb6f4d9b0fabd69a133c24b9b2efc6de18f

Download Submit
C:\Windows\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe

Filesize
204KB

MD5
2fcffc1240a936596a2ac528f2a35e1f

SHA1
742a722b3e3cba54e13b1836c841dfc528621ff9

SHA256
2bf30f6cfd23bdcbb68469923b02ee3b4d6cf84ba8bd6863e8faf041e4e94b83

SHA512
7065e18a67d1c3a6bf5fb2d8e40afd78bb12f79ffb8f691e6dba9d4bd580aedc9b621918bce5b25a852769f18bc32fb6f4d9b0fabd69a133c24b9b2efc6de18f

Download Submit
C:\Windows\{18BB5FC1-ADB3-4b31-A4C2-C7EA0B8E94B0}.exe

Filesize
204KB

MD5
2fcffc1240a936596a2ac528f2a35e1f

SHA1
742a722b3e3cba54e13b1836c841dfc528621ff9

SHA256
2bf30f6cfd23bdcbb68469923b02ee3b4d6cf84ba8bd6863e8faf041e4e94b83

SHA512
7065e18a67d1c3a6bf5fb2d8e40afd78bb12f79ffb8f691e6dba9d4bd580aedc9b621918bce5b25a852769f18bc32fb6f4d9b0fabd69a133c24b9b2efc6de18f

Download Submit
C:\Windows\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe

Filesize
204KB

MD5
581b5dbd84f0eece1861d37c0a521045

SHA1
1ccc706cd2cee5e5ee1a327ae8e595ce215f5a85

SHA256
4725e8ec9b6bd01b423013e49f7e68ac2417ddd5ab2d6bc007ceae2c7310dc3d

SHA512
84c7c0e97e7f5e3b894d9186e405cf4e2bb58bd1112bf14facb8e37947c5c1fdcf0e32d9728f070404dadeb45b3478f12ddc7450e763b6ad398956f9366a1d40

Download Submit
C:\Windows\{196007C4-DC4C-455e-84CC-B8AB7C4A7244}.exe

Filesize
204KB

MD5
581b5dbd84f0eece1861d37c0a521045

SHA1
1ccc706cd2cee5e5ee1a327ae8e595ce215f5a85

SHA256
4725e8ec9b6bd01b423013e49f7e68ac2417ddd5ab2d6bc007ceae2c7310dc3d

SHA512
84c7c0e97e7f5e3b894d9186e405cf4e2bb58bd1112bf14facb8e37947c5c1fdcf0e32d9728f070404dadeb45b3478f12ddc7450e763b6ad398956f9366a1d40

Download Submit
C:\Windows\{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe

Filesize
204KB

MD5
f3e112fb1a29044c48f781856cc2e059

SHA1
620a78834f2768a4cff17fa45a6ce1d7625782f1

SHA256
e989171dd8a51aab1b9b55505ea60933b2d547e4de15b5b1fe5e07fa7f8dc8b4

SHA512
0f0a44daa77479068ec8a24d420e3bf43777976c7db8dc9140f22bff95e4e081138954a2005e6a5bb80ac2d7b4d71cd2e7c040a0427c2fccdcd5e06a5c5524bf

Download Submit
C:\Windows\{260A6857-8673-40fa-B0AC-583B9A2A7C74}.exe

Filesize
204KB

MD5
f3e112fb1a29044c48f781856cc2e059

SHA1
620a78834f2768a4cff17fa45a6ce1d7625782f1

SHA256
e989171dd8a51aab1b9b55505ea60933b2d547e4de15b5b1fe5e07fa7f8dc8b4

SHA512
0f0a44daa77479068ec8a24d420e3bf43777976c7db8dc9140f22bff95e4e081138954a2005e6a5bb80ac2d7b4d71cd2e7c040a0427c2fccdcd5e06a5c5524bf

Download Submit
C:\Windows\{29488330-F37E-4e44-B5D2-90BE3929885A}.exe

Filesize
204KB

MD5
8bebe601a756b9f1c1513c6664aed012

SHA1
a279a699c11aab0bb0e18ef2e4c077760b9c69c2

SHA256
ff15e8864649745fd1d5cd8a7ec5fc630c651ca909f0d75ce0d01ad52b474939

SHA512
4a38cc9003666e7253126c77648c48090e631f999ae256933b0695be85904be3b86b90719903b7e8a208937d5c843e221d8ba39f75b4475453707b6b7dfe9a85

Download Submit
C:\Windows\{29488330-F37E-4e44-B5D2-90BE3929885A}.exe

Filesize
204KB

MD5
8bebe601a756b9f1c1513c6664aed012

SHA1
a279a699c11aab0bb0e18ef2e4c077760b9c69c2

SHA256
ff15e8864649745fd1d5cd8a7ec5fc630c651ca909f0d75ce0d01ad52b474939

SHA512
4a38cc9003666e7253126c77648c48090e631f999ae256933b0695be85904be3b86b90719903b7e8a208937d5c843e221d8ba39f75b4475453707b6b7dfe9a85

Download Submit
C:\Windows\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe

Filesize
204KB

MD5
1ef7a0dd90738b9d54cf8677409ef2e6

SHA1
4ec48e8d1e5dfa55f3a5dc17986980d7b97782e9

SHA256
e86a5cbd310685f2bce818cbe94f9ddfb274dd916a92215ef9cf44254273e14e

SHA512
94739246575a7eee5c9d8ecd2ccc6f14d04fab33eed7de8ba961b32dcd654c785e8053f42227869dbe01027184a08a5bd943ba4db1d8614560e9801ff84ddf62

Download Submit
C:\Windows\{29D5996F-BE5F-4e8c-AEAC-237C298BBCFD}.exe

Filesize
204KB

MD5
1ef7a0dd90738b9d54cf8677409ef2e6

SHA1
4ec48e8d1e5dfa55f3a5dc17986980d7b97782e9

SHA256
e86a5cbd310685f2bce818cbe94f9ddfb274dd916a92215ef9cf44254273e14e

SHA512
94739246575a7eee5c9d8ecd2ccc6f14d04fab33eed7de8ba961b32dcd654c785e8053f42227869dbe01027184a08a5bd943ba4db1d8614560e9801ff84ddf62

Download Submit
C:\Windows\{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe

Filesize
204KB

MD5
70609504318ade94570d2055c4d4475e

SHA1
29bf72c92893e99aca3b32e8579c64cd29856fd6

SHA256
69426fbf9d40e16d6d71705013d32f4a3f3d9ce6bb276d1e2a868f5b800b038e

SHA512
f81933640123ab2a04393cfccdc532b5bfe1b71607153c0cacaf3d5ee80ff89f95e9982626f3ec5228a967e4ea97c4eaed20121fd182dbd253a3370089584b40

Download Submit
C:\Windows\{4129998E-8F48-41ed-BB1B-ED9F65411113}.exe

Filesize
204KB

MD5
70609504318ade94570d2055c4d4475e

SHA1
29bf72c92893e99aca3b32e8579c64cd29856fd6

SHA256
69426fbf9d40e16d6d71705013d32f4a3f3d9ce6bb276d1e2a868f5b800b038e

SHA512
f81933640123ab2a04393cfccdc532b5bfe1b71607153c0cacaf3d5ee80ff89f95e9982626f3ec5228a967e4ea97c4eaed20121fd182dbd253a3370089584b40

Download Submit
C:\Windows\{5427708F-D300-489c-837F-9F98D1459D04}.exe

Filesize
204KB

MD5
0a4db685cdaa3970d7816868a9189fa1

SHA1
f762e53b7452ff2ce986dd0eb49bee9971c64f00

SHA256
ae88a5966c46b3b5e75fefe171344e0f9ebd8db59753091ddfab035bed56080e

SHA512
9900731512e5cebae61da4942cf5ae2a51e5d2986febbd1674b9bd58a3c3bb33338d27f9e5026bb1df483c883d53ba1317a651235b7f8721237730a81ccb6151

Download Submit
C:\Windows\{5427708F-D300-489c-837F-9F98D1459D04}.exe

Filesize
204KB

MD5
0a4db685cdaa3970d7816868a9189fa1

SHA1
f762e53b7452ff2ce986dd0eb49bee9971c64f00

SHA256
ae88a5966c46b3b5e75fefe171344e0f9ebd8db59753091ddfab035bed56080e

SHA512
9900731512e5cebae61da4942cf5ae2a51e5d2986febbd1674b9bd58a3c3bb33338d27f9e5026bb1df483c883d53ba1317a651235b7f8721237730a81ccb6151

Download Submit
C:\Windows\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe

Filesize
204KB

MD5
d0d73fa5a4794d87c7487a6f85bbda08

SHA1
c5c8f3c80376129bd71070a5c14508d9a1f890dd

SHA256
56db02f8f4ebc6d924e6c368aa566ddd19cdf645927bfab97bcdff24bb7335d4

SHA512
e017b5b9da5bce7898b9f6ca21da5043e0b1a8a89b64296b5eadcdee5a76c7c1266a51754c0880575c7beedd9cdc8809c3a5762e1da5854058c7a19807f2220b

Download Submit
C:\Windows\{59992C8D-DE37-4750-8692-4AD0E3D68A5A}.exe

Filesize
204KB

MD5
d0d73fa5a4794d87c7487a6f85bbda08

SHA1
c5c8f3c80376129bd71070a5c14508d9a1f890dd

SHA256
56db02f8f4ebc6d924e6c368aa566ddd19cdf645927bfab97bcdff24bb7335d4

SHA512
e017b5b9da5bce7898b9f6ca21da5043e0b1a8a89b64296b5eadcdee5a76c7c1266a51754c0880575c7beedd9cdc8809c3a5762e1da5854058c7a19807f2220b

Download Submit
C:\Windows\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe

Filesize
204KB

MD5
91b22a56f4556157ec4aaa0371880ef4

SHA1
ac0e3d86af6d27ab4544e1d17ff69fcd8d68698a

SHA256
03d1ebfb0f9a41194a2d0ff13a6dce6aed2b2b1a6169921b16fa5fd538148dac

SHA512
2fd51ca73f666293c67d3fc873ccf5c03f36d995a5dc75b24ad4903d0c95f34b8ab1337a923b2fc72c38971af96300894eaeed980dfdf786291ce14a95066e15

Download Submit
C:\Windows\{6E2CEF92-4A9A-4532-A062-3F1BA6B34466}.exe

Filesize
204KB

MD5
91b22a56f4556157ec4aaa0371880ef4

SHA1
ac0e3d86af6d27ab4544e1d17ff69fcd8d68698a

SHA256
03d1ebfb0f9a41194a2d0ff13a6dce6aed2b2b1a6169921b16fa5fd538148dac

SHA512
2fd51ca73f666293c67d3fc873ccf5c03f36d995a5dc75b24ad4903d0c95f34b8ab1337a923b2fc72c38971af96300894eaeed980dfdf786291ce14a95066e15

Download Submit
C:\Windows\{88468E0B-FCE2-411b-A700-096E39C574E3}.exe

Filesize
204KB

MD5
ccb962e46fdf42db7e9a722d4a22c2da

SHA1
bc3309069040a0e2a017d2cd0b96d61349a33c91

SHA256
430fcbbaca244815f854b79edef130e668a6f869857d342c5b70217f83253d37

SHA512
1110df30d5ab8ee3ff0baa668a3d766c5e50fb649819301db6181eddd191e2594ab76e8dd25efd096574be689499387e16f01a67c0aa83cbaca311878a4bef3f

Download Submit
C:\Windows\{88468E0B-FCE2-411b-A700-096E39C574E3}.exe

Filesize
204KB

MD5
ccb962e46fdf42db7e9a722d4a22c2da

SHA1
bc3309069040a0e2a017d2cd0b96d61349a33c91

SHA256
430fcbbaca244815f854b79edef130e668a6f869857d342c5b70217f83253d37

SHA512
1110df30d5ab8ee3ff0baa668a3d766c5e50fb649819301db6181eddd191e2594ab76e8dd25efd096574be689499387e16f01a67c0aa83cbaca311878a4bef3f

Download Submit
C:\Windows\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe

Filesize
204KB

MD5
d6421d13e424f7764ef71e5231d12e8a

SHA1
edc9db6b4ddf96367fa93215d7472274834d9c03

SHA256
6ec7041a69c55cf0beaf40db0633758f301a4a817f9ff55ae268e1a91928de33

SHA512
464d604003d185fb7030cd3196a07eb5408bf84e7ae50b347cda83dad7a9c864b3714631bc4804a99425fa5bd9d427ba4d5dcc548c501999b1fe1b0e67477da8

Download Submit
C:\Windows\{EF2E6A1D-7BEC-474d-8128-5915B739C6A5}.exe

Filesize
204KB

MD5
d6421d13e424f7764ef71e5231d12e8a

SHA1
edc9db6b4ddf96367fa93215d7472274834d9c03

SHA256
6ec7041a69c55cf0beaf40db0633758f301a4a817f9ff55ae268e1a91928de33

SHA512
464d604003d185fb7030cd3196a07eb5408bf84e7ae50b347cda83dad7a9c864b3714631bc4804a99425fa5bd9d427ba4d5dcc548c501999b1fe1b0e67477da8

Download Submit
C:\Windows\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe

Filesize
204KB

MD5
5988b2bce25b9908f4089b7c73836928

SHA1
59f9595cfc744616c695ab042c317b5650542b1d

SHA256
ef88f246f90de0252ca295d41bdede97e7c55e14c8f496d5e93a192b832cde9b

SHA512
699edf78b61a7dee935381b85142ec784afa3b5a7e73cfb8eac84708a4bdcc0602a4e388b9640253fa07ed7bb911855401546803edde7f7b58d727cba0894375

Download Submit
C:\Windows\{FA4CB3DB-1DF5-41bb-9031-58DEC9EEA049}.exe

Filesize
204KB

MD5
5988b2bce25b9908f4089b7c73836928

SHA1
59f9595cfc744616c695ab042c317b5650542b1d

SHA256
ef88f246f90de0252ca295d41bdede97e7c55e14c8f496d5e93a192b832cde9b

SHA512
699edf78b61a7dee935381b85142ec784afa3b5a7e73cfb8eac84708a4bdcc0602a4e388b9640253fa07ed7bb911855401546803edde7f7b58d727cba0894375

Download Submit
C:\Windows\{FD82732C-F023-424f-825A-77B480742A89}.exe

Filesize
204KB

MD5
319953ae9dc7c77d0fd34e37d7e1d80d

SHA1
db4815b4646693957ebf1cd467a6ef2d9d73cacd

SHA256
38dce94ef3de432b8bfac80df7991f4360e0449d4dd2090f0ded97d99e4a25d2

SHA512
44f3c5f33c810e958f55fe0d8a0adfe6033e998981cd405bccdac17d92dfea43119635916491fb764e4e08269a45282781675b970cbdfd1aa932afa3daecf32a

Download Submit