76d66c7485aa7cd185827904613d793ef8ecba88c02b30fbe30806aa4d69435d

Analysis

max time kernel
146s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a78f41573d24exeexeexeex.exe
Size

204KB
MD5

a1a78f41573d2439a550056b49c1fa98
SHA1

f1105bc9450c960dcf647dc153efee81997c4737
SHA256

76d66c7485aa7cd185827904613d793ef8ecba88c02b30fbe30806aa4d69435d
SHA512

2dc602e4bd9b5c0442a9ed9c1e3debb2d29bb9c5329bcd03cb0b9911ee1313ce096249e07a5f15a8da16a69f5ef9b2730296f04734e3fbc4f1b9718c64e9451b
SSDEEP

1536:1EGh0oFl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oFl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240B0660-DB18-4941-9387-A59BFF87BC0C}	{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240B0660-DB18-4941-9387-A59BFF87BC0C}\stubpath = "C:\\Windows\\{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe"	{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF9D0034-796F-4c75-9F02-E08F108EDB24}	{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF9D0034-796F-4c75-9F02-E08F108EDB24}\stubpath = "C:\\Windows\\{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe"	{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}	{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E332A1EB-234E-4b06-A678-59EE72CE8E53}\stubpath = "C:\\Windows\\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe"	a1a78f41573d24exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66450C62-25AD-4d3b-9C84-9571BA316DB2}\stubpath = "C:\\Windows\\{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe"	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B764739-0B58-4056-BB2B-78CA75006C61}\stubpath = "C:\\Windows\\{7B764739-0B58-4056-BB2B-78CA75006C61}.exe"	{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}\stubpath = "C:\\Windows\\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe"	{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}	{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}\stubpath = "C:\\Windows\\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}.exe"	{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30C6E164-9814-4228-B77B-7A4CE778D6E7}	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209A2DEC-8F61-4712-9F04-845120C575B8}\stubpath = "C:\\Windows\\{209A2DEC-8F61-4712-9F04-845120C575B8}.exe"	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B764739-0B58-4056-BB2B-78CA75006C61}	{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4057EFAF-D537-4800-90DE-87B8273EADE7}	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4057EFAF-D537-4800-90DE-87B8273EADE7}\stubpath = "C:\\Windows\\{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe"	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}\stubpath = "C:\\Windows\\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe"	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30C6E164-9814-4228-B77B-7A4CE778D6E7}\stubpath = "C:\\Windows\\{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe"	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}\stubpath = "C:\\Windows\\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe"	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D6DC70-8807-4f8b-BF76-028F75D93952}\stubpath = "C:\\Windows\\{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe"	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209A2DEC-8F61-4712-9F04-845120C575B8}	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E332A1EB-234E-4b06-A678-59EE72CE8E53}	a1a78f41573d24exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66450C62-25AD-4d3b-9C84-9571BA316DB2}	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D6DC70-8807-4f8b-BF76-028F75D93952}	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe

Deletes itself 1 IoCs

pid	Process
2292	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe
2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe
872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
2232	{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
816	{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
2768	{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
2788	{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
2436	{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe
1564	{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{209A2DEC-8F61-4712-9F04-845120C575B8}.exe	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
File created	C:\Windows\{7B764739-0B58-4056-BB2B-78CA75006C61}.exe	{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
File created	C:\Windows\{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe	{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
File created	C:\Windows\{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe	{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
File created	C:\Windows\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe	{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
File created	C:\Windows\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	a1a78f41573d24exeexeexeex.exe
File created	C:\Windows\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
File created	C:\Windows\{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe
File created	C:\Windows\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}.exe	{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe
File created	C:\Windows\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
File created	C:\Windows\{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
File created	C:\Windows\{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
File created	C:\Windows\{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1312	a1a78f41573d24exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
Token: SeIncBasePriorityPrivilege	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
Token: SeIncBasePriorityPrivilege	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
Token: SeIncBasePriorityPrivilege	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe
Token: SeIncBasePriorityPrivilege	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
Token: SeIncBasePriorityPrivilege	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe
Token: SeIncBasePriorityPrivilege	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
Token: SeIncBasePriorityPrivilege	2232	{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
Token: SeIncBasePriorityPrivilege	816	{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
Token: SeIncBasePriorityPrivilege	2768	{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
Token: SeIncBasePriorityPrivilege	2788	{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
Token: SeIncBasePriorityPrivilege	2436	{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2180	1312	a1a78f41573d24exeexeexeex.exe	29
PID 1312 wrote to memory of 2180	1312	a1a78f41573d24exeexeexeex.exe	29
PID 1312 wrote to memory of 2180	1312	a1a78f41573d24exeexeexeex.exe	29
PID 1312 wrote to memory of 2180	1312	a1a78f41573d24exeexeexeex.exe	29
PID 1312 wrote to memory of 2292	1312	a1a78f41573d24exeexeexeex.exe	30
PID 1312 wrote to memory of 2292	1312	a1a78f41573d24exeexeexeex.exe	30
PID 1312 wrote to memory of 2292	1312	a1a78f41573d24exeexeexeex.exe	30
PID 1312 wrote to memory of 2292	1312	a1a78f41573d24exeexeexeex.exe	30
PID 2180 wrote to memory of 2304	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	31
PID 2180 wrote to memory of 2304	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	31
PID 2180 wrote to memory of 2304	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	31
PID 2180 wrote to memory of 2304	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	31
PID 2180 wrote to memory of 2968	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	32
PID 2180 wrote to memory of 2968	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	32
PID 2180 wrote to memory of 2968	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	32
PID 2180 wrote to memory of 2968	2180	{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe	32
PID 2304 wrote to memory of 2952	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	33
PID 2304 wrote to memory of 2952	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	33
PID 2304 wrote to memory of 2952	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	33
PID 2304 wrote to memory of 2952	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	33
PID 2304 wrote to memory of 3016	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	34
PID 2304 wrote to memory of 3016	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	34
PID 2304 wrote to memory of 3016	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	34
PID 2304 wrote to memory of 3016	2304	{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe	34
PID 2952 wrote to memory of 1724	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	35
PID 2952 wrote to memory of 1724	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	35
PID 2952 wrote to memory of 1724	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	35
PID 2952 wrote to memory of 1724	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	35
PID 2952 wrote to memory of 2244	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	36
PID 2952 wrote to memory of 2244	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	36
PID 2952 wrote to memory of 2244	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	36
PID 2952 wrote to memory of 2244	2952	{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe	36
PID 1724 wrote to memory of 2832	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	37
PID 1724 wrote to memory of 2832	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	37
PID 1724 wrote to memory of 2832	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	37
PID 1724 wrote to memory of 2832	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	37
PID 1724 wrote to memory of 268	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	38
PID 1724 wrote to memory of 268	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	38
PID 1724 wrote to memory of 268	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	38
PID 1724 wrote to memory of 268	1724	{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe	38
PID 2832 wrote to memory of 1776	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	39
PID 2832 wrote to memory of 1776	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	39
PID 2832 wrote to memory of 1776	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	39
PID 2832 wrote to memory of 1776	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	39
PID 2832 wrote to memory of 560	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	40
PID 2832 wrote to memory of 560	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	40
PID 2832 wrote to memory of 560	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	40
PID 2832 wrote to memory of 560	2832	{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe	40
PID 1776 wrote to memory of 872	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	41
PID 1776 wrote to memory of 872	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	41
PID 1776 wrote to memory of 872	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	41
PID 1776 wrote to memory of 872	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	41
PID 1776 wrote to memory of 1192	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	42
PID 1776 wrote to memory of 1192	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	42
PID 1776 wrote to memory of 1192	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	42
PID 1776 wrote to memory of 1192	1776	{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe	42
PID 872 wrote to memory of 2232	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	43
PID 872 wrote to memory of 2232	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	43
PID 872 wrote to memory of 2232	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	43
PID 872 wrote to memory of 2232	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	43
PID 872 wrote to memory of 1684	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	44
PID 872 wrote to memory of 1684	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	44
PID 872 wrote to memory of 1684	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	44
PID 872 wrote to memory of 1684	872	{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe	44

C:\Users\Admin\AppData\Local\Temp\a1a78f41573d24exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\a1a78f41573d24exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
  C:\Windows\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
    C:\Windows\{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
      C:\Windows\{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe
        
        C:\Windows\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
        
        C:\Windows\{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe
        
        C:\Windows\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
        
        C:\Windows\{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
        
        C:\Windows\{209A2DEC-8F61-4712-9F04-845120C575B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
        
        C:\Windows\{7B764739-0B58-4056-BB2B-78CA75006C61}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
        
        C:\Windows\{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
        
        C:\Windows\{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe
        
        C:\Windows\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}.exe
        
        C:\Windows\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}.exe
        14⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{092E5~1.EXE > nul
        14⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9D0~1.EXE > nul
        13⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{240B0~1.EXE > nul
        12⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B764~1.EXE > nul
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{209A2~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D6D~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCFA2~1.EXE > nul
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4057E~1.EXE > nul
        7⤵
        
        PID:560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DEE1~1.EXE > nul
        6⤵
        
        PID:268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30C6E~1.EXE > nul
        5⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66450~1.EXE > nul
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E332A~1.EXE > nul
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A1A78F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe

Filesize
204KB

MD5
194afbf6c0ccb96196977eb4cdd87b2b

SHA1
f8f6af97e10dd830240a4f1e0e621b0d45eec702

SHA256
9be5759472f0448a11ec09fa85972c5c46794ab1e5d585895bf80662dbddbfab

SHA512
2b38c7a4095d7aef67b72442196879b3a21301a32b31fe15f1303b171765bdb9a36d8a048048f087c47da3ff749bf9bb2b4eee37fe3cfe99ed988a9b95d9bb28

Download Submit
C:\Windows\{092E55E6-A79D-4457-B16C-6D5E1B27D5AA}.exe

Filesize
204KB

MD5
194afbf6c0ccb96196977eb4cdd87b2b

SHA1
f8f6af97e10dd830240a4f1e0e621b0d45eec702

SHA256
9be5759472f0448a11ec09fa85972c5c46794ab1e5d585895bf80662dbddbfab

SHA512
2b38c7a4095d7aef67b72442196879b3a21301a32b31fe15f1303b171765bdb9a36d8a048048f087c47da3ff749bf9bb2b4eee37fe3cfe99ed988a9b95d9bb28

Download Submit
C:\Windows\{209A2DEC-8F61-4712-9F04-845120C575B8}.exe

Filesize
204KB

MD5
3a4f528631eb577d65e05d69441e13aa

SHA1
b70a1ec2d1aed06a0e424f0291e56c616c5ee14e

SHA256
94a651a5081a169811090af6b4c32d299715d20d9c73d0cade9c880b697afaa2

SHA512
9176a6bb258d48f456872f83ec46588e4ebd944ed4917768c8fff7ce08d445177e9cfb58f13af05451077a1d24b1ec0b00e7452402915489f26eb977183749d5

Download Submit
C:\Windows\{209A2DEC-8F61-4712-9F04-845120C575B8}.exe

Filesize
204KB

MD5
3a4f528631eb577d65e05d69441e13aa

SHA1
b70a1ec2d1aed06a0e424f0291e56c616c5ee14e

SHA256
94a651a5081a169811090af6b4c32d299715d20d9c73d0cade9c880b697afaa2

SHA512
9176a6bb258d48f456872f83ec46588e4ebd944ed4917768c8fff7ce08d445177e9cfb58f13af05451077a1d24b1ec0b00e7452402915489f26eb977183749d5

Download Submit
C:\Windows\{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe

Filesize
204KB

MD5
90357389ca738194918b4dcea7cd834b

SHA1
0a4aa14534840e702b7b1f635feac34e9672da5e

SHA256
9aab41b3e09f134979e008c1d1a1061b0f8d56e7ed4f83e98f7b91df4c254beb

SHA512
b1d29c9039d37cbfddf62d07d050f1347500b17b0db4afb72a34070771c623356ba1fe25390a2a1d1aa92cf68534bec9fda88185e5c66b16ae46431b609ba268

Download Submit
C:\Windows\{240B0660-DB18-4941-9387-A59BFF87BC0C}.exe

Filesize
204KB

MD5
90357389ca738194918b4dcea7cd834b

SHA1
0a4aa14534840e702b7b1f635feac34e9672da5e

SHA256
9aab41b3e09f134979e008c1d1a1061b0f8d56e7ed4f83e98f7b91df4c254beb

SHA512
b1d29c9039d37cbfddf62d07d050f1347500b17b0db4afb72a34070771c623356ba1fe25390a2a1d1aa92cf68534bec9fda88185e5c66b16ae46431b609ba268

Download Submit
C:\Windows\{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe

Filesize
204KB

MD5
871ab1a9a92772454cccd4f017772e5c

SHA1
a5e844837032749a652ca0ce947222926696da82

SHA256
6ae902a25a760e4399946eff435013ddbec2c49b48b4da476e08a7fe3165d12d

SHA512
8fe89a7bad86668e7ca070269fd9dd46f5bd3a27c89aa609f759e4239a5cee69044075b964cc7bc183983748c601a5ac03b19d1f7daf4939d57bd2d40fee174b

Download Submit
C:\Windows\{30C6E164-9814-4228-B77B-7A4CE778D6E7}.exe

Filesize
204KB

MD5
871ab1a9a92772454cccd4f017772e5c

SHA1
a5e844837032749a652ca0ce947222926696da82

SHA256
6ae902a25a760e4399946eff435013ddbec2c49b48b4da476e08a7fe3165d12d

SHA512
8fe89a7bad86668e7ca070269fd9dd46f5bd3a27c89aa609f759e4239a5cee69044075b964cc7bc183983748c601a5ac03b19d1f7daf4939d57bd2d40fee174b

Download Submit
C:\Windows\{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe

Filesize
204KB

MD5
3bb696f13d4f51f828d42f289ae42f18

SHA1
54b63750cf5bdf03f30e27a5bc6c7e2941337e79

SHA256
2881182ef221c545eb73bbacfbc29817d270c414a95dc1c97b73a8d8b30f636c

SHA512
557cf0966d181b276e3347a30b05245fe1c2ffb5bbbe1b9a2008e61aef68f7b68ca1ae7bd7af81399f880dab719dfc2f1f962a929198085c64d4490d6021ab41

Download Submit
C:\Windows\{38D6DC70-8807-4f8b-BF76-028F75D93952}.exe

Filesize
204KB

MD5
3bb696f13d4f51f828d42f289ae42f18

SHA1
54b63750cf5bdf03f30e27a5bc6c7e2941337e79

SHA256
2881182ef221c545eb73bbacfbc29817d270c414a95dc1c97b73a8d8b30f636c

SHA512
557cf0966d181b276e3347a30b05245fe1c2ffb5bbbe1b9a2008e61aef68f7b68ca1ae7bd7af81399f880dab719dfc2f1f962a929198085c64d4490d6021ab41

Download Submit
C:\Windows\{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe

Filesize
204KB

MD5
20ed67f6d2e939fbabc547a5628802f8

SHA1
572b8c71996e9454a26d1ace4b594691628a1cc4

SHA256
f422640d608de36778902e049ee76de3ee022e32a5c414335887b763176dee69

SHA512
9e62d444b489cb03bb7402cc467d12dd39c0f106d9c3e5fcaaf8d4b8f2104b06a0f55808838522b6c738195ca96b41d382424f0cf8d0e8d8b9f0589f8e2fe4a2

Download Submit
C:\Windows\{4057EFAF-D537-4800-90DE-87B8273EADE7}.exe

Filesize
204KB

MD5
20ed67f6d2e939fbabc547a5628802f8

SHA1
572b8c71996e9454a26d1ace4b594691628a1cc4

SHA256
f422640d608de36778902e049ee76de3ee022e32a5c414335887b763176dee69

SHA512
9e62d444b489cb03bb7402cc467d12dd39c0f106d9c3e5fcaaf8d4b8f2104b06a0f55808838522b6c738195ca96b41d382424f0cf8d0e8d8b9f0589f8e2fe4a2

Download Submit
C:\Windows\{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe

Filesize
204KB

MD5
5b9b28b689826e2baf7fb221106d82a3

SHA1
85cf0920728e93c706ac2feb74266630c34d4ed7

SHA256
4f9a53a00a018bd27d3c94ac3694ab7a119a2e46cdb06428a6d7dc4691437c7f

SHA512
6cd96a24145815ad183184996eacd657551cbd2968490946fce05f5dc2f4ab4433392bcd23f723253e058f52881b231c728e1e51d07fbe8db4ea1507928643c5

Download Submit
C:\Windows\{66450C62-25AD-4d3b-9C84-9571BA316DB2}.exe

Filesize
204KB

MD5
5b9b28b689826e2baf7fb221106d82a3

SHA1
85cf0920728e93c706ac2feb74266630c34d4ed7

SHA256
4f9a53a00a018bd27d3c94ac3694ab7a119a2e46cdb06428a6d7dc4691437c7f

SHA512
6cd96a24145815ad183184996eacd657551cbd2968490946fce05f5dc2f4ab4433392bcd23f723253e058f52881b231c728e1e51d07fbe8db4ea1507928643c5

Download Submit
C:\Windows\{7B764739-0B58-4056-BB2B-78CA75006C61}.exe

Filesize
204KB

MD5
42316668310ed2a506042e305856965f

SHA1
a9eaf0207f6164e4dde77c3af69fd763acedea1b

SHA256
c4e3a6bad4ee11948d3a76cfd2625dfc395c54c7dc7f3dfa9fc61956edac83da

SHA512
9c4535f6b7ab0862be3d437ecdc7ffe17f207ea61acf8784bd55cf0fe3845b0b810d6116c55996408ae55ab78c3178c5b45b18e7bd198946abd3b3006720dd4c

Download Submit
C:\Windows\{7B764739-0B58-4056-BB2B-78CA75006C61}.exe

Filesize
204KB

MD5
42316668310ed2a506042e305856965f

SHA1
a9eaf0207f6164e4dde77c3af69fd763acedea1b

SHA256
c4e3a6bad4ee11948d3a76cfd2625dfc395c54c7dc7f3dfa9fc61956edac83da

SHA512
9c4535f6b7ab0862be3d437ecdc7ffe17f207ea61acf8784bd55cf0fe3845b0b810d6116c55996408ae55ab78c3178c5b45b18e7bd198946abd3b3006720dd4c

Download Submit
C:\Windows\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe

Filesize
204KB

MD5
e1bae08e90c52b897ff1115942effa8f

SHA1
1af9a45d0b84e87493782eea6532605471211f34

SHA256
209688469e00582e5913a3143254dfad6761fcfe42124a45cc25d89e9e01dd55

SHA512
d7a8f09418db60b5b2e664a4d5d9f287e21d345eb783d6365275471fd2ca454368fc53715d979b7485f3998ad16b8295adf09b6d5f37ea4d092aac0a92c22439

Download Submit
C:\Windows\{8DEE1237-AFA2-47b1-B9FD-4EDA59F7F7E6}.exe

Filesize
204KB

MD5
e1bae08e90c52b897ff1115942effa8f

SHA1
1af9a45d0b84e87493782eea6532605471211f34

SHA256
209688469e00582e5913a3143254dfad6761fcfe42124a45cc25d89e9e01dd55

SHA512
d7a8f09418db60b5b2e664a4d5d9f287e21d345eb783d6365275471fd2ca454368fc53715d979b7485f3998ad16b8295adf09b6d5f37ea4d092aac0a92c22439

Download Submit
C:\Windows\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe

Filesize
204KB

MD5
85245875c032f6ff842d58bebe745e05

SHA1
79c98d1944470191813519e6ec6f9d93e3fbcfd7

SHA256
6120bca3e97768cf25eef380e02f32d5eff6137f4467daae04f4e60e91c45e13

SHA512
9d0ff8c83fb94c9660039a59ea6b28413b079fd571f2cd045c4a0ad1ea8958b9b39ce9cf6b2e08c416c5597c0c7abac822e1e0412458908ea55ad6d8c22aeb8e

Download Submit
C:\Windows\{BCFA26D0-D884-403d-AB57-8D3A20E4405D}.exe

Filesize
204KB

MD5
85245875c032f6ff842d58bebe745e05

SHA1
79c98d1944470191813519e6ec6f9d93e3fbcfd7

SHA256
6120bca3e97768cf25eef380e02f32d5eff6137f4467daae04f4e60e91c45e13

SHA512
9d0ff8c83fb94c9660039a59ea6b28413b079fd571f2cd045c4a0ad1ea8958b9b39ce9cf6b2e08c416c5597c0c7abac822e1e0412458908ea55ad6d8c22aeb8e

Download Submit
C:\Windows\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe

Filesize
204KB

MD5
cd2dcefcdf2ce7ca12a2150275d2f2cf

SHA1
aad279d705828fceb9d85d5c92b6d20098c95685

SHA256
a1adaef458d3babbc7ec3ffa713bfe30ff3aa52fd299530dae00c03a948c8ea0

SHA512
1633319352e51eac2d64e6dcf1ef73a7a4afc3db3e1204f2d5723e096c7fbe4b2f7781b26703b5c44211d78d401ddf1ba740ae0d6da5b5036ebd0c9d974e5086

Download Submit
C:\Windows\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe

Filesize
204KB

MD5
cd2dcefcdf2ce7ca12a2150275d2f2cf

SHA1
aad279d705828fceb9d85d5c92b6d20098c95685

SHA256
a1adaef458d3babbc7ec3ffa713bfe30ff3aa52fd299530dae00c03a948c8ea0

SHA512
1633319352e51eac2d64e6dcf1ef73a7a4afc3db3e1204f2d5723e096c7fbe4b2f7781b26703b5c44211d78d401ddf1ba740ae0d6da5b5036ebd0c9d974e5086

Download Submit
C:\Windows\{E332A1EB-234E-4b06-A678-59EE72CE8E53}.exe

Filesize
204KB

MD5
cd2dcefcdf2ce7ca12a2150275d2f2cf

SHA1
aad279d705828fceb9d85d5c92b6d20098c95685

SHA256
a1adaef458d3babbc7ec3ffa713bfe30ff3aa52fd299530dae00c03a948c8ea0

SHA512
1633319352e51eac2d64e6dcf1ef73a7a4afc3db3e1204f2d5723e096c7fbe4b2f7781b26703b5c44211d78d401ddf1ba740ae0d6da5b5036ebd0c9d974e5086

Download Submit
C:\Windows\{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe

Filesize
204KB

MD5
a8a878dac4a2de9c7dc283efc6534d12

SHA1
f9f454bf120e32d9e7e3a6c48d37f321a572572f

SHA256
fce645755df87ffcc8a60fb94ce487aae1e8c281fc7f04e14c50f401c5d4200b

SHA512
f0aeb0e99bac082c3ffed18e664b03883c953a15e58c1798baf80beb581acad96c0126f972e86590cb24dc74212c12616eb23ed3caf6f0f7f586d01d55db3b52

Download Submit
C:\Windows\{EF9D0034-796F-4c75-9F02-E08F108EDB24}.exe

Filesize
204KB

MD5
a8a878dac4a2de9c7dc283efc6534d12

SHA1
f9f454bf120e32d9e7e3a6c48d37f321a572572f

SHA256
fce645755df87ffcc8a60fb94ce487aae1e8c281fc7f04e14c50f401c5d4200b

SHA512
f0aeb0e99bac082c3ffed18e664b03883c953a15e58c1798baf80beb581acad96c0126f972e86590cb24dc74212c12616eb23ed3caf6f0f7f586d01d55db3b52

Download Submit
C:\Windows\{FA347CB3-C7D3-469f-B5B5-5DC4B0CB0D49}.exe

Filesize
204KB

MD5
55f77c67a15a0ed906066a62d59de705

SHA1
c79a19e848a9510b142538885834dd7fd2c64c4c

SHA256
8f0a68a81e57c54083993271178c5f147dac383d1968e3b4ecdc75272fea3872

SHA512
daf33d73f82d30f86e7dee98c945a29cb74f96a8680a624c7ef5ad2698ad02f2f689b375ba47585b76147afd765a99c3e6f04c095ea562ba9ebfac50e650213f

Download Submit