b6409c885b492ddc2ef03d35547f63bcd3bf394eaefacb57041dcfc7b7dfbb18

Analysis

max time kernel
145s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09-07-2023 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af90b8406018aaexeexeexeex.exe
Size

204KB
MD5

af90b8406018aa305589746c9fcf40a3
SHA1

dece8fcda324addd16eedd2def95242b31121545
SHA256

b6409c885b492ddc2ef03d35547f63bcd3bf394eaefacb57041dcfc7b7dfbb18
SHA512

6db483a50a61022d9c62384aa401f94cdcc1d34484291d23dbdfebc5bdbf346136ad9448ceb318d63b0c13cc223bff195292f104c11e03b819cef916c54715d6
SSDEEP

1536:1EGh0oHl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oHl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03C52297-8281-4604-94E0-E57C5085733D}	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2532160B-B831-42a5-BED2-5568C73B4DE8}\stubpath = "C:\\Windows\\{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe"	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}\stubpath = "C:\\Windows\\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe"	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}\stubpath = "C:\\Windows\\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe"	{1259D480-E27B-4aac-978A-99F30398666F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BE0489-2340-457b-AD33-998D06A41A06}	{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2761D44-2F85-433a-BED3-D69941CAC234}\stubpath = "C:\\Windows\\{A2761D44-2F85-433a-BED3-D69941CAC234}.exe"	{03C52297-8281-4604-94E0-E57C5085733D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2532160B-B831-42a5-BED2-5568C73B4DE8}	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BE0489-2340-457b-AD33-998D06A41A06}\stubpath = "C:\\Windows\\{53BE0489-2340-457b-AD33-998D06A41A06}.exe"	{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}	af90b8406018aaexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}\stubpath = "C:\\Windows\\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe"	af90b8406018aaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2761D44-2F85-433a-BED3-D69941CAC234}	{03C52297-8281-4604-94E0-E57C5085733D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}\stubpath = "C:\\Windows\\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe"	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}\stubpath = "C:\\Windows\\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe"	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1259D480-E27B-4aac-978A-99F30398666F}\stubpath = "C:\\Windows\\{1259D480-E27B-4aac-978A-99F30398666F}.exe"	{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}\stubpath = "C:\\Windows\\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}.exe"	{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03C52297-8281-4604-94E0-E57C5085733D}\stubpath = "C:\\Windows\\{03C52297-8281-4604-94E0-E57C5085733D}.exe"	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}\stubpath = "C:\\Windows\\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe"	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1259D480-E27B-4aac-978A-99F30398666F}	{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}	{1259D480-E27B-4aac-978A-99F30398666F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD952032-02B9-4dcd-8558-0947B2A890C9}	{53BE0489-2340-457b-AD33-998D06A41A06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD952032-02B9-4dcd-8558-0947B2A890C9}\stubpath = "C:\\Windows\\{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe"	{53BE0489-2340-457b-AD33-998D06A41A06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}	{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
776	{03C52297-8281-4604-94E0-E57C5085733D}.exe
2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
1500	{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
2624	{1259D480-E27B-4aac-978A-99F30398666F}.exe
2692	{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
2804	{53BE0489-2340-457b-AD33-998D06A41A06}.exe
2532	{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe
2664	{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	af90b8406018aaexeexeexeex.exe
File created	C:\Windows\{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	{03C52297-8281-4604-94E0-E57C5085733D}.exe
File created	C:\Windows\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
File created	C:\Windows\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
File created	C:\Windows\{1259D480-E27B-4aac-978A-99F30398666F}.exe	{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
File created	C:\Windows\{53BE0489-2340-457b-AD33-998D06A41A06}.exe	{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
File created	C:\Windows\{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe	{53BE0489-2340-457b-AD33-998D06A41A06}.exe
File created	C:\Windows\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}.exe	{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe
File created	C:\Windows\{03C52297-8281-4604-94E0-E57C5085733D}.exe	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
File created	C:\Windows\{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
File created	C:\Windows\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
File created	C:\Windows\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
File created	C:\Windows\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe	{1259D480-E27B-4aac-978A-99F30398666F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2340	af90b8406018aaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
Token: SeIncBasePriorityPrivilege	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe
Token: SeIncBasePriorityPrivilege	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
Token: SeIncBasePriorityPrivilege	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
Token: SeIncBasePriorityPrivilege	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
Token: SeIncBasePriorityPrivilege	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
Token: SeIncBasePriorityPrivilege	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
Token: SeIncBasePriorityPrivilege	1500	{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
Token: SeIncBasePriorityPrivilege	2624	{1259D480-E27B-4aac-978A-99F30398666F}.exe
Token: SeIncBasePriorityPrivilege	2692	{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
Token: SeIncBasePriorityPrivilege	2804	{53BE0489-2340-457b-AD33-998D06A41A06}.exe
Token: SeIncBasePriorityPrivilege	2532	{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2400	2340	af90b8406018aaexeexeexeex.exe	28
PID 2340 wrote to memory of 2400	2340	af90b8406018aaexeexeexeex.exe	28
PID 2340 wrote to memory of 2400	2340	af90b8406018aaexeexeexeex.exe	28
PID 2340 wrote to memory of 2400	2340	af90b8406018aaexeexeexeex.exe	28
PID 2340 wrote to memory of 948	2340	af90b8406018aaexeexeexeex.exe	29
PID 2340 wrote to memory of 948	2340	af90b8406018aaexeexeexeex.exe	29
PID 2340 wrote to memory of 948	2340	af90b8406018aaexeexeexeex.exe	29
PID 2340 wrote to memory of 948	2340	af90b8406018aaexeexeexeex.exe	29
PID 2400 wrote to memory of 776	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	30
PID 2400 wrote to memory of 776	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	30
PID 2400 wrote to memory of 776	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	30
PID 2400 wrote to memory of 776	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	30
PID 2400 wrote to memory of 2368	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	31
PID 2400 wrote to memory of 2368	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	31
PID 2400 wrote to memory of 2368	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	31
PID 2400 wrote to memory of 2368	2400	{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe	31
PID 776 wrote to memory of 2260	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	32
PID 776 wrote to memory of 2260	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	32
PID 776 wrote to memory of 2260	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	32
PID 776 wrote to memory of 2260	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	32
PID 776 wrote to memory of 1352	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	33
PID 776 wrote to memory of 1352	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	33
PID 776 wrote to memory of 1352	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	33
PID 776 wrote to memory of 1352	776	{03C52297-8281-4604-94E0-E57C5085733D}.exe	33
PID 2260 wrote to memory of 1040	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	35
PID 2260 wrote to memory of 1040	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	35
PID 2260 wrote to memory of 1040	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	35
PID 2260 wrote to memory of 1040	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	35
PID 2260 wrote to memory of 3024	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	34
PID 2260 wrote to memory of 3024	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	34
PID 2260 wrote to memory of 3024	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	34
PID 2260 wrote to memory of 3024	2260	{A2761D44-2F85-433a-BED3-D69941CAC234}.exe	34
PID 1040 wrote to memory of 1312	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	36
PID 1040 wrote to memory of 1312	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	36
PID 1040 wrote to memory of 1312	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	36
PID 1040 wrote to memory of 1312	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	36
PID 1040 wrote to memory of 1696	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	37
PID 1040 wrote to memory of 1696	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	37
PID 1040 wrote to memory of 1696	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	37
PID 1040 wrote to memory of 1696	1040	{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe	37
PID 1312 wrote to memory of 1416	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	38
PID 1312 wrote to memory of 1416	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	38
PID 1312 wrote to memory of 1416	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	38
PID 1312 wrote to memory of 1416	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	38
PID 1312 wrote to memory of 2020	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	39
PID 1312 wrote to memory of 2020	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	39
PID 1312 wrote to memory of 2020	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	39
PID 1312 wrote to memory of 2020	1312	{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe	39
PID 1416 wrote to memory of 2420	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	40
PID 1416 wrote to memory of 2420	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	40
PID 1416 wrote to memory of 2420	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	40
PID 1416 wrote to memory of 2420	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	40
PID 1416 wrote to memory of 868	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	41
PID 1416 wrote to memory of 868	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	41
PID 1416 wrote to memory of 868	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	41
PID 1416 wrote to memory of 868	1416	{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe	41
PID 2420 wrote to memory of 1500	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	42
PID 2420 wrote to memory of 1500	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	42
PID 2420 wrote to memory of 1500	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	42
PID 2420 wrote to memory of 1500	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	42
PID 2420 wrote to memory of 2240	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	43
PID 2420 wrote to memory of 2240	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	43
PID 2420 wrote to memory of 2240	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	43
PID 2420 wrote to memory of 2240	2420	{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe	43

C:\Users\Admin\AppData\Local\Temp\af90b8406018aaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\af90b8406018aaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
  C:\Windows\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{03C52297-8281-4604-94E0-E57C5085733D}.exe
    C:\Windows\{03C52297-8281-4604-94E0-E57C5085733D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
      C:\Windows\{A2761D44-2F85-433a-BED3-D69941CAC234}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2761~1.EXE > nul
        5⤵
        
        PID:3024
    - - C:\Windows\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
        
        C:\Windows\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
        
        C:\Windows\{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
        
        C:\Windows\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
        
        C:\Windows\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
        
        C:\Windows\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E8EF~1.EXE > nul
        10⤵
        
        PID:2708
        
        C:\Windows\{1259D480-E27B-4aac-978A-99F30398666F}.exe
        
        C:\Windows\{1259D480-E27B-4aac-978A-99F30398666F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
        
        C:\Windows\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0717B~1.EXE > nul
        12⤵
        
        PID:2612
        
        C:\Windows\{53BE0489-2340-457b-AD33-998D06A41A06}.exe
        
        C:\Windows\{53BE0489-2340-457b-AD33-998D06A41A06}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe
        
        C:\Windows\{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}.exe
        
        C:\Windows\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}.exe
        14⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD952~1.EXE > nul
        14⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BE0~1.EXE > nul
        13⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1259D~1.EXE > nul
        11⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A56CB~1.EXE > nul
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD8E~1.EXE > nul
        8⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25321~1.EXE > nul
        7⤵
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40730~1.EXE > nul
        6⤵
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{03C52~1.EXE > nul
      4⤵
      PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{54713~1.EXE > nul
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AF90B8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03C52297-8281-4604-94E0-E57C5085733D}.exe

Filesize
204KB

MD5
f10474ad313f34d361851ed740ed842d

SHA1
6f5d79c2abe7069c26c148c8c39eb4e41b22d633

SHA256
c16a059c8f3d123dfb3acd6be02340da013ed199a2a1f3fa158ba9d551b4078b

SHA512
657a0981239935e1214dbebfb557b6d79108319d8c9654260a758b3766b21391c7095a6c9b5c00d2b1fcbbeb0a0426073a32ab5c06ebeabcb5771d16aad3be7f

Download Submit
C:\Windows\{03C52297-8281-4604-94E0-E57C5085733D}.exe

Filesize
204KB

MD5
f10474ad313f34d361851ed740ed842d

SHA1
6f5d79c2abe7069c26c148c8c39eb4e41b22d633

SHA256
c16a059c8f3d123dfb3acd6be02340da013ed199a2a1f3fa158ba9d551b4078b

SHA512
657a0981239935e1214dbebfb557b6d79108319d8c9654260a758b3766b21391c7095a6c9b5c00d2b1fcbbeb0a0426073a32ab5c06ebeabcb5771d16aad3be7f

Download Submit
C:\Windows\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe

Filesize
204KB

MD5
49d224b468fa7027598c29a29c93942d

SHA1
9b0f77c3e14737423bdca8db7b787ffcc06edbbe

SHA256
ce604918a0c69f55c6d528877b38da160c1a176b8ba58f6f5bc242e7b8689601

SHA512
4a8f4658bbb03db4590a5fcd5621cc25746673bfad8749188304a900f45351147983be2654419369c999104f705e0839ac2315e4a133ac37a2316a58ac22154f

Download Submit
C:\Windows\{0717B168-7BDF-4dc9-B79A-F6CF0D6B00E9}.exe

Filesize
204KB

MD5
49d224b468fa7027598c29a29c93942d

SHA1
9b0f77c3e14737423bdca8db7b787ffcc06edbbe

SHA256
ce604918a0c69f55c6d528877b38da160c1a176b8ba58f6f5bc242e7b8689601

SHA512
4a8f4658bbb03db4590a5fcd5621cc25746673bfad8749188304a900f45351147983be2654419369c999104f705e0839ac2315e4a133ac37a2316a58ac22154f

Download Submit
C:\Windows\{1259D480-E27B-4aac-978A-99F30398666F}.exe

Filesize
204KB

MD5
60a551200894ceab355a53a5c5586f86

SHA1
bdfb362317c0c6c6e4e3f78753f0da510294da63

SHA256
a89e7bb341e52cdb226318d99bccba01779f4c705606337f91b426ff968f6cbd

SHA512
8cad93c7c9b33a2a8574750c79bfddffe0b9f7202e7630e655760350fda64f7b3e0f2506e75beb3e0cef1025ec4a4d947634fd211d0eb00e8f9caffff87ef401

Download Submit
C:\Windows\{1259D480-E27B-4aac-978A-99F30398666F}.exe

Filesize
204KB

MD5
60a551200894ceab355a53a5c5586f86

SHA1
bdfb362317c0c6c6e4e3f78753f0da510294da63

SHA256
a89e7bb341e52cdb226318d99bccba01779f4c705606337f91b426ff968f6cbd

SHA512
8cad93c7c9b33a2a8574750c79bfddffe0b9f7202e7630e655760350fda64f7b3e0f2506e75beb3e0cef1025ec4a4d947634fd211d0eb00e8f9caffff87ef401

Download Submit
C:\Windows\{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe

Filesize
204KB

MD5
509999375d15d7b30da37a4fbb573322

SHA1
a13ec5e064a7c90137554a8c487c3ce8da365364

SHA256
57f73ea0381829d984770c462c1240fc5692443a741db5c29de3c1add682fff1

SHA512
bcbfcd2aa4019f3dbea4f368bc577186de2bade8d29c259364426d177842f80334f48b60694c1a6fcaa3bb9fe0a1a0bbfbb89ac932043143aac1234f1f80c7d8

Download Submit
C:\Windows\{2532160B-B831-42a5-BED2-5568C73B4DE8}.exe

Filesize
204KB

MD5
509999375d15d7b30da37a4fbb573322

SHA1
a13ec5e064a7c90137554a8c487c3ce8da365364

SHA256
57f73ea0381829d984770c462c1240fc5692443a741db5c29de3c1add682fff1

SHA512
bcbfcd2aa4019f3dbea4f368bc577186de2bade8d29c259364426d177842f80334f48b60694c1a6fcaa3bb9fe0a1a0bbfbb89ac932043143aac1234f1f80c7d8

Download Submit
C:\Windows\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe

Filesize
204KB

MD5
6c4d46eff11fe1ceb1774aeee06c9598

SHA1
f2d667e69bca570bad64f4ce88432cc5486f3910

SHA256
69cdffe81dc521b09b6b7d5fc590328eb50647151870b8198fd09383c2a023e7

SHA512
0b25d4a0bc1f66c8c5a1c81b0c030018746f7d4808bf44082814dc3d4e0444d99246cfe6c5edd0264b9eb38428918ee6a5f25904e9db723545e71e939d73e550

Download Submit
C:\Windows\{40730AE7-BB76-43f3-BD1D-A63AB9C9EB79}.exe

Filesize
204KB

MD5
6c4d46eff11fe1ceb1774aeee06c9598

SHA1
f2d667e69bca570bad64f4ce88432cc5486f3910

SHA256
69cdffe81dc521b09b6b7d5fc590328eb50647151870b8198fd09383c2a023e7

SHA512
0b25d4a0bc1f66c8c5a1c81b0c030018746f7d4808bf44082814dc3d4e0444d99246cfe6c5edd0264b9eb38428918ee6a5f25904e9db723545e71e939d73e550

Download Submit
C:\Windows\{53BE0489-2340-457b-AD33-998D06A41A06}.exe

Filesize
204KB

MD5
15d990324ce9aed7faecc396511903eb

SHA1
e111a816efe2f1b49c643359e3fac33ce6602c90

SHA256
89ce75e71f50781db6eb0be005abd8c45dd95bbedb9e98c5ccfcfa2516eb36c2

SHA512
588e936de5de72ec857969fe2f51aff43994e71592627ef14b2f572b32b6c5be3784318912aad9a20e04734d656d6195e4b69392925bb8dd08f47e9d96f90883

Download Submit
C:\Windows\{53BE0489-2340-457b-AD33-998D06A41A06}.exe

Filesize
204KB

MD5
15d990324ce9aed7faecc396511903eb

SHA1
e111a816efe2f1b49c643359e3fac33ce6602c90

SHA256
89ce75e71f50781db6eb0be005abd8c45dd95bbedb9e98c5ccfcfa2516eb36c2

SHA512
588e936de5de72ec857969fe2f51aff43994e71592627ef14b2f572b32b6c5be3784318912aad9a20e04734d656d6195e4b69392925bb8dd08f47e9d96f90883

Download Submit
C:\Windows\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe

Filesize
204KB

MD5
cadb285579e66756cc1a23495e293221

SHA1
69dd0a448a3c79f12ac1bfa05d1479adf887c453

SHA256
21ab911b660759cb716d74c693d6939e32e77c0ec8946a5ecbabcd6327b21622

SHA512
4f6f80e6356f181badc0207a75f88fa6fd3fa880c4638222ddcff804f58351563cffc0f12445d34fb78642ac6bbc3de431141cea700a3e94cc0d727c06e23b3d

Download Submit
C:\Windows\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe

Filesize
204KB

MD5
cadb285579e66756cc1a23495e293221

SHA1
69dd0a448a3c79f12ac1bfa05d1479adf887c453

SHA256
21ab911b660759cb716d74c693d6939e32e77c0ec8946a5ecbabcd6327b21622

SHA512
4f6f80e6356f181badc0207a75f88fa6fd3fa880c4638222ddcff804f58351563cffc0f12445d34fb78642ac6bbc3de431141cea700a3e94cc0d727c06e23b3d

Download Submit
C:\Windows\{5471383E-56A4-4f91-A0B8-FE49BBA3F988}.exe

Filesize
204KB

MD5
cadb285579e66756cc1a23495e293221

SHA1
69dd0a448a3c79f12ac1bfa05d1479adf887c453

SHA256
21ab911b660759cb716d74c693d6939e32e77c0ec8946a5ecbabcd6327b21622

SHA512
4f6f80e6356f181badc0207a75f88fa6fd3fa880c4638222ddcff804f58351563cffc0f12445d34fb78642ac6bbc3de431141cea700a3e94cc0d727c06e23b3d

Download Submit
C:\Windows\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe

Filesize
204KB

MD5
cf74d9684b1e20ac5e8d84f5eae5a486

SHA1
f224254f454cbe7687079b8e5aa7dfd04f0d9c0f

SHA256
7c4c8032b6a18acee5c45be1beafd58d9f967ec196e1dad185827f30235c1d0c

SHA512
4e0287d583b5d995a0b0ac6db1ef65a7798ce686b2ecd1831137b410a12b576fb70b967de0c9158fefee36e83e9a21c4dac924e06110e76d288be0afece9e92b

Download Submit
C:\Windows\{5DD8E12E-18A7-4de8-A2B9-151D1183F4CB}.exe

Filesize
204KB

MD5
cf74d9684b1e20ac5e8d84f5eae5a486

SHA1
f224254f454cbe7687079b8e5aa7dfd04f0d9c0f

SHA256
7c4c8032b6a18acee5c45be1beafd58d9f967ec196e1dad185827f30235c1d0c

SHA512
4e0287d583b5d995a0b0ac6db1ef65a7798ce686b2ecd1831137b410a12b576fb70b967de0c9158fefee36e83e9a21c4dac924e06110e76d288be0afece9e92b

Download Submit
C:\Windows\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe

Filesize
204KB

MD5
68620b16369c10df4abb204ce1b71cbc

SHA1
fab087074f8e14ce46f221ac378a6dbce111052a

SHA256
f385e2eb0553bd37ae7b761fe5db226d464596ca86ee2a8d93f6618e7bb5114d

SHA512
18ca5d53f2964731a541a165b5107364342a8c08c21ba557c6901b6a7e8e4ba48ec2d09a1e7983cd5ad3cd753ac710350f656896158842e2e8a0ce3b9f17f63e

Download Submit
C:\Windows\{6E8EF9B9-9CEB-4b15-90A9-F93DA26A820D}.exe

Filesize
204KB

MD5
68620b16369c10df4abb204ce1b71cbc

SHA1
fab087074f8e14ce46f221ac378a6dbce111052a

SHA256
f385e2eb0553bd37ae7b761fe5db226d464596ca86ee2a8d93f6618e7bb5114d

SHA512
18ca5d53f2964731a541a165b5107364342a8c08c21ba557c6901b6a7e8e4ba48ec2d09a1e7983cd5ad3cd753ac710350f656896158842e2e8a0ce3b9f17f63e

Download Submit
C:\Windows\{A2761D44-2F85-433a-BED3-D69941CAC234}.exe

Filesize
204KB

MD5
920b0f82331082b454846e7bbe8610d5

SHA1
8d0f74478357f058b134a8e24d96b6d0b2961b83

SHA256
5cc84592db9a1a897d0f253b12ef004e7382501a3176980e32da431058f53347

SHA512
78f2630dc59ba0671fec2b248412d23a288f5260734a2ad6bda3f0babdf06283182251dfa0680f97a1be9083474c4d01456acb4eeccde97515f5f9ab8033bcda

Download Submit
C:\Windows\{A2761D44-2F85-433a-BED3-D69941CAC234}.exe

Filesize
204KB

MD5
920b0f82331082b454846e7bbe8610d5

SHA1
8d0f74478357f058b134a8e24d96b6d0b2961b83

SHA256
5cc84592db9a1a897d0f253b12ef004e7382501a3176980e32da431058f53347

SHA512
78f2630dc59ba0671fec2b248412d23a288f5260734a2ad6bda3f0babdf06283182251dfa0680f97a1be9083474c4d01456acb4eeccde97515f5f9ab8033bcda

Download Submit
C:\Windows\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe

Filesize
204KB

MD5
749544f233df08f72675dc63a2d7b08b

SHA1
20ff9dbbace23284c764e04951f33f01a3f9232f

SHA256
9abbb3ff8a2153aca3ec893ce7a43309cd0cd33eec538c2a4824332734c1580b

SHA512
637c18481d7af4143eb0c981402de44f7416b21c761ce96438a1417b36c6a1c3a5b75478e87663d8c36da60b2f6aa369b0ec28bafd45d2b43b69e6754a4cb094

Download Submit
C:\Windows\{A56CBB7A-54ED-4916-B2E2-74D35019F1DD}.exe

Filesize
204KB

MD5
749544f233df08f72675dc63a2d7b08b

SHA1
20ff9dbbace23284c764e04951f33f01a3f9232f

SHA256
9abbb3ff8a2153aca3ec893ce7a43309cd0cd33eec538c2a4824332734c1580b

SHA512
637c18481d7af4143eb0c981402de44f7416b21c761ce96438a1417b36c6a1c3a5b75478e87663d8c36da60b2f6aa369b0ec28bafd45d2b43b69e6754a4cb094

Download Submit
C:\Windows\{FBD0A67F-D3F7-40e5-BD5A-C5C668F1DAE9}.exe

Filesize
204KB

MD5
ea00cc4c75853d423f7390671e54f962

SHA1
41bec9e67db8a4dc6c5aa0b2d51ee98ec3f0d86a

SHA256
cff2b4df3a4564b570681b2e3a890bd9395010a8e592432760caab52f5e59993

SHA512
1ba8044e7306fd3b75603d45830468cbe38c9cf88cf34f577c4d1e9b635892ef95cdb18dc779d5ed8ef8b72365348131613c319a52f6aec70cd56b8f0731f45a

Download Submit
C:\Windows\{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe

Filesize
204KB

MD5
723abe587c634836ec59382bce3fe86c

SHA1
96429e5656032c05b69d2ab22eb5821a241418fc

SHA256
9fbb765b910a6bd052468abcdb846869111469b2042b1d55e946a0a6dc2a97bb

SHA512
3457745eea03737572e73d5469abc30cb9a970d89dae2d4a8496d819c0314b8ebc9725c1237698f50daa6dac47f2b995e45129a0a5fc9b45c0790fce905cf61d

Download Submit
C:\Windows\{FD952032-02B9-4dcd-8558-0947B2A890C9}.exe

Filesize
204KB

MD5
723abe587c634836ec59382bce3fe86c

SHA1
96429e5656032c05b69d2ab22eb5821a241418fc

SHA256
9fbb765b910a6bd052468abcdb846869111469b2042b1d55e946a0a6dc2a97bb

SHA512
3457745eea03737572e73d5469abc30cb9a970d89dae2d4a8496d819c0314b8ebc9725c1237698f50daa6dac47f2b995e45129a0a5fc9b45c0790fce905cf61d

Download Submit