2a68ba8a9754856278973317092ee7d4ee5b8fd0fad8275377ea62331c7f4756

Analysis

max time kernel
150s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09-07-2023 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c02c7d466fab23exeexeexeex.exe
Size

408KB
MD5

c02c7d466fab23ae070b96019fefaaab
SHA1

7d1a9d11b836f546b03d500a8583d9b50c9d57c1
SHA256

2a68ba8a9754856278973317092ee7d4ee5b8fd0fad8275377ea62331c7f4756
SHA512

266702496240e16b0057c2ad23790779048a344a11ebec7d346a78a1a679442c45e54d7074da6d17129f944bee2faa17589cf0c42dfdece86026edace00e376a
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGXldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}\stubpath = "C:\\Windows\\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe"	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A58493-2A8E-4d2d-99A3-44547330A4F5}\stubpath = "C:\\Windows\\{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe"	{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}\stubpath = "C:\\Windows\\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe"	{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C89122-DE21-4c0f-9558-74A9BD411075}	{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}\stubpath = "C:\\Windows\\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe"	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2986EFFF-C815-4d06-BE49-C601850E2754}	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}\stubpath = "C:\\Windows\\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe"	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}	{35C89122-DE21-4c0f-9558-74A9BD411075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}	{804395A5-EA73-4015-AED2-63B9FD208292}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04C05CC-0B41-4782-86C8-C0D33D42861C}	{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04C05CC-0B41-4782-86C8-C0D33D42861C}\stubpath = "C:\\Windows\\{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe"	{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C89122-DE21-4c0f-9558-74A9BD411075}\stubpath = "C:\\Windows\\{35C89122-DE21-4c0f-9558-74A9BD411075}.exe"	{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}\stubpath = "C:\\Windows\\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe"	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2986EFFF-C815-4d06-BE49-C601850E2754}\stubpath = "C:\\Windows\\{2986EFFF-C815-4d06-BE49-C601850E2754}.exe"	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}\stubpath = "C:\\Windows\\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe"	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}	{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{804395A5-EA73-4015-AED2-63B9FD208292}	c02c7d466fab23exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{804395A5-EA73-4015-AED2-63B9FD208292}\stubpath = "C:\\Windows\\{804395A5-EA73-4015-AED2-63B9FD208292}.exe"	c02c7d466fab23exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}\stubpath = "C:\\Windows\\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe"	{804395A5-EA73-4015-AED2-63B9FD208292}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A58493-2A8E-4d2d-99A3-44547330A4F5}	{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}\stubpath = "C:\\Windows\\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}.exe"	{35C89122-DE21-4c0f-9558-74A9BD411075}.exe

Deletes itself 1 IoCs

pid	Process
764	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe
892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
636	{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
3000	{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
2668	{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
2796	{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
2600	{35C89122-DE21-4c0f-9558-74A9BD411075}.exe
2204	{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	{804395A5-EA73-4015-AED2-63B9FD208292}.exe
File created	C:\Windows\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
File created	C:\Windows\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
File created	C:\Windows\{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe	{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
File created	C:\Windows\{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe	{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
File created	C:\Windows\{804395A5-EA73-4015-AED2-63B9FD208292}.exe	c02c7d466fab23exeexeexeex.exe
File created	C:\Windows\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
File created	C:\Windows\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
File created	C:\Windows\{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
File created	C:\Windows\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
File created	C:\Windows\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe	{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
File created	C:\Windows\{35C89122-DE21-4c0f-9558-74A9BD411075}.exe	{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
File created	C:\Windows\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}.exe	{35C89122-DE21-4c0f-9558-74A9BD411075}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	c02c7d466fab23exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe
Token: SeIncBasePriorityPrivilege	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
Token: SeIncBasePriorityPrivilege	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
Token: SeIncBasePriorityPrivilege	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
Token: SeIncBasePriorityPrivilege	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
Token: SeIncBasePriorityPrivilege	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
Token: SeIncBasePriorityPrivilege	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
Token: SeIncBasePriorityPrivilege	636	{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
Token: SeIncBasePriorityPrivilege	3000	{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
Token: SeIncBasePriorityPrivilege	2668	{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
Token: SeIncBasePriorityPrivilege	2796	{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
Token: SeIncBasePriorityPrivilege	2600	{35C89122-DE21-4c0f-9558-74A9BD411075}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2936	2336	c02c7d466fab23exeexeexeex.exe	28
PID 2336 wrote to memory of 2936	2336	c02c7d466fab23exeexeexeex.exe	28
PID 2336 wrote to memory of 2936	2336	c02c7d466fab23exeexeexeex.exe	28
PID 2336 wrote to memory of 2936	2336	c02c7d466fab23exeexeexeex.exe	28
PID 2336 wrote to memory of 764	2336	c02c7d466fab23exeexeexeex.exe	29
PID 2336 wrote to memory of 764	2336	c02c7d466fab23exeexeexeex.exe	29
PID 2336 wrote to memory of 764	2336	c02c7d466fab23exeexeexeex.exe	29
PID 2336 wrote to memory of 764	2336	c02c7d466fab23exeexeexeex.exe	29
PID 2936 wrote to memory of 892	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	30
PID 2936 wrote to memory of 892	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	30
PID 2936 wrote to memory of 892	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	30
PID 2936 wrote to memory of 892	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	30
PID 2936 wrote to memory of 2520	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	31
PID 2936 wrote to memory of 2520	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	31
PID 2936 wrote to memory of 2520	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	31
PID 2936 wrote to memory of 2520	2936	{804395A5-EA73-4015-AED2-63B9FD208292}.exe	31
PID 892 wrote to memory of 3064	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	32
PID 892 wrote to memory of 3064	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	32
PID 892 wrote to memory of 3064	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	32
PID 892 wrote to memory of 3064	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	32
PID 892 wrote to memory of 2836	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	33
PID 892 wrote to memory of 2836	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	33
PID 892 wrote to memory of 2836	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	33
PID 892 wrote to memory of 2836	892	{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe	33
PID 3064 wrote to memory of 2872	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	34
PID 3064 wrote to memory of 2872	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	34
PID 3064 wrote to memory of 2872	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	34
PID 3064 wrote to memory of 2872	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	34
PID 3064 wrote to memory of 304	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	35
PID 3064 wrote to memory of 304	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	35
PID 3064 wrote to memory of 304	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	35
PID 3064 wrote to memory of 304	3064	{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe	35
PID 2872 wrote to memory of 1328	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	36
PID 2872 wrote to memory of 1328	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	36
PID 2872 wrote to memory of 1328	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	36
PID 2872 wrote to memory of 1328	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	36
PID 2872 wrote to memory of 868	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	37
PID 2872 wrote to memory of 868	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	37
PID 2872 wrote to memory of 868	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	37
PID 2872 wrote to memory of 868	2872	{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe	37
PID 1328 wrote to memory of 872	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	38
PID 1328 wrote to memory of 872	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	38
PID 1328 wrote to memory of 872	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	38
PID 1328 wrote to memory of 872	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	38
PID 1328 wrote to memory of 1716	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	39
PID 1328 wrote to memory of 1716	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	39
PID 1328 wrote to memory of 1716	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	39
PID 1328 wrote to memory of 1716	1328	{2986EFFF-C815-4d06-BE49-C601850E2754}.exe	39
PID 872 wrote to memory of 2068	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	40
PID 872 wrote to memory of 2068	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	40
PID 872 wrote to memory of 2068	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	40
PID 872 wrote to memory of 2068	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	40
PID 872 wrote to memory of 1212	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	41
PID 872 wrote to memory of 1212	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	41
PID 872 wrote to memory of 1212	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	41
PID 872 wrote to memory of 1212	872	{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe	41
PID 2068 wrote to memory of 636	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	42
PID 2068 wrote to memory of 636	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	42
PID 2068 wrote to memory of 636	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	42
PID 2068 wrote to memory of 636	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	42
PID 2068 wrote to memory of 2056	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	43
PID 2068 wrote to memory of 2056	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	43
PID 2068 wrote to memory of 2056	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	43
PID 2068 wrote to memory of 2056	2068	{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe	43

C:\Users\Admin\AppData\Local\Temp\c02c7d466fab23exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c02c7d466fab23exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{804395A5-EA73-4015-AED2-63B9FD208292}.exe
  C:\Windows\{804395A5-EA73-4015-AED2-63B9FD208292}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
    C:\Windows\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
      C:\Windows\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
        
        C:\Windows\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
        
        C:\Windows\{2986EFFF-C815-4d06-BE49-C601850E2754}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
        
        C:\Windows\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
        
        C:\Windows\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
        
        C:\Windows\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
        
        C:\Windows\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
        
        C:\Windows\{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
        
        C:\Windows\{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{35C89122-DE21-4c0f-9558-74A9BD411075}.exe
        
        C:\Windows\{35C89122-DE21-4c0f-9558-74A9BD411075}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}.exe
        
        C:\Windows\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}.exe
        14⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C89~1.EXE > nul
        14⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04A58~1.EXE > nul
        13⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A04C0~1.EXE > nul
        12⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5700~1.EXE > nul
        11⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FFF3~1.EXE > nul
        10⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27D96~1.EXE > nul
        9⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E64D7~1.EXE > nul
        8⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2986E~1.EXE > nul
        7⤵
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C484E~1.EXE > nul
        6⤵
        
        PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE9F~1.EXE > nul
        5⤵
        
        PID:304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0824B~1.EXE > nul
      4⤵
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80439~1.EXE > nul
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C02C7D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe

Filesize
408KB

MD5
86cb1c0f167103ae6be625a8b0aa6961

SHA1
6b0d8b477fe568b404710fa862827e10df7abbb3

SHA256
c16a5ee2dc6bdfc607e7caa28fc8bcaf8c1c4d9c18f347538b1cc93af9828e32

SHA512
91d5048511ce45373a2adf62c26e288eef58c3e8eefada0189578cfea88ac1e5d49e91acd023a9936b15dd7dafc205dab19bcbef91c0361ad2dd336816ab5f44

Download Submit
C:\Windows\{04A58493-2A8E-4d2d-99A3-44547330A4F5}.exe

Filesize
408KB

MD5
86cb1c0f167103ae6be625a8b0aa6961

SHA1
6b0d8b477fe568b404710fa862827e10df7abbb3

SHA256
c16a5ee2dc6bdfc607e7caa28fc8bcaf8c1c4d9c18f347538b1cc93af9828e32

SHA512
91d5048511ce45373a2adf62c26e288eef58c3e8eefada0189578cfea88ac1e5d49e91acd023a9936b15dd7dafc205dab19bcbef91c0361ad2dd336816ab5f44

Download Submit
C:\Windows\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe

Filesize
408KB

MD5
9c1dc05bda623960bd62df6639c9f729

SHA1
295e7b165ce27b0815b7209c583c5aaf4b966195

SHA256
32b3bcf75cb274e7b38babaf7b3c313ac68b616d022968898e7afced2607daf1

SHA512
2c595c09317b55881a86bf4bbcb37e83486be0b3d98217a463a0684afe6fd8e6086dbb0120e0b00f85e5126b3c232461994518a1c92ae2e77603cb6cfcedd52c

Download Submit
C:\Windows\{0824BF8E-1E08-4c4e-A38A-DE80C6A8B469}.exe

Filesize
408KB

MD5
9c1dc05bda623960bd62df6639c9f729

SHA1
295e7b165ce27b0815b7209c583c5aaf4b966195

SHA256
32b3bcf75cb274e7b38babaf7b3c313ac68b616d022968898e7afced2607daf1

SHA512
2c595c09317b55881a86bf4bbcb37e83486be0b3d98217a463a0684afe6fd8e6086dbb0120e0b00f85e5126b3c232461994518a1c92ae2e77603cb6cfcedd52c

Download Submit
C:\Windows\{1D785C15-FE14-4b0b-9ACF-8268EA5B2887}.exe

Filesize
408KB

MD5
2ba0f571f0f4413d42ee96b345438094

SHA1
f3129bf4368ec4dc8dbb5eb2ed0182402087e8cd

SHA256
3389f7e51ea1121bc0f7fb978c0c0af4393ac7c8dbde37c401a94b0716dd7dcf

SHA512
882f0293b6c919520837723063e85455b6372892b7c8b65dbec2a7d11b732659b87247e3f1bcb36e5c0c1208c95378fd7c05f49289ac3135d33294ea909e72f4

Download Submit
C:\Windows\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe

Filesize
408KB

MD5
d044f98e83d7f71de4a038814dba2e4b

SHA1
634a36b1b9cdaffada5f080f3deef7d14a3c6640

SHA256
2a333309b1ccba02b80d5c69386ec32b001ec7d31ce9eb9bad70a85dff29394a

SHA512
c4429055bbaa153a7945c9313a142381f2becae2f1cf08f19f1453095713d88d84af18ce204ebae0a7de094d397db6b81f368cd5f93a1756053898515a2d7bc9

Download Submit
C:\Windows\{27D96362-45A5-4385-BEB9-A36C72FDAFFC}.exe

Filesize
408KB

MD5
d044f98e83d7f71de4a038814dba2e4b

SHA1
634a36b1b9cdaffada5f080f3deef7d14a3c6640

SHA256
2a333309b1ccba02b80d5c69386ec32b001ec7d31ce9eb9bad70a85dff29394a

SHA512
c4429055bbaa153a7945c9313a142381f2becae2f1cf08f19f1453095713d88d84af18ce204ebae0a7de094d397db6b81f368cd5f93a1756053898515a2d7bc9

Download Submit
C:\Windows\{2986EFFF-C815-4d06-BE49-C601850E2754}.exe

Filesize
408KB

MD5
4e96943e7e1ce794eb98a68eb37e56f9

SHA1
4b84f1068e41a101fdb68cd5c2682bb855dd07b0

SHA256
4bcaa75fc05ce00d5c7b859da772794deb2b112769cb7fe17923f6cdb2f7bda8

SHA512
48bc5aa83abfdcc77e91c3781c945edfe233b171d399c14d4ac4b5d42027361256950a7eaa02139f8ee6e7eecaa2c785b67035c00974ad1c324c031d0c7d3c18

Download Submit
C:\Windows\{2986EFFF-C815-4d06-BE49-C601850E2754}.exe

Filesize
408KB

MD5
4e96943e7e1ce794eb98a68eb37e56f9

SHA1
4b84f1068e41a101fdb68cd5c2682bb855dd07b0

SHA256
4bcaa75fc05ce00d5c7b859da772794deb2b112769cb7fe17923f6cdb2f7bda8

SHA512
48bc5aa83abfdcc77e91c3781c945edfe233b171d399c14d4ac4b5d42027361256950a7eaa02139f8ee6e7eecaa2c785b67035c00974ad1c324c031d0c7d3c18

Download Submit
C:\Windows\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe

Filesize
408KB

MD5
13ff61c2c359c6c8ee4be9181dc71b48

SHA1
6c39bfabf0fe1d1c35ed0b32218dc866fd81969d

SHA256
bdfecf68787b5e44278fee0ceb440ebe3cb1b4bfe762d6cdd4c16f80d503f157

SHA512
d60cc94a1007dc663537051fc668e001fbbfa9e9ebf30f94429e50bccd33b4bec9ea5add58b7eb6c495d2f20504db2734b228ba764498d12d2591451aaeb65c6

Download Submit
C:\Windows\{2FFF3F0A-8630-4edc-87DC-C01CB95DC1E1}.exe

Filesize
408KB

MD5
13ff61c2c359c6c8ee4be9181dc71b48

SHA1
6c39bfabf0fe1d1c35ed0b32218dc866fd81969d

SHA256
bdfecf68787b5e44278fee0ceb440ebe3cb1b4bfe762d6cdd4c16f80d503f157

SHA512
d60cc94a1007dc663537051fc668e001fbbfa9e9ebf30f94429e50bccd33b4bec9ea5add58b7eb6c495d2f20504db2734b228ba764498d12d2591451aaeb65c6

Download Submit
C:\Windows\{35C89122-DE21-4c0f-9558-74A9BD411075}.exe

Filesize
408KB

MD5
bd373f67e61828382349de55833c66f2

SHA1
08a4f91ff82da493e7598552fe8217cd24a16db9

SHA256
f3a02073abcab8f4f82c90e11d3179f6b12a318583b192325f4e0d7b989b8d0c

SHA512
5282ab29b1a543064b3d0dd8d07df62dfce6b301175182c543717e80a3c7023e1dc180d2b2e9fd397b1707e24014a25016f93cf38a85ba3846255cd9e3f21a84

Download Submit
C:\Windows\{35C89122-DE21-4c0f-9558-74A9BD411075}.exe

Filesize
408KB

MD5
bd373f67e61828382349de55833c66f2

SHA1
08a4f91ff82da493e7598552fe8217cd24a16db9

SHA256
f3a02073abcab8f4f82c90e11d3179f6b12a318583b192325f4e0d7b989b8d0c

SHA512
5282ab29b1a543064b3d0dd8d07df62dfce6b301175182c543717e80a3c7023e1dc180d2b2e9fd397b1707e24014a25016f93cf38a85ba3846255cd9e3f21a84

Download Submit
C:\Windows\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe

Filesize
408KB

MD5
a13c7b633b7b6df2f864216d2d97c54d

SHA1
7583aff0e13abe47bc984b3e7771550991d28eec

SHA256
074abd3f15aec0514b9cfbbc53e02b21eeb9c536a5c23e1e193197902d098cfc

SHA512
dd86c808747428b8b19b4b911d6726ba2de9927f4e97db0684d2fbb7d2aad6d636e4594fc95c5ee9a5b3c7c404bf9fef4296ddb14d1cca727cddf456812b70ce

Download Submit
C:\Windows\{6DE9F8CF-40C1-4356-B5E3-EECFF5FE06B3}.exe

Filesize
408KB

MD5
a13c7b633b7b6df2f864216d2d97c54d

SHA1
7583aff0e13abe47bc984b3e7771550991d28eec

SHA256
074abd3f15aec0514b9cfbbc53e02b21eeb9c536a5c23e1e193197902d098cfc

SHA512
dd86c808747428b8b19b4b911d6726ba2de9927f4e97db0684d2fbb7d2aad6d636e4594fc95c5ee9a5b3c7c404bf9fef4296ddb14d1cca727cddf456812b70ce

Download Submit
C:\Windows\{804395A5-EA73-4015-AED2-63B9FD208292}.exe

Filesize
408KB

MD5
041d4377eb92dd535851e235a360f374

SHA1
80ca8b1ef28120dd62a6bf69afd3515bba5413e5

SHA256
694c17fde948a8a58deb6e7ff100e5064681427653f762e2eab6a49a8b416c3a

SHA512
a61c330f5aeca67b995527aaac1485f340bcb533b4ce028a1980bc61794c04f141eb3ffed10121e066e402efa40f944b7b2ac131b45e3c93fc491bb6970c540a

Download Submit
C:\Windows\{804395A5-EA73-4015-AED2-63B9FD208292}.exe

Filesize
408KB

MD5
041d4377eb92dd535851e235a360f374

SHA1
80ca8b1ef28120dd62a6bf69afd3515bba5413e5

SHA256
694c17fde948a8a58deb6e7ff100e5064681427653f762e2eab6a49a8b416c3a

SHA512
a61c330f5aeca67b995527aaac1485f340bcb533b4ce028a1980bc61794c04f141eb3ffed10121e066e402efa40f944b7b2ac131b45e3c93fc491bb6970c540a

Download Submit
C:\Windows\{804395A5-EA73-4015-AED2-63B9FD208292}.exe

Filesize
408KB

MD5
041d4377eb92dd535851e235a360f374

SHA1
80ca8b1ef28120dd62a6bf69afd3515bba5413e5

SHA256
694c17fde948a8a58deb6e7ff100e5064681427653f762e2eab6a49a8b416c3a

SHA512
a61c330f5aeca67b995527aaac1485f340bcb533b4ce028a1980bc61794c04f141eb3ffed10121e066e402efa40f944b7b2ac131b45e3c93fc491bb6970c540a

Download Submit
C:\Windows\{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe

Filesize
408KB

MD5
63a74773d1bf3d3abbc77865523eb88c

SHA1
802c781713826442bd3adc28d99a01eec66d2c1c

SHA256
dfaab29305f71f98aeb6a55a4b530f40205b04ec5f94c334b1da0e1c0929560b

SHA512
12d212f431fad0b6465a749fe8146effb93adf03ce887b22da9aae47d60d236a86aa86ef2d2f7b197c51dde5f4b5379893b93aafef7c4fc50d37cdde2d876b19

Download Submit
C:\Windows\{A04C05CC-0B41-4782-86C8-C0D33D42861C}.exe

Filesize
408KB

MD5
63a74773d1bf3d3abbc77865523eb88c

SHA1
802c781713826442bd3adc28d99a01eec66d2c1c

SHA256
dfaab29305f71f98aeb6a55a4b530f40205b04ec5f94c334b1da0e1c0929560b

SHA512
12d212f431fad0b6465a749fe8146effb93adf03ce887b22da9aae47d60d236a86aa86ef2d2f7b197c51dde5f4b5379893b93aafef7c4fc50d37cdde2d876b19

Download Submit
C:\Windows\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe

Filesize
408KB

MD5
80f71f84fd1c32e39c4164b7af4ad2e5

SHA1
1475b8aef40cdc6cce8f189073f9070106c52508

SHA256
9439a091f78d5daee04f114eeb4697afe4a1e263d158c0e5b0b36fa2779dae13

SHA512
d6ef480d97be9e1fa4dd582177cedc0134fb6fead777fa7ce8a938c8d86497ab533dff109aadf979087dd44ea0f034a16bfb6e81f46180c514c1aef803dc4dee

Download Submit
C:\Windows\{C484EE79-10A4-48f9-84CD-8DE2CAFD484B}.exe

Filesize
408KB

MD5
80f71f84fd1c32e39c4164b7af4ad2e5

SHA1
1475b8aef40cdc6cce8f189073f9070106c52508

SHA256
9439a091f78d5daee04f114eeb4697afe4a1e263d158c0e5b0b36fa2779dae13

SHA512
d6ef480d97be9e1fa4dd582177cedc0134fb6fead777fa7ce8a938c8d86497ab533dff109aadf979087dd44ea0f034a16bfb6e81f46180c514c1aef803dc4dee

Download Submit
C:\Windows\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe

Filesize
408KB

MD5
cdf91d348262e475f299db6506d55c4a

SHA1
226d241aa3c0fc9eb47c937661a9b7a2a16a0023

SHA256
1f20a5899bed76472d918e2280108ab321836bb21113dee7e8e3e99ee11a7ce4

SHA512
482549feda17449bb04e0c99dd31ef2d2909e0b5906980acb9fd49659e1ea519afe85bdaf6423a222ecdfbb8ada5abc672e20ca91e053c9272b22cfe69d9dc44

Download Submit
C:\Windows\{E64D7B55-A0F1-4afc-A570-B11EA7F9DA82}.exe

Filesize
408KB

MD5
cdf91d348262e475f299db6506d55c4a

SHA1
226d241aa3c0fc9eb47c937661a9b7a2a16a0023

SHA256
1f20a5899bed76472d918e2280108ab321836bb21113dee7e8e3e99ee11a7ce4

SHA512
482549feda17449bb04e0c99dd31ef2d2909e0b5906980acb9fd49659e1ea519afe85bdaf6423a222ecdfbb8ada5abc672e20ca91e053c9272b22cfe69d9dc44

Download Submit
C:\Windows\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe

Filesize
408KB

MD5
5a39e551f538979dc1320ff6ac1f1426

SHA1
3aeddbf7790b6fdc15fbe283af0dbec779bce3cd

SHA256
82810471583b5a67b91166e64e16cfd12e8e51c3fed748b301d2680618a7efdd

SHA512
08f6b7a14c27e582dc0fdc8880018153517d59d9b75f624c9bc650fbf493bbfd624d2000f966b6dac33e8abb4e046e0843b29af965d9252545cad095b8d1ddf0

Download Submit
C:\Windows\{F5700A6E-01DD-4eb6-91CC-7F60D2F659A4}.exe

Filesize
408KB

MD5
5a39e551f538979dc1320ff6ac1f1426

SHA1
3aeddbf7790b6fdc15fbe283af0dbec779bce3cd

SHA256
82810471583b5a67b91166e64e16cfd12e8e51c3fed748b301d2680618a7efdd

SHA512
08f6b7a14c27e582dc0fdc8880018153517d59d9b75f624c9bc650fbf493bbfd624d2000f966b6dac33e8abb4e046e0843b29af965d9252545cad095b8d1ddf0

Download Submit