d75db434c647632b372ae2c20dfd6a4722387689d73da9598bdb814702d0e3e7

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3b9fe1d160660exeexeexeex.exe
Size

372KB
MD5

c3b9fe1d160660519ea0ab5776dec981
SHA1

5d3e70c21c1e4e001f0404beb05f7387b827ddb9
SHA256

d75db434c647632b372ae2c20dfd6a4722387689d73da9598bdb814702d0e3e7
SHA512

9cef8ec9bbf53978a1cecddb26e7b3e1db6f32a4301208781736e838deafa76b7bfb51fa746a1d997d6e87b7347ebfcf1ce4c15d2710175a1d4aa9833074100b
SSDEEP

3072:CEGh0oNmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGil/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D29391-5046-4e33-8E2E-0586F31BD28E}	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}\stubpath = "C:\\Windows\\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe"	{B918147E-42E5-4a27-8C00-19090E564A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E0836A5-2D31-414e-A12B-4C89A613577E}	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{907FD254-7C63-4c4a-BFCD-584C1918088F}	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{907FD254-7C63-4c4a-BFCD-584C1918088F}\stubpath = "C:\\Windows\\{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe"	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1DE46AB-8531-42e8-AACA-1908AC306940}\stubpath = "C:\\Windows\\{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe"	{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951FD35A-6072-4695-BB50-22E11C98F26F}	{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}	{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}	c3b9fe1d160660exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D29391-5046-4e33-8E2E-0586F31BD28E}\stubpath = "C:\\Windows\\{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe"	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{176E56CC-B709-4898-98F6-4F90FD5780EE}\stubpath = "C:\\Windows\\{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe"	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}	{B918147E-42E5-4a27-8C00-19090E564A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{260CBEB7-0690-4cf4-BCE7-04761AF40519}	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}	{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1DE46AB-8531-42e8-AACA-1908AC306940}	{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}\stubpath = "C:\\Windows\\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe"	{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A409C09-BACF-4c9b-A294-54D4F00806FD}\stubpath = "C:\\Windows\\{6A409C09-BACF-4c9b-A294-54D4F00806FD}.exe"	{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}\stubpath = "C:\\Windows\\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe"	c3b9fe1d160660exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{176E56CC-B709-4898-98F6-4F90FD5780EE}	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B918147E-42E5-4a27-8C00-19090E564A74}\stubpath = "C:\\Windows\\{B918147E-42E5-4a27-8C00-19090E564A74}.exe"	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E0836A5-2D31-414e-A12B-4C89A613577E}\stubpath = "C:\\Windows\\{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe"	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}\stubpath = "C:\\Windows\\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe"	{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B918147E-42E5-4a27-8C00-19090E564A74}	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{260CBEB7-0690-4cf4-BCE7-04761AF40519}\stubpath = "C:\\Windows\\{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe"	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951FD35A-6072-4695-BB50-22E11C98F26F}\stubpath = "C:\\Windows\\{951FD35A-6072-4695-BB50-22E11C98F26F}.exe"	{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A409C09-BACF-4c9b-A294-54D4F00806FD}	{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe
2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
2352	{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe
2276	{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
2720	{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
2708	{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
1644	{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe
2764	{6A409C09-BACF-4c9b-A294-54D4F00806FD}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{951FD35A-6072-4695-BB50-22E11C98F26F}.exe	{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
File created	C:\Windows\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe	{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
File created	C:\Windows\{6A409C09-BACF-4c9b-A294-54D4F00806FD}.exe	{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe
File created	C:\Windows\{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
File created	C:\Windows\{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
File created	C:\Windows\{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
File created	C:\Windows\{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
File created	C:\Windows\{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe	{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
File created	C:\Windows\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	c3b9fe1d160660exeexeexeex.exe
File created	C:\Windows\{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
File created	C:\Windows\{B918147E-42E5-4a27-8C00-19090E564A74}.exe	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
File created	C:\Windows\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	{B918147E-42E5-4a27-8C00-19090E564A74}.exe
File created	C:\Windows\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe	{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2300	c3b9fe1d160660exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
Token: SeIncBasePriorityPrivilege	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
Token: SeIncBasePriorityPrivilege	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
Token: SeIncBasePriorityPrivilege	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe
Token: SeIncBasePriorityPrivilege	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
Token: SeIncBasePriorityPrivilege	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
Token: SeIncBasePriorityPrivilege	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
Token: SeIncBasePriorityPrivilege	2352	{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe
Token: SeIncBasePriorityPrivilege	2276	{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
Token: SeIncBasePriorityPrivilege	2720	{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
Token: SeIncBasePriorityPrivilege	2708	{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
Token: SeIncBasePriorityPrivilege	1644	{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1160	2300	c3b9fe1d160660exeexeexeex.exe	29
PID 2300 wrote to memory of 1160	2300	c3b9fe1d160660exeexeexeex.exe	29
PID 2300 wrote to memory of 1160	2300	c3b9fe1d160660exeexeexeex.exe	29
PID 2300 wrote to memory of 1160	2300	c3b9fe1d160660exeexeexeex.exe	29
PID 2300 wrote to memory of 2436	2300	c3b9fe1d160660exeexeexeex.exe	30
PID 2300 wrote to memory of 2436	2300	c3b9fe1d160660exeexeexeex.exe	30
PID 2300 wrote to memory of 2436	2300	c3b9fe1d160660exeexeexeex.exe	30
PID 2300 wrote to memory of 2436	2300	c3b9fe1d160660exeexeexeex.exe	30
PID 1160 wrote to memory of 2364	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	32
PID 1160 wrote to memory of 2364	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	32
PID 1160 wrote to memory of 2364	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	32
PID 1160 wrote to memory of 2364	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	32
PID 1160 wrote to memory of 1300	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	31
PID 1160 wrote to memory of 1300	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	31
PID 1160 wrote to memory of 1300	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	31
PID 1160 wrote to memory of 1300	1160	{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe	31
PID 2364 wrote to memory of 1772	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	34
PID 2364 wrote to memory of 1772	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	34
PID 2364 wrote to memory of 1772	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	34
PID 2364 wrote to memory of 1772	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	34
PID 2364 wrote to memory of 584	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	33
PID 2364 wrote to memory of 584	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	33
PID 2364 wrote to memory of 584	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	33
PID 2364 wrote to memory of 584	2364	{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe	33
PID 1772 wrote to memory of 440	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	35
PID 1772 wrote to memory of 440	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	35
PID 1772 wrote to memory of 440	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	35
PID 1772 wrote to memory of 440	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	35
PID 1772 wrote to memory of 2248	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	36
PID 1772 wrote to memory of 2248	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	36
PID 1772 wrote to memory of 2248	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	36
PID 1772 wrote to memory of 2248	1772	{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe	36
PID 440 wrote to memory of 2976	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	37
PID 440 wrote to memory of 2976	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	37
PID 440 wrote to memory of 2976	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	37
PID 440 wrote to memory of 2976	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	37
PID 440 wrote to memory of 2264	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	38
PID 440 wrote to memory of 2264	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	38
PID 440 wrote to memory of 2264	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	38
PID 440 wrote to memory of 2264	440	{B918147E-42E5-4a27-8C00-19090E564A74}.exe	38
PID 2976 wrote to memory of 608	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	40
PID 2976 wrote to memory of 608	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	40
PID 2976 wrote to memory of 608	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	40
PID 2976 wrote to memory of 608	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	40
PID 2976 wrote to memory of 932	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	39
PID 2976 wrote to memory of 932	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	39
PID 2976 wrote to memory of 932	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	39
PID 2976 wrote to memory of 932	2976	{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe	39
PID 608 wrote to memory of 2144	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	41
PID 608 wrote to memory of 2144	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	41
PID 608 wrote to memory of 2144	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	41
PID 608 wrote to memory of 2144	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	41
PID 608 wrote to memory of 268	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	42
PID 608 wrote to memory of 268	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	42
PID 608 wrote to memory of 268	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	42
PID 608 wrote to memory of 268	608	{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe	42
PID 2144 wrote to memory of 2352	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	44
PID 2144 wrote to memory of 2352	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	44
PID 2144 wrote to memory of 2352	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	44
PID 2144 wrote to memory of 2352	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	44
PID 2144 wrote to memory of 2232	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	43
PID 2144 wrote to memory of 2232	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	43
PID 2144 wrote to memory of 2232	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	43
PID 2144 wrote to memory of 2232	2144	{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe	43

C:\Users\Admin\AppData\Local\Temp\c3b9fe1d160660exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c3b9fe1d160660exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
  C:\Windows\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CC636~1.EXE > nul
    3⤵
    PID:1300
- - C:\Windows\{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
    C:\Windows\{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55D29~1.EXE > nul
      4⤵
      PID:584
  - - C:\Windows\{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
      C:\Windows\{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\{B918147E-42E5-4a27-8C00-19090E564A74}.exe
        
        C:\Windows\{B918147E-42E5-4a27-8C00-19090E564A74}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
        
        C:\Windows\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CC67~1.EXE > nul
        7⤵
        
        PID:932
        
        C:\Windows\{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
        
        C:\Windows\{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
        
        C:\Windows\{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{907FD~1.EXE > nul
        9⤵
        
        PID:2232
        
        C:\Windows\{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe
        
        C:\Windows\{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{260CB~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
        
        C:\Windows\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5888~1.EXE > nul
        11⤵
        
        PID:2956
        
        C:\Windows\{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
        
        C:\Windows\{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
        
        C:\Windows\{951FD35A-6072-4695-BB50-22E11C98F26F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{951FD~1.EXE > nul
        13⤵
        
        PID:2268
        
        C:\Windows\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe
        
        C:\Windows\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B95~1.EXE > nul
        14⤵
        
        PID:2540
        
        C:\Windows\{6A409C09-BACF-4c9b-A294-54D4F00806FD}.exe
        
        C:\Windows\{6A409C09-BACF-4c9b-A294-54D4F00806FD}.exe
        14⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1DE4~1.EXE > nul
        12⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E083~1.EXE > nul
        8⤵
        
        PID:268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9181~1.EXE > nul
        6⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{176E5~1.EXE > nul
        5⤵
        
        PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C3B9FE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe

Filesize
372KB

MD5
e736a9fcddaea6b240a5a4dcdb5d045d

SHA1
ed78af23ab57badb41e4ee2676e9361db1e3db6f

SHA256
42526c998e43978e75668e4b0368dcd630f07caf257f71f5536d441067d8012d

SHA512
cf66ff7d357115536b635f0f4065410d5dfdfcffbfdf842c799f91aecf59423a71dd3c9a4261ec185afc3b30fcc6c9e0b04cbc5da225a4bcfed73ad23650f3a5

Download Submit
C:\Windows\{176E56CC-B709-4898-98F6-4F90FD5780EE}.exe

Filesize
372KB

MD5
e736a9fcddaea6b240a5a4dcdb5d045d

SHA1
ed78af23ab57badb41e4ee2676e9361db1e3db6f

SHA256
42526c998e43978e75668e4b0368dcd630f07caf257f71f5536d441067d8012d

SHA512
cf66ff7d357115536b635f0f4065410d5dfdfcffbfdf842c799f91aecf59423a71dd3c9a4261ec185afc3b30fcc6c9e0b04cbc5da225a4bcfed73ad23650f3a5

Download Submit
C:\Windows\{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe

Filesize
372KB

MD5
7c6a2a2008afe8ec310b942e61713fff

SHA1
4ccdefa753386d4605faa1d6074233546ceef149

SHA256
d461e141a837e38df7c5d03f95d16457f7cb3aca7999e9fc36a5915ed1dddcc2

SHA512
a950a56927f8431fa4844ca2bcee02d6f56c204fe1872cde1b60b1f8cecb84e31e9a15d18ef82a4fa32d732fc98fb6c1b83065f0a9cfec4ff175e7bbf0c7d201

Download Submit
C:\Windows\{1E0836A5-2D31-414e-A12B-4C89A613577E}.exe

Filesize
372KB

MD5
7c6a2a2008afe8ec310b942e61713fff

SHA1
4ccdefa753386d4605faa1d6074233546ceef149

SHA256
d461e141a837e38df7c5d03f95d16457f7cb3aca7999e9fc36a5915ed1dddcc2

SHA512
a950a56927f8431fa4844ca2bcee02d6f56c204fe1872cde1b60b1f8cecb84e31e9a15d18ef82a4fa32d732fc98fb6c1b83065f0a9cfec4ff175e7bbf0c7d201

Download Submit
C:\Windows\{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe

Filesize
372KB

MD5
717fe073fadf35fe0e93671933908f60

SHA1
c5fe4992ca5668ca0422e9e99f7992398549062e

SHA256
c5215c180d44757ff59ac01a2934fc1bae73a8838dc1bcde2a04a92555b8841e

SHA512
b677625cb5d1653724a5190359b5a6bd56bd9eac2366245eb20dba4771e914aabd7e8ed6a2b0d3196038adcd73314ee22ceccee465131f7e6eefd1bc7a26deb6

Download Submit
C:\Windows\{260CBEB7-0690-4cf4-BCE7-04761AF40519}.exe

Filesize
372KB

MD5
717fe073fadf35fe0e93671933908f60

SHA1
c5fe4992ca5668ca0422e9e99f7992398549062e

SHA256
c5215c180d44757ff59ac01a2934fc1bae73a8838dc1bcde2a04a92555b8841e

SHA512
b677625cb5d1653724a5190359b5a6bd56bd9eac2366245eb20dba4771e914aabd7e8ed6a2b0d3196038adcd73314ee22ceccee465131f7e6eefd1bc7a26deb6

Download Submit
C:\Windows\{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe

Filesize
372KB

MD5
db304c0ac347aaa516a5df98b32e35c3

SHA1
e8f5b7634467c0fff817e0ac93132f7c6777b808

SHA256
4eba78a58c9c9cd1fd77d593da5628a5eb89d62ce2a8c1edbaca146dc3010111

SHA512
250e80dfcd066a8b400a97c2e8baad36da2867476275c622f5a7de225f015a0c2e603a587d2396e3b792dc93b904c06dcd8b55d8ad47cd0762d194465374f907

Download Submit
C:\Windows\{55D29391-5046-4e33-8E2E-0586F31BD28E}.exe

Filesize
372KB

MD5
db304c0ac347aaa516a5df98b32e35c3

SHA1
e8f5b7634467c0fff817e0ac93132f7c6777b808

SHA256
4eba78a58c9c9cd1fd77d593da5628a5eb89d62ce2a8c1edbaca146dc3010111

SHA512
250e80dfcd066a8b400a97c2e8baad36da2867476275c622f5a7de225f015a0c2e603a587d2396e3b792dc93b904c06dcd8b55d8ad47cd0762d194465374f907

Download Submit
C:\Windows\{6A409C09-BACF-4c9b-A294-54D4F00806FD}.exe

Filesize
372KB

MD5
bbeb79150f507e3560ea16256924837f

SHA1
ee2ec085222723291c886870f6a51220a5448f94

SHA256
ea57188eaa37b11f52c8ab4909e1654228c1237f3bfb1c349f535e34697450ff

SHA512
a994b2b395d0401d8f9ac92e52fe61b9effd945009262b42544af61b6c90e6c4f514ee4dcb48dbe3779f2443112b66b6bdc8b57f888263b5a2807003747edb53

Download Submit
C:\Windows\{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe

Filesize
372KB

MD5
a8aae1f619431ad16cd673ff8597de44

SHA1
dbca162b2684563bede6356baa97058b973bae21

SHA256
c4a894de2293f221ed8601080014d7475d499ce09fdc58e411269a220fde273a

SHA512
08faf97f8aa47a11b7e6568e4bd0609fc250403360ae6d28b50bebbf41c4b58aa75a83c1c2228398f95fcca12ad43efd2ef37c32435054eb0eafb8c617af6aa1

Download Submit
C:\Windows\{907FD254-7C63-4c4a-BFCD-584C1918088F}.exe

Filesize
372KB

MD5
a8aae1f619431ad16cd673ff8597de44

SHA1
dbca162b2684563bede6356baa97058b973bae21

SHA256
c4a894de2293f221ed8601080014d7475d499ce09fdc58e411269a220fde273a

SHA512
08faf97f8aa47a11b7e6568e4bd0609fc250403360ae6d28b50bebbf41c4b58aa75a83c1c2228398f95fcca12ad43efd2ef37c32435054eb0eafb8c617af6aa1

Download Submit
C:\Windows\{951FD35A-6072-4695-BB50-22E11C98F26F}.exe

Filesize
372KB

MD5
9a0f948a6b8dffd0a03680ed7ae34eaa

SHA1
9aafc901333c9ce3835f6e09773b0f36f5daf9bf

SHA256
01d565ae9fb57d83e2f9e7df51c25d664bf42aebced2d95f251293247faaa030

SHA512
9bd008d5282b971671cde9dd7f3ee018f5b4a7c6051c91b8dff00024a2a633637c6caee71dcf97ca4cc455dfd25fc2a2b62012709dbb004c1c3f8f0aa17ab49f

Download Submit
C:\Windows\{951FD35A-6072-4695-BB50-22E11C98F26F}.exe

Filesize
372KB

MD5
9a0f948a6b8dffd0a03680ed7ae34eaa

SHA1
9aafc901333c9ce3835f6e09773b0f36f5daf9bf

SHA256
01d565ae9fb57d83e2f9e7df51c25d664bf42aebced2d95f251293247faaa030

SHA512
9bd008d5282b971671cde9dd7f3ee018f5b4a7c6051c91b8dff00024a2a633637c6caee71dcf97ca4cc455dfd25fc2a2b62012709dbb004c1c3f8f0aa17ab49f

Download Submit
C:\Windows\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe

Filesize
372KB

MD5
aadf90338742abff5f5af00fa6362fac

SHA1
68ecfa13c61bbe6838dfd310fc96283f336957bb

SHA256
4bb7368163cf258997c444a6f6dd4eb20b5a82a207a803af488572bba2d68a55

SHA512
2e35035273fd94af80944ff48ff2a26fa372020bad3782f2a4ca58e09b93b34bea15a810151d411cedd45f3b24e4f538e28b40c0fc2990fd521c085c12f9190a

Download Submit
C:\Windows\{9CC67FB1-505D-4eaf-B180-E4F80CD500AC}.exe

Filesize
372KB

MD5
aadf90338742abff5f5af00fa6362fac

SHA1
68ecfa13c61bbe6838dfd310fc96283f336957bb

SHA256
4bb7368163cf258997c444a6f6dd4eb20b5a82a207a803af488572bba2d68a55

SHA512
2e35035273fd94af80944ff48ff2a26fa372020bad3782f2a4ca58e09b93b34bea15a810151d411cedd45f3b24e4f538e28b40c0fc2990fd521c085c12f9190a

Download Submit
C:\Windows\{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe

Filesize
372KB

MD5
76c2d71214f62b01d85609bb37040f7a

SHA1
6f522c177566c14ceb3c8dae70832aa9ef5c9f88

SHA256
54ef4a627b70565630f45ae6413b1eee7a6c7319ed4dc8a7ade478efcc607805

SHA512
ba56ce8036f6b8779f667639ebf243118fb704837c102f3a2af43480a6e538a15c700ca826066688b7914912982e9478eda13a69c1dab73ee618fa4f2f9053dc

Download Submit
C:\Windows\{B1DE46AB-8531-42e8-AACA-1908AC306940}.exe

Filesize
372KB

MD5
76c2d71214f62b01d85609bb37040f7a

SHA1
6f522c177566c14ceb3c8dae70832aa9ef5c9f88

SHA256
54ef4a627b70565630f45ae6413b1eee7a6c7319ed4dc8a7ade478efcc607805

SHA512
ba56ce8036f6b8779f667639ebf243118fb704837c102f3a2af43480a6e538a15c700ca826066688b7914912982e9478eda13a69c1dab73ee618fa4f2f9053dc

Download Submit
C:\Windows\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe

Filesize
372KB

MD5
de28441eff6af72ba1e3c6d8ea7950b0

SHA1
d34fb1ea4a411689f35f753e72d4a0ec3d44efb4

SHA256
5a9742f2afd49b42d2be2e2ebda4eb3f561159fb0abc88aa329a139449dfdebe

SHA512
bd583337b0c0c903b421d3d8bd83aa5ed34007e4a33c77936cf7cffe11ff98a1db8c648e6a5365decde7df47e6c7e0247d641afed908d75de5ad1da6a767cdd1

Download Submit
C:\Windows\{B6B95E87-695D-418a-8DCC-E5ED44FAB54E}.exe

Filesize
372KB

MD5
de28441eff6af72ba1e3c6d8ea7950b0

SHA1
d34fb1ea4a411689f35f753e72d4a0ec3d44efb4

SHA256
5a9742f2afd49b42d2be2e2ebda4eb3f561159fb0abc88aa329a139449dfdebe

SHA512
bd583337b0c0c903b421d3d8bd83aa5ed34007e4a33c77936cf7cffe11ff98a1db8c648e6a5365decde7df47e6c7e0247d641afed908d75de5ad1da6a767cdd1

Download Submit
C:\Windows\{B918147E-42E5-4a27-8C00-19090E564A74}.exe

Filesize
372KB

MD5
0d50c40e56017a3499638b3d791f77c7

SHA1
20f8b18fa7b846919c3c6243fb6908f429e27e02

SHA256
62278770205e447f82c0add0652ac9d1015cf1293472aa0d571a522884db56eb

SHA512
794e1c8185b41c30a2fe25bb9baf03dd26e8a8b14b9d540306bb2aaf21d546ff64f3a575d2c8b054e5a75c0743a0862b41f809ff0af1ee7467854ff1722f5612

Download Submit
C:\Windows\{B918147E-42E5-4a27-8C00-19090E564A74}.exe

Filesize
372KB

MD5
0d50c40e56017a3499638b3d791f77c7

SHA1
20f8b18fa7b846919c3c6243fb6908f429e27e02

SHA256
62278770205e447f82c0add0652ac9d1015cf1293472aa0d571a522884db56eb

SHA512
794e1c8185b41c30a2fe25bb9baf03dd26e8a8b14b9d540306bb2aaf21d546ff64f3a575d2c8b054e5a75c0743a0862b41f809ff0af1ee7467854ff1722f5612

Download Submit
C:\Windows\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe

Filesize
372KB

MD5
a38502b083abf75cc25432201928a9ea

SHA1
fb22bcd20079d109c3c70ed47097c774e69587d9

SHA256
c487da056bf44d745f9fe040137e3208d5c6285f49340bc2db68b8048b492444

SHA512
dabc1f5fc8f4a32750a62328b2ebaa39f274fdd969f207f085a8aaccc2fc68c31988c873773db0c298d42845e0140a4c15b3b0c1dbd93211827ed5e872beb231

Download Submit
C:\Windows\{C58884D2-0C6F-4e47-A4DD-56FD580853B8}.exe

Filesize
372KB

MD5
a38502b083abf75cc25432201928a9ea

SHA1
fb22bcd20079d109c3c70ed47097c774e69587d9

SHA256
c487da056bf44d745f9fe040137e3208d5c6285f49340bc2db68b8048b492444

SHA512
dabc1f5fc8f4a32750a62328b2ebaa39f274fdd969f207f085a8aaccc2fc68c31988c873773db0c298d42845e0140a4c15b3b0c1dbd93211827ed5e872beb231

Download Submit
C:\Windows\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe

Filesize
372KB

MD5
0ee07a624871208194e67d57884f8c29

SHA1
c53e70a7486957b4e079dd8da2b30bb023c95ae2

SHA256
ffeb87694c867c07f5b43e85535755fb2c2a3b5c62623fe2825fa778e795bf30

SHA512
4a555162d535b3ab9b832624c527efa35c30cf5c3147659fbcaa5602077e5bffe61693d805615735576d121397137e396f7dea82d6d50257451f3f00b0ba9993

Download Submit
C:\Windows\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe

Filesize
372KB

MD5
0ee07a624871208194e67d57884f8c29

SHA1
c53e70a7486957b4e079dd8da2b30bb023c95ae2

SHA256
ffeb87694c867c07f5b43e85535755fb2c2a3b5c62623fe2825fa778e795bf30

SHA512
4a555162d535b3ab9b832624c527efa35c30cf5c3147659fbcaa5602077e5bffe61693d805615735576d121397137e396f7dea82d6d50257451f3f00b0ba9993

Download Submit
C:\Windows\{CC636FAA-FD36-4952-9755-D3BBA1B9BE47}.exe

Filesize
372KB

MD5
0ee07a624871208194e67d57884f8c29

SHA1
c53e70a7486957b4e079dd8da2b30bb023c95ae2

SHA256
ffeb87694c867c07f5b43e85535755fb2c2a3b5c62623fe2825fa778e795bf30

SHA512
4a555162d535b3ab9b832624c527efa35c30cf5c3147659fbcaa5602077e5bffe61693d805615735576d121397137e396f7dea82d6d50257451f3f00b0ba9993

Download Submit