19c3cc608f162405fe9418bf1e9c145d6a8ca362d90cce54a44f053f51a5ffa3

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef1f90f78a45f9exeexeexeex.exe
Size

204KB
MD5

ef1f90f78a45f945919b4ed120f85cc5
SHA1

1e3953899c53d7e54f4381de2079b3fa17d43986
SHA256

19c3cc608f162405fe9418bf1e9c145d6a8ca362d90cce54a44f053f51a5ffa3
SHA512

009985bd2fc23d8ddb4488304ba96fbf6fa0bd37144d063996ab515c42c6ea1c0d7c77945f4317b570a1071ea8a511bde3be61a3f7bb98b4eaed83c42e2bfb14
SSDEEP

1536:1EGh0oql15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oql1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}	{41C51CE7-1C29-4765-A250-ED6972725280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE77A9CC-A671-4c03-9DA0-C3230065D598}\stubpath = "C:\\Windows\\{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe"	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3328D994-6F09-4aca-A0DF-841E22E7254A}	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}\stubpath = "C:\\Windows\\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe"	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6453861-FB58-45c8-87C6-86C341419833}\stubpath = "C:\\Windows\\{C6453861-FB58-45c8-87C6-86C341419833}.exe"	{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41C51CE7-1C29-4765-A250-ED6972725280}	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}\stubpath = "C:\\Windows\\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe"	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}\stubpath = "C:\\Windows\\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe"	{C6453861-FB58-45c8-87C6-86C341419833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}\stubpath = "C:\\Windows\\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe"	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}\stubpath = "C:\\Windows\\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe"	{41C51CE7-1C29-4765-A250-ED6972725280}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6453861-FB58-45c8-87C6-86C341419833}	{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39F60990-2450-4fa9-A044-18855052BF2F}\stubpath = "C:\\Windows\\{39F60990-2450-4fa9-A044-18855052BF2F}.exe"	{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72C84817-7C2D-4888-BABE-46FBC6B5D347}	ef1f90f78a45f9exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72C84817-7C2D-4888-BABE-46FBC6B5D347}\stubpath = "C:\\Windows\\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe"	ef1f90f78a45f9exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41C51CE7-1C29-4765-A250-ED6972725280}\stubpath = "C:\\Windows\\{41C51CE7-1C29-4765-A250-ED6972725280}.exe"	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE77A9CC-A671-4c03-9DA0-C3230065D598}	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3328D994-6F09-4aca-A0DF-841E22E7254A}\stubpath = "C:\\Windows\\{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe"	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}	{C6453861-FB58-45c8-87C6-86C341419833}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}	{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}\stubpath = "C:\\Windows\\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe"	{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39F60990-2450-4fa9-A044-18855052BF2F}	{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C55A156-5120-4ba5-A0FC-D60F68102769}	{39F60990-2450-4fa9-A044-18855052BF2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C55A156-5120-4ba5-A0FC-D60F68102769}\stubpath = "C:\\Windows\\{4C55A156-5120-4ba5-A0FC-D60F68102769}.exe"	{39F60990-2450-4fa9-A044-18855052BF2F}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe
2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
2212	{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
2560	{C6453861-FB58-45c8-87C6-86C341419833}.exe
2712	{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
2488	{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
2680	{39F60990-2450-4fa9-A044-18855052BF2F}.exe
2968	{4C55A156-5120-4ba5-A0FC-D60F68102769}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe	{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
File created	C:\Windows\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
File created	C:\Windows\{41C51CE7-1C29-4765-A250-ED6972725280}.exe	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
File created	C:\Windows\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	{41C51CE7-1C29-4765-A250-ED6972725280}.exe
File created	C:\Windows\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
File created	C:\Windows\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
File created	C:\Windows\{C6453861-FB58-45c8-87C6-86C341419833}.exe	{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
File created	C:\Windows\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	ef1f90f78a45f9exeexeexeex.exe
File created	C:\Windows\{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
File created	C:\Windows\{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
File created	C:\Windows\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe	{C6453861-FB58-45c8-87C6-86C341419833}.exe
File created	C:\Windows\{39F60990-2450-4fa9-A044-18855052BF2F}.exe	{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
File created	C:\Windows\{4C55A156-5120-4ba5-A0FC-D60F68102769}.exe	{39F60990-2450-4fa9-A044-18855052BF2F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2408	ef1f90f78a45f9exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
Token: SeIncBasePriorityPrivilege	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
Token: SeIncBasePriorityPrivilege	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe
Token: SeIncBasePriorityPrivilege	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
Token: SeIncBasePriorityPrivilege	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
Token: SeIncBasePriorityPrivilege	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
Token: SeIncBasePriorityPrivilege	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
Token: SeIncBasePriorityPrivilege	2212	{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
Token: SeIncBasePriorityPrivilege	2560	{C6453861-FB58-45c8-87C6-86C341419833}.exe
Token: SeIncBasePriorityPrivilege	2712	{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
Token: SeIncBasePriorityPrivilege	2488	{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
Token: SeIncBasePriorityPrivilege	2680	{39F60990-2450-4fa9-A044-18855052BF2F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3028	2408	ef1f90f78a45f9exeexeexeex.exe	29
PID 2408 wrote to memory of 3028	2408	ef1f90f78a45f9exeexeexeex.exe	29
PID 2408 wrote to memory of 3028	2408	ef1f90f78a45f9exeexeexeex.exe	29
PID 2408 wrote to memory of 3028	2408	ef1f90f78a45f9exeexeexeex.exe	29
PID 2408 wrote to memory of 3060	2408	ef1f90f78a45f9exeexeexeex.exe	30
PID 2408 wrote to memory of 3060	2408	ef1f90f78a45f9exeexeexeex.exe	30
PID 2408 wrote to memory of 3060	2408	ef1f90f78a45f9exeexeexeex.exe	30
PID 2408 wrote to memory of 3060	2408	ef1f90f78a45f9exeexeexeex.exe	30
PID 3028 wrote to memory of 2324	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	31
PID 3028 wrote to memory of 2324	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	31
PID 3028 wrote to memory of 2324	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	31
PID 3028 wrote to memory of 2324	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	31
PID 3028 wrote to memory of 2996	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	32
PID 3028 wrote to memory of 2996	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	32
PID 3028 wrote to memory of 2996	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	32
PID 3028 wrote to memory of 2996	3028	{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe	32
PID 2324 wrote to memory of 2856	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	33
PID 2324 wrote to memory of 2856	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	33
PID 2324 wrote to memory of 2856	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	33
PID 2324 wrote to memory of 2856	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	33
PID 2324 wrote to memory of 2272	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	34
PID 2324 wrote to memory of 2272	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	34
PID 2324 wrote to memory of 2272	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	34
PID 2324 wrote to memory of 2272	2324	{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe	34
PID 2856 wrote to memory of 2160	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	35
PID 2856 wrote to memory of 2160	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	35
PID 2856 wrote to memory of 2160	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	35
PID 2856 wrote to memory of 2160	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	35
PID 2856 wrote to memory of 1284	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	36
PID 2856 wrote to memory of 1284	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	36
PID 2856 wrote to memory of 1284	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	36
PID 2856 wrote to memory of 1284	2856	{41C51CE7-1C29-4765-A250-ED6972725280}.exe	36
PID 2160 wrote to memory of 2188	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	37
PID 2160 wrote to memory of 2188	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	37
PID 2160 wrote to memory of 2188	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	37
PID 2160 wrote to memory of 2188	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	37
PID 2160 wrote to memory of 1016	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	38
PID 2160 wrote to memory of 1016	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	38
PID 2160 wrote to memory of 1016	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	38
PID 2160 wrote to memory of 1016	2160	{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe	38
PID 2188 wrote to memory of 1516	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	39
PID 2188 wrote to memory of 1516	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	39
PID 2188 wrote to memory of 1516	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	39
PID 2188 wrote to memory of 1516	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	39
PID 2188 wrote to memory of 2940	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	40
PID 2188 wrote to memory of 2940	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	40
PID 2188 wrote to memory of 2940	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	40
PID 2188 wrote to memory of 2940	2188	{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe	40
PID 1516 wrote to memory of 2984	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	41
PID 1516 wrote to memory of 2984	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	41
PID 1516 wrote to memory of 2984	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	41
PID 1516 wrote to memory of 2984	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	41
PID 1516 wrote to memory of 108	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	42
PID 1516 wrote to memory of 108	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	42
PID 1516 wrote to memory of 108	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	42
PID 1516 wrote to memory of 108	1516	{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe	42
PID 2984 wrote to memory of 2212	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	43
PID 2984 wrote to memory of 2212	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	43
PID 2984 wrote to memory of 2212	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	43
PID 2984 wrote to memory of 2212	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	43
PID 2984 wrote to memory of 2236	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	44
PID 2984 wrote to memory of 2236	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	44
PID 2984 wrote to memory of 2236	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	44
PID 2984 wrote to memory of 2236	2984	{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe	44

C:\Users\Admin\AppData\Local\Temp\ef1f90f78a45f9exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ef1f90f78a45f9exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
  C:\Windows\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
    C:\Windows\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\{41C51CE7-1C29-4765-A250-ED6972725280}.exe
      C:\Windows\{41C51CE7-1C29-4765-A250-ED6972725280}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
        
        C:\Windows\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
        
        C:\Windows\{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
        
        C:\Windows\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
        
        C:\Windows\{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
        
        C:\Windows\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{C6453861-FB58-45c8-87C6-86C341419833}.exe
        
        C:\Windows\{C6453861-FB58-45c8-87C6-86C341419833}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
        
        C:\Windows\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
        
        C:\Windows\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\{39F60990-2450-4fa9-A044-18855052BF2F}.exe
        
        C:\Windows\{39F60990-2450-4fa9-A044-18855052BF2F}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{4C55A156-5120-4ba5-A0FC-D60F68102769}.exe
        
        C:\Windows\{4C55A156-5120-4ba5-A0FC-D60F68102769}.exe
        14⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39F60~1.EXE > nul
        14⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{116BB~1.EXE > nul
        13⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD2BF~1.EXE > nul
        12⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6453~1.EXE > nul
        11⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA11A~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3328D~1.EXE > nul
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80DBE~1.EXE > nul
        8⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE77A~1.EXE > nul
        7⤵
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62C0B~1.EXE > nul
        6⤵
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41C51~1.EXE > nul
        5⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9FE67~1.EXE > nul
      4⤵
      PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72C84~1.EXE > nul
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EF1F90~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe

Filesize
204KB

MD5
557c0a0fafded150383c58bb9c429dab

SHA1
9d48f1efe0535a42f2a83226a5321c9c54b9b4ba

SHA256
2423754f4b0a8c216054430a1d70e44413b7d403e3149fc04d89a4954d043170

SHA512
cbfab1b58a445b3489130f8ff766a34e27b7b9315143fb402473d67ff915fc54fdc58bbd0e2cb26c322a40e3b8ffd35e31ef0f0aa46480df409ecb7c725f8917

Download Submit
C:\Windows\{116BB4FF-CAB4-4d9f-BBE1-C18F03E5ABDB}.exe

Filesize
204KB

MD5
557c0a0fafded150383c58bb9c429dab

SHA1
9d48f1efe0535a42f2a83226a5321c9c54b9b4ba

SHA256
2423754f4b0a8c216054430a1d70e44413b7d403e3149fc04d89a4954d043170

SHA512
cbfab1b58a445b3489130f8ff766a34e27b7b9315143fb402473d67ff915fc54fdc58bbd0e2cb26c322a40e3b8ffd35e31ef0f0aa46480df409ecb7c725f8917

Download Submit
C:\Windows\{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe

Filesize
204KB

MD5
967aceb8f38c33bce38008c1b6ce5fea

SHA1
253c1a09ee6940b73f7ebd8126dbe4301df4a864

SHA256
325dcfdfb5efee16455b15b765551e2db586f381ce046128ee56e1b991550eec

SHA512
33484de26da054eecd199fe872e1c3802a68d490426157ce16319934be992334e487415e1e377e870bdd7f84bf04655a6f6579965db6dea07643dc0d3e4a8e95

Download Submit
C:\Windows\{3328D994-6F09-4aca-A0DF-841E22E7254A}.exe

Filesize
204KB

MD5
967aceb8f38c33bce38008c1b6ce5fea

SHA1
253c1a09ee6940b73f7ebd8126dbe4301df4a864

SHA256
325dcfdfb5efee16455b15b765551e2db586f381ce046128ee56e1b991550eec

SHA512
33484de26da054eecd199fe872e1c3802a68d490426157ce16319934be992334e487415e1e377e870bdd7f84bf04655a6f6579965db6dea07643dc0d3e4a8e95

Download Submit
C:\Windows\{39F60990-2450-4fa9-A044-18855052BF2F}.exe

Filesize
204KB

MD5
4168f777a0bc30106b30a3e5579ea01d

SHA1
c28da493a79e31dd46f2024d5db29953db4edabd

SHA256
67c3528b056ea8beeacf3eb1060b6b6bf45ead3e3372ba75a7bba4220ee12207

SHA512
29af10cc3a75f7c370ce445a0a768ea5e7e89bf186fc126ac02fbbfc21e8f68aac0df5374abb24a03a3e3fa2afb5c7a5ec3fe4008fcaf1efbe07aeceba30919d

Download Submit
C:\Windows\{39F60990-2450-4fa9-A044-18855052BF2F}.exe

Filesize
204KB

MD5
4168f777a0bc30106b30a3e5579ea01d

SHA1
c28da493a79e31dd46f2024d5db29953db4edabd

SHA256
67c3528b056ea8beeacf3eb1060b6b6bf45ead3e3372ba75a7bba4220ee12207

SHA512
29af10cc3a75f7c370ce445a0a768ea5e7e89bf186fc126ac02fbbfc21e8f68aac0df5374abb24a03a3e3fa2afb5c7a5ec3fe4008fcaf1efbe07aeceba30919d

Download Submit
C:\Windows\{41C51CE7-1C29-4765-A250-ED6972725280}.exe

Filesize
204KB

MD5
9ef44f3418fbe9149f55f3d70168a381

SHA1
dcac0de7214b1f15019f619192ca4a4e0a69b9d6

SHA256
24f44ed0ef32fe0b584a8d8446384e0cde52bbdb83654de414b6601d152e558d

SHA512
8b74362c4ce3b3a7bcf9edf7580841363945933ed50d1ee6e9cf7764126f1fa0eb310b29afe2c0347892312da260e78f7ba9d3099f9e40cbd594b7866c04b8a9

Download Submit
C:\Windows\{41C51CE7-1C29-4765-A250-ED6972725280}.exe

Filesize
204KB

MD5
9ef44f3418fbe9149f55f3d70168a381

SHA1
dcac0de7214b1f15019f619192ca4a4e0a69b9d6

SHA256
24f44ed0ef32fe0b584a8d8446384e0cde52bbdb83654de414b6601d152e558d

SHA512
8b74362c4ce3b3a7bcf9edf7580841363945933ed50d1ee6e9cf7764126f1fa0eb310b29afe2c0347892312da260e78f7ba9d3099f9e40cbd594b7866c04b8a9

Download Submit
C:\Windows\{4C55A156-5120-4ba5-A0FC-D60F68102769}.exe

Filesize
204KB

MD5
829d0b340b231422ca593501dd8d050d

SHA1
eb0cbe83fb27e86864065b7f9f58b3b7de32b406

SHA256
a24e9c0e748e2b699675ad367f12c9791dac53cd902a7214b6ce0fc30c81109b

SHA512
eae7f362a2537101437948c52fdfc92608791c35bd29ef4f710a49c3486a1ecb73778ddd69276efc683acdad952e820b93aec0a965af7fbe281193322a580cb1

Download Submit
C:\Windows\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe

Filesize
204KB

MD5
1e2fb6d039e4c03def8585151b47aa77

SHA1
d7e51a46a09e86880742cb5350c6efe97f70c35d

SHA256
7f366e14f2da769180b7eee918fe84b372c57009eca878aa94bcbd75b36971cc

SHA512
d525dcd21415c511ed432f6cd4293ada3f5b029365ac673ecc919f67f06ed07c3cc799739e5f509ffcd3ac97eb8c06f64ff680afbaee7e69f7e2861a389db8b3

Download Submit
C:\Windows\{62C0B1C8-5BDF-4755-A6BE-ED7A80438C12}.exe

Filesize
204KB

MD5
1e2fb6d039e4c03def8585151b47aa77

SHA1
d7e51a46a09e86880742cb5350c6efe97f70c35d

SHA256
7f366e14f2da769180b7eee918fe84b372c57009eca878aa94bcbd75b36971cc

SHA512
d525dcd21415c511ed432f6cd4293ada3f5b029365ac673ecc919f67f06ed07c3cc799739e5f509ffcd3ac97eb8c06f64ff680afbaee7e69f7e2861a389db8b3

Download Submit
C:\Windows\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe

Filesize
204KB

MD5
098104995994bdb5099311f4a62af989

SHA1
7a3601b04b6128e1ff54c97e59f9d9c5c89dbb9f

SHA256
1d956fb8f75ca53f95e36cf4915a98aa1fef41a7fab52fdef50f54c643ec0c7b

SHA512
613f8f817c358eb2f9d14590030512ab65b6d1a27d834c29409181421d325b88507f9f0d7ec8fe780db6861092bc6427b6b47be5142f96b696468b39c0d8f7d4

Download Submit
C:\Windows\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe

Filesize
204KB

MD5
098104995994bdb5099311f4a62af989

SHA1
7a3601b04b6128e1ff54c97e59f9d9c5c89dbb9f

SHA256
1d956fb8f75ca53f95e36cf4915a98aa1fef41a7fab52fdef50f54c643ec0c7b

SHA512
613f8f817c358eb2f9d14590030512ab65b6d1a27d834c29409181421d325b88507f9f0d7ec8fe780db6861092bc6427b6b47be5142f96b696468b39c0d8f7d4

Download Submit
C:\Windows\{72C84817-7C2D-4888-BABE-46FBC6B5D347}.exe

Filesize
204KB

MD5
098104995994bdb5099311f4a62af989

SHA1
7a3601b04b6128e1ff54c97e59f9d9c5c89dbb9f

SHA256
1d956fb8f75ca53f95e36cf4915a98aa1fef41a7fab52fdef50f54c643ec0c7b

SHA512
613f8f817c358eb2f9d14590030512ab65b6d1a27d834c29409181421d325b88507f9f0d7ec8fe780db6861092bc6427b6b47be5142f96b696468b39c0d8f7d4

Download Submit
C:\Windows\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe

Filesize
204KB

MD5
8494652268430776e75179051b393462

SHA1
0a5c6b32a6f5c3439ef36786cad5648f334ec1ed

SHA256
8921a5aa36fe7dc0ff293cbe95e45d86ebe960e1b1dc7060a4381a3b1e6e280a

SHA512
fb26b4f6ef52668f71a8443292e3322464a37eb368e6cb51485c5287a92204fb283d3689358e8e54b1f3a3e44b1857f9b9a00795083f4864e801edcf7ff64d4e

Download Submit
C:\Windows\{80DBE406-913E-4d2e-90A2-E5A4B13105D6}.exe

Filesize
204KB

MD5
8494652268430776e75179051b393462

SHA1
0a5c6b32a6f5c3439ef36786cad5648f334ec1ed

SHA256
8921a5aa36fe7dc0ff293cbe95e45d86ebe960e1b1dc7060a4381a3b1e6e280a

SHA512
fb26b4f6ef52668f71a8443292e3322464a37eb368e6cb51485c5287a92204fb283d3689358e8e54b1f3a3e44b1857f9b9a00795083f4864e801edcf7ff64d4e

Download Submit
C:\Windows\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe

Filesize
204KB

MD5
48ffe8e1cafbdfc7cb78bd77a9891246

SHA1
954e4bb2edaf084560b15c24a69daa36dceb5fb3

SHA256
fba482f27296c9fce9df36ec7d7e6b9ec9526b0dd9b5e575f3a7ec1165d23177

SHA512
05df814e80605fe3ee130a4b70c6d9bedfe6e8ed3c4f1d12bb06215a14f7c0964203b477df9b954af2f1006c7f4fe987935de850847e020f0a16aada74659ff0

Download Submit
C:\Windows\{9FE675FC-AF7E-4517-A545-7BFBF2EE6616}.exe

Filesize
204KB

MD5
48ffe8e1cafbdfc7cb78bd77a9891246

SHA1
954e4bb2edaf084560b15c24a69daa36dceb5fb3

SHA256
fba482f27296c9fce9df36ec7d7e6b9ec9526b0dd9b5e575f3a7ec1165d23177

SHA512
05df814e80605fe3ee130a4b70c6d9bedfe6e8ed3c4f1d12bb06215a14f7c0964203b477df9b954af2f1006c7f4fe987935de850847e020f0a16aada74659ff0

Download Submit
C:\Windows\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe

Filesize
204KB

MD5
21104b3c123038a9758a21154be2d6d4

SHA1
78c769b11c61433b571c360b6ad3c0de767a15c9

SHA256
b2688dfb84a17db6e3354c42bcdd4fa01161799b4b8b169887d17441039022bb

SHA512
4b7a38a60506120b5544fd5b2e0999296a0f8bd3c953e02c66931689799f1f8b858f8b1a6b70cab2a6dd86e7ebade1d63e0aecc66533bf1117c2bcfb6c6c42a6

Download Submit
C:\Windows\{BD2BFEE7-F49D-4f79-AAD4-4251D9839489}.exe

Filesize
204KB

MD5
21104b3c123038a9758a21154be2d6d4

SHA1
78c769b11c61433b571c360b6ad3c0de767a15c9

SHA256
b2688dfb84a17db6e3354c42bcdd4fa01161799b4b8b169887d17441039022bb

SHA512
4b7a38a60506120b5544fd5b2e0999296a0f8bd3c953e02c66931689799f1f8b858f8b1a6b70cab2a6dd86e7ebade1d63e0aecc66533bf1117c2bcfb6c6c42a6

Download Submit
C:\Windows\{C6453861-FB58-45c8-87C6-86C341419833}.exe

Filesize
204KB

MD5
3e5a77e5d3d63e57770cf6b3e175c082

SHA1
0a16e71b3eb06df28b33e5fe4a2865e5c19f91d1

SHA256
266d2c09b456af1a35bab1e5f423ecb350a9572538721dc48040535dcfb0c601

SHA512
dc058d3417820d18de1615d37dada013bada4bc4d23d9cc5096aec6a4b68a7632dbde46dff3f299014319ac480f279bac43d3ee87324b51bd9953b4b22db4fbf

Download Submit
C:\Windows\{C6453861-FB58-45c8-87C6-86C341419833}.exe

Filesize
204KB

MD5
3e5a77e5d3d63e57770cf6b3e175c082

SHA1
0a16e71b3eb06df28b33e5fe4a2865e5c19f91d1

SHA256
266d2c09b456af1a35bab1e5f423ecb350a9572538721dc48040535dcfb0c601

SHA512
dc058d3417820d18de1615d37dada013bada4bc4d23d9cc5096aec6a4b68a7632dbde46dff3f299014319ac480f279bac43d3ee87324b51bd9953b4b22db4fbf

Download Submit
C:\Windows\{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe

Filesize
204KB

MD5
bb3cb700f8c26971b9b5d08994b66383

SHA1
574b8657b5f214a214bf83d6409d0ba018eb4f9b

SHA256
888f23440abe05401ee3869ee2c04e6246cae6192e01f354d5235ea62be770cb

SHA512
9a3e83391569932bfedfb2cf46ec198f83a52f9222b8c284e5369928ada279ca56b7c53ac93267f825cb026a3dcd591ef9b5e3af9581239871687d3ba9687f1c

Download Submit
C:\Windows\{EE77A9CC-A671-4c03-9DA0-C3230065D598}.exe

Filesize
204KB

MD5
bb3cb700f8c26971b9b5d08994b66383

SHA1
574b8657b5f214a214bf83d6409d0ba018eb4f9b

SHA256
888f23440abe05401ee3869ee2c04e6246cae6192e01f354d5235ea62be770cb

SHA512
9a3e83391569932bfedfb2cf46ec198f83a52f9222b8c284e5369928ada279ca56b7c53ac93267f825cb026a3dcd591ef9b5e3af9581239871687d3ba9687f1c

Download Submit
C:\Windows\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe

Filesize
204KB

MD5
9d376ea8f31f37728c3bb2950fdc1d1e

SHA1
4723206921ef1f4451da2ec83305b009b5a4095a

SHA256
c75917fd5f50434a9c778d85bff80e0db178546469217f81ffc74bdfb5a618f5

SHA512
0f7cbb1b8a29cb5f366cf1c671db5493192640c15feff228e5ea6b2afb38b7b8ca1d805dd683a3df12064fb80dfbbfef6a2109e848c523027f4eac3889625f25

Download Submit
C:\Windows\{FA11A3DE-CBCF-4349-A035-E2A3047A4514}.exe

Filesize
204KB

MD5
9d376ea8f31f37728c3bb2950fdc1d1e

SHA1
4723206921ef1f4451da2ec83305b009b5a4095a

SHA256
c75917fd5f50434a9c778d85bff80e0db178546469217f81ffc74bdfb5a618f5

SHA512
0f7cbb1b8a29cb5f366cf1c671db5493192640c15feff228e5ea6b2afb38b7b8ca1d805dd683a3df12064fb80dfbbfef6a2109e848c523027f4eac3889625f25

Download Submit