b8bcd7862c8d1d41c40e3dec3b4988b3c443cc62ca3b43d235fc3cc456699a47

Analysis

max time kernel
146s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06151047b4390exeexeexeex.exe
Size

372KB
MD5

f06151047b4390b87b5f683cb315add1
SHA1

eeafdf08781682912822bd2375127c46d60ec20a
SHA256

b8bcd7862c8d1d41c40e3dec3b4988b3c443cc62ca3b43d235fc3cc456699a47
SHA512

61c349208cbd2d1d41c0bc6b004d6fc2838dc9b54b6e0856c124f342f62097c8c1ffc70a669a169d58e0bde77421f39066d02c539f14837349d7dbc70b8ecfe4
SSDEEP

3072:CEGh0oSmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG5l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}	{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}	{4A477830-644B-452f-8B50-95AFD1243677}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}\stubpath = "C:\\Windows\\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe"	{4A477830-644B-452f-8B50-95AFD1243677}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F23AE3A0-723E-41b9-8519-BC619282797F}	f06151047b4390exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}\stubpath = "C:\\Windows\\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe"	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}\stubpath = "C:\\Windows\\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe"	{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14D7997-E74E-431d-9A43-754D6259C529}	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}	{D14D7997-E74E-431d-9A43-754D6259C529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}\stubpath = "C:\\Windows\\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe"	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}	{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAAC3A16-3399-49a0-97AA-54B553AC907F}\stubpath = "C:\\Windows\\{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe"	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}\stubpath = "C:\\Windows\\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe"	{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A477830-644B-452f-8B50-95AFD1243677}	{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A477830-644B-452f-8B50-95AFD1243677}\stubpath = "C:\\Windows\\{4A477830-644B-452f-8B50-95AFD1243677}.exe"	{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD24860-2140-4997-A9E6-2638D3A53019}\stubpath = "C:\\Windows\\{0BD24860-2140-4997-A9E6-2638D3A53019}.exe"	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}\stubpath = "C:\\Windows\\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe"	{D14D7997-E74E-431d-9A43-754D6259C529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9486FE0A-8540-492b-9728-F8677E4D64D9}\stubpath = "C:\\Windows\\{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe"	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{113125F9-69E4-4437-AF33-53D3CE31B679}\stubpath = "C:\\Windows\\{113125F9-69E4-4437-AF33-53D3CE31B679}.exe"	{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAAC3A16-3399-49a0-97AA-54B553AC907F}	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{113125F9-69E4-4437-AF33-53D3CE31B679}	{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F23AE3A0-723E-41b9-8519-BC619282797F}\stubpath = "C:\\Windows\\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe"	f06151047b4390exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD24860-2140-4997-A9E6-2638D3A53019}	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14D7997-E74E-431d-9A43-754D6259C529}\stubpath = "C:\\Windows\\{D14D7997-E74E-431d-9A43-754D6259C529}.exe"	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9486FE0A-8540-492b-9728-F8677E4D64D9}	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe

Deletes itself 1 IoCs

pid	Process
932	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe
2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe
3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe
2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
2604	{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
2712	{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
2624	{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
2804	{4A477830-644B-452f-8B50-95AFD1243677}.exe
2860	{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe
2632	{113125F9-69E4-4437-AF33-53D3CE31B679}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe	{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
File created	C:\Windows\{4A477830-644B-452f-8B50-95AFD1243677}.exe	{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
File created	C:\Windows\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe	{4A477830-644B-452f-8B50-95AFD1243677}.exe
File created	C:\Windows\{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
File created	C:\Windows\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
File created	C:\Windows\{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe
File created	C:\Windows\{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
File created	C:\Windows\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe	{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
File created	C:\Windows\{113125F9-69E4-4437-AF33-53D3CE31B679}.exe	{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe
File created	C:\Windows\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	f06151047b4390exeexeexeex.exe
File created	C:\Windows\{D14D7997-E74E-431d-9A43-754D6259C529}.exe	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
File created	C:\Windows\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	{D14D7997-E74E-431d-9A43-754D6259C529}.exe
File created	C:\Windows\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2408	f06151047b4390exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
Token: SeIncBasePriorityPrivilege	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
Token: SeIncBasePriorityPrivilege	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
Token: SeIncBasePriorityPrivilege	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe
Token: SeIncBasePriorityPrivilege	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe
Token: SeIncBasePriorityPrivilege	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe
Token: SeIncBasePriorityPrivilege	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
Token: SeIncBasePriorityPrivilege	2604	{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
Token: SeIncBasePriorityPrivilege	2712	{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
Token: SeIncBasePriorityPrivilege	2624	{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
Token: SeIncBasePriorityPrivilege	2804	{4A477830-644B-452f-8B50-95AFD1243677}.exe
Token: SeIncBasePriorityPrivilege	2860	{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1688	2408	f06151047b4390exeexeexeex.exe	28
PID 2408 wrote to memory of 1688	2408	f06151047b4390exeexeexeex.exe	28
PID 2408 wrote to memory of 1688	2408	f06151047b4390exeexeexeex.exe	28
PID 2408 wrote to memory of 1688	2408	f06151047b4390exeexeexeex.exe	28
PID 2408 wrote to memory of 932	2408	f06151047b4390exeexeexeex.exe	29
PID 2408 wrote to memory of 932	2408	f06151047b4390exeexeexeex.exe	29
PID 2408 wrote to memory of 932	2408	f06151047b4390exeexeexeex.exe	29
PID 2408 wrote to memory of 932	2408	f06151047b4390exeexeexeex.exe	29
PID 1688 wrote to memory of 604	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	30
PID 1688 wrote to memory of 604	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	30
PID 1688 wrote to memory of 604	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	30
PID 1688 wrote to memory of 604	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	30
PID 1688 wrote to memory of 2264	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	31
PID 1688 wrote to memory of 2264	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	31
PID 1688 wrote to memory of 2264	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	31
PID 1688 wrote to memory of 2264	1688	{F23AE3A0-723E-41b9-8519-BC619282797F}.exe	31
PID 604 wrote to memory of 2916	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	32
PID 604 wrote to memory of 2916	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	32
PID 604 wrote to memory of 2916	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	32
PID 604 wrote to memory of 2916	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	32
PID 604 wrote to memory of 2020	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	33
PID 604 wrote to memory of 2020	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	33
PID 604 wrote to memory of 2020	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	33
PID 604 wrote to memory of 2020	604	{0BD24860-2140-4997-A9E6-2638D3A53019}.exe	33
PID 2916 wrote to memory of 1096	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	34
PID 2916 wrote to memory of 1096	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	34
PID 2916 wrote to memory of 1096	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	34
PID 2916 wrote to memory of 1096	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	34
PID 2916 wrote to memory of 2256	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	35
PID 2916 wrote to memory of 2256	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	35
PID 2916 wrote to memory of 2256	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	35
PID 2916 wrote to memory of 2256	2916	{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe	35
PID 1096 wrote to memory of 2944	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	36
PID 1096 wrote to memory of 2944	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	36
PID 1096 wrote to memory of 2944	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	36
PID 1096 wrote to memory of 2944	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	36
PID 1096 wrote to memory of 2984	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	37
PID 1096 wrote to memory of 2984	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	37
PID 1096 wrote to memory of 2984	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	37
PID 1096 wrote to memory of 2984	1096	{D14D7997-E74E-431d-9A43-754D6259C529}.exe	37
PID 2944 wrote to memory of 3028	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	38
PID 2944 wrote to memory of 3028	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	38
PID 2944 wrote to memory of 3028	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	38
PID 2944 wrote to memory of 3028	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	38
PID 2944 wrote to memory of 2140	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	39
PID 2944 wrote to memory of 2140	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	39
PID 2944 wrote to memory of 2140	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	39
PID 2944 wrote to memory of 2140	2944	{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe	39
PID 3028 wrote to memory of 2160	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	40
PID 3028 wrote to memory of 2160	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	40
PID 3028 wrote to memory of 2160	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	40
PID 3028 wrote to memory of 2160	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	40
PID 3028 wrote to memory of 1596	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	41
PID 3028 wrote to memory of 1596	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	41
PID 3028 wrote to memory of 1596	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	41
PID 3028 wrote to memory of 1596	3028	{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe	41
PID 2160 wrote to memory of 2604	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	42
PID 2160 wrote to memory of 2604	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	42
PID 2160 wrote to memory of 2604	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	42
PID 2160 wrote to memory of 2604	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	42
PID 2160 wrote to memory of 3040	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	43
PID 2160 wrote to memory of 3040	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	43
PID 2160 wrote to memory of 3040	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	43
PID 2160 wrote to memory of 3040	2160	{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe	43

C:\Users\Admin\AppData\Local\Temp\f06151047b4390exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f06151047b4390exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
  C:\Windows\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
    C:\Windows\{0BD24860-2140-4997-A9E6-2638D3A53019}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
      C:\Windows\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{D14D7997-E74E-431d-9A43-754D6259C529}.exe
        
        C:\Windows\{D14D7997-E74E-431d-9A43-754D6259C529}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe
        
        C:\Windows\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe
        
        C:\Windows\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
        
        C:\Windows\{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
        
        C:\Windows\{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
        
        C:\Windows\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
        
        C:\Windows\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\{4A477830-644B-452f-8B50-95AFD1243677}.exe
        
        C:\Windows\{4A477830-644B-452f-8B50-95AFD1243677}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe
        
        C:\Windows\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{113125F9-69E4-4437-AF33-53D3CE31B679}.exe
        
        C:\Windows\{113125F9-69E4-4437-AF33-53D3CE31B679}.exe
        14⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C05~1.EXE > nul
        14⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A477~1.EXE > nul
        13⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49AE8~1.EXE > nul
        12⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED87~1.EXE > nul
        11⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAAC3~1.EXE > nul
        10⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9486F~1.EXE > nul
        9⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F77~1.EXE > nul
        8⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DEA3~1.EXE > nul
        7⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D14D7~1.EXE > nul
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A30DD~1.EXE > nul
        5⤵
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0BD24~1.EXE > nul
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F23AE~1.EXE > nul
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F06151~1.EXE > nul
  2⤵
  - Deletes itself
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BD24860-2140-4997-A9E6-2638D3A53019}.exe

Filesize
372KB

MD5
888e7147fd567cdb9bbc51dd6fbab09a

SHA1
0acafd5cb1e67ce1c24ae8002471ea366f88bdfe

SHA256
fc23d89ff6585f935605dc65ef25a331bda5a890e0392d76f79de4ecfef574a1

SHA512
2482e02abd45a57aab408547859065d5fe3a4ff8fab2636323ec91537e02258d546207a0950344566871378853ed085665d106e99d70eb970aaeb969e1f4065a

Download Submit
C:\Windows\{0BD24860-2140-4997-A9E6-2638D3A53019}.exe

Filesize
372KB

MD5
888e7147fd567cdb9bbc51dd6fbab09a

SHA1
0acafd5cb1e67ce1c24ae8002471ea366f88bdfe

SHA256
fc23d89ff6585f935605dc65ef25a331bda5a890e0392d76f79de4ecfef574a1

SHA512
2482e02abd45a57aab408547859065d5fe3a4ff8fab2636323ec91537e02258d546207a0950344566871378853ed085665d106e99d70eb970aaeb969e1f4065a

Download Submit
C:\Windows\{113125F9-69E4-4437-AF33-53D3CE31B679}.exe

Filesize
372KB

MD5
3e10f1427f272a7aff4e2a01fbd016ab

SHA1
6f845fb3bc0409f68f96d68ecdb4523d6b81a967

SHA256
9bdfeadac8dada55473357b8dddbbbaad8a15b53139537b6e1a85a45cd4b95ff

SHA512
6d414dd33fb0ac3c671cd709f0ba461662de44a10bfad10b6f87ef9c1b0d3a3da5d3b16adbfaa6fa910d5f4a3654085a73bf6709858c60b6245e0f1fe2df9114

Download Submit
C:\Windows\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe

Filesize
372KB

MD5
8986004d997d666eb1977a6e20ffa09f

SHA1
cd55b64efce9481bdd894b7df79208909fe18b31

SHA256
9c148e87dfdc91f9e1266e602c51614c90e04198e730c3117752e305008cd7a6

SHA512
841272208b28630a2cde470f65043a75e16c301dd46c8aeb51471339fe2af8b9e8f73e623efc06e006fc33bafcb15eaf7e174e3781c94065f839aac13e6327aa

Download Submit
C:\Windows\{49AE8909-7B92-4d64-A1C9-0FCE47F14566}.exe

Filesize
372KB

MD5
8986004d997d666eb1977a6e20ffa09f

SHA1
cd55b64efce9481bdd894b7df79208909fe18b31

SHA256
9c148e87dfdc91f9e1266e602c51614c90e04198e730c3117752e305008cd7a6

SHA512
841272208b28630a2cde470f65043a75e16c301dd46c8aeb51471339fe2af8b9e8f73e623efc06e006fc33bafcb15eaf7e174e3781c94065f839aac13e6327aa

Download Submit
C:\Windows\{4A477830-644B-452f-8B50-95AFD1243677}.exe

Filesize
372KB

MD5
75d7736f8de0b741cb4763eb81af21c8

SHA1
a82640bc3aa7de867bc332704e287e26faba7dfc

SHA256
f7a113df1c59313c7f8cdc14ef0bfe0202a10fc27996e8e5bb6c0d21ff5ae889

SHA512
cc9991c10fe06737fbfdcc3a91f7b3ec2a2993f580edd6d44483c7b4c5ec968feac03c3c64a9b43c4e85405b3d3ab0be2c79904a061f8ed173a8c8f4d7528980

Download Submit
C:\Windows\{4A477830-644B-452f-8B50-95AFD1243677}.exe

Filesize
372KB

MD5
75d7736f8de0b741cb4763eb81af21c8

SHA1
a82640bc3aa7de867bc332704e287e26faba7dfc

SHA256
f7a113df1c59313c7f8cdc14ef0bfe0202a10fc27996e8e5bb6c0d21ff5ae889

SHA512
cc9991c10fe06737fbfdcc3a91f7b3ec2a2993f580edd6d44483c7b4c5ec968feac03c3c64a9b43c4e85405b3d3ab0be2c79904a061f8ed173a8c8f4d7528980

Download Submit
C:\Windows\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe

Filesize
372KB

MD5
9d2179206f5fefcd02f112951a92aea0

SHA1
edcbe2393c0f3687ff238d51cb5b58adbcdc5262

SHA256
7872e2229b274ab29062a4a3770178539d514f007a1402552636e01176d03cea

SHA512
a5514be59dce1e49567eee4c3e72be1bd73302b40942ec536cfb19ddf17bd4671dc20526476f883263e100ea5e7519b43d1832a59d0f238839750df040fe0f1e

Download Submit
C:\Windows\{4ED87A71-8EAB-4fb9-8CAB-D70EA461C027}.exe

Filesize
372KB

MD5
9d2179206f5fefcd02f112951a92aea0

SHA1
edcbe2393c0f3687ff238d51cb5b58adbcdc5262

SHA256
7872e2229b274ab29062a4a3770178539d514f007a1402552636e01176d03cea

SHA512
a5514be59dce1e49567eee4c3e72be1bd73302b40942ec536cfb19ddf17bd4671dc20526476f883263e100ea5e7519b43d1832a59d0f238839750df040fe0f1e

Download Submit
C:\Windows\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe

Filesize
372KB

MD5
7e9b038ac8eb881f932c6f6ffd2b7f77

SHA1
e6e6fc3f322b7078e3284350da4b3a6224b50bbc

SHA256
6a103aa4b73b65f76a9da398c826e04e9db169f611524bb4dd75ce55bcd81d34

SHA512
fa365126610b4d30252b02418d6b98ef239bccee77047f4787cd709e08479df829eac7678a97d6d0119d9f2d0d76c13e9f1f46f98a1da64d22624d52d25faa34

Download Submit
C:\Windows\{52C05EB6-2693-4e11-BE06-64BB324E8FDC}.exe

Filesize
372KB

MD5
7e9b038ac8eb881f932c6f6ffd2b7f77

SHA1
e6e6fc3f322b7078e3284350da4b3a6224b50bbc

SHA256
6a103aa4b73b65f76a9da398c826e04e9db169f611524bb4dd75ce55bcd81d34

SHA512
fa365126610b4d30252b02418d6b98ef239bccee77047f4787cd709e08479df829eac7678a97d6d0119d9f2d0d76c13e9f1f46f98a1da64d22624d52d25faa34

Download Submit
C:\Windows\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe

Filesize
372KB

MD5
a2d42535462a4364abb5eca1608c825f

SHA1
d70845348eca3aa87ca78a24406ead190efc7fd3

SHA256
1cc84b02fec992d9e71d944bb97dcb1a87975dbf4241c3a35f823cfaeb2f2e8a

SHA512
692f035e16f013dd5d62a3589a82352bcee5e4648146e24ae971a8dbf7692e3669dd79c0458134f0c5afed24c11e72ad5ca0b9d360ac657851441d50259004c2

Download Submit
C:\Windows\{8DEA3E54-C94E-4de8-BBB2-871125B8F87C}.exe

Filesize
372KB

MD5
a2d42535462a4364abb5eca1608c825f

SHA1
d70845348eca3aa87ca78a24406ead190efc7fd3

SHA256
1cc84b02fec992d9e71d944bb97dcb1a87975dbf4241c3a35f823cfaeb2f2e8a

SHA512
692f035e16f013dd5d62a3589a82352bcee5e4648146e24ae971a8dbf7692e3669dd79c0458134f0c5afed24c11e72ad5ca0b9d360ac657851441d50259004c2

Download Submit
C:\Windows\{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe

Filesize
372KB

MD5
322d885c2fca2b6c3280c3f1fe9f4461

SHA1
be3a8c9490ec2e4c3013814da0f911147f133cab

SHA256
f8e00ab013125224033df54a1f17b1b367b7174e3b2b740b27780a85832e80e1

SHA512
3af20ec3084302fbea07915f6d4947ded098b821ec8dcbaf995feee7e2c34a06b16759d5907735c1ed7ea15a2aedb05e5d1dcb8a5d27fac29f5403e4179bfd0f

Download Submit
C:\Windows\{9486FE0A-8540-492b-9728-F8677E4D64D9}.exe

Filesize
372KB

MD5
322d885c2fca2b6c3280c3f1fe9f4461

SHA1
be3a8c9490ec2e4c3013814da0f911147f133cab

SHA256
f8e00ab013125224033df54a1f17b1b367b7174e3b2b740b27780a85832e80e1

SHA512
3af20ec3084302fbea07915f6d4947ded098b821ec8dcbaf995feee7e2c34a06b16759d5907735c1ed7ea15a2aedb05e5d1dcb8a5d27fac29f5403e4179bfd0f

Download Submit
C:\Windows\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe

Filesize
372KB

MD5
69c1b8605c2a5f547fc6f6c19d61bb6c

SHA1
64cce57b66027ed16c5b1a2cfa1aaf93a66d99f7

SHA256
03ad0ed3f39da8d204140bb3b5d1460fca0a1e732c5f07f92231f8d7ee55a844

SHA512
b75b31b5549c830c587f24025ecf59edfec9ec5e45825335cb314b7c82fea19f5edc76e0fc7b899adc06f235138391994b99324440ae338f226ff43e172a7d23

Download Submit
C:\Windows\{A30DD47A-D8DC-4256-9528-3E3410CC10E3}.exe

Filesize
372KB

MD5
69c1b8605c2a5f547fc6f6c19d61bb6c

SHA1
64cce57b66027ed16c5b1a2cfa1aaf93a66d99f7

SHA256
03ad0ed3f39da8d204140bb3b5d1460fca0a1e732c5f07f92231f8d7ee55a844

SHA512
b75b31b5549c830c587f24025ecf59edfec9ec5e45825335cb314b7c82fea19f5edc76e0fc7b899adc06f235138391994b99324440ae338f226ff43e172a7d23

Download Submit
C:\Windows\{D14D7997-E74E-431d-9A43-754D6259C529}.exe

Filesize
372KB

MD5
fa3c6ed2e9cc2a7e6dc878298f36135c

SHA1
5937d51507c60b9eb5d991a65b4c1077a054f3bb

SHA256
f3dc14edc88b98a3bd01c42b7e00a31803fa4c66d2e041e71bf23e6daad59cda

SHA512
7757864d620c66cf5bec7d52105677a798cc9a0aeef53c132d988670726501d0d46f8d469be739e734374f63f13a99c2b5462b673c8bfd80d0bad30a8d3b74a4

Download Submit
C:\Windows\{D14D7997-E74E-431d-9A43-754D6259C529}.exe

Filesize
372KB

MD5
fa3c6ed2e9cc2a7e6dc878298f36135c

SHA1
5937d51507c60b9eb5d991a65b4c1077a054f3bb

SHA256
f3dc14edc88b98a3bd01c42b7e00a31803fa4c66d2e041e71bf23e6daad59cda

SHA512
7757864d620c66cf5bec7d52105677a798cc9a0aeef53c132d988670726501d0d46f8d469be739e734374f63f13a99c2b5462b673c8bfd80d0bad30a8d3b74a4

Download Submit
C:\Windows\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe

Filesize
372KB

MD5
4e844a78d39cce238b471e760d82b0df

SHA1
47c35bc93e40d2b849644337915e392cba090c46

SHA256
60bf8c4e3e5b4e511c5c4f1521d5f36241ea3292bc8c1ed28f1b8309e872fe13

SHA512
4da7a138208bda8e05fe377d66a854f700f72161a3339418e96d598fac88981278b35ff46879960f527fc272b28c6dc73a1ddd17d588a15852b524bc8fabc6c7

Download Submit
C:\Windows\{D5F77333-5EB9-45a3-9FC6-B16B5ECBDABE}.exe

Filesize
372KB

MD5
4e844a78d39cce238b471e760d82b0df

SHA1
47c35bc93e40d2b849644337915e392cba090c46

SHA256
60bf8c4e3e5b4e511c5c4f1521d5f36241ea3292bc8c1ed28f1b8309e872fe13

SHA512
4da7a138208bda8e05fe377d66a854f700f72161a3339418e96d598fac88981278b35ff46879960f527fc272b28c6dc73a1ddd17d588a15852b524bc8fabc6c7

Download Submit
C:\Windows\{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe

Filesize
372KB

MD5
070c96230f0ee8e61f1bbc39272ab128

SHA1
5ed34771eb05ca55b2acfff80c77d4483a5f6b19

SHA256
3cc7d585b1ae2b517bdab52a0e4e41783911598d14ceb2d8f97f7c94a79f2d52

SHA512
c5bb996512b8389c518318f902ef63a9793712d9d91641a402d32af0e7c6e9031c8217c9b8f93757018277a90cfe279982be56a5ae925031fbcaf363b86b72c2

Download Submit
C:\Windows\{EAAC3A16-3399-49a0-97AA-54B553AC907F}.exe

Filesize
372KB

MD5
070c96230f0ee8e61f1bbc39272ab128

SHA1
5ed34771eb05ca55b2acfff80c77d4483a5f6b19

SHA256
3cc7d585b1ae2b517bdab52a0e4e41783911598d14ceb2d8f97f7c94a79f2d52

SHA512
c5bb996512b8389c518318f902ef63a9793712d9d91641a402d32af0e7c6e9031c8217c9b8f93757018277a90cfe279982be56a5ae925031fbcaf363b86b72c2

Download Submit
C:\Windows\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe

Filesize
372KB

MD5
c3b15f789348f25fdd655aad9dea1fde

SHA1
ed2a5905448c6964e4ed3b44f7e29ae05ccdcc7f

SHA256
9465606c2e4faed943ab1b9119beec655b9ea206891b54b92198ce6538457fb7

SHA512
1db7acecfd3bb8191f7e02b2cabb34502d4bbc614eba5d7f1765dd8893becfaccd544cd591abd64c59988b56ee578139dff390be6c6b7fcf2645a1c814f3020a

Download Submit
C:\Windows\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe

Filesize
372KB

MD5
c3b15f789348f25fdd655aad9dea1fde

SHA1
ed2a5905448c6964e4ed3b44f7e29ae05ccdcc7f

SHA256
9465606c2e4faed943ab1b9119beec655b9ea206891b54b92198ce6538457fb7

SHA512
1db7acecfd3bb8191f7e02b2cabb34502d4bbc614eba5d7f1765dd8893becfaccd544cd591abd64c59988b56ee578139dff390be6c6b7fcf2645a1c814f3020a

Download Submit
C:\Windows\{F23AE3A0-723E-41b9-8519-BC619282797F}.exe

Filesize
372KB

MD5
c3b15f789348f25fdd655aad9dea1fde

SHA1
ed2a5905448c6964e4ed3b44f7e29ae05ccdcc7f

SHA256
9465606c2e4faed943ab1b9119beec655b9ea206891b54b92198ce6538457fb7

SHA512
1db7acecfd3bb8191f7e02b2cabb34502d4bbc614eba5d7f1765dd8893becfaccd544cd591abd64c59988b56ee578139dff390be6c6b7fcf2645a1c814f3020a

Download Submit