9e76b62df00f904edc27aab1c573b7e4fd072dde1aa81de4f8b59fe345fcd03c

Analysis

max time kernel
146s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9f0ef35ea160exeexeexeex.exe
Size

372KB
MD5

ff9f0ef35ea160d6de71758636f86957
SHA1

44adaa40988a3f42ca003db964d7cc205ff13296
SHA256

9e76b62df00f904edc27aab1c573b7e4fd072dde1aa81de4f8b59fe345fcd03c
SHA512

fa3f57db89e3341c7f81d8ce91bf968e2a684460776e7c4851cf88a2bdcdb7de142be79eaf4de168838aae7588a4d4d4da00d841e957bfbbac7ffabe49b34889
SSDEEP

3072:CEGh0oRmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGyl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF0D4D3B-5093-46da-A3BB-20F34130F150}\stubpath = "C:\\Windows\\{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe"	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}\stubpath = "C:\\Windows\\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe"	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B9E334-E710-4249-B39A-33D3FE16486A}	{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B9E334-E710-4249-B39A-33D3FE16486A}\stubpath = "C:\\Windows\\{51B9E334-E710-4249-B39A-33D3FE16486A}.exe"	{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC797756-8A30-4cbc-BE96-4087B6A75A19}	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA40F0AE-76F1-4604-90ED-67A25C78A207}	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{783D057E-7D88-422c-9293-ACD568B7496D}	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{783D057E-7D88-422c-9293-ACD568B7496D}\stubpath = "C:\\Windows\\{783D057E-7D88-422c-9293-ACD568B7496D}.exe"	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}	{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}\stubpath = "C:\\Windows\\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe"	{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011D93B6-0503-45b1-A4F5-4812D167D9DB}	{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36588DDD-283F-408f-9C50-0AC4D7062FCF}\stubpath = "C:\\Windows\\{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe"	{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6815A187-D984-43d6-AB78-6772EC6FADBE}	ff9f0ef35ea160exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6815A187-D984-43d6-AB78-6772EC6FADBE}\stubpath = "C:\\Windows\\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe"	ff9f0ef35ea160exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA40F0AE-76F1-4604-90ED-67A25C78A207}\stubpath = "C:\\Windows\\{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe"	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}\stubpath = "C:\\Windows\\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe"	{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36588DDD-283F-408f-9C50-0AC4D7062FCF}	{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC797756-8A30-4cbc-BE96-4087B6A75A19}\stubpath = "C:\\Windows\\{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe"	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80284951-3784-4cbf-B8A5-B395C5F5327C}	{783D057E-7D88-422c-9293-ACD568B7496D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF0D4D3B-5093-46da-A3BB-20F34130F150}	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}\stubpath = "C:\\Windows\\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe"	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80284951-3784-4cbf-B8A5-B395C5F5327C}\stubpath = "C:\\Windows\\{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe"	{783D057E-7D88-422c-9293-ACD568B7496D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}	{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011D93B6-0503-45b1-A4F5-4812D167D9DB}\stubpath = "C:\\Windows\\{011D93B6-0503-45b1-A4F5-4812D167D9DB}.exe"	{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe

Deletes itself 1 IoCs

pid	Process
316	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe
1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
2788	{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
2768	{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
1364	{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe
2896	{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
2656	{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe
2512	{011D93B6-0503-45b1-A4F5-4812D167D9DB}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	{783D057E-7D88-422c-9293-ACD568B7496D}.exe
File created	C:\Windows\{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
File created	C:\Windows\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe	{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
File created	C:\Windows\{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe	{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
File created	C:\Windows\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	ff9f0ef35ea160exeexeexeex.exe
File created	C:\Windows\{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
File created	C:\Windows\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
File created	C:\Windows\{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
File created	C:\Windows\{011D93B6-0503-45b1-A4F5-4812D167D9DB}.exe	{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe
File created	C:\Windows\{783D057E-7D88-422c-9293-ACD568B7496D}.exe	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
File created	C:\Windows\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
File created	C:\Windows\{51B9E334-E710-4249-B39A-33D3FE16486A}.exe	{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
File created	C:\Windows\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe	{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2352	ff9f0ef35ea160exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
Token: SeIncBasePriorityPrivilege	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
Token: SeIncBasePriorityPrivilege	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
Token: SeIncBasePriorityPrivilege	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
Token: SeIncBasePriorityPrivilege	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe
Token: SeIncBasePriorityPrivilege	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
Token: SeIncBasePriorityPrivilege	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
Token: SeIncBasePriorityPrivilege	2788	{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
Token: SeIncBasePriorityPrivilege	2768	{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
Token: SeIncBasePriorityPrivilege	1364	{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe
Token: SeIncBasePriorityPrivilege	2896	{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
Token: SeIncBasePriorityPrivilege	2656	{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1464	2352	ff9f0ef35ea160exeexeexeex.exe	29
PID 2352 wrote to memory of 1464	2352	ff9f0ef35ea160exeexeexeex.exe	29
PID 2352 wrote to memory of 1464	2352	ff9f0ef35ea160exeexeexeex.exe	29
PID 2352 wrote to memory of 1464	2352	ff9f0ef35ea160exeexeexeex.exe	29
PID 2352 wrote to memory of 316	2352	ff9f0ef35ea160exeexeexeex.exe	30
PID 2352 wrote to memory of 316	2352	ff9f0ef35ea160exeexeexeex.exe	30
PID 2352 wrote to memory of 316	2352	ff9f0ef35ea160exeexeexeex.exe	30
PID 2352 wrote to memory of 316	2352	ff9f0ef35ea160exeexeexeex.exe	30
PID 1464 wrote to memory of 2216	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	31
PID 1464 wrote to memory of 2216	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	31
PID 1464 wrote to memory of 2216	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	31
PID 1464 wrote to memory of 2216	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	31
PID 1464 wrote to memory of 1044	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	32
PID 1464 wrote to memory of 1044	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	32
PID 1464 wrote to memory of 1044	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	32
PID 1464 wrote to memory of 1044	1464	{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe	32
PID 2216 wrote to memory of 2128	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	34
PID 2216 wrote to memory of 2128	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	34
PID 2216 wrote to memory of 2128	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	34
PID 2216 wrote to memory of 2128	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	34
PID 2216 wrote to memory of 1968	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	33
PID 2216 wrote to memory of 1968	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	33
PID 2216 wrote to memory of 1968	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	33
PID 2216 wrote to memory of 1968	2216	{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe	33
PID 2128 wrote to memory of 1156	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	36
PID 2128 wrote to memory of 1156	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	36
PID 2128 wrote to memory of 1156	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	36
PID 2128 wrote to memory of 1156	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	36
PID 2128 wrote to memory of 1484	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	35
PID 2128 wrote to memory of 1484	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	35
PID 2128 wrote to memory of 1484	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	35
PID 2128 wrote to memory of 1484	2128	{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe	35
PID 1156 wrote to memory of 2272	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	37
PID 1156 wrote to memory of 2272	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	37
PID 1156 wrote to memory of 2272	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	37
PID 1156 wrote to memory of 2272	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	37
PID 1156 wrote to memory of 2164	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	38
PID 1156 wrote to memory of 2164	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	38
PID 1156 wrote to memory of 2164	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	38
PID 1156 wrote to memory of 2164	1156	{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe	38
PID 2272 wrote to memory of 1644	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	40
PID 2272 wrote to memory of 1644	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	40
PID 2272 wrote to memory of 1644	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	40
PID 2272 wrote to memory of 1644	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	40
PID 2272 wrote to memory of 2784	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	39
PID 2272 wrote to memory of 2784	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	39
PID 2272 wrote to memory of 2784	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	39
PID 2272 wrote to memory of 2784	2272	{783D057E-7D88-422c-9293-ACD568B7496D}.exe	39
PID 1644 wrote to memory of 2084	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	42
PID 1644 wrote to memory of 2084	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	42
PID 1644 wrote to memory of 2084	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	42
PID 1644 wrote to memory of 2084	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	42
PID 1644 wrote to memory of 2404	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	41
PID 1644 wrote to memory of 2404	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	41
PID 1644 wrote to memory of 2404	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	41
PID 1644 wrote to memory of 2404	1644	{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe	41
PID 2084 wrote to memory of 2788	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	43
PID 2084 wrote to memory of 2788	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	43
PID 2084 wrote to memory of 2788	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	43
PID 2084 wrote to memory of 2788	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	43
PID 2084 wrote to memory of 748	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	44
PID 2084 wrote to memory of 748	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	44
PID 2084 wrote to memory of 748	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	44
PID 2084 wrote to memory of 748	2084	{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe	44

C:\Users\Admin\AppData\Local\Temp\ff9f0ef35ea160exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ff9f0ef35ea160exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
  C:\Windows\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
    C:\Windows\{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC797~1.EXE > nul
      4⤵
      PID:1968
  - - C:\Windows\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
      C:\Windows\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14F0E~1.EXE > nul
        5⤵
        
        PID:1484
    - - C:\Windows\{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
        
        C:\Windows\{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{783D057E-7D88-422c-9293-ACD568B7496D}.exe
        
        C:\Windows\{783D057E-7D88-422c-9293-ACD568B7496D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{783D0~1.EXE > nul
        7⤵
        
        PID:2784
        
        C:\Windows\{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
        
        C:\Windows\{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80284~1.EXE > nul
        8⤵
        
        PID:2404
        
        C:\Windows\{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
        
        C:\Windows\{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
        
        C:\Windows\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
        
        C:\Windows\{51B9E334-E710-4249-B39A-33D3FE16486A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe
        
        C:\Windows\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
        
        C:\Windows\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EF9C~1.EXE > nul
        13⤵
        
        PID:2484
        
        C:\Windows\{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe
        
        C:\Windows\{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36588~1.EXE > nul
        14⤵
        
        PID:2612
        
        C:\Windows\{011D93B6-0503-45b1-A4F5-4812D167D9DB}.exe
        
        C:\Windows\{011D93B6-0503-45b1-A4F5-4812D167D9DB}.exe
        14⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05FE6~1.EXE > nul
        12⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51B9E~1.EXE > nul
        11⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1DC4~1.EXE > nul
        10⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF0D4~1.EXE > nul
        9⤵
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA40F~1.EXE > nul
        6⤵
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6815A~1.EXE > nul
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FF9F0E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{011D93B6-0503-45b1-A4F5-4812D167D9DB}.exe

Filesize
372KB

MD5
d3349f43d9f400993cff1e7d4dbe9658

SHA1
fd016a8033572c8d81ae4838bd1b2b43b7f74b5d

SHA256
85878dd4e1ac8fd12c35cdc6dfe1a6548d07475e6c036dcbdf6733734f603455

SHA512
1772177f3c119b9e95ace8c5451f2291fce3f495b6be4c72be67812399a4b6b791defbfeb6bb341f6cb3b941f429dc203d5587caaf1c89776b18b3ed33ccf866

Download Submit
C:\Windows\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe

Filesize
372KB

MD5
2ca0ada53e1de692f4137a6f12b1e15b

SHA1
2323f9a76b573d3ed4b3cd33c9621997ea383ec7

SHA256
b973fbd6043b6499d65ad71e707e538989b9d52d4e2c98b95439147bb6be99dc

SHA512
22835147588faefea0b743591170dd0f77e05fa92f0ffb3801cfd2452fb0cdc298ee65610eb49732538c9951c477acdcdb2b64ee4083238b831ea3fd37acbecf

Download Submit
C:\Windows\{05FE6FDB-9D1A-4c58-938A-ED35A764982A}.exe

Filesize
372KB

MD5
2ca0ada53e1de692f4137a6f12b1e15b

SHA1
2323f9a76b573d3ed4b3cd33c9621997ea383ec7

SHA256
b973fbd6043b6499d65ad71e707e538989b9d52d4e2c98b95439147bb6be99dc

SHA512
22835147588faefea0b743591170dd0f77e05fa92f0ffb3801cfd2452fb0cdc298ee65610eb49732538c9951c477acdcdb2b64ee4083238b831ea3fd37acbecf

Download Submit
C:\Windows\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe

Filesize
372KB

MD5
eced3d6a79e7082dbafc568405182e2a

SHA1
ebaded296706996b1c381accae3ffe9bb772895a

SHA256
45476cc7b87e39e1d4d75b836c621dd5c9e477777775c7f483d67530eb512558

SHA512
603de81e489e2d56a2abf20068b5a026564e5e94089306b32aa4e50a7e22dc837ec414fa6bdc6460c4701a487ab44d5dd02346942a589c448a2032b3106dc142

Download Submit
C:\Windows\{14F0E35C-E423-4b96-8FE9-1C0AEFA821F8}.exe

Filesize
372KB

MD5
eced3d6a79e7082dbafc568405182e2a

SHA1
ebaded296706996b1c381accae3ffe9bb772895a

SHA256
45476cc7b87e39e1d4d75b836c621dd5c9e477777775c7f483d67530eb512558

SHA512
603de81e489e2d56a2abf20068b5a026564e5e94089306b32aa4e50a7e22dc837ec414fa6bdc6460c4701a487ab44d5dd02346942a589c448a2032b3106dc142

Download Submit
C:\Windows\{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe

Filesize
372KB

MD5
d5805c99024284b68fb3435fa6455d84

SHA1
e4353e8a58adc70b499b591b8b25b4115739f9a4

SHA256
e052d607c0d0b2ad64e1afcc20aa94f3404b7cac51c3a5de01c6c5a8f2dace1a

SHA512
318f054589faf045c602fc16ccca1d0ef79837ee6f21a2afb89041ed02fc79754b09affde7262c7910772f5c44e828563cd40e8517460daa6e494f4a99dbac6b

Download Submit
C:\Windows\{36588DDD-283F-408f-9C50-0AC4D7062FCF}.exe

Filesize
372KB

MD5
d5805c99024284b68fb3435fa6455d84

SHA1
e4353e8a58adc70b499b591b8b25b4115739f9a4

SHA256
e052d607c0d0b2ad64e1afcc20aa94f3404b7cac51c3a5de01c6c5a8f2dace1a

SHA512
318f054589faf045c602fc16ccca1d0ef79837ee6f21a2afb89041ed02fc79754b09affde7262c7910772f5c44e828563cd40e8517460daa6e494f4a99dbac6b

Download Submit
C:\Windows\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe

Filesize
372KB

MD5
6a232e7cbb25fe7ea013b63f886ea0d6

SHA1
fcec5418f413c7f4f92be50788fdbc40d9a9ce4d

SHA256
b3c2baf6fcc3fc5fc8ce3de17e2f9c975cd712dda57a2ab574765a105f451974

SHA512
f4492afaf7f19f296f8802fd800672ac2d20f277196745dd82616f1552c950de8dd884ae3db0168194a08fc74e2a3e7d1e0cdb7ca25e9f3d57ac4565748193ed

Download Submit
C:\Windows\{3EF9CBB6-E6E5-4e5e-9CBC-EECA82090770}.exe

Filesize
372KB

MD5
6a232e7cbb25fe7ea013b63f886ea0d6

SHA1
fcec5418f413c7f4f92be50788fdbc40d9a9ce4d

SHA256
b3c2baf6fcc3fc5fc8ce3de17e2f9c975cd712dda57a2ab574765a105f451974

SHA512
f4492afaf7f19f296f8802fd800672ac2d20f277196745dd82616f1552c950de8dd884ae3db0168194a08fc74e2a3e7d1e0cdb7ca25e9f3d57ac4565748193ed

Download Submit
C:\Windows\{51B9E334-E710-4249-B39A-33D3FE16486A}.exe

Filesize
372KB

MD5
6c4c346a8518b45fba4c561ae6de7c47

SHA1
b7435e4df6bfd4552edc6bb9cec22b67b6ecb3d1

SHA256
528be53b6ed76ebb4487173ba8bbf28df2ded2beb560afeb4f18d7cd86ef4395

SHA512
5c9a9ccb845ec794dba55fee9a54186e9935a1d9c9ef23ffed67fb86966b7b4f0eefd6781d3f17f2d56ca2fe62eb5109f8f0d1f92cf3ea2482c6d4fb85f386ab

Download Submit
C:\Windows\{51B9E334-E710-4249-B39A-33D3FE16486A}.exe

Filesize
372KB

MD5
6c4c346a8518b45fba4c561ae6de7c47

SHA1
b7435e4df6bfd4552edc6bb9cec22b67b6ecb3d1

SHA256
528be53b6ed76ebb4487173ba8bbf28df2ded2beb560afeb4f18d7cd86ef4395

SHA512
5c9a9ccb845ec794dba55fee9a54186e9935a1d9c9ef23ffed67fb86966b7b4f0eefd6781d3f17f2d56ca2fe62eb5109f8f0d1f92cf3ea2482c6d4fb85f386ab

Download Submit
C:\Windows\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe

Filesize
372KB

MD5
c3020e3c084f9b8c77fb582e262cd050

SHA1
8ac1b43f25386b42321d2b0c1ac1529548892802

SHA256
3f58b0f0482950afc0f6a560a0545903bc94aa439e64b4bd69a12a71d80631f9

SHA512
5aca652683cd61e4a31840511567fd6569cc05319a75d839f24d1dda29ee7d954397fead395567449f56c08485459717cf94ac70485c1012139c7ef3d6157d84

Download Submit
C:\Windows\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe

Filesize
372KB

MD5
c3020e3c084f9b8c77fb582e262cd050

SHA1
8ac1b43f25386b42321d2b0c1ac1529548892802

SHA256
3f58b0f0482950afc0f6a560a0545903bc94aa439e64b4bd69a12a71d80631f9

SHA512
5aca652683cd61e4a31840511567fd6569cc05319a75d839f24d1dda29ee7d954397fead395567449f56c08485459717cf94ac70485c1012139c7ef3d6157d84

Download Submit
C:\Windows\{6815A187-D984-43d6-AB78-6772EC6FADBE}.exe

Filesize
372KB

MD5
c3020e3c084f9b8c77fb582e262cd050

SHA1
8ac1b43f25386b42321d2b0c1ac1529548892802

SHA256
3f58b0f0482950afc0f6a560a0545903bc94aa439e64b4bd69a12a71d80631f9

SHA512
5aca652683cd61e4a31840511567fd6569cc05319a75d839f24d1dda29ee7d954397fead395567449f56c08485459717cf94ac70485c1012139c7ef3d6157d84

Download Submit
C:\Windows\{783D057E-7D88-422c-9293-ACD568B7496D}.exe

Filesize
372KB

MD5
88f916a1f9a2e65ee22b47ed637744eb

SHA1
84f1a8990e480e18bd23fd5805068dcd59bd5bab

SHA256
358d0573ba9ded7ce579e9346c673bab65b5c7ad4230d0c9f356651a76e4e2b4

SHA512
367fe76b524f83b29b5e2999f541d4e9ff4f6398ea75e96eebd0b0c171199071282c6d724a7bd8f5bb54b99190c44c88762b7df1050ca70a08eefdeb9cf6dfc9

Download Submit
C:\Windows\{783D057E-7D88-422c-9293-ACD568B7496D}.exe

Filesize
372KB

MD5
88f916a1f9a2e65ee22b47ed637744eb

SHA1
84f1a8990e480e18bd23fd5805068dcd59bd5bab

SHA256
358d0573ba9ded7ce579e9346c673bab65b5c7ad4230d0c9f356651a76e4e2b4

SHA512
367fe76b524f83b29b5e2999f541d4e9ff4f6398ea75e96eebd0b0c171199071282c6d724a7bd8f5bb54b99190c44c88762b7df1050ca70a08eefdeb9cf6dfc9

Download Submit
C:\Windows\{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe

Filesize
372KB

MD5
12cdb653835e9df69171da7559b09d5c

SHA1
72d55257a84b58b7dff0220a7b1cf5f8debd7329

SHA256
0ae94141d4b9a5bab73949d1e9c056142cd0749b3fa8bd77688fe747c16f2167

SHA512
afdd0a7ec2b1aa91949e0832fb66e1f06463a4df02bf6eacad221d37fcacf540cb6b6420d07b4fae900683e1796ce08e818fdbd4df53260af0bdc1374b68782f

Download Submit
C:\Windows\{80284951-3784-4cbf-B8A5-B395C5F5327C}.exe

Filesize
372KB

MD5
12cdb653835e9df69171da7559b09d5c

SHA1
72d55257a84b58b7dff0220a7b1cf5f8debd7329

SHA256
0ae94141d4b9a5bab73949d1e9c056142cd0749b3fa8bd77688fe747c16f2167

SHA512
afdd0a7ec2b1aa91949e0832fb66e1f06463a4df02bf6eacad221d37fcacf540cb6b6420d07b4fae900683e1796ce08e818fdbd4df53260af0bdc1374b68782f

Download Submit
C:\Windows\{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe

Filesize
372KB

MD5
84f0d37c7effcb21eb8f1b9282532c8f

SHA1
14d46f6698233c44cc179b60e6aca84641a7ba98

SHA256
8148ea46939e9a3ca9bcab9b6d9d875771742d8685a9d18cb0232dbfc121f875

SHA512
ab1fab55f5e284d8c337ffa227fdd06db2ce55e7aca33894481d83ab6692447713932fba0d0c66555f1b9d9523c4f258642b2a83628879d6178532b667166e47

Download Submit
C:\Windows\{CF0D4D3B-5093-46da-A3BB-20F34130F150}.exe

Filesize
372KB

MD5
84f0d37c7effcb21eb8f1b9282532c8f

SHA1
14d46f6698233c44cc179b60e6aca84641a7ba98

SHA256
8148ea46939e9a3ca9bcab9b6d9d875771742d8685a9d18cb0232dbfc121f875

SHA512
ab1fab55f5e284d8c337ffa227fdd06db2ce55e7aca33894481d83ab6692447713932fba0d0c66555f1b9d9523c4f258642b2a83628879d6178532b667166e47

Download Submit
C:\Windows\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe

Filesize
372KB

MD5
bbe586380cd491a98f3eadc2d60d863c

SHA1
378712783ed581d984baaec42458ee3f6299b1f8

SHA256
85f6632d8c1878790f6d781b4ee55dddffe654096daf22694616ba49ae75c9ae

SHA512
185f6b6c43c02eb4952a64b994072bd037fa18fe64806912aa7963ce42158fd603c764789fd9a5a211ad12723dec89c2030be0421bab63f371ac4636bc08d4a0

Download Submit
C:\Windows\{D1DC4FC7-BD04-49b0-98A5-CA1BBA8C9D77}.exe

Filesize
372KB

MD5
bbe586380cd491a98f3eadc2d60d863c

SHA1
378712783ed581d984baaec42458ee3f6299b1f8

SHA256
85f6632d8c1878790f6d781b4ee55dddffe654096daf22694616ba49ae75c9ae

SHA512
185f6b6c43c02eb4952a64b994072bd037fa18fe64806912aa7963ce42158fd603c764789fd9a5a211ad12723dec89c2030be0421bab63f371ac4636bc08d4a0

Download Submit
C:\Windows\{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe

Filesize
372KB

MD5
7890491e0daf2e4778e9291e8d68ca5c

SHA1
259491e3366e22206dab64f525da7fe1084dae37

SHA256
423ea57fbdcfb7684a47df9ec1831566fe292fbfbe0766e86af49738c1174410

SHA512
fcfaf51100a78fca9d2a123f5140fba05c781098203d6cb60b1198f05541609c63bc36f0e49c7ec6e1cf96c3e5da8ad3f39ec4502cbdb13241490d60b4173784

Download Submit
C:\Windows\{EA40F0AE-76F1-4604-90ED-67A25C78A207}.exe

Filesize
372KB

MD5
7890491e0daf2e4778e9291e8d68ca5c

SHA1
259491e3366e22206dab64f525da7fe1084dae37

SHA256
423ea57fbdcfb7684a47df9ec1831566fe292fbfbe0766e86af49738c1174410

SHA512
fcfaf51100a78fca9d2a123f5140fba05c781098203d6cb60b1198f05541609c63bc36f0e49c7ec6e1cf96c3e5da8ad3f39ec4502cbdb13241490d60b4173784

Download Submit
C:\Windows\{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe

Filesize
372KB

MD5
8b898a4592d81a4e30851424c584c32d

SHA1
273900e04d2d75717204a155d8617b7393e4d613

SHA256
d1041d11e83a7f2d53576d55cd52e2891927753728dc3d4c50b1a41c22aaa38f

SHA512
fea1f170abb9bff13cac8b8648cd0352bcce17255b935bb526f7e6fcec524664645d82801deca0032a6c758cd2a8f112238e71d7c2d3412f468be8e1a5381743

Download Submit
C:\Windows\{FC797756-8A30-4cbc-BE96-4087B6A75A19}.exe

Filesize
372KB

MD5
8b898a4592d81a4e30851424c584c32d

SHA1
273900e04d2d75717204a155d8617b7393e4d613

SHA256
d1041d11e83a7f2d53576d55cd52e2891927753728dc3d4c50b1a41c22aaa38f

SHA512
fea1f170abb9bff13cac8b8648cd0352bcce17255b935bb526f7e6fcec524664645d82801deca0032a6c758cd2a8f112238e71d7c2d3412f468be8e1a5381743

Download Submit