580e2e9d0c621e34b4b433709659bd192479d52f5af891abf6cdc2b92f0ff88c

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffde0b696fc811exeexeexeex.exe
Size

168KB
MD5

ffde0b696fc81160a43da5a7da860e41
SHA1

4331f75f55f3cbc370f22d58b70da380334ed017
SHA256

580e2e9d0c621e34b4b433709659bd192479d52f5af891abf6cdc2b92f0ff88c
SHA512

a73479411b88aec3d745391eb423c90b68a771fd61c6e4f67a4f8b521f46e35607439282bcdd5a08e47128f26bd7c827118ad5dc46f6fb2e844ba2ab556fd71b
SSDEEP

1536:1EGh0oulq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oulqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}\stubpath = "C:\\Windows\\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe"	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE8A92D4-7622-4084-9410-786B51C6C8F7}	{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}	{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}\stubpath = "C:\\Windows\\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe"	{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}\stubpath = "C:\\Windows\\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}.exe"	{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}	{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}\stubpath = "C:\\Windows\\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe"	{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}\stubpath = "C:\\Windows\\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe"	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DDB33A8-03BD-42a4-A839-6083A584DA26}	{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DDB33A8-03BD-42a4-A839-6083A584DA26}\stubpath = "C:\\Windows\\{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe"	{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}	{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}\stubpath = "C:\\Windows\\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe"	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}\stubpath = "C:\\Windows\\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe"	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}\stubpath = "C:\\Windows\\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe"	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}\stubpath = "C:\\Windows\\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe"	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}\stubpath = "C:\\Windows\\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe"	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE8A92D4-7622-4084-9410-786B51C6C8F7}\stubpath = "C:\\Windows\\{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe"	{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}	ffde0b696fc811exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}\stubpath = "C:\\Windows\\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe"	ffde0b696fc811exeexeexeex.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
1412	{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
268	{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
2680	{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
2576	{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe
2024	{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe
2792	{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe	{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
File created	C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	ffde0b696fc811exeexeexeex.exe
File created	C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
File created	C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
File created	C:\Windows\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
File created	C:\Windows\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
File created	C:\Windows\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
File created	C:\Windows\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
File created	C:\Windows\{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe	{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
File created	C:\Windows\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}.exe	{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe
File created	C:\Windows\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
File created	C:\Windows\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe	{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
File created	C:\Windows\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe	{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	ffde0b696fc811exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
Token: SeIncBasePriorityPrivilege	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
Token: SeIncBasePriorityPrivilege	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
Token: SeIncBasePriorityPrivilege	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
Token: SeIncBasePriorityPrivilege	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
Token: SeIncBasePriorityPrivilege	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
Token: SeIncBasePriorityPrivilege	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
Token: SeIncBasePriorityPrivilege	1412	{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
Token: SeIncBasePriorityPrivilege	268	{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
Token: SeIncBasePriorityPrivilege	2680	{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
Token: SeIncBasePriorityPrivilege	2576	{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe
Token: SeIncBasePriorityPrivilege	2024	{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1204	2384	ffde0b696fc811exeexeexeex.exe	28
PID 2384 wrote to memory of 1204	2384	ffde0b696fc811exeexeexeex.exe	28
PID 2384 wrote to memory of 1204	2384	ffde0b696fc811exeexeexeex.exe	28
PID 2384 wrote to memory of 1204	2384	ffde0b696fc811exeexeexeex.exe	28
PID 2384 wrote to memory of 3068	2384	ffde0b696fc811exeexeexeex.exe	29
PID 2384 wrote to memory of 3068	2384	ffde0b696fc811exeexeexeex.exe	29
PID 2384 wrote to memory of 3068	2384	ffde0b696fc811exeexeexeex.exe	29
PID 2384 wrote to memory of 3068	2384	ffde0b696fc811exeexeexeex.exe	29
PID 1204 wrote to memory of 2936	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 1204 wrote to memory of 2936	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 1204 wrote to memory of 2936	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 1204 wrote to memory of 2936	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 1204 wrote to memory of 3048	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 1204 wrote to memory of 3048	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 1204 wrote to memory of 3048	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 1204 wrote to memory of 3048	1204	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 2936 wrote to memory of 2928	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2936 wrote to memory of 2928	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2936 wrote to memory of 2928	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2936 wrote to memory of 2928	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2936 wrote to memory of 1272	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2936 wrote to memory of 1272	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2936 wrote to memory of 1272	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2936 wrote to memory of 1272	2936	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2928 wrote to memory of 1912	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 2928 wrote to memory of 1912	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 2928 wrote to memory of 1912	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 2928 wrote to memory of 1912	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 2928 wrote to memory of 2900	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 2928 wrote to memory of 2900	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 2928 wrote to memory of 2900	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 2928 wrote to memory of 2900	2928	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 1912 wrote to memory of 2092	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	36
PID 1912 wrote to memory of 2092	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	36
PID 1912 wrote to memory of 2092	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	36
PID 1912 wrote to memory of 2092	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	36
PID 1912 wrote to memory of 392	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	37
PID 1912 wrote to memory of 392	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	37
PID 1912 wrote to memory of 392	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	37
PID 1912 wrote to memory of 392	1912	{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe	37
PID 2092 wrote to memory of 2212	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	38
PID 2092 wrote to memory of 2212	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	38
PID 2092 wrote to memory of 2212	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	38
PID 2092 wrote to memory of 2212	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	38
PID 2092 wrote to memory of 2268	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	39
PID 2092 wrote to memory of 2268	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	39
PID 2092 wrote to memory of 2268	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	39
PID 2092 wrote to memory of 2268	2092	{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe	39
PID 2212 wrote to memory of 2108	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	40
PID 2212 wrote to memory of 2108	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	40
PID 2212 wrote to memory of 2108	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	40
PID 2212 wrote to memory of 2108	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	40
PID 2212 wrote to memory of 2428	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	41
PID 2212 wrote to memory of 2428	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	41
PID 2212 wrote to memory of 2428	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	41
PID 2212 wrote to memory of 2428	2212	{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe	41
PID 2108 wrote to memory of 1412	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	42
PID 2108 wrote to memory of 1412	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	42
PID 2108 wrote to memory of 1412	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	42
PID 2108 wrote to memory of 1412	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	42
PID 2108 wrote to memory of 2204	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	43
PID 2108 wrote to memory of 2204	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	43
PID 2108 wrote to memory of 2204	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	43
PID 2108 wrote to memory of 2204	2108	{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe	43

C:\Users\Admin\AppData\Local\Temp\ffde0b696fc811exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ffde0b696fc811exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
  C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
    C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
      C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
        
        C:\Windows\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
        
        C:\Windows\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
        
        C:\Windows\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
        
        C:\Windows\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
        
        C:\Windows\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
        
        C:\Windows\{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
        
        C:\Windows\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe
        
        C:\Windows\{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe
        
        C:\Windows\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}.exe
        
        C:\Windows\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}.exe
        14⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE94~1.EXE > nul
        14⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DDB3~1.EXE > nul
        13⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2D2~1.EXE > nul
        12⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8A9~1.EXE > nul
        11⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA13~1.EXE > nul
        10⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95F2F~1.EXE > nul
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4DFD~1.EXE > nul
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59ED2~1.EXE > nul
        7⤵
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75935~1.EXE > nul
        6⤵
        
        PID:392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F21~1.EXE > nul
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{882EC~1.EXE > nul
      4⤵
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17CFE~1.EXE > nul
    3⤵
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FFDE0B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0629DDD3-8EA0-48e7-BB8C-E0F765E58E7F}.exe

Filesize
168KB

MD5
7b36da7360a44c7d2676ebbc024f642b

SHA1
38ae567b2db6d3843970698812de2d46399e5949

SHA256
c8c3a1d43e6f69a29e31a60ea94719a552b4d3d90f9a15a50a05ca9a844a43da

SHA512
08ca101d3afcf531d6fee8aaac059d03f8da2fcacf600c2bef07e19572fc5d4eca1ea5a1c5fb74c552a7c3e85d6c6fd121fcfc2cd111e67b40b6d9a64a6eec02

Download Submit
C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe

Filesize
168KB

MD5
b6548622d156d0a3575a6f1e2b5a9496

SHA1
59565c60f9225c519d8c845e07a212bba794837f

SHA256
3dd8cef020273e63a8b34586773be752a6c640453ef5574c60b00072433e655b

SHA512
6d5789088482d7394c772b8952afdc6388f7200eff9166de67eb08995e0bf429c83b6292fbbb3fc09f4cf64f6fc9e6b1a7ef7b9721f245ac7888d84fa2ed624b

Download Submit
C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe

Filesize
168KB

MD5
b6548622d156d0a3575a6f1e2b5a9496

SHA1
59565c60f9225c519d8c845e07a212bba794837f

SHA256
3dd8cef020273e63a8b34586773be752a6c640453ef5574c60b00072433e655b

SHA512
6d5789088482d7394c772b8952afdc6388f7200eff9166de67eb08995e0bf429c83b6292fbbb3fc09f4cf64f6fc9e6b1a7ef7b9721f245ac7888d84fa2ed624b

Download Submit
C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe

Filesize
168KB

MD5
b6548622d156d0a3575a6f1e2b5a9496

SHA1
59565c60f9225c519d8c845e07a212bba794837f

SHA256
3dd8cef020273e63a8b34586773be752a6c640453ef5574c60b00072433e655b

SHA512
6d5789088482d7394c772b8952afdc6388f7200eff9166de67eb08995e0bf429c83b6292fbbb3fc09f4cf64f6fc9e6b1a7ef7b9721f245ac7888d84fa2ed624b

Download Submit
C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe

Filesize
168KB

MD5
c4293d9ab80b1a59451db3c997830030

SHA1
06baa013db7c5158c56ba18ef5d1ae5aa27b2802

SHA256
e7c0d4f285f1b97b118aef226626a5fe44c59365ebdc39ccfec436dea83a0275

SHA512
12fc82abe8e1bde3d7993ea7194567908777091ddb4a76fdd918e20c7261113eb17deb60f34d7281887656872838749f0e941409aff8f87efad7ec6e03cae6b4

Download Submit
C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe

Filesize
168KB

MD5
c4293d9ab80b1a59451db3c997830030

SHA1
06baa013db7c5158c56ba18ef5d1ae5aa27b2802

SHA256
e7c0d4f285f1b97b118aef226626a5fe44c59365ebdc39ccfec436dea83a0275

SHA512
12fc82abe8e1bde3d7993ea7194567908777091ddb4a76fdd918e20c7261113eb17deb60f34d7281887656872838749f0e941409aff8f87efad7ec6e03cae6b4

Download Submit
C:\Windows\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe

Filesize
168KB

MD5
2c226d83614357712ac430966dd20a3a

SHA1
8057a0ef19fe3fc0b9fc3005b5b0e5229431b07a

SHA256
9029db86d204bfb0b32cad4ba565685f3d46d3854ba3cd99ac1207f7742382a1

SHA512
bf6538fd32d0e0ddcb2d69640618cd6be57b04980dcfcf057223b52d3ce554df953ebec6ac03f8aea01b75b71ff100b53c6f50a5a317489acc0ab1ac89bed3ba

Download Submit
C:\Windows\{59ED2E0B-3C96-4fb2-9D4D-F43C4A8516D4}.exe

Filesize
168KB

MD5
2c226d83614357712ac430966dd20a3a

SHA1
8057a0ef19fe3fc0b9fc3005b5b0e5229431b07a

SHA256
9029db86d204bfb0b32cad4ba565685f3d46d3854ba3cd99ac1207f7742382a1

SHA512
bf6538fd32d0e0ddcb2d69640618cd6be57b04980dcfcf057223b52d3ce554df953ebec6ac03f8aea01b75b71ff100b53c6f50a5a317489acc0ab1ac89bed3ba

Download Submit
C:\Windows\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe

Filesize
168KB

MD5
689d81f37e64813d37f4a9f3792831be

SHA1
e68e366666dcd4b6994c590937649e5a200a03ca

SHA256
6f035f1d9d28acdd600cafccd87cb9ccc4cf8c7729a73c85f285155f9fac6ea3

SHA512
f2a180e80f0c8d679d81b190cac3a7ca335716dfdbad23aaae6af4e63084699271fa2d4db988ac202537d312d09a3bb40df8d83fb4df5b385e7296ccf4cbcfd0

Download Submit
C:\Windows\{6DA13731-0D87-4e9e-A3F1-B9D7D8711255}.exe

Filesize
168KB

MD5
689d81f37e64813d37f4a9f3792831be

SHA1
e68e366666dcd4b6994c590937649e5a200a03ca

SHA256
6f035f1d9d28acdd600cafccd87cb9ccc4cf8c7729a73c85f285155f9fac6ea3

SHA512
f2a180e80f0c8d679d81b190cac3a7ca335716dfdbad23aaae6af4e63084699271fa2d4db988ac202537d312d09a3bb40df8d83fb4df5b385e7296ccf4cbcfd0

Download Submit
C:\Windows\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe

Filesize
168KB

MD5
403bbb5c3dfdefd314a98707c6d96ba1

SHA1
d550ef261a8567de1e72c6ec797d34ee9a84bd93

SHA256
9d7982f1e5f63cd82ebde05191f9cf30b88945085717496a663e45c254ce0644

SHA512
7dce6d2986395f161bd57530f9fb5db1a8eef5866b273228f8d3b37fa5bab04bcefcb4bf7aa802f83a9bbc0210cd24c43e0f47322b3727679287a623a99d2806

Download Submit
C:\Windows\{75935922-94F9-4b6f-8C27-D4F7FDAE4C89}.exe

Filesize
168KB

MD5
403bbb5c3dfdefd314a98707c6d96ba1

SHA1
d550ef261a8567de1e72c6ec797d34ee9a84bd93

SHA256
9d7982f1e5f63cd82ebde05191f9cf30b88945085717496a663e45c254ce0644

SHA512
7dce6d2986395f161bd57530f9fb5db1a8eef5866b273228f8d3b37fa5bab04bcefcb4bf7aa802f83a9bbc0210cd24c43e0f47322b3727679287a623a99d2806

Download Submit
C:\Windows\{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe

Filesize
168KB

MD5
6431b3b3450c9732eff9eb5b3b4109f0

SHA1
7c6e899a3e38d877ce3c3f8b86ec74d2b6f0c972

SHA256
6dff2e7f944f667f702f76dc5e43308b27ebadfb561f62b51a80156599bb6a84

SHA512
c63285b0d9987f402d75a06acbc4df4b57fb5fd7d9ba4e35edab82ba6f52dbcd693f7312eece50098d08932ae00a23777b973fc243e4f221a18f5c7d31bd0cd7

Download Submit
C:\Windows\{7DDB33A8-03BD-42a4-A839-6083A584DA26}.exe

Filesize
168KB

MD5
6431b3b3450c9732eff9eb5b3b4109f0

SHA1
7c6e899a3e38d877ce3c3f8b86ec74d2b6f0c972

SHA256
6dff2e7f944f667f702f76dc5e43308b27ebadfb561f62b51a80156599bb6a84

SHA512
c63285b0d9987f402d75a06acbc4df4b57fb5fd7d9ba4e35edab82ba6f52dbcd693f7312eece50098d08932ae00a23777b973fc243e4f221a18f5c7d31bd0cd7

Download Submit
C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe

Filesize
168KB

MD5
f4be3c88a7412dd279b176ecd82926fd

SHA1
57ddd9bf48750ed6c184383308576b544a86a93b

SHA256
211f0af9352fd1ae14fad8da9823ab0e78d284ba0d3f4788d6498b30f44ce1d6

SHA512
83b4bc215d2cb726208fb5c004beee652a078b7c4ed4dbcae0dd799cc79f33429b5250bb803adc1a0012422b6e3f86930879f6a941e06e12485999402c77f725

Download Submit
C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe

Filesize
168KB

MD5
f4be3c88a7412dd279b176ecd82926fd

SHA1
57ddd9bf48750ed6c184383308576b544a86a93b

SHA256
211f0af9352fd1ae14fad8da9823ab0e78d284ba0d3f4788d6498b30f44ce1d6

SHA512
83b4bc215d2cb726208fb5c004beee652a078b7c4ed4dbcae0dd799cc79f33429b5250bb803adc1a0012422b6e3f86930879f6a941e06e12485999402c77f725

Download Submit
C:\Windows\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe

Filesize
168KB

MD5
105edc4ac2da0bc3d2bcf9395c70cdf0

SHA1
eeec4053aec2179e327000e3db533ef3b563b378

SHA256
19c250845760bd70fb67c55e6d08d5b47f98c3a9c3709557f3fa4be8ae67c824

SHA512
7d1a622add12b7db2b3a6f9614b17b5f620cfca8e3cd657da8bfbaa61ca21650643492a58098c8ab6281ea2ff22c2168cda8f57dd315677ef94db36d7ee05f19

Download Submit
C:\Windows\{8FE94888-A0A3-4a0f-88CC-D4BF41ADEF3A}.exe

Filesize
168KB

MD5
105edc4ac2da0bc3d2bcf9395c70cdf0

SHA1
eeec4053aec2179e327000e3db533ef3b563b378

SHA256
19c250845760bd70fb67c55e6d08d5b47f98c3a9c3709557f3fa4be8ae67c824

SHA512
7d1a622add12b7db2b3a6f9614b17b5f620cfca8e3cd657da8bfbaa61ca21650643492a58098c8ab6281ea2ff22c2168cda8f57dd315677ef94db36d7ee05f19

Download Submit
C:\Windows\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe

Filesize
168KB

MD5
00022db0f310395f75adba3dc566adf0

SHA1
b03b1b97e0ad3c69d7ced24a7ca17a9379084e5d

SHA256
ed73c61d7dccf325e3c9fc85436ec6150ec619c4190f3cd906ad07173fab64a3

SHA512
27fc20fc72acdb4aebf03c158b67fbd2747c25f462cb6ee8f5c4cbf70043723005e8423b6b5f85477bf21d52baf50f885c772cd1c9efd7dafbf5bb51241b326c

Download Submit
C:\Windows\{95F2F9D7-19E4-4643-A8FD-1130F939DDB2}.exe

Filesize
168KB

MD5
00022db0f310395f75adba3dc566adf0

SHA1
b03b1b97e0ad3c69d7ced24a7ca17a9379084e5d

SHA256
ed73c61d7dccf325e3c9fc85436ec6150ec619c4190f3cd906ad07173fab64a3

SHA512
27fc20fc72acdb4aebf03c158b67fbd2747c25f462cb6ee8f5c4cbf70043723005e8423b6b5f85477bf21d52baf50f885c772cd1c9efd7dafbf5bb51241b326c

Download Submit
C:\Windows\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe

Filesize
168KB

MD5
866074ba9c064f1c151d6efea55bc4e7

SHA1
0aa97ccc606a8923f910217d00db92e717e3cad3

SHA256
87a13363f8c7fd8c791b94a7603b6674aae7b3b5a842fb7bdbffacff55e14609

SHA512
a720b2fb16a06e6d8094353bc21589f172e466690345ff1875089773ab1850c2fece141bed9a14751cc94296c5d804728082425e8a98f29f616baacdfa8a6263

Download Submit
C:\Windows\{A4DFD266-3854-4bee-BDDE-4A280E7E9C59}.exe

Filesize
168KB

MD5
866074ba9c064f1c151d6efea55bc4e7

SHA1
0aa97ccc606a8923f910217d00db92e717e3cad3

SHA256
87a13363f8c7fd8c791b94a7603b6674aae7b3b5a842fb7bdbffacff55e14609

SHA512
a720b2fb16a06e6d8094353bc21589f172e466690345ff1875089773ab1850c2fece141bed9a14751cc94296c5d804728082425e8a98f29f616baacdfa8a6263

Download Submit
C:\Windows\{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe

Filesize
168KB

MD5
2398121fb7618c31b0f762c7084c4773

SHA1
7bac003dc4c2bcb8323d18bbf41396524d27d5a8

SHA256
fdf17a54971af6a991c43f497de662010f6cdc347444aef257a9251daa302b7c

SHA512
89af9ec9c5e7d89f9682f18d4e3612202f361ccf2bf16b709413c5d176fc9847f080aac884cf17ad575d24f9e18a26cb4dc25be143ed067ebc65d8bf32f12e05

Download Submit
C:\Windows\{AE8A92D4-7622-4084-9410-786B51C6C8F7}.exe

Filesize
168KB

MD5
2398121fb7618c31b0f762c7084c4773

SHA1
7bac003dc4c2bcb8323d18bbf41396524d27d5a8

SHA256
fdf17a54971af6a991c43f497de662010f6cdc347444aef257a9251daa302b7c

SHA512
89af9ec9c5e7d89f9682f18d4e3612202f361ccf2bf16b709413c5d176fc9847f080aac884cf17ad575d24f9e18a26cb4dc25be143ed067ebc65d8bf32f12e05

Download Submit
C:\Windows\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe

Filesize
168KB

MD5
1347a0d363c7303e15a4041970012c9c

SHA1
8c2663691e0ebf853c41dd9b6e440fc386c4b6f6

SHA256
b59feed304e13d85896a02955eb57a639f6116c50015ba289ace2533caeefdbc

SHA512
442cab9f301e6587306d86a7dc0e6b8b63b13152bc0879ab8c2268fd6a14db27419a7a67c9553de1436494b946823b6ecb27b04a954685215d618758a394ca42

Download Submit
C:\Windows\{EC2D2BA1-6C7E-42e6-BC0C-415608563908}.exe

Filesize
168KB

MD5
1347a0d363c7303e15a4041970012c9c

SHA1
8c2663691e0ebf853c41dd9b6e440fc386c4b6f6

SHA256
b59feed304e13d85896a02955eb57a639f6116c50015ba289ace2533caeefdbc

SHA512
442cab9f301e6587306d86a7dc0e6b8b63b13152bc0879ab8c2268fd6a14db27419a7a67c9553de1436494b946823b6ecb27b04a954685215d618758a394ca42

Download Submit