7a72e8d6b921e4752fa436b5fc232413a8e4b660164e929831c8c3d87ed62b08

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1248c0a39b1615exeexeexeex.exe
Size

168KB
MD5

1248c0a39b16150e33bad441d6a65ecc
SHA1

8b0461933e5ed775984a5d781cc7e29fd46a8513
SHA256

7a72e8d6b921e4752fa436b5fc232413a8e4b660164e929831c8c3d87ed62b08
SHA512

f0e289c67393138ef30d615f79b4b4a80cc7ebe9273ebee31049ee7c8c7bcae9f39cbbc3babf827e4df12876f3f46c10c1063487ff3f85bffe2e4d6146b67055
SSDEEP

1536:1EGh0oalq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oalqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB98D98-09B8-4059-9163-565FCF2E0C35}	{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}	{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA088BB-C470-40a1-AA62-10950D21F333}	1248c0a39b1615exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7201251E-0433-4208-8170-E7EEFBB6B642}\stubpath = "C:\\Windows\\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe"	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}\stubpath = "C:\\Windows\\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe"	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A754F180-6D61-421b-B70A-2461AABC2210}	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D8EA30-7641-410e-96B4-45B7D6080C7A}	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA57D28B-3B1E-4297-84BA-684773F12E77}	{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA088BB-C470-40a1-AA62-10950D21F333}\stubpath = "C:\\Windows\\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe"	1248c0a39b1615exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}\stubpath = "C:\\Windows\\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe"	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A754F180-6D61-421b-B70A-2461AABC2210}\stubpath = "C:\\Windows\\{A754F180-6D61-421b-B70A-2461AABC2210}.exe"	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D8EA30-7641-410e-96B4-45B7D6080C7A}\stubpath = "C:\\Windows\\{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe"	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}	{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7057BAF-D27E-4970-9A89-10829019F1F9}\stubpath = "C:\\Windows\\{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe"	{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}\stubpath = "C:\\Windows\\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe"	{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7201251E-0433-4208-8170-E7EEFBB6B642}	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}\stubpath = "C:\\Windows\\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe"	{A754F180-6D61-421b-B70A-2461AABC2210}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA57D28B-3B1E-4297-84BA-684773F12E77}\stubpath = "C:\\Windows\\{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe"	{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB98D98-09B8-4059-9163-565FCF2E0C35}\stubpath = "C:\\Windows\\{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe"	{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7057BAF-D27E-4970-9A89-10829019F1F9}	{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}\stubpath = "C:\\Windows\\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe"	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}	{A754F180-6D61-421b-B70A-2461AABC2210}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}\stubpath = "C:\\Windows\\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}.exe"	{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe
2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
676	{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
2968	{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
2668	{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
2976	{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
2736	{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe
2632	{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe	{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
File created	C:\Windows\{A754F180-6D61-421b-B70A-2461AABC2210}.exe	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
File created	C:\Windows\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	{A754F180-6D61-421b-B70A-2461AABC2210}.exe
File created	C:\Windows\{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
File created	C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
File created	C:\Windows\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
File created	C:\Windows\{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe	{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
File created	C:\Windows\{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe	{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
File created	C:\Windows\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe	{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
File created	C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	1248c0a39b1615exeexeexeex.exe
File created	C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
File created	C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
File created	C:\Windows\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}.exe	{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	1248c0a39b1615exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
Token: SeIncBasePriorityPrivilege	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
Token: SeIncBasePriorityPrivilege	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
Token: SeIncBasePriorityPrivilege	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
Token: SeIncBasePriorityPrivilege	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
Token: SeIncBasePriorityPrivilege	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe
Token: SeIncBasePriorityPrivilege	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
Token: SeIncBasePriorityPrivilege	676	{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
Token: SeIncBasePriorityPrivilege	2968	{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
Token: SeIncBasePriorityPrivilege	2668	{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
Token: SeIncBasePriorityPrivilege	2976	{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
Token: SeIncBasePriorityPrivilege	2736	{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1356	3028	1248c0a39b1615exeexeexeex.exe	28
PID 3028 wrote to memory of 1356	3028	1248c0a39b1615exeexeexeex.exe	28
PID 3028 wrote to memory of 1356	3028	1248c0a39b1615exeexeexeex.exe	28
PID 3028 wrote to memory of 1356	3028	1248c0a39b1615exeexeexeex.exe	28
PID 3028 wrote to memory of 2068	3028	1248c0a39b1615exeexeexeex.exe	29
PID 3028 wrote to memory of 2068	3028	1248c0a39b1615exeexeexeex.exe	29
PID 3028 wrote to memory of 2068	3028	1248c0a39b1615exeexeexeex.exe	29
PID 3028 wrote to memory of 2068	3028	1248c0a39b1615exeexeexeex.exe	29
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2304	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	30
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 1356 wrote to memory of 2932	1356	{5DA088BB-C470-40a1-AA62-10950D21F333}.exe	31
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 2812	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	32
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2304 wrote to memory of 732	2304	{7201251E-0433-4208-8170-E7EEFBB6B642}.exe	33
PID 2812 wrote to memory of 2128	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 2128	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 2128	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 2128	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	34
PID 2812 wrote to memory of 876	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2812 wrote to memory of 876	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2812 wrote to memory of 876	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2812 wrote to memory of 876	2812	{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe	35
PID 2128 wrote to memory of 1488	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 2128 wrote to memory of 1488	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 2128 wrote to memory of 1488	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 2128 wrote to memory of 1488	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	36
PID 2128 wrote to memory of 856	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 2128 wrote to memory of 856	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 2128 wrote to memory of 856	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 2128 wrote to memory of 856	2128	{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe	37
PID 1488 wrote to memory of 2388	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	38
PID 1488 wrote to memory of 2388	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	38
PID 1488 wrote to memory of 2388	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	38
PID 1488 wrote to memory of 2388	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	38
PID 1488 wrote to memory of 2852	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	39
PID 1488 wrote to memory of 2852	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	39
PID 1488 wrote to memory of 2852	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	39
PID 1488 wrote to memory of 2852	1488	{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe	39
PID 2388 wrote to memory of 2916	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	40
PID 2388 wrote to memory of 2916	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	40
PID 2388 wrote to memory of 2916	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	40
PID 2388 wrote to memory of 2916	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	40
PID 2388 wrote to memory of 1256	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	41
PID 2388 wrote to memory of 1256	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	41
PID 2388 wrote to memory of 1256	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	41
PID 2388 wrote to memory of 1256	2388	{A754F180-6D61-421b-B70A-2461AABC2210}.exe	41
PID 2916 wrote to memory of 676	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	42
PID 2916 wrote to memory of 676	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	42
PID 2916 wrote to memory of 676	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	42
PID 2916 wrote to memory of 676	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	42
PID 2916 wrote to memory of 2080	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	43
PID 2916 wrote to memory of 2080	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	43
PID 2916 wrote to memory of 2080	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	43
PID 2916 wrote to memory of 2080	2916	{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe	43

C:\Users\Admin\AppData\Local\Temp\1248c0a39b1615exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\1248c0a39b1615exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
  C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
    C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
      C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
        
        C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
        
        C:\Windows\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{A754F180-6D61-421b-B70A-2461AABC2210}.exe
        
        C:\Windows\{A754F180-6D61-421b-B70A-2461AABC2210}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
        
        C:\Windows\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
        
        C:\Windows\{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
        
        C:\Windows\{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
        
        C:\Windows\{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
        
        C:\Windows\{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe
        
        C:\Windows\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}.exe
        
        C:\Windows\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}.exe
        14⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26297~1.EXE > nul
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7057~1.EXE > nul
        13⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB98~1.EXE > nul
        12⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA57D~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27D8E~1.EXE > nul
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A63~1.EXE > nul
        9⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A754F~1.EXE > nul
        8⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD64~1.EXE > nul
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A4D~1.EXE > nul
        6⤵
        
        PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFD6~1.EXE > nul
        5⤵
        
        PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72012~1.EXE > nul
      4⤵
      PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA08~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1248C0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe

Filesize
168KB

MD5
bb65f636c8e5c84df68d22b9febf9fc0

SHA1
8bf80b62e36fcda46c2aebfe5ae49101187cfed0

SHA256
b45438628c26928776c5c1f038556817aed4fe2facfaa721f34b7b9a72cb116e

SHA512
0bf89f2d8f837d7cadde2be8bee72657af7b5c7b4b3e8d8a1f6273462723fc6e10a2682575076761e7cfe29ab3539c22e6ba1767847c07da34cda1b04a0d1024

Download Submit
C:\Windows\{17A4D027-ADA3-4a4d-99D3-82A1EB8DCE8D}.exe

Filesize
168KB

MD5
bb65f636c8e5c84df68d22b9febf9fc0

SHA1
8bf80b62e36fcda46c2aebfe5ae49101187cfed0

SHA256
b45438628c26928776c5c1f038556817aed4fe2facfaa721f34b7b9a72cb116e

SHA512
0bf89f2d8f837d7cadde2be8bee72657af7b5c7b4b3e8d8a1f6273462723fc6e10a2682575076761e7cfe29ab3539c22e6ba1767847c07da34cda1b04a0d1024

Download Submit
C:\Windows\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe

Filesize
168KB

MD5
3af0fc9fccb3969b6799c36a6a75b814

SHA1
2c7886ac9ff05f0c42f1ba1e3a828000f5d77b93

SHA256
7d6d677aa675626385245431a979e3358e3dcdd710e8c228d2979107585e8ef5

SHA512
d2044052c0efa6c6a7ec52a603c5e5413d8af29a6c0cd499d4c798c654e04fd8225fa90ae8b4878b73032971409ad0ec7a7de637629f3d0e17dc2e2a18b687c0

Download Submit
C:\Windows\{26297DAA-BD79-4a61-B40E-4B74FD569FBE}.exe

Filesize
168KB

MD5
3af0fc9fccb3969b6799c36a6a75b814

SHA1
2c7886ac9ff05f0c42f1ba1e3a828000f5d77b93

SHA256
7d6d677aa675626385245431a979e3358e3dcdd710e8c228d2979107585e8ef5

SHA512
d2044052c0efa6c6a7ec52a603c5e5413d8af29a6c0cd499d4c798c654e04fd8225fa90ae8b4878b73032971409ad0ec7a7de637629f3d0e17dc2e2a18b687c0

Download Submit
C:\Windows\{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe

Filesize
168KB

MD5
3aad289a953fc2a3fc9563540dc97684

SHA1
87dbbb5e265e35b4928c2b55b0947939ae6fbbb0

SHA256
dbaf3e0ca90b5174f2c7e48f63d794e54793abb097272f9de6ccd0126bca6ac0

SHA512
89fea0112013edd6a513b0b404e7f7794b23073e2a2c2c4a86de59b36666b6df54b56c392455cace479f1382af609692584c42b3827426b865c9a8d51d0693ff

Download Submit
C:\Windows\{27D8EA30-7641-410e-96B4-45B7D6080C7A}.exe

Filesize
168KB

MD5
3aad289a953fc2a3fc9563540dc97684

SHA1
87dbbb5e265e35b4928c2b55b0947939ae6fbbb0

SHA256
dbaf3e0ca90b5174f2c7e48f63d794e54793abb097272f9de6ccd0126bca6ac0

SHA512
89fea0112013edd6a513b0b404e7f7794b23073e2a2c2c4a86de59b36666b6df54b56c392455cace479f1382af609692584c42b3827426b865c9a8d51d0693ff

Download Submit
C:\Windows\{4491B07F-EEA1-49b3-BB8A-B353F6F6E1F1}.exe

Filesize
168KB

MD5
888b7cd8b01fb78d6b973d04bee2eeda

SHA1
77f114530ebcbddf709e4a4ab1bc6aaae1dd16a8

SHA256
3dc141babc2eba7e069a31283e60a85eb6f8548866e6693d6fd1feae7158931f

SHA512
d5d2ee34cdd4df2ba9f09578ddb7041cf74f7a807dc28d5dcbe78dd690f12a47e75b5f78036bded2e1772cd86d2ec09a4eb8f41d75fb7ebbd1723fc93ce25e13

Download Submit
C:\Windows\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe

Filesize
168KB

MD5
047d3fb8f0f34f91470f9ebe05b13bf2

SHA1
8171560af3b06291884521be74f42f374830236a

SHA256
427395524ca7da05e02291de66dcd228d4cdbf0a2a12c278c655d05c0432d5ae

SHA512
3c34a5fe5916f39ade3d3aa8ccd6814146878d0110c31f23ea61f941e49592d71c2ee6c1127e629a4ce87a9b3477f35723c7f682481144744b49cbc7b06b0a32

Download Submit
C:\Windows\{4DD64402-A7EE-4c1e-B2A7-71D6D9231B29}.exe

Filesize
168KB

MD5
047d3fb8f0f34f91470f9ebe05b13bf2

SHA1
8171560af3b06291884521be74f42f374830236a

SHA256
427395524ca7da05e02291de66dcd228d4cdbf0a2a12c278c655d05c0432d5ae

SHA512
3c34a5fe5916f39ade3d3aa8ccd6814146878d0110c31f23ea61f941e49592d71c2ee6c1127e629a4ce87a9b3477f35723c7f682481144744b49cbc7b06b0a32

Download Submit
C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe

Filesize
168KB

MD5
fd34e6c5d33b3bea5f8d0e0738dbda8d

SHA1
d4a09a526609b76c5e257b2b85d4f6842a46abb9

SHA256
f07ccd7d9e59d52d582d5167d3ca271484456d896cd7e4375b8a92226a0622f6

SHA512
63521819fb5e0203fd8ba19265b9cfa677fb5aaa60c14928c89e351a75bb5bc52a528c6019ce71083e1e1dcb4ff96523bbb65c7911d22f88f0cd61748ac0db86

Download Submit
C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe

Filesize
168KB

MD5
fd34e6c5d33b3bea5f8d0e0738dbda8d

SHA1
d4a09a526609b76c5e257b2b85d4f6842a46abb9

SHA256
f07ccd7d9e59d52d582d5167d3ca271484456d896cd7e4375b8a92226a0622f6

SHA512
63521819fb5e0203fd8ba19265b9cfa677fb5aaa60c14928c89e351a75bb5bc52a528c6019ce71083e1e1dcb4ff96523bbb65c7911d22f88f0cd61748ac0db86

Download Submit
C:\Windows\{5DA088BB-C470-40a1-AA62-10950D21F333}.exe

Filesize
168KB

MD5
fd34e6c5d33b3bea5f8d0e0738dbda8d

SHA1
d4a09a526609b76c5e257b2b85d4f6842a46abb9

SHA256
f07ccd7d9e59d52d582d5167d3ca271484456d896cd7e4375b8a92226a0622f6

SHA512
63521819fb5e0203fd8ba19265b9cfa677fb5aaa60c14928c89e351a75bb5bc52a528c6019ce71083e1e1dcb4ff96523bbb65c7911d22f88f0cd61748ac0db86

Download Submit
C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe

Filesize
168KB

MD5
87535ecaf07ee4fcb370fe16f8547111

SHA1
4e498d8f82df132a38aaba3c2ee1cbc148f2b4d6

SHA256
4491d1a0efa0e37dddc3cb866fd529ef6074b10d513861b9f1214e50d9b36145

SHA512
59204d0e299a424c843e4b2ee8a749ce6f0fc2dc31094cbdc26b9ffdf4361ffbff1a7ab1cde7523887aef563a1a0471bd8080eb76e158cf0398b74d148c849bf

Download Submit
C:\Windows\{7201251E-0433-4208-8170-E7EEFBB6B642}.exe

Filesize
168KB

MD5
87535ecaf07ee4fcb370fe16f8547111

SHA1
4e498d8f82df132a38aaba3c2ee1cbc148f2b4d6

SHA256
4491d1a0efa0e37dddc3cb866fd529ef6074b10d513861b9f1214e50d9b36145

SHA512
59204d0e299a424c843e4b2ee8a749ce6f0fc2dc31094cbdc26b9ffdf4361ffbff1a7ab1cde7523887aef563a1a0471bd8080eb76e158cf0398b74d148c849bf

Download Submit
C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe

Filesize
168KB

MD5
95f84b32560cf3ddde1b2bed19e3bcaf

SHA1
9f0a6c1d2b189d8afb81e3419b888488748b5dab

SHA256
4e1c4d46cba4f1295f36b6c0851eba71c7c68044a4ea24d92212894f288a8971

SHA512
641bc82609a3b507e14870618abda1ad11d2b3b6c694aea58d96d07d6b5742bff33c0bef0a6de87bd4bda5c5e568b554a725dacbbad676a966a89fec6635f485

Download Submit
C:\Windows\{8CFD6184-8C55-4b31-AFF1-8C72FC93F42B}.exe

Filesize
168KB

MD5
95f84b32560cf3ddde1b2bed19e3bcaf

SHA1
9f0a6c1d2b189d8afb81e3419b888488748b5dab

SHA256
4e1c4d46cba4f1295f36b6c0851eba71c7c68044a4ea24d92212894f288a8971

SHA512
641bc82609a3b507e14870618abda1ad11d2b3b6c694aea58d96d07d6b5742bff33c0bef0a6de87bd4bda5c5e568b554a725dacbbad676a966a89fec6635f485

Download Submit
C:\Windows\{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe

Filesize
168KB

MD5
d9f032f8ad705852e961135a086b22d9

SHA1
28da883af6dae0dea93edc70feabad9c9b3c13e6

SHA256
b43388f79951e6e935e56544a1557b462e14a440c542bda8ff723609bc2af90f

SHA512
81fbae2677d669ee448d23d80acd467632ef070f77e2607d63c8c890db7b029925055af59836e9c8f83301aad7e9be605586b2ea8422fb22bea36090ee02a7e3

Download Submit
C:\Windows\{9AB98D98-09B8-4059-9163-565FCF2E0C35}.exe

Filesize
168KB

MD5
d9f032f8ad705852e961135a086b22d9

SHA1
28da883af6dae0dea93edc70feabad9c9b3c13e6

SHA256
b43388f79951e6e935e56544a1557b462e14a440c542bda8ff723609bc2af90f

SHA512
81fbae2677d669ee448d23d80acd467632ef070f77e2607d63c8c890db7b029925055af59836e9c8f83301aad7e9be605586b2ea8422fb22bea36090ee02a7e3

Download Submit
C:\Windows\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe

Filesize
168KB

MD5
04100bd11773cbd882c25b51eb7d212c

SHA1
55a8cabc6584b469bd7a2fd49570b0547cf7952e

SHA256
58f25c25bb3ea93ed0be309fae11728fbc7ff51cbd6b9e89e300c61ee78c5c4c

SHA512
ff68fcbac2a07e75be01a7c63526b951607d47306b96c1daa7f4935990f5b6c089438b48ef711bf7affc7fe445df87223055846b115773d59e7c035c321f9cf7

Download Submit
C:\Windows\{A3A63027-6415-4cfa-ACB4-9676AB8883BF}.exe

Filesize
168KB

MD5
04100bd11773cbd882c25b51eb7d212c

SHA1
55a8cabc6584b469bd7a2fd49570b0547cf7952e

SHA256
58f25c25bb3ea93ed0be309fae11728fbc7ff51cbd6b9e89e300c61ee78c5c4c

SHA512
ff68fcbac2a07e75be01a7c63526b951607d47306b96c1daa7f4935990f5b6c089438b48ef711bf7affc7fe445df87223055846b115773d59e7c035c321f9cf7

Download Submit
C:\Windows\{A754F180-6D61-421b-B70A-2461AABC2210}.exe

Filesize
168KB

MD5
f78571462a47ad94626d514ade4021ba

SHA1
9c8d74b4fe221367e9aade4bba6965fe3c04b1fd

SHA256
0aeb8b437efb7e4ae1710fa88225b393742f9b0f539d51da9e6f562d93765d31

SHA512
9f4948e8912dcd783e35d0aa3b55372b15f1a7504612170948cbf6a79f83af7f40b72dc99e674be9e30bcfc402ca4246422a7a9f9e48a4ebfc37894c79d25343

Download Submit
C:\Windows\{A754F180-6D61-421b-B70A-2461AABC2210}.exe

Filesize
168KB

MD5
f78571462a47ad94626d514ade4021ba

SHA1
9c8d74b4fe221367e9aade4bba6965fe3c04b1fd

SHA256
0aeb8b437efb7e4ae1710fa88225b393742f9b0f539d51da9e6f562d93765d31

SHA512
9f4948e8912dcd783e35d0aa3b55372b15f1a7504612170948cbf6a79f83af7f40b72dc99e674be9e30bcfc402ca4246422a7a9f9e48a4ebfc37894c79d25343

Download Submit
C:\Windows\{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe

Filesize
168KB

MD5
76e74d29b64ce0982dc849f8a987f863

SHA1
e063907aea64744299bc8313b8b9698ae704018e

SHA256
c3aeeaea8548fcc1b5bf4e1d8d85c3a27e638b71ca97d6297716c6e54432475e

SHA512
89377f01af0175b03397e14f980db24c9069ee8f94c49ba312a26d0b5a957471fa1ba74aa51513449c72f060063f050ac194a4062853895308e9155318d6dee1

Download Submit
C:\Windows\{CA57D28B-3B1E-4297-84BA-684773F12E77}.exe

Filesize
168KB

MD5
76e74d29b64ce0982dc849f8a987f863

SHA1
e063907aea64744299bc8313b8b9698ae704018e

SHA256
c3aeeaea8548fcc1b5bf4e1d8d85c3a27e638b71ca97d6297716c6e54432475e

SHA512
89377f01af0175b03397e14f980db24c9069ee8f94c49ba312a26d0b5a957471fa1ba74aa51513449c72f060063f050ac194a4062853895308e9155318d6dee1

Download Submit
C:\Windows\{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe

Filesize
168KB

MD5
c952340bc37198acfd8e497e2afe678f

SHA1
467c46c8c6d53b40ef2016776bcc6b0d2a667f43

SHA256
c5721bb151a0fc9511f1e4947510c50b787ec871282014de45857ea5aab55da7

SHA512
ac75fe6ef57ab9c11e182446061336b5d274a908f96852ab13bfa5efe3464f7e538c5dab22eb00a5c77f5a087cb92efadb0f276c8d68396a66537f1931d17ccd

Download Submit
C:\Windows\{D7057BAF-D27E-4970-9A89-10829019F1F9}.exe

Filesize
168KB

MD5
c952340bc37198acfd8e497e2afe678f

SHA1
467c46c8c6d53b40ef2016776bcc6b0d2a667f43

SHA256
c5721bb151a0fc9511f1e4947510c50b787ec871282014de45857ea5aab55da7

SHA512
ac75fe6ef57ab9c11e182446061336b5d274a908f96852ab13bfa5efe3464f7e538c5dab22eb00a5c77f5a087cb92efadb0f276c8d68396a66537f1931d17ccd

Download Submit