2fadaa4596ebbc92ea37b065e14fb4da546d688ff75fbd246cbe0c05aebc3ac5

Analysis

max time kernel
150s
max time network
35s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f584105c6ef8exeexeexeex.exe
Size

168KB
MD5

58f584105c6ef8e5e3fac1c1294065c3
SHA1

ee30f3840f962930be33cdee4ea79bde44295a06
SHA256

2fadaa4596ebbc92ea37b065e14fb4da546d688ff75fbd246cbe0c05aebc3ac5
SHA512

b916cbc780fc39e6199223fc59d8d7d6829376fdc50d2b0a0d4e9a0d94afb9cce98396fac81af42f03b48c9e33e702d561ab9e156f7fb406e60f615adcb5ae90
SSDEEP

1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28D4494E-366F-4930-8849-91E56570BC92}\stubpath = "C:\\Windows\\{28D4494E-366F-4930-8849-91E56570BC92}.exe"	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F48F1-6961-4e52-830B-D7852711A374}	{28D4494E-366F-4930-8849-91E56570BC92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5A24582-9371-4aa5-ABC0-338424EC2B03}\stubpath = "C:\\Windows\\{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe"	{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}	{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}	{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}	58f584105c6ef8exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71580A83-B59D-4db3-92D5-9F953980C283}	{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}\stubpath = "C:\\Windows\\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe"	{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}\stubpath = "C:\\Windows\\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe"	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}	{397F48F1-6961-4e52-830B-D7852711A374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}\stubpath = "C:\\Windows\\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}.exe"	{71580A83-B59D-4db3-92D5-9F953980C283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}\stubpath = "C:\\Windows\\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe"	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}\stubpath = "C:\\Windows\\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe"	{397F48F1-6961-4e52-830B-D7852711A374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71580A83-B59D-4db3-92D5-9F953980C283}\stubpath = "C:\\Windows\\{71580A83-B59D-4db3-92D5-9F953980C283}.exe"	{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F252F2-AB96-4ea3-BBBE-858153490824}\stubpath = "C:\\Windows\\{02F252F2-AB96-4ea3-BBBE-858153490824}.exe"	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}\stubpath = "C:\\Windows\\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe"	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F252F2-AB96-4ea3-BBBE-858153490824}	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28D4494E-366F-4930-8849-91E56570BC92}	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F48F1-6961-4e52-830B-D7852711A374}\stubpath = "C:\\Windows\\{397F48F1-6961-4e52-830B-D7852711A374}.exe"	{28D4494E-366F-4930-8849-91E56570BC92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5A24582-9371-4aa5-ABC0-338424EC2B03}	{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}\stubpath = "C:\\Windows\\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe"	{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}	{71580A83-B59D-4db3-92D5-9F953980C283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}\stubpath = "C:\\Windows\\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe"	58f584105c6ef8exeexeexeex.exe

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe
2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe
948	{397F48F1-6961-4e52-830B-D7852711A374}.exe
2840	{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
2280	{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
1496	{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
2608	{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
2540	{71580A83-B59D-4db3-92D5-9F953980C283}.exe
2512	{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe	{397F48F1-6961-4e52-830B-D7852711A374}.exe
File created	C:\Windows\{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe	{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
File created	C:\Windows\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe	{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
File created	C:\Windows\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe	{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
File created	C:\Windows\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	58f584105c6ef8exeexeexeex.exe
File created	C:\Windows\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
File created	C:\Windows\{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
File created	C:\Windows\{397F48F1-6961-4e52-830B-D7852711A374}.exe	{28D4494E-366F-4930-8849-91E56570BC92}.exe
File created	C:\Windows\{71580A83-B59D-4db3-92D5-9F953980C283}.exe	{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
File created	C:\Windows\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}.exe	{71580A83-B59D-4db3-92D5-9F953980C283}.exe
File created	C:\Windows\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
File created	C:\Windows\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
File created	C:\Windows\{28D4494E-366F-4930-8849-91E56570BC92}.exe	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3020	58f584105c6ef8exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
Token: SeIncBasePriorityPrivilege	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
Token: SeIncBasePriorityPrivilege	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
Token: SeIncBasePriorityPrivilege	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
Token: SeIncBasePriorityPrivilege	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe
Token: SeIncBasePriorityPrivilege	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe
Token: SeIncBasePriorityPrivilege	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe
Token: SeIncBasePriorityPrivilege	2840	{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
Token: SeIncBasePriorityPrivilege	2280	{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
Token: SeIncBasePriorityPrivilege	1496	{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
Token: SeIncBasePriorityPrivilege	2608	{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
Token: SeIncBasePriorityPrivilege	2540	{71580A83-B59D-4db3-92D5-9F953980C283}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2004	3020	58f584105c6ef8exeexeexeex.exe	27
PID 3020 wrote to memory of 2004	3020	58f584105c6ef8exeexeexeex.exe	27
PID 3020 wrote to memory of 2004	3020	58f584105c6ef8exeexeexeex.exe	27
PID 3020 wrote to memory of 2004	3020	58f584105c6ef8exeexeexeex.exe	27
PID 3020 wrote to memory of 2092	3020	58f584105c6ef8exeexeexeex.exe	28
PID 3020 wrote to memory of 2092	3020	58f584105c6ef8exeexeexeex.exe	28
PID 3020 wrote to memory of 2092	3020	58f584105c6ef8exeexeexeex.exe	28
PID 3020 wrote to memory of 2092	3020	58f584105c6ef8exeexeexeex.exe	28
PID 2004 wrote to memory of 2236	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	29
PID 2004 wrote to memory of 2236	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	29
PID 2004 wrote to memory of 2236	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	29
PID 2004 wrote to memory of 2236	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	29
PID 2004 wrote to memory of 3036	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	30
PID 2004 wrote to memory of 3036	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	30
PID 2004 wrote to memory of 3036	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	30
PID 2004 wrote to memory of 3036	2004	{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe	30
PID 2236 wrote to memory of 568	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	31
PID 2236 wrote to memory of 568	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	31
PID 2236 wrote to memory of 568	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	31
PID 2236 wrote to memory of 568	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	31
PID 2236 wrote to memory of 1696	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	32
PID 2236 wrote to memory of 1696	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	32
PID 2236 wrote to memory of 1696	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	32
PID 2236 wrote to memory of 1696	2236	{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe	32
PID 568 wrote to memory of 1452	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	33
PID 568 wrote to memory of 1452	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	33
PID 568 wrote to memory of 1452	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	33
PID 568 wrote to memory of 1452	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	33
PID 568 wrote to memory of 1128	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	34
PID 568 wrote to memory of 1128	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	34
PID 568 wrote to memory of 1128	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	34
PID 568 wrote to memory of 1128	568	{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe	34
PID 1452 wrote to memory of 2296	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	35
PID 1452 wrote to memory of 2296	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	35
PID 1452 wrote to memory of 2296	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	35
PID 1452 wrote to memory of 2296	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	35
PID 1452 wrote to memory of 964	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	36
PID 1452 wrote to memory of 964	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	36
PID 1452 wrote to memory of 964	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	36
PID 1452 wrote to memory of 964	1452	{02F252F2-AB96-4ea3-BBBE-858153490824}.exe	36
PID 2296 wrote to memory of 2348	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	38
PID 2296 wrote to memory of 2348	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	38
PID 2296 wrote to memory of 2348	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	38
PID 2296 wrote to memory of 2348	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	38
PID 2296 wrote to memory of 3032	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	37
PID 2296 wrote to memory of 3032	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	37
PID 2296 wrote to memory of 3032	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	37
PID 2296 wrote to memory of 3032	2296	{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe	37
PID 2348 wrote to memory of 948	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	39
PID 2348 wrote to memory of 948	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	39
PID 2348 wrote to memory of 948	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	39
PID 2348 wrote to memory of 948	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	39
PID 2348 wrote to memory of 892	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	40
PID 2348 wrote to memory of 892	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	40
PID 2348 wrote to memory of 892	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	40
PID 2348 wrote to memory of 892	2348	{28D4494E-366F-4930-8849-91E56570BC92}.exe	40
PID 948 wrote to memory of 2840	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	41
PID 948 wrote to memory of 2840	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	41
PID 948 wrote to memory of 2840	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	41
PID 948 wrote to memory of 2840	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	41
PID 948 wrote to memory of 2912	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	42
PID 948 wrote to memory of 2912	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	42
PID 948 wrote to memory of 2912	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	42
PID 948 wrote to memory of 2912	948	{397F48F1-6961-4e52-830B-D7852711A374}.exe	42

C:\Users\Admin\AppData\Local\Temp\58f584105c6ef8exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\58f584105c6ef8exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
  C:\Windows\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
    C:\Windows\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
      C:\Windows\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
        
        C:\Windows\{02F252F2-AB96-4ea3-BBBE-858153490824}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe
        
        C:\Windows\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8468~1.EXE > nul
        7⤵
        
        PID:3032
        
        C:\Windows\{28D4494E-366F-4930-8849-91E56570BC92}.exe
        
        C:\Windows\{28D4494E-366F-4930-8849-91E56570BC92}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{397F48F1-6961-4e52-830B-D7852711A374}.exe
        
        C:\Windows\{397F48F1-6961-4e52-830B-D7852711A374}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
        
        C:\Windows\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
        
        C:\Windows\{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5A24~1.EXE > nul
        11⤵
        
        PID:2980
        
        C:\Windows\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
        
        C:\Windows\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{191AF~1.EXE > nul
        12⤵
        
        PID:2632
        
        C:\Windows\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
        
        C:\Windows\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{71580A83-B59D-4db3-92D5-9F953980C283}.exe
        
        C:\Windows\{71580A83-B59D-4db3-92D5-9F953980C283}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71580~1.EXE > nul
        14⤵
        
        PID:2188
        
        C:\Windows\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}.exe
        
        C:\Windows\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}.exe
        14⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D846~1.EXE > nul
        13⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C9A~1.EXE > nul
        10⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{397F4~1.EXE > nul
        9⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28D44~1.EXE > nul
        8⤵
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02F25~1.EXE > nul
        6⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AE4~1.EXE > nul
        5⤵
        
        PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04043~1.EXE > nul
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7035~1.EXE > nul
    3⤵
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58F584~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02F252F2-AB96-4ea3-BBBE-858153490824}.exe

Filesize
168KB

MD5
cdeb5fa85e7fcec13893461c3562e303

SHA1
56f67a20ce39cf47fcfe5105954f5500370922be

SHA256
ca5187b781c2d01de40734579923d5c97e0d1f59c8ecd0346e556efa5f99eaeb

SHA512
f4c7c7e6b8073d53834f5e721309f3d1ffbbb86559aa938033571df8cc2cead14a3bf0a2420d8c0551264ef3c267ebc1984d89e5e019614975e28a60a02d7551

Download Submit
C:\Windows\{02F252F2-AB96-4ea3-BBBE-858153490824}.exe

Filesize
168KB

MD5
cdeb5fa85e7fcec13893461c3562e303

SHA1
56f67a20ce39cf47fcfe5105954f5500370922be

SHA256
ca5187b781c2d01de40734579923d5c97e0d1f59c8ecd0346e556efa5f99eaeb

SHA512
f4c7c7e6b8073d53834f5e721309f3d1ffbbb86559aa938033571df8cc2cead14a3bf0a2420d8c0551264ef3c267ebc1984d89e5e019614975e28a60a02d7551

Download Submit
C:\Windows\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe

Filesize
168KB

MD5
01b86eeebfe6531e6c7a569d0c004ba9

SHA1
b897029c5212b155a0bb75df49c51ad9abdbd10e

SHA256
62a14e0e9a192b2ea6eaf87644ac0e5730da2bd5111a00f599da38ab829bb3e4

SHA512
f0c84967d6b2206e9fd959fceea653ba60e6ad1985531db458fa303a30771a7e0d58d9e0351f590ed9c7d3692a1dd771fa9c80884a7ad0ecfd210e18834eaafa

Download Submit
C:\Windows\{040437C4-C031-44b6-A7DB-AB8FDC96AB0C}.exe

Filesize
168KB

MD5
01b86eeebfe6531e6c7a569d0c004ba9

SHA1
b897029c5212b155a0bb75df49c51ad9abdbd10e

SHA256
62a14e0e9a192b2ea6eaf87644ac0e5730da2bd5111a00f599da38ab829bb3e4

SHA512
f0c84967d6b2206e9fd959fceea653ba60e6ad1985531db458fa303a30771a7e0d58d9e0351f590ed9c7d3692a1dd771fa9c80884a7ad0ecfd210e18834eaafa

Download Submit
C:\Windows\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe

Filesize
168KB

MD5
1e6b23bfc2f6d5606b7bdd8f81b16dc0

SHA1
c2d71e7f90b3b21dc29e3ad20a164726bec8ca47

SHA256
07d5d9ae40503e03bed1b652b37140d3f3d5ecef4f26d3b988e45c35a5c8d854

SHA512
dbb7f294271ece854a047503a01b7ea5aee37dd325e111a804c0d9bb45bcc8a3b7ab01bc7222294989b3693beac9d65dadf794d8cdf2416da60621626adaed43

Download Submit
C:\Windows\{191AF83F-1969-4ba7-BE7C-5BA9D47A1F50}.exe

Filesize
168KB

MD5
1e6b23bfc2f6d5606b7bdd8f81b16dc0

SHA1
c2d71e7f90b3b21dc29e3ad20a164726bec8ca47

SHA256
07d5d9ae40503e03bed1b652b37140d3f3d5ecef4f26d3b988e45c35a5c8d854

SHA512
dbb7f294271ece854a047503a01b7ea5aee37dd325e111a804c0d9bb45bcc8a3b7ab01bc7222294989b3693beac9d65dadf794d8cdf2416da60621626adaed43

Download Submit
C:\Windows\{28D4494E-366F-4930-8849-91E56570BC92}.exe

Filesize
168KB

MD5
5bb455f6d758d022f3815e074db81fd5

SHA1
5364d5b070a2d9d62783a691177f104a31e78d2b

SHA256
04ccdea867b3e22fccc5045936ce7d9c3dc198362e3201cf95acf7e95aeb76d0

SHA512
557f43c4d66aad3d896606c34d860d79383609bc65fc832c6888d63412802e3d011a71cd58249f64c20916aa033d2708b37ffc2966852d231ed7269e32ea508b

Download Submit
C:\Windows\{28D4494E-366F-4930-8849-91E56570BC92}.exe

Filesize
168KB

MD5
5bb455f6d758d022f3815e074db81fd5

SHA1
5364d5b070a2d9d62783a691177f104a31e78d2b

SHA256
04ccdea867b3e22fccc5045936ce7d9c3dc198362e3201cf95acf7e95aeb76d0

SHA512
557f43c4d66aad3d896606c34d860d79383609bc65fc832c6888d63412802e3d011a71cd58249f64c20916aa033d2708b37ffc2966852d231ed7269e32ea508b

Download Submit
C:\Windows\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe

Filesize
168KB

MD5
7809dc760e334a7bc1b3a992614d61f6

SHA1
6479ec83902271e15a7040ad67b68184ff40bf9a

SHA256
d3f1f89625efc894ed56cd743d38a904f3bc3918782fadc09a834d219ce160d4

SHA512
561113aa9d3e211f9ace66d004dbd84e7926671672dabba740bfb26540eb34c9c21243efa2ef7817f4164fe96a781de0f9c4297ce51b6cff37b1a6235298b135

Download Submit
C:\Windows\{2D846E99-6C9B-4c8b-A8FD-18F55D294698}.exe

Filesize
168KB

MD5
7809dc760e334a7bc1b3a992614d61f6

SHA1
6479ec83902271e15a7040ad67b68184ff40bf9a

SHA256
d3f1f89625efc894ed56cd743d38a904f3bc3918782fadc09a834d219ce160d4

SHA512
561113aa9d3e211f9ace66d004dbd84e7926671672dabba740bfb26540eb34c9c21243efa2ef7817f4164fe96a781de0f9c4297ce51b6cff37b1a6235298b135

Download Submit
C:\Windows\{2EBCD3B4-ECBA-4e6b-A57E-3E256C4407CC}.exe

Filesize
168KB

MD5
cc9fd89af3ef5013c639e3a449e52360

SHA1
243a66ad1b9a3fe6eb5ad7c78bd1aa2e6bd803db

SHA256
36ab8fc43d7b1b114fd162f1cac8173c70afa904cf5fbaced58edd1cf49ba7df

SHA512
28b1616765649f1581dbb5fd7c0ce15a3575a88064e3f6c1040fc5933012c063e19bb335c1a59bc325c0e2b782ca09c7a8a6a955d695c90772ac8a96df7edf67

Download Submit
C:\Windows\{397F48F1-6961-4e52-830B-D7852711A374}.exe

Filesize
168KB

MD5
f26d35aa6cd659b142e5f2390827be75

SHA1
64ac7faa3504019b83c0dd3a939130260a5583ea

SHA256
c672de2ceadcffad5e363f117a7a7e6dc9ca31ee10b288b9eccc51b6c62c3923

SHA512
cd7b140a38ce0f8515e891447cd02e992c86225874a5d9034e3db13694cfbcd05a0e5cc39d14f0d93a86011888b9ff988080a5355f975a4d67bbb45bb019ce7b

Download Submit
C:\Windows\{397F48F1-6961-4e52-830B-D7852711A374}.exe

Filesize
168KB

MD5
f26d35aa6cd659b142e5f2390827be75

SHA1
64ac7faa3504019b83c0dd3a939130260a5583ea

SHA256
c672de2ceadcffad5e363f117a7a7e6dc9ca31ee10b288b9eccc51b6c62c3923

SHA512
cd7b140a38ce0f8515e891447cd02e992c86225874a5d9034e3db13694cfbcd05a0e5cc39d14f0d93a86011888b9ff988080a5355f975a4d67bbb45bb019ce7b

Download Submit
C:\Windows\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe

Filesize
168KB

MD5
8942916939729638dc0bf50f4568d213

SHA1
a50193e892a150ac03c4a3793b3d594c82f06564

SHA256
76a3c80b6dcde450666c9407be26f84292cd991a6783ef60d33f03eb36dd7ef7

SHA512
1c134d19ea5b465a2f304ae0dcde8e522ce9cf6e79a1dce3c17c2a922fffbaf10ebc9284c2041402caf1e96b307b67512a5a83136f8709f01596efdc3461cc44

Download Submit
C:\Windows\{64C9A6FA-1186-44fc-BC73-413C8CB3DDAB}.exe

Filesize
168KB

MD5
8942916939729638dc0bf50f4568d213

SHA1
a50193e892a150ac03c4a3793b3d594c82f06564

SHA256
76a3c80b6dcde450666c9407be26f84292cd991a6783ef60d33f03eb36dd7ef7

SHA512
1c134d19ea5b465a2f304ae0dcde8e522ce9cf6e79a1dce3c17c2a922fffbaf10ebc9284c2041402caf1e96b307b67512a5a83136f8709f01596efdc3461cc44

Download Submit
C:\Windows\{71580A83-B59D-4db3-92D5-9F953980C283}.exe

Filesize
168KB

MD5
2fade83138e3577ffb30a55bb0b85d50

SHA1
d2f390cf1572ec04bae9fcc98748b07bc8e97077

SHA256
6c5014c4c591f4538bd12d657e1298dab47fea3d650b3cd801adba0e4576bf39

SHA512
467bd7387eb81d1af6443909cb8618445ef76985861169d37c7ab08c1d8b1ebdd4088ac204e12042a05b898a231f7a4145ccb21cf274b4f31e8b21668f9efaa6

Download Submit
C:\Windows\{71580A83-B59D-4db3-92D5-9F953980C283}.exe

Filesize
168KB

MD5
2fade83138e3577ffb30a55bb0b85d50

SHA1
d2f390cf1572ec04bae9fcc98748b07bc8e97077

SHA256
6c5014c4c591f4538bd12d657e1298dab47fea3d650b3cd801adba0e4576bf39

SHA512
467bd7387eb81d1af6443909cb8618445ef76985861169d37c7ab08c1d8b1ebdd4088ac204e12042a05b898a231f7a4145ccb21cf274b4f31e8b21668f9efaa6

Download Submit
C:\Windows\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe

Filesize
168KB

MD5
278da04d803dbc5771ef07d4fa13e472

SHA1
45bd5bb3af6bc7878d18a93aae020933408990e6

SHA256
36327b19bde10bb7ff01440a9146e54b2559ae9fbda1c0fc4758e586edd5f1f5

SHA512
b971d9094f48826117e98cdc469b1ccd124fb8cd67b7ac4e8e68efd68f20dc248cdd042c90cce823c89640724afc975a1eb09b9723bed6e5bad20a9dca1c7b67

Download Submit
C:\Windows\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe

Filesize
168KB

MD5
278da04d803dbc5771ef07d4fa13e472

SHA1
45bd5bb3af6bc7878d18a93aae020933408990e6

SHA256
36327b19bde10bb7ff01440a9146e54b2559ae9fbda1c0fc4758e586edd5f1f5

SHA512
b971d9094f48826117e98cdc469b1ccd124fb8cd67b7ac4e8e68efd68f20dc248cdd042c90cce823c89640724afc975a1eb09b9723bed6e5bad20a9dca1c7b67

Download Submit
C:\Windows\{A7035270-3552-4b39-8FB7-E4C1BDEF4BCB}.exe

Filesize
168KB

MD5
278da04d803dbc5771ef07d4fa13e472

SHA1
45bd5bb3af6bc7878d18a93aae020933408990e6

SHA256
36327b19bde10bb7ff01440a9146e54b2559ae9fbda1c0fc4758e586edd5f1f5

SHA512
b971d9094f48826117e98cdc469b1ccd124fb8cd67b7ac4e8e68efd68f20dc248cdd042c90cce823c89640724afc975a1eb09b9723bed6e5bad20a9dca1c7b67

Download Submit
C:\Windows\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe

Filesize
168KB

MD5
ff5fa58597fe846f928abd2a410756f8

SHA1
9ab4b099efc930ff3f08e0671f213b128ca3e738

SHA256
655952877ae31a87eb704d39b99a8a6fb65d62cdea4fa4db0ad0f8fcc2dbe730

SHA512
4846abc2b97936c21028eae392b54dbd82827d72478e9e11595aef9f744739bd1ab54ab7f229d4175cd09d95e04012545191760fbdffb48c885b008d56ae2473

Download Submit
C:\Windows\{A8AE4BA6-CB91-48cc-8F5D-93B35345C9A9}.exe

Filesize
168KB

MD5
ff5fa58597fe846f928abd2a410756f8

SHA1
9ab4b099efc930ff3f08e0671f213b128ca3e738

SHA256
655952877ae31a87eb704d39b99a8a6fb65d62cdea4fa4db0ad0f8fcc2dbe730

SHA512
4846abc2b97936c21028eae392b54dbd82827d72478e9e11595aef9f744739bd1ab54ab7f229d4175cd09d95e04012545191760fbdffb48c885b008d56ae2473

Download Submit
C:\Windows\{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe

Filesize
168KB

MD5
087bf578e0ee21ec1ead48ab20c758f1

SHA1
125fe6402b148d1049e5db7e268a53a21197b7f8

SHA256
95d17cf907af45b9b64e682b55687288451b082901888e3fe95d99972076f2fb

SHA512
5dc0a876a66ca524d1cff9e005346a3093eca3e8652d4e9add507f61fb8d613275140950ed343bb8f0c9c5bf8f1ee69a384e694b4d10992addae59477ff8c2d2

Download Submit
C:\Windows\{B5A24582-9371-4aa5-ABC0-338424EC2B03}.exe

Filesize
168KB

MD5
087bf578e0ee21ec1ead48ab20c758f1

SHA1
125fe6402b148d1049e5db7e268a53a21197b7f8

SHA256
95d17cf907af45b9b64e682b55687288451b082901888e3fe95d99972076f2fb

SHA512
5dc0a876a66ca524d1cff9e005346a3093eca3e8652d4e9add507f61fb8d613275140950ed343bb8f0c9c5bf8f1ee69a384e694b4d10992addae59477ff8c2d2

Download Submit
C:\Windows\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe

Filesize
168KB

MD5
4df811a30a7b12896372006e45b0ede1

SHA1
b6ccc14b3c088b573dcf010ee3015f418a9bd286

SHA256
bf23f2812bd97a41c758c88e8c7b4dbfc200f56d0a45161d1956c9cc99d977bf

SHA512
4c694e6f193222b252fd289b4159d1e93897f72c74720b8e2d09c5fa8280f3d2b0062a15204df20ef20b42d226b5367a78a1bbbdbf71289adb0a0021ebbf7588

Download Submit
C:\Windows\{E8468BB8-F337-4d5d-A4A1-F53FB4B8EB1E}.exe

Filesize
168KB

MD5
4df811a30a7b12896372006e45b0ede1

SHA1
b6ccc14b3c088b573dcf010ee3015f418a9bd286

SHA256
bf23f2812bd97a41c758c88e8c7b4dbfc200f56d0a45161d1956c9cc99d977bf

SHA512
4c694e6f193222b252fd289b4159d1e93897f72c74720b8e2d09c5fa8280f3d2b0062a15204df20ef20b42d226b5367a78a1bbbdbf71289adb0a0021ebbf7588

Download Submit