5d2bb704b990afb5bb9113d40a556ac9a8e064eee7c7c847711a5cbca26485fa

Analysis

max time kernel
148s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3747ed29810f54exeexeexeex.exe
Size

372KB
MD5

3747ed29810f549253d26e99517d7a04
SHA1

b5f9e48763ace7f037865a08b098416ba8c12f4a
SHA256

5d2bb704b990afb5bb9113d40a556ac9a8e064eee7c7c847711a5cbca26485fa
SHA512

083554135e60656b973c931f86dde8004afa540fe63128e108aec715aa41c1b2798b74c4ea9a885ee94ff6b79c2c968327a19a1fabc1bb15ec8e20e0288c7061
SSDEEP

3072:CEGh0o6mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGtl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}\stubpath = "C:\\Windows\\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe"	{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}\stubpath = "C:\\Windows\\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe"	{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}\stubpath = "C:\\Windows\\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe"	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}\stubpath = "C:\\Windows\\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe"	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}	{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}	{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}	{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}\stubpath = "C:\\Windows\\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe"	{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}\stubpath = "C:\\Windows\\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe"	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE83E9B0-A6F9-4358-B166-F475B5428885}\stubpath = "C:\\Windows\\{AE83E9B0-A6F9-4358-B166-F475B5428885}.exe"	{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE83E9B0-A6F9-4358-B166-F475B5428885}	{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}\stubpath = "C:\\Windows\\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe"	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}\stubpath = "C:\\Windows\\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe"	{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}	{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F545DED9-E784-4497-B02C-A63B710CF05A}\stubpath = "C:\\Windows\\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe"	3747ed29810f54exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{015248B5-E945-4d67-9F7C-41667B5858E3}	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{015248B5-E945-4d67-9F7C-41667B5858E3}\stubpath = "C:\\Windows\\{015248B5-E945-4d67-9F7C-41667B5858E3}.exe"	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}\stubpath = "C:\\Windows\\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe"	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}\stubpath = "C:\\Windows\\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe"	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F545DED9-E784-4497-B02C-A63B710CF05A}	3747ed29810f54exeexeexeex.exe

Deletes itself 1 IoCs

pid	Process
884	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
548	{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
2620	{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
2820	{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
3020	{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
2796	{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe
2648	{AE83E9B0-A6F9-4358-B166-F475B5428885}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
File created	C:\Windows\{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
File created	C:\Windows\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
File created	C:\Windows\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
File created	C:\Windows\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
File created	C:\Windows\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
File created	C:\Windows\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe	{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
File created	C:\Windows\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe	{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
File created	C:\Windows\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	3747ed29810f54exeexeexeex.exe
File created	C:\Windows\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
File created	C:\Windows\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe	{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
File created	C:\Windows\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe	{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
File created	C:\Windows\{AE83E9B0-A6F9-4358-B166-F475B5428885}.exe	{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1184	3747ed29810f54exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
Token: SeIncBasePriorityPrivilege	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
Token: SeIncBasePriorityPrivilege	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
Token: SeIncBasePriorityPrivilege	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
Token: SeIncBasePriorityPrivilege	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
Token: SeIncBasePriorityPrivilege	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
Token: SeIncBasePriorityPrivilege	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
Token: SeIncBasePriorityPrivilege	548	{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
Token: SeIncBasePriorityPrivilege	2620	{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
Token: SeIncBasePriorityPrivilege	2820	{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
Token: SeIncBasePriorityPrivilege	3020	{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
Token: SeIncBasePriorityPrivilege	2796	{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2892	1184	3747ed29810f54exeexeexeex.exe	29
PID 1184 wrote to memory of 2892	1184	3747ed29810f54exeexeexeex.exe	29
PID 1184 wrote to memory of 2892	1184	3747ed29810f54exeexeexeex.exe	29
PID 1184 wrote to memory of 2892	1184	3747ed29810f54exeexeexeex.exe	29
PID 1184 wrote to memory of 884	1184	3747ed29810f54exeexeexeex.exe	30
PID 1184 wrote to memory of 884	1184	3747ed29810f54exeexeexeex.exe	30
PID 1184 wrote to memory of 884	1184	3747ed29810f54exeexeexeex.exe	30
PID 1184 wrote to memory of 884	1184	3747ed29810f54exeexeexeex.exe	30
PID 2892 wrote to memory of 1148	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	31
PID 2892 wrote to memory of 1148	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	31
PID 2892 wrote to memory of 1148	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	31
PID 2892 wrote to memory of 1148	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	31
PID 2892 wrote to memory of 1748	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	32
PID 2892 wrote to memory of 1748	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	32
PID 2892 wrote to memory of 1748	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	32
PID 2892 wrote to memory of 1748	2892	{F545DED9-E784-4497-B02C-A63B710CF05A}.exe	32
PID 1148 wrote to memory of 3068	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	33
PID 1148 wrote to memory of 3068	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	33
PID 1148 wrote to memory of 3068	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	33
PID 1148 wrote to memory of 3068	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	33
PID 1148 wrote to memory of 2928	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	34
PID 1148 wrote to memory of 2928	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	34
PID 1148 wrote to memory of 2928	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	34
PID 1148 wrote to memory of 2928	1148	{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe	34
PID 3068 wrote to memory of 2996	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	36
PID 3068 wrote to memory of 2996	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	36
PID 3068 wrote to memory of 2996	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	36
PID 3068 wrote to memory of 2996	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	36
PID 3068 wrote to memory of 2564	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	35
PID 3068 wrote to memory of 2564	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	35
PID 3068 wrote to memory of 2564	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	35
PID 3068 wrote to memory of 2564	3068	{015248B5-E945-4d67-9F7C-41667B5858E3}.exe	35
PID 2996 wrote to memory of 1716	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	38
PID 2996 wrote to memory of 1716	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	38
PID 2996 wrote to memory of 1716	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	38
PID 2996 wrote to memory of 1716	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	38
PID 2996 wrote to memory of 2408	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	37
PID 2996 wrote to memory of 2408	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	37
PID 2996 wrote to memory of 2408	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	37
PID 2996 wrote to memory of 2408	2996	{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe	37
PID 1716 wrote to memory of 2872	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	40
PID 1716 wrote to memory of 2872	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	40
PID 1716 wrote to memory of 2872	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	40
PID 1716 wrote to memory of 2872	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	40
PID 1716 wrote to memory of 588	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	39
PID 1716 wrote to memory of 588	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	39
PID 1716 wrote to memory of 588	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	39
PID 1716 wrote to memory of 588	1716	{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe	39
PID 2872 wrote to memory of 1344	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	41
PID 2872 wrote to memory of 1344	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	41
PID 2872 wrote to memory of 1344	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	41
PID 2872 wrote to memory of 1344	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	41
PID 2872 wrote to memory of 1176	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	42
PID 2872 wrote to memory of 1176	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	42
PID 2872 wrote to memory of 1176	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	42
PID 2872 wrote to memory of 1176	2872	{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe	42
PID 1344 wrote to memory of 548	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	43
PID 1344 wrote to memory of 548	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	43
PID 1344 wrote to memory of 548	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	43
PID 1344 wrote to memory of 548	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	43
PID 1344 wrote to memory of 2124	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	44
PID 1344 wrote to memory of 2124	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	44
PID 1344 wrote to memory of 2124	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	44
PID 1344 wrote to memory of 2124	1344	{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe	44

C:\Users\Admin\AppData\Local\Temp\3747ed29810f54exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3747ed29810f54exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
  C:\Windows\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
    C:\Windows\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
      C:\Windows\{015248B5-E945-4d67-9F7C-41667B5858E3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01524~1.EXE > nul
        5⤵
        
        PID:2564
    - - C:\Windows\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
        
        C:\Windows\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87BBD~1.EXE > nul
        6⤵
        
        PID:2408
      - C:\Windows\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
        
        C:\Windows\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFC42~1.EXE > nul
        7⤵
        
        PID:588
        
        C:\Windows\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
        
        C:\Windows\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
        
        C:\Windows\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
        
        C:\Windows\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
        
        C:\Windows\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3415D~1.EXE > nul
        11⤵
        
        PID:2580
        
        C:\Windows\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
        
        C:\Windows\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7FFC~1.EXE > nul
        12⤵
        
        PID:2636
        
        C:\Windows\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
        
        C:\Windows\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe
        
        C:\Windows\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4829~1.EXE > nul
        14⤵
        
        PID:2824
        
        C:\Windows\{AE83E9B0-A6F9-4358-B166-F475B5428885}.exe
        
        C:\Windows\{AE83E9B0-A6F9-4358-B166-F475B5428885}.exe
        14⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B5D3~1.EXE > nul
        13⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EABB~1.EXE > nul
        10⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BBB5~1.EXE > nul
        9⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{522A1~1.EXE > nul
        8⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9A99~1.EXE > nul
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F545D~1.EXE > nul
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3747ED~1.EXE > nul
  2⤵
  - Deletes itself
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{015248B5-E945-4d67-9F7C-41667B5858E3}.exe

Filesize
372KB

MD5
3f97783f9f85304b0bc0375beb3b3681

SHA1
ea2c851883b393ed9c54b6d87b065a6fad06d20d

SHA256
257743c89f292fc58567cab5f925f3e90899f09ce88c72d11e2c1a8f96db1a91

SHA512
f3f7c0f832fd8128cb9b9299831111a901afa7fca6f8e25006eb53bde066fe3e00102277b706e024e024ccb2a93c89935c4b276f2b6ca7baf3c2f042097c05dc

Download Submit
C:\Windows\{015248B5-E945-4d67-9F7C-41667B5858E3}.exe

Filesize
372KB

MD5
3f97783f9f85304b0bc0375beb3b3681

SHA1
ea2c851883b393ed9c54b6d87b065a6fad06d20d

SHA256
257743c89f292fc58567cab5f925f3e90899f09ce88c72d11e2c1a8f96db1a91

SHA512
f3f7c0f832fd8128cb9b9299831111a901afa7fca6f8e25006eb53bde066fe3e00102277b706e024e024ccb2a93c89935c4b276f2b6ca7baf3c2f042097c05dc

Download Submit
C:\Windows\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe

Filesize
372KB

MD5
41e96026858c11c0fe5a00ad13eee533

SHA1
35c75d4d7309540d16067441c8708e72beac6a07

SHA256
452cb4b9723fd7a27acd8b982906c0e03fc4f44c24a131270dd069e5a13f04ef

SHA512
af547e75f98fcc57ae270d42fdebd2445df78bc98ede2e71ced5871f07789a5f9d261d195a1bb7a30ab9d8248c2abcead83ea8e30ccb9d76e7440c8244fa2fb9

Download Submit
C:\Windows\{2B5D3027-7E5D-4540-A00B-044B38AD3A12}.exe

Filesize
372KB

MD5
41e96026858c11c0fe5a00ad13eee533

SHA1
35c75d4d7309540d16067441c8708e72beac6a07

SHA256
452cb4b9723fd7a27acd8b982906c0e03fc4f44c24a131270dd069e5a13f04ef

SHA512
af547e75f98fcc57ae270d42fdebd2445df78bc98ede2e71ced5871f07789a5f9d261d195a1bb7a30ab9d8248c2abcead83ea8e30ccb9d76e7440c8244fa2fb9

Download Submit
C:\Windows\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe

Filesize
372KB

MD5
d8a8eb5bc5d26224e553b6eacd981b12

SHA1
e6e8f2f8cf189a9c9af79e8708ed17b1dd4c7c81

SHA256
3c9b02301a38d1f0247e4e516c64500a9917f1565b40ad8f77f5f80e5c64da39

SHA512
9adb16042a4e4e2ced523726c1bb434b46e3509d34a2a5fe15a1c386ade81c8ba960dc5129b2262752fe5d42a2054df56e48dc3a15d885f6db084a01e79274a1

Download Submit
C:\Windows\{3415D198-B0C2-449c-8EC9-C10B68F6BFDB}.exe

Filesize
372KB

MD5
d8a8eb5bc5d26224e553b6eacd981b12

SHA1
e6e8f2f8cf189a9c9af79e8708ed17b1dd4c7c81

SHA256
3c9b02301a38d1f0247e4e516c64500a9917f1565b40ad8f77f5f80e5c64da39

SHA512
9adb16042a4e4e2ced523726c1bb434b46e3509d34a2a5fe15a1c386ade81c8ba960dc5129b2262752fe5d42a2054df56e48dc3a15d885f6db084a01e79274a1

Download Submit
C:\Windows\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe

Filesize
372KB

MD5
4f473cd4fe8121a0f196907bafbe70a5

SHA1
61186a156707dbe6989a797550202aec3f9f8ef1

SHA256
5abcb8839b6153e9685bbb9d81757b314a4c4f2492809c4d6306bd3c9a6df25b

SHA512
ac8c29ff19911fc0519c422a2a35bb4efd6044c3185279aef710c4a645513a709fa4062e2d43b85e6eaf151effc54a45d8f1a8b062b3d7fc2f10c5ce5924cddc

Download Submit
C:\Windows\{3EABBCF0-91A7-41c7-87FF-742E469B3DAA}.exe

Filesize
372KB

MD5
4f473cd4fe8121a0f196907bafbe70a5

SHA1
61186a156707dbe6989a797550202aec3f9f8ef1

SHA256
5abcb8839b6153e9685bbb9d81757b314a4c4f2492809c4d6306bd3c9a6df25b

SHA512
ac8c29ff19911fc0519c422a2a35bb4efd6044c3185279aef710c4a645513a709fa4062e2d43b85e6eaf151effc54a45d8f1a8b062b3d7fc2f10c5ce5924cddc

Download Submit
C:\Windows\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe

Filesize
372KB

MD5
41661d3fd5e8a14be91ffdb687306245

SHA1
9b80878148623b73b9f03eb147400d4c9b3e90f3

SHA256
5a5ff14ec8cd198d0f8a2460e64c9bbf57638feca155d8e7bd4f8b35caa7c4c7

SHA512
b33ac36e6b7381efc9028f35e5307179570318b4f12d095989b46af63ca90bf362aded7dd51229b1d971aab9816281f01d5eb99b8093a6794c640f08f34001c8

Download Submit
C:\Windows\{522A12A6-A0D6-4cde-B784-EE63FFF5FDD1}.exe

Filesize
372KB

MD5
41661d3fd5e8a14be91ffdb687306245

SHA1
9b80878148623b73b9f03eb147400d4c9b3e90f3

SHA256
5a5ff14ec8cd198d0f8a2460e64c9bbf57638feca155d8e7bd4f8b35caa7c4c7

SHA512
b33ac36e6b7381efc9028f35e5307179570318b4f12d095989b46af63ca90bf362aded7dd51229b1d971aab9816281f01d5eb99b8093a6794c640f08f34001c8

Download Submit
C:\Windows\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe

Filesize
372KB

MD5
0cfcfcc398e9d6aa40d27f931cd54065

SHA1
7307d6781d004e6c08924a8c6fc7c8de41084011

SHA256
8516045cc0de2574bb7e7a0d0378d13cf8ea993d6378233a9c37957a5b395e99

SHA512
cc55983c1ecfc38d7879eda9227237b1d172555f6391d9345e5a0a8c28a2ee8ade859d2bcdff6cbf1369aa121498ee499be45ffa479798149b7ecb3d8fb596cd

Download Submit
C:\Windows\{7BBB5AD6-5446-4260-BE13-C2B6BF02659A}.exe

Filesize
372KB

MD5
0cfcfcc398e9d6aa40d27f931cd54065

SHA1
7307d6781d004e6c08924a8c6fc7c8de41084011

SHA256
8516045cc0de2574bb7e7a0d0378d13cf8ea993d6378233a9c37957a5b395e99

SHA512
cc55983c1ecfc38d7879eda9227237b1d172555f6391d9345e5a0a8c28a2ee8ade859d2bcdff6cbf1369aa121498ee499be45ffa479798149b7ecb3d8fb596cd

Download Submit
C:\Windows\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe

Filesize
372KB

MD5
d10d8152f9fac3e815d47c796686e961

SHA1
e4f926edc107ac2327994b0180d0c6fa930c2564

SHA256
c11f9554044fc7a91e1f94614cb926c38f9d8c0556550699f3143c3121da4e4d

SHA512
83cfe150d1557868184dd8a3f53bcb14f788a890655de70e09cd5524dbad735d9069242673bad4de89ce9b3f752e99134367f5f44a5be3501715886932ad398a

Download Submit
C:\Windows\{87BBD317-7ADA-4074-BFFD-49D0272E96B8}.exe

Filesize
372KB

MD5
d10d8152f9fac3e815d47c796686e961

SHA1
e4f926edc107ac2327994b0180d0c6fa930c2564

SHA256
c11f9554044fc7a91e1f94614cb926c38f9d8c0556550699f3143c3121da4e4d

SHA512
83cfe150d1557868184dd8a3f53bcb14f788a890655de70e09cd5524dbad735d9069242673bad4de89ce9b3f752e99134367f5f44a5be3501715886932ad398a

Download Submit
C:\Windows\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe

Filesize
372KB

MD5
afeeded4b76ad814559a789e05357eb9

SHA1
322a483481407db400bf9fb7512c738e05da34bb

SHA256
b4b13c82a0671ac56dc97e6d3783c895487d3154819625cf3e0c63a96aa20d66

SHA512
1d9cb18551ff71c11d5fc41c3b05573ffd935d64db2c6bb01f1821018470edad71a98dbf605656b771659b7bf94ecc26f90ee89e31418fd2010133c40a4508c2

Download Submit
C:\Windows\{A9A999EB-0A28-4f6b-8D7A-A5EB4D1F8085}.exe

Filesize
372KB

MD5
afeeded4b76ad814559a789e05357eb9

SHA1
322a483481407db400bf9fb7512c738e05da34bb

SHA256
b4b13c82a0671ac56dc97e6d3783c895487d3154819625cf3e0c63a96aa20d66

SHA512
1d9cb18551ff71c11d5fc41c3b05573ffd935d64db2c6bb01f1821018470edad71a98dbf605656b771659b7bf94ecc26f90ee89e31418fd2010133c40a4508c2

Download Submit
C:\Windows\{AE83E9B0-A6F9-4358-B166-F475B5428885}.exe

Filesize
372KB

MD5
07957a1ece2660a5673b8e42ca6d5520

SHA1
897e81fddfd1b347871d836b15985a27eb325377

SHA256
108a19cc15473b0ae7ad046781f78493c3aca4d4b3341c76a2d57bb694db8403

SHA512
ec564ca6e68fefd9d30655577d993373d2b4e4d26c26aa1ce45acdccb4ea3431742ddcd0f310fd23ce491fe7c656267be5e3e5ef9622d060d878752325c35d45

Download Submit
C:\Windows\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe

Filesize
372KB

MD5
a63217a7cd0de4814e3dd0c4a0f26b68

SHA1
60a98fa7f2f70f2da0f3b4dc5d70adda69457d02

SHA256
1ad875cd244490b3a6b3822f6447a79e620dd7be778323ced9fcc011a6b2abfe

SHA512
aea769752b0e3c609f83a6eed3b83f091240a147999b31ae3cd9ec6c4eb0267a826c154874b9876108fce407dec0b59baa9f4cab790577b596b08d5ccbfb8d01

Download Submit
C:\Windows\{BFC4233A-01F9-4ec7-B26F-6FC3E98B0979}.exe

Filesize
372KB

MD5
a63217a7cd0de4814e3dd0c4a0f26b68

SHA1
60a98fa7f2f70f2da0f3b4dc5d70adda69457d02

SHA256
1ad875cd244490b3a6b3822f6447a79e620dd7be778323ced9fcc011a6b2abfe

SHA512
aea769752b0e3c609f83a6eed3b83f091240a147999b31ae3cd9ec6c4eb0267a826c154874b9876108fce407dec0b59baa9f4cab790577b596b08d5ccbfb8d01

Download Submit
C:\Windows\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe

Filesize
372KB

MD5
9d14f907444580ff7e7e420aa141c139

SHA1
0f0c71b8342644138fb7525b176fb3cc4b118582

SHA256
579fd2a23e16c5677643ad7d4d0bf3d10b54d5f32bf4769ef8c27516a4ddc862

SHA512
13cd83d8d829475896c8d1a9dd44e822f928fa83298d1e51e802276e631435ef560775ab128bf73bf21caf95be3634d9bf0c574a02cc0d428d3bc375e7dda1db

Download Submit
C:\Windows\{D4829B94-1941-4c71-8C4C-2BAD5C4B1ADA}.exe

Filesize
372KB

MD5
9d14f907444580ff7e7e420aa141c139

SHA1
0f0c71b8342644138fb7525b176fb3cc4b118582

SHA256
579fd2a23e16c5677643ad7d4d0bf3d10b54d5f32bf4769ef8c27516a4ddc862

SHA512
13cd83d8d829475896c8d1a9dd44e822f928fa83298d1e51e802276e631435ef560775ab128bf73bf21caf95be3634d9bf0c574a02cc0d428d3bc375e7dda1db

Download Submit
C:\Windows\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe

Filesize
372KB

MD5
2d02b88f2cdb419c774b1e7183cbc6c9

SHA1
8baf36ec73a7606edc8011fe95c2df4068c90c96

SHA256
addcf96537b6b71f3dfd9e4188e99ba77525e309f9f0e80eeee79a09fdbc3e4f

SHA512
71b76b4ef23f8743bcb9567643cf55938906775cf25cab75c3266e5198b7cad460f15fd5701a0f026fcb3b51f5ff74435870fb89e1a90b73d9a1d4159c7a55cc

Download Submit
C:\Windows\{E7FFC1C5-D4D7-4d61-93B1-32D2C6CF0C3D}.exe

Filesize
372KB

MD5
2d02b88f2cdb419c774b1e7183cbc6c9

SHA1
8baf36ec73a7606edc8011fe95c2df4068c90c96

SHA256
addcf96537b6b71f3dfd9e4188e99ba77525e309f9f0e80eeee79a09fdbc3e4f

SHA512
71b76b4ef23f8743bcb9567643cf55938906775cf25cab75c3266e5198b7cad460f15fd5701a0f026fcb3b51f5ff74435870fb89e1a90b73d9a1d4159c7a55cc

Download Submit
C:\Windows\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe

Filesize
372KB

MD5
27a18f0ba5bbaf1db6c049cd3daccb5f

SHA1
c9cb09fc1a3bb172aaedc8c89a969eeff3afa497

SHA256
975e0012af03c0b626db0630f7eb4400c271263971c371ce564ab3ae95900e2e

SHA512
40936e4fdd0f7cd9444078cdc5f911fca82807b6677864f218e61b90cb7dc4b80d6be28ff3c2580963091b890778d384e1e7e803bf5635fb83e4298894a60ab9

Download Submit
C:\Windows\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe

Filesize
372KB

MD5
27a18f0ba5bbaf1db6c049cd3daccb5f

SHA1
c9cb09fc1a3bb172aaedc8c89a969eeff3afa497

SHA256
975e0012af03c0b626db0630f7eb4400c271263971c371ce564ab3ae95900e2e

SHA512
40936e4fdd0f7cd9444078cdc5f911fca82807b6677864f218e61b90cb7dc4b80d6be28ff3c2580963091b890778d384e1e7e803bf5635fb83e4298894a60ab9

Download Submit
C:\Windows\{F545DED9-E784-4497-B02C-A63B710CF05A}.exe

Filesize
372KB

MD5
27a18f0ba5bbaf1db6c049cd3daccb5f

SHA1
c9cb09fc1a3bb172aaedc8c89a969eeff3afa497

SHA256
975e0012af03c0b626db0630f7eb4400c271263971c371ce564ab3ae95900e2e

SHA512
40936e4fdd0f7cd9444078cdc5f911fca82807b6677864f218e61b90cb7dc4b80d6be28ff3c2580963091b890778d384e1e7e803bf5635fb83e4298894a60ab9

Download Submit