fef755fa5e250d8cbf7c993e513aac8eed6c86c845182f2eae84ecce02969a4b

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3849260a82017aexeexeexeex.exe
Size

372KB
MD5

3849260a82017a748a164b40d3c6228f
SHA1

686de56a5dd5b3571518c4fa1034b57eab2dcabe
SHA256

fef755fa5e250d8cbf7c993e513aac8eed6c86c845182f2eae84ecce02969a4b
SHA512

ed8af92f8ea65715e956ec8aa8e6f90e5d2d18d1a9cfa1059348a2eb29aa296b6ea3247a2c76bc6483027b598cbe1c168730c763a9b7ae4dee254fe832ee38fb
SSDEEP

3072:CEGh0osmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGHl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}\stubpath = "C:\\Windows\\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe"	{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5375C0C1-426C-4cb1-874C-372C03317FC2}	{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5189A71E-D691-4b30-974B-4101690BE6C6}\stubpath = "C:\\Windows\\{5189A71E-D691-4b30-974B-4101690BE6C6}.exe"	{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D589B528-BA92-45f6-B717-1BD52501DCAE}\stubpath = "C:\\Windows\\{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe"	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}\stubpath = "C:\\Windows\\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe"	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}\stubpath = "C:\\Windows\\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe"	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C67F6451-1F0E-480a-A931-77A49848F2FF}\stubpath = "C:\\Windows\\{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe"	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}	{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}	{5189A71E-D691-4b30-974B-4101690BE6C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5189A71E-D691-4b30-974B-4101690BE6C6}	{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}	3849260a82017aexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28C99959-BF8D-4eee-A580-9AF4E83878C7}\stubpath = "C:\\Windows\\{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe"	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C67F6451-1F0E-480a-A931-77A49848F2FF}	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB440007-5B49-46b3-BFD3-773A1999A80D}	{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}\stubpath = "C:\\Windows\\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe"	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB412B6F-3985-412c-B620-4D8B649D8911}	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5375C0C1-426C-4cb1-874C-372C03317FC2}\stubpath = "C:\\Windows\\{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe"	{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB440007-5B49-46b3-BFD3-773A1999A80D}\stubpath = "C:\\Windows\\{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe"	{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}\stubpath = "C:\\Windows\\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}.exe"	{5189A71E-D691-4b30-974B-4101690BE6C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}\stubpath = "C:\\Windows\\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe"	3849260a82017aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28C99959-BF8D-4eee-A580-9AF4E83878C7}	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D589B528-BA92-45f6-B717-1BD52501DCAE}	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB412B6F-3985-412c-B620-4D8B649D8911}\stubpath = "C:\\Windows\\{CB412B6F-3985-412c-B620-4D8B649D8911}.exe"	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe
2260	{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
2592	{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
2756	{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
2616	{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
2700	{5189A71E-D691-4b30-974B-4101690BE6C6}.exe
2656	{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	3849260a82017aexeexeexeex.exe
File created	C:\Windows\{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
File created	C:\Windows\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
File created	C:\Windows\{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe	{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
File created	C:\Windows\{5189A71E-D691-4b30-974B-4101690BE6C6}.exe	{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
File created	C:\Windows\{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
File created	C:\Windows\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
File created	C:\Windows\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
File created	C:\Windows\{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
File created	C:\Windows\{CB412B6F-3985-412c-B620-4D8B649D8911}.exe	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe
File created	C:\Windows\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe	{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
File created	C:\Windows\{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe	{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
File created	C:\Windows\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}.exe	{5189A71E-D691-4b30-974B-4101690BE6C6}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	568	3849260a82017aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
Token: SeIncBasePriorityPrivilege	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
Token: SeIncBasePriorityPrivilege	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
Token: SeIncBasePriorityPrivilege	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
Token: SeIncBasePriorityPrivilege	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
Token: SeIncBasePriorityPrivilege	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
Token: SeIncBasePriorityPrivilege	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe
Token: SeIncBasePriorityPrivilege	2260	{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
Token: SeIncBasePriorityPrivilege	2592	{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
Token: SeIncBasePriorityPrivilege	2756	{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
Token: SeIncBasePriorityPrivilege	2616	{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
Token: SeIncBasePriorityPrivilege	2700	{5189A71E-D691-4b30-974B-4101690BE6C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 3068	568	3849260a82017aexeexeexeex.exe	28
PID 568 wrote to memory of 3068	568	3849260a82017aexeexeexeex.exe	28
PID 568 wrote to memory of 3068	568	3849260a82017aexeexeexeex.exe	28
PID 568 wrote to memory of 3068	568	3849260a82017aexeexeexeex.exe	28
PID 568 wrote to memory of 2396	568	3849260a82017aexeexeexeex.exe	29
PID 568 wrote to memory of 2396	568	3849260a82017aexeexeexeex.exe	29
PID 568 wrote to memory of 2396	568	3849260a82017aexeexeexeex.exe	29
PID 568 wrote to memory of 2396	568	3849260a82017aexeexeexeex.exe	29
PID 3068 wrote to memory of 2348	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	30
PID 3068 wrote to memory of 2348	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	30
PID 3068 wrote to memory of 2348	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	30
PID 3068 wrote to memory of 2348	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	30
PID 3068 wrote to memory of 1680	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	31
PID 3068 wrote to memory of 1680	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	31
PID 3068 wrote to memory of 1680	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	31
PID 3068 wrote to memory of 1680	3068	{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe	31
PID 2348 wrote to memory of 1484	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	32
PID 2348 wrote to memory of 1484	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	32
PID 2348 wrote to memory of 1484	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	32
PID 2348 wrote to memory of 1484	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	32
PID 2348 wrote to memory of 2116	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	33
PID 2348 wrote to memory of 2116	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	33
PID 2348 wrote to memory of 2116	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	33
PID 2348 wrote to memory of 2116	2348	{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe	33
PID 1484 wrote to memory of 2040	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	35
PID 1484 wrote to memory of 2040	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	35
PID 1484 wrote to memory of 2040	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	35
PID 1484 wrote to memory of 2040	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	35
PID 1484 wrote to memory of 920	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	34
PID 1484 wrote to memory of 920	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	34
PID 1484 wrote to memory of 920	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	34
PID 1484 wrote to memory of 920	1484	{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe	34
PID 2040 wrote to memory of 2952	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	37
PID 2040 wrote to memory of 2952	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	37
PID 2040 wrote to memory of 2952	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	37
PID 2040 wrote to memory of 2952	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	37
PID 2040 wrote to memory of 684	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	36
PID 2040 wrote to memory of 684	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	36
PID 2040 wrote to memory of 684	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	36
PID 2040 wrote to memory of 684	2040	{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe	36
PID 2952 wrote to memory of 2220	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	39
PID 2952 wrote to memory of 2220	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	39
PID 2952 wrote to memory of 2220	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	39
PID 2952 wrote to memory of 2220	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	39
PID 2952 wrote to memory of 2208	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	38
PID 2952 wrote to memory of 2208	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	38
PID 2952 wrote to memory of 2208	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	38
PID 2952 wrote to memory of 2208	2952	{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe	38
PID 2220 wrote to memory of 1368	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	41
PID 2220 wrote to memory of 1368	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	41
PID 2220 wrote to memory of 1368	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	41
PID 2220 wrote to memory of 1368	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	41
PID 2220 wrote to memory of 2092	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	40
PID 2220 wrote to memory of 2092	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	40
PID 2220 wrote to memory of 2092	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	40
PID 2220 wrote to memory of 2092	2220	{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe	40
PID 1368 wrote to memory of 2260	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	43
PID 1368 wrote to memory of 2260	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	43
PID 1368 wrote to memory of 2260	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	43
PID 1368 wrote to memory of 2260	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	43
PID 1368 wrote to memory of 1724	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	42
PID 1368 wrote to memory of 1724	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	42
PID 1368 wrote to memory of 1724	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	42
PID 1368 wrote to memory of 1724	1368	{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe	42

C:\Users\Admin\AppData\Local\Temp\3849260a82017aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3849260a82017aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
  C:\Windows\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
    C:\Windows\{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
      C:\Windows\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35D9A~1.EXE > nul
        5⤵
        
        PID:920
    - - C:\Windows\{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
        
        C:\Windows\{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D589B~1.EXE > nul
        6⤵
        
        PID:684
      - C:\Windows\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
        
        C:\Windows\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4875~1.EXE > nul
        7⤵
        
        PID:2208
        
        C:\Windows\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
        
        C:\Windows\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC4C~1.EXE > nul
        8⤵
        
        PID:2092
        
        C:\Windows\{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe
        
        C:\Windows\{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C67F6~1.EXE > nul
        9⤵
        
        PID:1724
        
        C:\Windows\{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
        
        C:\Windows\{CB412B6F-3985-412c-B620-4D8B649D8911}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB412~1.EXE > nul
        10⤵
        
        PID:2728
        
        C:\Windows\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
        
        C:\Windows\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D96~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
        
        C:\Windows\{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
        
        C:\Windows\{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB440~1.EXE > nul
        13⤵
        
        PID:2828
        
        C:\Windows\{5189A71E-D691-4b30-974B-4101690BE6C6}.exe
        
        C:\Windows\{5189A71E-D691-4b30-974B-4101690BE6C6}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5189A~1.EXE > nul
        14⤵
        
        PID:2760
        
        C:\Windows\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}.exe
        
        C:\Windows\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}.exe
        14⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5375C~1.EXE > nul
        12⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{28C99~1.EXE > nul
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26C6D~1.EXE > nul
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\384926~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe

Filesize
372KB

MD5
5d5a2c267d0660c2ff06630c8762c981

SHA1
2fe87ae790ee5ac305bf2c0881c3add1140dc563

SHA256
dcd3bc9b46354117a3dc074cd9a511ce8500530ca0c6e055a770c627a0284fd5

SHA512
e2943dd5ae1216f03be1ea28ccf188a898c1b308aca28c7e7347dd185dc0e9ce88a54fc587093c257013751e92b4a34634fa13784cd536622040971babe53415

Download Submit
C:\Windows\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe

Filesize
372KB

MD5
5d5a2c267d0660c2ff06630c8762c981

SHA1
2fe87ae790ee5ac305bf2c0881c3add1140dc563

SHA256
dcd3bc9b46354117a3dc074cd9a511ce8500530ca0c6e055a770c627a0284fd5

SHA512
e2943dd5ae1216f03be1ea28ccf188a898c1b308aca28c7e7347dd185dc0e9ce88a54fc587093c257013751e92b4a34634fa13784cd536622040971babe53415

Download Submit
C:\Windows\{26C6D0F3-C99C-408a-A794-EED0168D3AB0}.exe

Filesize
372KB

MD5
5d5a2c267d0660c2ff06630c8762c981

SHA1
2fe87ae790ee5ac305bf2c0881c3add1140dc563

SHA256
dcd3bc9b46354117a3dc074cd9a511ce8500530ca0c6e055a770c627a0284fd5

SHA512
e2943dd5ae1216f03be1ea28ccf188a898c1b308aca28c7e7347dd185dc0e9ce88a54fc587093c257013751e92b4a34634fa13784cd536622040971babe53415

Download Submit
C:\Windows\{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe

Filesize
372KB

MD5
90836aaca03ba94d946d204fa3ba870e

SHA1
110deab7a64c5b073f78c95d221ef7ecfcd9cf3c

SHA256
1ae4b043d3273da20e87bf4542026c7114edcc3d13a29742220815b821af24a8

SHA512
1f3bb0b8752d286cbc51c7b4ee126c78ef78b9b384ac8b444f56d8c409a747202b52931fd546e096f92f9da7f51e452067c12fd6dc2d49b9fdcc84515b6bd4c8

Download Submit
C:\Windows\{28C99959-BF8D-4eee-A580-9AF4E83878C7}.exe

Filesize
372KB

MD5
90836aaca03ba94d946d204fa3ba870e

SHA1
110deab7a64c5b073f78c95d221ef7ecfcd9cf3c

SHA256
1ae4b043d3273da20e87bf4542026c7114edcc3d13a29742220815b821af24a8

SHA512
1f3bb0b8752d286cbc51c7b4ee126c78ef78b9b384ac8b444f56d8c409a747202b52931fd546e096f92f9da7f51e452067c12fd6dc2d49b9fdcc84515b6bd4c8

Download Submit
C:\Windows\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe

Filesize
372KB

MD5
12c52f3051506d0272e9ccaabf360adb

SHA1
fa717955464c6d82eb0d3214b97e19ab1f30e4eb

SHA256
86cc3fa7e6d6389e205b66d02bd55b2b123356b228c415d72053d0e246f9d6e6

SHA512
a40f21056fdbe241256f5926f654fe9cfcbebbf184ff60b41cfd4aa5936299d5957d990b6332356c6e12b1d509419e79f75a1ef44e05ed9e01f96425440a3e5b

Download Submit
C:\Windows\{35D9A24D-3ADA-46ad-A366-DCF7D6A29E6D}.exe

Filesize
372KB

MD5
12c52f3051506d0272e9ccaabf360adb

SHA1
fa717955464c6d82eb0d3214b97e19ab1f30e4eb

SHA256
86cc3fa7e6d6389e205b66d02bd55b2b123356b228c415d72053d0e246f9d6e6

SHA512
a40f21056fdbe241256f5926f654fe9cfcbebbf184ff60b41cfd4aa5936299d5957d990b6332356c6e12b1d509419e79f75a1ef44e05ed9e01f96425440a3e5b

Download Submit
C:\Windows\{5189A71E-D691-4b30-974B-4101690BE6C6}.exe

Filesize
372KB

MD5
0b66c42bf55464252cdd7681d9c8e8a9

SHA1
e5dc62ef82ac377aeca6db168d9c1acad54c34f4

SHA256
9a021c3bb1a69f5e4c8c861a55b4e096b32818192884ee0fdcdb32946249e089

SHA512
34ff427e2c2fc96f663ed2b7f5784c4e79eca31fa8921ef9908f11a0731f68ffba25fbabbf91035171a90d00f5455ca12bf3afb1bdac1e8a66e51aa26eba5f48

Download Submit
C:\Windows\{5189A71E-D691-4b30-974B-4101690BE6C6}.exe

Filesize
372KB

MD5
0b66c42bf55464252cdd7681d9c8e8a9

SHA1
e5dc62ef82ac377aeca6db168d9c1acad54c34f4

SHA256
9a021c3bb1a69f5e4c8c861a55b4e096b32818192884ee0fdcdb32946249e089

SHA512
34ff427e2c2fc96f663ed2b7f5784c4e79eca31fa8921ef9908f11a0731f68ffba25fbabbf91035171a90d00f5455ca12bf3afb1bdac1e8a66e51aa26eba5f48

Download Submit
C:\Windows\{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe

Filesize
372KB

MD5
918fb9bd7e674b96a0959f2eeefe68bd

SHA1
1b6eded1b4e3f193cc583b7404a0f2193fb44315

SHA256
c7af1d5a188afd218d9b64144d333356839f7bdc4e1e47bb04881808d0c44739

SHA512
fac815d857a2d7daaa70d3d3d570a1b7e97434231071333c3517a865e26d63eeb887fc680c500d1d75e10bd183e77248c35deb67460aed5cffaee5e4272ffc7e

Download Submit
C:\Windows\{5375C0C1-426C-4cb1-874C-372C03317FC2}.exe

Filesize
372KB

MD5
918fb9bd7e674b96a0959f2eeefe68bd

SHA1
1b6eded1b4e3f193cc583b7404a0f2193fb44315

SHA256
c7af1d5a188afd218d9b64144d333356839f7bdc4e1e47bb04881808d0c44739

SHA512
fac815d857a2d7daaa70d3d3d570a1b7e97434231071333c3517a865e26d63eeb887fc680c500d1d75e10bd183e77248c35deb67460aed5cffaee5e4272ffc7e

Download Submit
C:\Windows\{603B10D1-397F-4dc7-AE5E-9D6D899DD02B}.exe

Filesize
372KB

MD5
040f97fd5bd060cadf1fd1315a864d50

SHA1
2cb2020f459c536c532820d9c37931fe84512054

SHA256
53c7b40ca0a1c7dafc25832f72644f51b85eee15aadf5213ffe54a7f9c3d5862

SHA512
3f3770fd121a5780887515dc830b36fb62249b4283b281e6df17d2833763830791f3a0210c7a437e3bea689b8a5402b6d168085fc56380618d9731b926c80156

Download Submit
C:\Windows\{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe

Filesize
372KB

MD5
6b14ddf747847d09cabbff70b83c4d35

SHA1
4aa67b817f11fb3c29f78465e52bd2fa75c0efad

SHA256
497d816ed2f3f0b4093f8e185d8513c40d4c520b0af38f0347cad7fc46068146

SHA512
7dcc958ddf5e403dc9056dc8619971ddd7839127494c883c3667251ee0b00c5dee5b5695b19edc83c9c727a6d12fa9057867f298f8ba2173f346c9035800827d

Download Submit
C:\Windows\{C67F6451-1F0E-480a-A931-77A49848F2FF}.exe

Filesize
372KB

MD5
6b14ddf747847d09cabbff70b83c4d35

SHA1
4aa67b817f11fb3c29f78465e52bd2fa75c0efad

SHA256
497d816ed2f3f0b4093f8e185d8513c40d4c520b0af38f0347cad7fc46068146

SHA512
7dcc958ddf5e403dc9056dc8619971ddd7839127494c883c3667251ee0b00c5dee5b5695b19edc83c9c727a6d12fa9057867f298f8ba2173f346c9035800827d

Download Submit
C:\Windows\{CB412B6F-3985-412c-B620-4D8B649D8911}.exe

Filesize
372KB

MD5
1d90465b83313dcfbdec9d6859dd01b0

SHA1
47e11aea12d4502ab837daf2147e3665219b9601

SHA256
9878d0e0d873c7d1a136183a97623661a5366a51e67fbac35708f802cc922bf7

SHA512
074194cb8ee662114c2be6c6a622dcd925e60a43bc207020c840967d0704d6999012901d0e0acbb2e537aa0eb642139cbed7d4d6388ec0968f5ec89587602604

Download Submit
C:\Windows\{CB412B6F-3985-412c-B620-4D8B649D8911}.exe

Filesize
372KB

MD5
1d90465b83313dcfbdec9d6859dd01b0

SHA1
47e11aea12d4502ab837daf2147e3665219b9601

SHA256
9878d0e0d873c7d1a136183a97623661a5366a51e67fbac35708f802cc922bf7

SHA512
074194cb8ee662114c2be6c6a622dcd925e60a43bc207020c840967d0704d6999012901d0e0acbb2e537aa0eb642139cbed7d4d6388ec0968f5ec89587602604

Download Submit
C:\Windows\{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe

Filesize
372KB

MD5
d16cda6402645da283c01977db5c036b

SHA1
7a894c5aa25cb090f0233b66000074c741a93f27

SHA256
cc92efd861cf32f54024567ee6543c0912197f94c11c279de91b613ac1c23744

SHA512
0565074d34038d99619c28743ee0b13fd90652e1411146fbd8908bf055923d4917e7e90f1e3e2c61206074f926320c7a350394bbe7c1c86a98f3e5db5b597aba

Download Submit
C:\Windows\{CB440007-5B49-46b3-BFD3-773A1999A80D}.exe

Filesize
372KB

MD5
d16cda6402645da283c01977db5c036b

SHA1
7a894c5aa25cb090f0233b66000074c741a93f27

SHA256
cc92efd861cf32f54024567ee6543c0912197f94c11c279de91b613ac1c23744

SHA512
0565074d34038d99619c28743ee0b13fd90652e1411146fbd8908bf055923d4917e7e90f1e3e2c61206074f926320c7a350394bbe7c1c86a98f3e5db5b597aba

Download Submit
C:\Windows\{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe

Filesize
372KB

MD5
b7293a35a8da97bc95289912d3cc8fb6

SHA1
125ad459d922df5f294021f1d97c8cb2880e6f9f

SHA256
b1b352b300698abe52de85f2d5f172d9cff522aac71e99874b879edc2a9c2600

SHA512
117cbf1898df950cd875e4e932b52dd36516a4e8f19d711e60b1a3903951b6dbb679713d6a2c7a384aa769506c14ee028f6b83e97427c1a729dfa7b1811dbae9

Download Submit
C:\Windows\{D589B528-BA92-45f6-B717-1BD52501DCAE}.exe

Filesize
372KB

MD5
b7293a35a8da97bc95289912d3cc8fb6

SHA1
125ad459d922df5f294021f1d97c8cb2880e6f9f

SHA256
b1b352b300698abe52de85f2d5f172d9cff522aac71e99874b879edc2a9c2600

SHA512
117cbf1898df950cd875e4e932b52dd36516a4e8f19d711e60b1a3903951b6dbb679713d6a2c7a384aa769506c14ee028f6b83e97427c1a729dfa7b1811dbae9

Download Submit
C:\Windows\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe

Filesize
372KB

MD5
3328e22a21e3ebb9ac44b95ef505c7b0

SHA1
df3d16bd206273025a6428cba21f701373c0277d

SHA256
49e338dcc1e1d1be04f9bb3b36f4cafa38273a5c4a86cdc9c9b627fa32cabe22

SHA512
cfee78f4da5874dd3079bedfbcfdac04bc0ec9f9af188c2a0879cc61517c2939f43d31cf1c1bb6960e9fc25a049c5fdc013a9343f8b58170252833241382d8cb

Download Submit
C:\Windows\{EDC4CB0F-3D25-474b-A799-B45BC686D34D}.exe

Filesize
372KB

MD5
3328e22a21e3ebb9ac44b95ef505c7b0

SHA1
df3d16bd206273025a6428cba21f701373c0277d

SHA256
49e338dcc1e1d1be04f9bb3b36f4cafa38273a5c4a86cdc9c9b627fa32cabe22

SHA512
cfee78f4da5874dd3079bedfbcfdac04bc0ec9f9af188c2a0879cc61517c2939f43d31cf1c1bb6960e9fc25a049c5fdc013a9343f8b58170252833241382d8cb

Download Submit
C:\Windows\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe

Filesize
372KB

MD5
6430d01abec320704172232d0228b9cc

SHA1
398e829e6ee3f37acf2d482f498ec1392d450af2

SHA256
75ffcc36cb2611bed5c118ce4e98a9adfb40a46c534363eb46591a7ca6dc1173

SHA512
ee64b8617cb9416d313900750348ee7e71c2066db2c5185759a8d493b099e134aeaa3d1858bd719e606c3d39bf50bd7cd1b1bb285490f1ca2c8497cea717a403

Download Submit
C:\Windows\{F2D96341-0BBD-411a-BCEA-D2F9C8C141CD}.exe

Filesize
372KB

MD5
6430d01abec320704172232d0228b9cc

SHA1
398e829e6ee3f37acf2d482f498ec1392d450af2

SHA256
75ffcc36cb2611bed5c118ce4e98a9adfb40a46c534363eb46591a7ca6dc1173

SHA512
ee64b8617cb9416d313900750348ee7e71c2066db2c5185759a8d493b099e134aeaa3d1858bd719e606c3d39bf50bd7cd1b1bb285490f1ca2c8497cea717a403

Download Submit
C:\Windows\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe

Filesize
372KB

MD5
856603061388ba698a6c57bf875de31b

SHA1
6a778e4fc1fe66f3d7f3739cac2e734a2e0d1bb6

SHA256
b5b070cb1c59ad2490ad5e1161c041d3fcbe9ef302d1ad3774fd6d3e6f14d7b7

SHA512
ac3f065f1f43b1586a19c1da5d671cc0d78e5fa8a74793eac36e5263d5e4ed1581ce65fd8d9048e820311c85a6cc5e112fa4ef033913ca134f00a590d9032b7f

Download Submit
C:\Windows\{F4875E52-351E-4bc3-82C4-AFC65BDCD8AC}.exe

Filesize
372KB

MD5
856603061388ba698a6c57bf875de31b

SHA1
6a778e4fc1fe66f3d7f3739cac2e734a2e0d1bb6

SHA256
b5b070cb1c59ad2490ad5e1161c041d3fcbe9ef302d1ad3774fd6d3e6f14d7b7

SHA512
ac3f065f1f43b1586a19c1da5d671cc0d78e5fa8a74793eac36e5263d5e4ed1581ce65fd8d9048e820311c85a6cc5e112fa4ef033913ca134f00a590d9032b7f

Download Submit