85bb8692ae698ac838e200f2911a3d09b92c592e8158079b51d37daabd692f5c

Analysis

max time kernel
146s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a43b9e7ef7495exeexeexeex.exe
Size

168KB
MD5

3a43b9e7ef7495be86863cbdd936b33d
SHA1

a5e966b9fd048b8060aef3f4fe022e21b887a2ad
SHA256

85bb8692ae698ac838e200f2911a3d09b92c592e8158079b51d37daabd692f5c
SHA512

bf112acf6d35e41ef86c61a85d15294e6641969c65352901d6699887dbebe7647a3c458818f745304649b228cc6bfd9c3f6b89592a0558c458329490c5b0e1e9
SSDEEP

1536:1EGh0o/lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o/lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{241EA065-8309-4afc-AF26-BD707999495B}\stubpath = "C:\\Windows\\{241EA065-8309-4afc-AF26-BD707999495B}.exe"	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66847CCA-C219-475c-955E-9BAD8E0DA946}	{241EA065-8309-4afc-AF26-BD707999495B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66847CCA-C219-475c-955E-9BAD8E0DA946}\stubpath = "C:\\Windows\\{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe"	{241EA065-8309-4afc-AF26-BD707999495B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8980A087-9BAE-4510-BD52-3AF683B39335}\stubpath = "C:\\Windows\\{8980A087-9BAE-4510-BD52-3AF683B39335}.exe"	{A863D292-2F8F-478a-A235-543FC812A771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C25971-CC4A-466e-A9DF-550A60B42352}\stubpath = "C:\\Windows\\{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe"	{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E411D24C-D675-4977-8C48-073D24C92A9D}	{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{241EA065-8309-4afc-AF26-BD707999495B}	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E411D24C-D675-4977-8C48-073D24C92A9D}\stubpath = "C:\\Windows\\{E411D24C-D675-4977-8C48-073D24C92A9D}.exe"	{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8980A087-9BAE-4510-BD52-3AF683B39335}	{A863D292-2F8F-478a-A235-543FC812A771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D35B84-93CD-4161-BC87-FFD65C1EA290}	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}\stubpath = "C:\\Windows\\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe"	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}	{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}	{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}	3a43b9e7ef7495exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A863D292-2F8F-478a-A235-543FC812A771}\stubpath = "C:\\Windows\\{A863D292-2F8F-478a-A235-543FC812A771}.exe"	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D35B84-93CD-4161-BC87-FFD65C1EA290}\stubpath = "C:\\Windows\\{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe"	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}\stubpath = "C:\\Windows\\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe"	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}\stubpath = "C:\\Windows\\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe"	{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}	{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A863D292-2F8F-478a-A235-543FC812A771}	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C25971-CC4A-466e-A9DF-550A60B42352}	{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}\stubpath = "C:\\Windows\\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe"	{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}\stubpath = "C:\\Windows\\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}.exe"	{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}\stubpath = "C:\\Windows\\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe"	3a43b9e7ef7495exeexeexeex.exe

Executes dropped EXE 13 IoCs

pid	Process
2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe
752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe
2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
1864	{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
2736	{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
2796	{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
2416	{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
2508	{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe
2536	{D53662D1-BD4C-407e-82B2-1AA85FE727FB}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe	{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
File created	C:\Windows\{E411D24C-D675-4977-8C48-073D24C92A9D}.exe	{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
File created	C:\Windows\{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	{A863D292-2F8F-478a-A235-543FC812A771}.exe
File created	C:\Windows\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
File created	C:\Windows\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
File created	C:\Windows\{A863D292-2F8F-478a-A235-543FC812A771}.exe	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
File created	C:\Windows\{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
File created	C:\Windows\{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe	{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
File created	C:\Windows\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe	{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
File created	C:\Windows\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}.exe	{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe
File created	C:\Windows\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	3a43b9e7ef7495exeexeexeex.exe
File created	C:\Windows\{241EA065-8309-4afc-AF26-BD707999495B}.exe	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
File created	C:\Windows\{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	{241EA065-8309-4afc-AF26-BD707999495B}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	3a43b9e7ef7495exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
Token: SeIncBasePriorityPrivilege	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe
Token: SeIncBasePriorityPrivilege	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
Token: SeIncBasePriorityPrivilege	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe
Token: SeIncBasePriorityPrivilege	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
Token: SeIncBasePriorityPrivilege	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
Token: SeIncBasePriorityPrivilege	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
Token: SeIncBasePriorityPrivilege	1864	{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
Token: SeIncBasePriorityPrivilege	2736	{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
Token: SeIncBasePriorityPrivilege	2796	{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
Token: SeIncBasePriorityPrivilege	2416	{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
Token: SeIncBasePriorityPrivilege	2508	{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2184	2196	3a43b9e7ef7495exeexeexeex.exe	29
PID 2196 wrote to memory of 2184	2196	3a43b9e7ef7495exeexeexeex.exe	29
PID 2196 wrote to memory of 2184	2196	3a43b9e7ef7495exeexeexeex.exe	29
PID 2196 wrote to memory of 2184	2196	3a43b9e7ef7495exeexeexeex.exe	29
PID 2196 wrote to memory of 1652	2196	3a43b9e7ef7495exeexeexeex.exe	30
PID 2196 wrote to memory of 1652	2196	3a43b9e7ef7495exeexeexeex.exe	30
PID 2196 wrote to memory of 1652	2196	3a43b9e7ef7495exeexeexeex.exe	30
PID 2196 wrote to memory of 1652	2196	3a43b9e7ef7495exeexeexeex.exe	30
PID 2184 wrote to memory of 1576	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	31
PID 2184 wrote to memory of 1576	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	31
PID 2184 wrote to memory of 1576	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	31
PID 2184 wrote to memory of 1576	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	31
PID 2184 wrote to memory of 656	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	32
PID 2184 wrote to memory of 656	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	32
PID 2184 wrote to memory of 656	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	32
PID 2184 wrote to memory of 656	2184	{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe	32
PID 1576 wrote to memory of 752	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	33
PID 1576 wrote to memory of 752	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	33
PID 1576 wrote to memory of 752	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	33
PID 1576 wrote to memory of 752	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	33
PID 1576 wrote to memory of 2892	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	34
PID 1576 wrote to memory of 2892	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	34
PID 1576 wrote to memory of 2892	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	34
PID 1576 wrote to memory of 2892	1576	{241EA065-8309-4afc-AF26-BD707999495B}.exe	34
PID 752 wrote to memory of 2948	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	35
PID 752 wrote to memory of 2948	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	35
PID 752 wrote to memory of 2948	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	35
PID 752 wrote to memory of 2948	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	35
PID 752 wrote to memory of 3048	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	36
PID 752 wrote to memory of 3048	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	36
PID 752 wrote to memory of 3048	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	36
PID 752 wrote to memory of 3048	752	{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe	36
PID 2948 wrote to memory of 2064	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	37
PID 2948 wrote to memory of 2064	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	37
PID 2948 wrote to memory of 2064	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	37
PID 2948 wrote to memory of 2064	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	37
PID 2948 wrote to memory of 2092	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	38
PID 2948 wrote to memory of 2092	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	38
PID 2948 wrote to memory of 2092	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	38
PID 2948 wrote to memory of 2092	2948	{A863D292-2F8F-478a-A235-543FC812A771}.exe	38
PID 2064 wrote to memory of 2264	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	40
PID 2064 wrote to memory of 2264	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	40
PID 2064 wrote to memory of 2264	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	40
PID 2064 wrote to memory of 2264	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	40
PID 2064 wrote to memory of 1020	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	39
PID 2064 wrote to memory of 1020	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	39
PID 2064 wrote to memory of 1020	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	39
PID 2064 wrote to memory of 1020	2064	{8980A087-9BAE-4510-BD52-3AF683B39335}.exe	39
PID 2264 wrote to memory of 2564	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	41
PID 2264 wrote to memory of 2564	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	41
PID 2264 wrote to memory of 2564	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	41
PID 2264 wrote to memory of 2564	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	41
PID 2264 wrote to memory of 2148	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	42
PID 2264 wrote to memory of 2148	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	42
PID 2264 wrote to memory of 2148	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	42
PID 2264 wrote to memory of 2148	2264	{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe	42
PID 2564 wrote to memory of 1864	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	44
PID 2564 wrote to memory of 1864	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	44
PID 2564 wrote to memory of 1864	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	44
PID 2564 wrote to memory of 1864	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	44
PID 2564 wrote to memory of 1416	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	43
PID 2564 wrote to memory of 1416	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	43
PID 2564 wrote to memory of 1416	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	43
PID 2564 wrote to memory of 1416	2564	{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe	43

C:\Users\Admin\AppData\Local\Temp\3a43b9e7ef7495exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3a43b9e7ef7495exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
  C:\Windows\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\{241EA065-8309-4afc-AF26-BD707999495B}.exe
    C:\Windows\{241EA065-8309-4afc-AF26-BD707999495B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
      C:\Windows\{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\{A863D292-2F8F-478a-A235-543FC812A771}.exe
        
        C:\Windows\{A863D292-2F8F-478a-A235-543FC812A771}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
        
        C:\Windows\{8980A087-9BAE-4510-BD52-3AF683B39335}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8980A~1.EXE > nul
        7⤵
        
        PID:1020
        
        C:\Windows\{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
        
        C:\Windows\{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
        
        C:\Windows\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6FB8~1.EXE > nul
        9⤵
        
        PID:1416
        
        C:\Windows\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
        
        C:\Windows\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
        
        C:\Windows\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{266C8~1.EXE > nul
        11⤵
        
        PID:2768
        
        C:\Windows\{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
        
        C:\Windows\{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2C25~1.EXE > nul
        12⤵
        
        PID:2724
        
        C:\Windows\{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
        
        C:\Windows\{E411D24C-D675-4977-8C48-073D24C92A9D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E411D~1.EXE > nul
        13⤵
        
        PID:2504
        
        C:\Windows\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe
        
        C:\Windows\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}.exe
        
        C:\Windows\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}.exe
        14⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{320A1~1.EXE > nul
        14⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDD8~1.EXE > nul
        10⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25D35~1.EXE > nul
        8⤵
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A863D~1.EXE > nul
        6⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66847~1.EXE > nul
        5⤵
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{241EA~1.EXE > nul
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C5B~1.EXE > nul
    3⤵
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A43B9~1.EXE > nul
  2⤵
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{241EA065-8309-4afc-AF26-BD707999495B}.exe

Filesize
168KB

MD5
ce686341e5adf851b904382adc2d80b8

SHA1
c327c4237282b59ba0a0c15eba7ea3478ae4e9c2

SHA256
68053c6d28d2e4259fffccf334459ee0d3b362aa3d54f05e32f53cda323c20a8

SHA512
694a8bbad2bade80d920a1f10c4a66d3743679f69fdc5bdaf9600daba0d701ae378d4e98735cdd76ec00477ead0c87f752b287320dceb681697873383ed5ed8f

Download Submit
C:\Windows\{241EA065-8309-4afc-AF26-BD707999495B}.exe

Filesize
168KB

MD5
ce686341e5adf851b904382adc2d80b8

SHA1
c327c4237282b59ba0a0c15eba7ea3478ae4e9c2

SHA256
68053c6d28d2e4259fffccf334459ee0d3b362aa3d54f05e32f53cda323c20a8

SHA512
694a8bbad2bade80d920a1f10c4a66d3743679f69fdc5bdaf9600daba0d701ae378d4e98735cdd76ec00477ead0c87f752b287320dceb681697873383ed5ed8f

Download Submit
C:\Windows\{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe

Filesize
168KB

MD5
2dc1c35210366dc16fd8c424e17a8616

SHA1
945cd3998af87b57997c005ac8d83e69d301d63c

SHA256
9ddae908b904ab104acde85a7cd99465d9c9398f9ba9eb1b382d27def0bdf9d3

SHA512
2dea756348d478387c88ec38b7b9fa8adafae57e33f7727f144b96cafd688fe7b45761f64be305e50f3053a5affde4d9663b876abc019904f1f8afcfb95cad4a

Download Submit
C:\Windows\{25D35B84-93CD-4161-BC87-FFD65C1EA290}.exe

Filesize
168KB

MD5
2dc1c35210366dc16fd8c424e17a8616

SHA1
945cd3998af87b57997c005ac8d83e69d301d63c

SHA256
9ddae908b904ab104acde85a7cd99465d9c9398f9ba9eb1b382d27def0bdf9d3

SHA512
2dea756348d478387c88ec38b7b9fa8adafae57e33f7727f144b96cafd688fe7b45761f64be305e50f3053a5affde4d9663b876abc019904f1f8afcfb95cad4a

Download Submit
C:\Windows\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe

Filesize
168KB

MD5
1dd71cf3df0581553658914b0a5520a2

SHA1
6b3d52fda3f70c2db723861f1195c85662083f5d

SHA256
a9986b1cf6ebfd788bfe29745af8a6c88cc8ad5139e824e305a70dbf0964b253

SHA512
02f980576abdb05aff0876fd9b98b27df7a5f2b31b485dc0798ed0c3f8b3b639181eb55271a21d5b5b67d90e3b0827e952c36ec4f8d6967b5eed5f6a68a31d27

Download Submit
C:\Windows\{266C82BF-3D34-4ba0-9CED-57AEB78B3D55}.exe

Filesize
168KB

MD5
1dd71cf3df0581553658914b0a5520a2

SHA1
6b3d52fda3f70c2db723861f1195c85662083f5d

SHA256
a9986b1cf6ebfd788bfe29745af8a6c88cc8ad5139e824e305a70dbf0964b253

SHA512
02f980576abdb05aff0876fd9b98b27df7a5f2b31b485dc0798ed0c3f8b3b639181eb55271a21d5b5b67d90e3b0827e952c36ec4f8d6967b5eed5f6a68a31d27

Download Submit
C:\Windows\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe

Filesize
168KB

MD5
624b9a65f2ee4854beeb3d248a53e0ad

SHA1
84e49199a05e73b8cbc51aca9ad45db3541a981f

SHA256
03a719b1af0522ff9a63c8d0bb2a7066420576c3c919849e93c8250422940170

SHA512
577b4153fa148fe4f61133c7d58609f5787e30d210c9be18d2cb30a2933afac050753b6dd0b77ba40d1ec87a152728021092847f7c9ae7a3362ab1bce7d14423

Download Submit
C:\Windows\{320A1948-1E89-46df-9B2C-FC33AD6BCE03}.exe

Filesize
168KB

MD5
624b9a65f2ee4854beeb3d248a53e0ad

SHA1
84e49199a05e73b8cbc51aca9ad45db3541a981f

SHA256
03a719b1af0522ff9a63c8d0bb2a7066420576c3c919849e93c8250422940170

SHA512
577b4153fa148fe4f61133c7d58609f5787e30d210c9be18d2cb30a2933afac050753b6dd0b77ba40d1ec87a152728021092847f7c9ae7a3362ab1bce7d14423

Download Submit
C:\Windows\{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe

Filesize
168KB

MD5
4c44f83b73a48c8edc3215202c601e0f

SHA1
dee092eea9d599f02e5d9820ecef623fa66a1d23

SHA256
a50ce29a632a101bdb2cb199bcb502f0781c90e998321f0b9a5adf3459b71598

SHA512
0f134f6859ab534bb7c6f3ea5129e2a6d0c0355f75c14d6eb64a70ebe9afe6012095b919471823b68963546317821f8f72ad0ed74dc62ce743177fd7877106fa

Download Submit
C:\Windows\{66847CCA-C219-475c-955E-9BAD8E0DA946}.exe

Filesize
168KB

MD5
4c44f83b73a48c8edc3215202c601e0f

SHA1
dee092eea9d599f02e5d9820ecef623fa66a1d23

SHA256
a50ce29a632a101bdb2cb199bcb502f0781c90e998321f0b9a5adf3459b71598

SHA512
0f134f6859ab534bb7c6f3ea5129e2a6d0c0355f75c14d6eb64a70ebe9afe6012095b919471823b68963546317821f8f72ad0ed74dc62ce743177fd7877106fa

Download Submit
C:\Windows\{8980A087-9BAE-4510-BD52-3AF683B39335}.exe

Filesize
168KB

MD5
cc7c8ea3cfec7d1c211d5b80ad258b8c

SHA1
5bf36c23818fe58e9b302f915debcfc631462699

SHA256
b232f597e324b4a14dcb43ac19f0f07b5607b0eee05d315d07b43cabbfa831c5

SHA512
0e1267c3cc8a684c7183b1fead27080af4a7513354534d8e5c681a11754b3f8a76dbf4c4e0058c4840ae4f1f3ae950428cfba5a5cc931f2762d6119f1fe5a803

Download Submit
C:\Windows\{8980A087-9BAE-4510-BD52-3AF683B39335}.exe

Filesize
168KB

MD5
cc7c8ea3cfec7d1c211d5b80ad258b8c

SHA1
5bf36c23818fe58e9b302f915debcfc631462699

SHA256
b232f597e324b4a14dcb43ac19f0f07b5607b0eee05d315d07b43cabbfa831c5

SHA512
0e1267c3cc8a684c7183b1fead27080af4a7513354534d8e5c681a11754b3f8a76dbf4c4e0058c4840ae4f1f3ae950428cfba5a5cc931f2762d6119f1fe5a803

Download Submit
C:\Windows\{A863D292-2F8F-478a-A235-543FC812A771}.exe

Filesize
168KB

MD5
9445495e3cf98988d439153e824aaa83

SHA1
dcb11d8cfbbf5b662863bcf7b4da3f6201040240

SHA256
b8fb9b26e1127eb91eb3c7ebaf17371928206a10ec3db04806f52e39fc123e08

SHA512
a135b3eea57e7b306723f386bd5ae7116b4a47cd9e4453aa4bad7de2002e525b59c99e646049b242327f09b023a0a7b7fcb1393a6051ca129e0e9a404ba10e50

Download Submit
C:\Windows\{A863D292-2F8F-478a-A235-543FC812A771}.exe

Filesize
168KB

MD5
9445495e3cf98988d439153e824aaa83

SHA1
dcb11d8cfbbf5b662863bcf7b4da3f6201040240

SHA256
b8fb9b26e1127eb91eb3c7ebaf17371928206a10ec3db04806f52e39fc123e08

SHA512
a135b3eea57e7b306723f386bd5ae7116b4a47cd9e4453aa4bad7de2002e525b59c99e646049b242327f09b023a0a7b7fcb1393a6051ca129e0e9a404ba10e50

Download Submit
C:\Windows\{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe

Filesize
168KB

MD5
82f8fbbcf7aa1d93c436b9b48d670535

SHA1
eba4c266e0fc33c24c150a9092227e17a8c4e2a1

SHA256
a0d3353115f31b4a9baa08ac390f66627554eab6a4de6bcceaa87b5b2787ab5f

SHA512
2eb757d7e41cb355640104a56d63a228a10feb85fae23e4e38b2540a0eadd2acde030e083dc325927efe446ae94f3b8dc0847808bae741c413b5d43609c86698

Download Submit
C:\Windows\{D2C25971-CC4A-466e-A9DF-550A60B42352}.exe

Filesize
168KB

MD5
82f8fbbcf7aa1d93c436b9b48d670535

SHA1
eba4c266e0fc33c24c150a9092227e17a8c4e2a1

SHA256
a0d3353115f31b4a9baa08ac390f66627554eab6a4de6bcceaa87b5b2787ab5f

SHA512
2eb757d7e41cb355640104a56d63a228a10feb85fae23e4e38b2540a0eadd2acde030e083dc325927efe446ae94f3b8dc0847808bae741c413b5d43609c86698

Download Submit
C:\Windows\{D53662D1-BD4C-407e-82B2-1AA85FE727FB}.exe

Filesize
168KB

MD5
251d4c2d0ae5cf1315d33aeef3d53f6d

SHA1
93b795ef3256dd171e8caa50065fdb5dcdc6ed3c

SHA256
ba2e550cbc1750a8d0fc599f6da85e904ac3348ad5d8ed890c69130377ad315a

SHA512
f31fdd0808feaee67cfaf73481bc32e588cb5718c5d01b8e5f449ef0f98a81dd333497fb608d61f45dbcb7e61fea5d41264b5da39223cffdfda6f4dd19d6fb8d

Download Submit
C:\Windows\{E411D24C-D675-4977-8C48-073D24C92A9D}.exe

Filesize
168KB

MD5
56eca3aa53d1f27e3c8b93e1a2a76200

SHA1
93ad0f9b2190f8d206a916107140bddef5833943

SHA256
f0930372c16611bd3b775484e55c636e2ef180b925e7ae15f2dcc10953ef46cd

SHA512
296fd6077b223244e1f1d7ef7d3eb27be2f224eef086652574bf977d382451a8efee9a7c670027ec6d03fabcbaffe01773d8029aaa1c9e441deafdbcc82d146f

Download Submit
C:\Windows\{E411D24C-D675-4977-8C48-073D24C92A9D}.exe

Filesize
168KB

MD5
56eca3aa53d1f27e3c8b93e1a2a76200

SHA1
93ad0f9b2190f8d206a916107140bddef5833943

SHA256
f0930372c16611bd3b775484e55c636e2ef180b925e7ae15f2dcc10953ef46cd

SHA512
296fd6077b223244e1f1d7ef7d3eb27be2f224eef086652574bf977d382451a8efee9a7c670027ec6d03fabcbaffe01773d8029aaa1c9e441deafdbcc82d146f

Download Submit
C:\Windows\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe

Filesize
168KB

MD5
997e18c3e0ec25cf317d6d0b71a04b17

SHA1
3ce52033efc299d392bb7d2486320cbcb6a22850

SHA256
1a65b2d16c10e31ef666c02c3b73085f3cf6c8a2aa2e00f94128e5281df4df99

SHA512
92a907b79b27352eb5ecda344d246ea57d5237b02074fce70114e8b1a7652fd052eb26bf260568b4ef82abeba67e2865c7f233296c2599b19934f128a28bdc71

Download Submit
C:\Windows\{E6FB826E-9E97-41bd-A6DE-5FE7A469DFF6}.exe

Filesize
168KB

MD5
997e18c3e0ec25cf317d6d0b71a04b17

SHA1
3ce52033efc299d392bb7d2486320cbcb6a22850

SHA256
1a65b2d16c10e31ef666c02c3b73085f3cf6c8a2aa2e00f94128e5281df4df99

SHA512
92a907b79b27352eb5ecda344d246ea57d5237b02074fce70114e8b1a7652fd052eb26bf260568b4ef82abeba67e2865c7f233296c2599b19934f128a28bdc71

Download Submit
C:\Windows\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe

Filesize
168KB

MD5
a60a760bd9b6d8f1697700234c0fcfbf

SHA1
5c3a3d0db56e756c53bd83609ba9e4a57625f38e

SHA256
977a32643669964a3973bc7575128ad1dd5f2ac60ceee266308be8bc80019058

SHA512
6e0f83bd6655cc3366e28a63bbc2a10ea53252cefb82fd0d7ea740360ad76b90ce5035a649a6e78efe9a5d2f102a44833b951abcde2c80c414a5663aaa908a20

Download Submit
C:\Windows\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe

Filesize
168KB

MD5
a60a760bd9b6d8f1697700234c0fcfbf

SHA1
5c3a3d0db56e756c53bd83609ba9e4a57625f38e

SHA256
977a32643669964a3973bc7575128ad1dd5f2ac60ceee266308be8bc80019058

SHA512
6e0f83bd6655cc3366e28a63bbc2a10ea53252cefb82fd0d7ea740360ad76b90ce5035a649a6e78efe9a5d2f102a44833b951abcde2c80c414a5663aaa908a20

Download Submit
C:\Windows\{F9C5BAED-1A03-49d5-88CA-B804D1A005D5}.exe

Filesize
168KB

MD5
a60a760bd9b6d8f1697700234c0fcfbf

SHA1
5c3a3d0db56e756c53bd83609ba9e4a57625f38e

SHA256
977a32643669964a3973bc7575128ad1dd5f2ac60ceee266308be8bc80019058

SHA512
6e0f83bd6655cc3366e28a63bbc2a10ea53252cefb82fd0d7ea740360ad76b90ce5035a649a6e78efe9a5d2f102a44833b951abcde2c80c414a5663aaa908a20

Download Submit
C:\Windows\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe

Filesize
168KB

MD5
0cb6ab9eab358394712cc4176e72dc09

SHA1
5c5fc9b3c2ac800dc8a3f41849ce6bce6bfd5012

SHA256
41a1fa03eab689e3f6a33695478e1f1c3e26c330affa415aaa62c700b5b402ba

SHA512
f1a94a0843458e98cc71824c3e420778f92e3dc71e113409de6f3afe89e838c81649bf750ee1a6c7d105bae23de3e04a030eaf6635c4caf270c72cb0dbf1722d

Download Submit
C:\Windows\{FBDD899C-E547-4e3f-AC81-E89332F68D1E}.exe

Filesize
168KB

MD5
0cb6ab9eab358394712cc4176e72dc09

SHA1
5c5fc9b3c2ac800dc8a3f41849ce6bce6bfd5012

SHA256
41a1fa03eab689e3f6a33695478e1f1c3e26c330affa415aaa62c700b5b402ba

SHA512
f1a94a0843458e98cc71824c3e420778f92e3dc71e113409de6f3afe89e838c81649bf750ee1a6c7d105bae23de3e04a030eaf6635c4caf270c72cb0dbf1722d

Download Submit