e8e3b66977c05a5f1ecd407846ad7a5c149a80778f55d24fa6cf495d4e475300

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5124a6b4e2ffc7exeexeexeex.exe
Size

168KB
MD5

5124a6b4e2ffc7feb2fb89f0c7c3b84a
SHA1

eb3dc6bb6cf20e8211110c4559898203e850eb36
SHA256

e8e3b66977c05a5f1ecd407846ad7a5c149a80778f55d24fa6cf495d4e475300
SHA512

031c0199c8ffd2fc0e067b8bf52bdd66d66e1ec4a72597b0cf1db9512a758a30590ed7f5c03553163358b4a40e88258507e364a4e65cf5813dc70baba12bfc19
SSDEEP

1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E726804-DE38-4a2d-A930-75AD53953C51}\stubpath = "C:\\Windows\\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe"	5124a6b4e2ffc7exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88DFB1A5-6944-40a6-942B-053BEDAC032B}	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E58F620-2DE2-4969-AF47-464A63ADF745}	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}\stubpath = "C:\\Windows\\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe"	{680F4801-F491-4411-9502-5463ED768A06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}\stubpath = "C:\\Windows\\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe"	{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}	{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E58F620-2DE2-4969-AF47-464A63ADF745}\stubpath = "C:\\Windows\\{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe"	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C682CA2A-6218-4baf-947C-31956D9B3F0C}	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}\stubpath = "C:\\Windows\\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe"	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}\stubpath = "C:\\Windows\\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe"	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}\stubpath = "C:\\Windows\\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe"	{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}\stubpath = "C:\\Windows\\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe"	{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E726804-DE38-4a2d-A930-75AD53953C51}	5124a6b4e2ffc7exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}\stubpath = "C:\\Windows\\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe"	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680F4801-F491-4411-9502-5463ED768A06}\stubpath = "C:\\Windows\\{680F4801-F491-4411-9502-5463ED768A06}.exe"	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}	{680F4801-F491-4411-9502-5463ED768A06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}	{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}	{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88DFB1A5-6944-40a6-942B-053BEDAC032B}\stubpath = "C:\\Windows\\{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe"	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C682CA2A-6218-4baf-947C-31956D9B3F0C}\stubpath = "C:\\Windows\\{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe"	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680F4801-F491-4411-9502-5463ED768A06}	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0E159D7-060D-4974-86A6-BD3778A934EF}	{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0E159D7-060D-4974-86A6-BD3778A934EF}\stubpath = "C:\\Windows\\{A0E159D7-060D-4974-86A6-BD3778A934EF}.exe"	{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe
1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
2720	{680F4801-F491-4411-9502-5463ED768A06}.exe
1576	{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
2000	{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
2924	{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
2592	{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe
1648	{A0E159D7-060D-4974-86A6-BD3778A934EF}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
File created	C:\Windows\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe	{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
File created	C:\Windows\{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
File created	C:\Windows\{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
File created	C:\Windows\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
File created	C:\Windows\{680F4801-F491-4411-9502-5463ED768A06}.exe	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
File created	C:\Windows\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe	{680F4801-F491-4411-9502-5463ED768A06}.exe
File created	C:\Windows\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe	{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
File created	C:\Windows\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe	{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
File created	C:\Windows\{A0E159D7-060D-4974-86A6-BD3778A934EF}.exe	{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe
File created	C:\Windows\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	5124a6b4e2ffc7exeexeexeex.exe
File created	C:\Windows\{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
File created	C:\Windows\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2724	5124a6b4e2ffc7exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
Token: SeIncBasePriorityPrivilege	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
Token: SeIncBasePriorityPrivilege	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
Token: SeIncBasePriorityPrivilege	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
Token: SeIncBasePriorityPrivilege	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe
Token: SeIncBasePriorityPrivilege	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
Token: SeIncBasePriorityPrivilege	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
Token: SeIncBasePriorityPrivilege	2720	{680F4801-F491-4411-9502-5463ED768A06}.exe
Token: SeIncBasePriorityPrivilege	1576	{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
Token: SeIncBasePriorityPrivilege	2000	{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
Token: SeIncBasePriorityPrivilege	2924	{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
Token: SeIncBasePriorityPrivilege	2592	{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2872	2724	5124a6b4e2ffc7exeexeexeex.exe	27
PID 2724 wrote to memory of 2872	2724	5124a6b4e2ffc7exeexeexeex.exe	27
PID 2724 wrote to memory of 2872	2724	5124a6b4e2ffc7exeexeexeex.exe	27
PID 2724 wrote to memory of 2872	2724	5124a6b4e2ffc7exeexeexeex.exe	27
PID 2724 wrote to memory of 2912	2724	5124a6b4e2ffc7exeexeexeex.exe	28
PID 2724 wrote to memory of 2912	2724	5124a6b4e2ffc7exeexeexeex.exe	28
PID 2724 wrote to memory of 2912	2724	5124a6b4e2ffc7exeexeexeex.exe	28
PID 2724 wrote to memory of 2912	2724	5124a6b4e2ffc7exeexeexeex.exe	28
PID 2872 wrote to memory of 2988	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	29
PID 2872 wrote to memory of 2988	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	29
PID 2872 wrote to memory of 2988	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	29
PID 2872 wrote to memory of 2988	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	29
PID 2872 wrote to memory of 3048	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	30
PID 2872 wrote to memory of 3048	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	30
PID 2872 wrote to memory of 3048	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	30
PID 2872 wrote to memory of 3048	2872	{3E726804-DE38-4a2d-A930-75AD53953C51}.exe	30
PID 2988 wrote to memory of 2968	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	31
PID 2988 wrote to memory of 2968	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	31
PID 2988 wrote to memory of 2968	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	31
PID 2988 wrote to memory of 2968	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	31
PID 2988 wrote to memory of 3020	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	32
PID 2988 wrote to memory of 3020	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	32
PID 2988 wrote to memory of 3020	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	32
PID 2988 wrote to memory of 3020	2988	{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe	32
PID 2968 wrote to memory of 2876	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	33
PID 2968 wrote to memory of 2876	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	33
PID 2968 wrote to memory of 2876	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	33
PID 2968 wrote to memory of 2876	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	33
PID 2968 wrote to memory of 2184	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	34
PID 2968 wrote to memory of 2184	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	34
PID 2968 wrote to memory of 2184	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	34
PID 2968 wrote to memory of 2184	2968	{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe	34
PID 2876 wrote to memory of 2196	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	35
PID 2876 wrote to memory of 2196	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	35
PID 2876 wrote to memory of 2196	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	35
PID 2876 wrote to memory of 2196	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	35
PID 2876 wrote to memory of 2216	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	36
PID 2876 wrote to memory of 2216	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	36
PID 2876 wrote to memory of 2216	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	36
PID 2876 wrote to memory of 2216	2876	{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe	36
PID 2196 wrote to memory of 1920	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	37
PID 2196 wrote to memory of 1920	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	37
PID 2196 wrote to memory of 1920	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	37
PID 2196 wrote to memory of 1920	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	37
PID 2196 wrote to memory of 2240	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	38
PID 2196 wrote to memory of 2240	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	38
PID 2196 wrote to memory of 2240	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	38
PID 2196 wrote to memory of 2240	2196	{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe	38
PID 1920 wrote to memory of 2780	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	39
PID 1920 wrote to memory of 2780	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	39
PID 1920 wrote to memory of 2780	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	39
PID 1920 wrote to memory of 2780	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	39
PID 1920 wrote to memory of 2836	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	40
PID 1920 wrote to memory of 2836	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	40
PID 1920 wrote to memory of 2836	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	40
PID 1920 wrote to memory of 2836	1920	{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe	40
PID 2780 wrote to memory of 2720	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	41
PID 2780 wrote to memory of 2720	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	41
PID 2780 wrote to memory of 2720	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	41
PID 2780 wrote to memory of 2720	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	41
PID 2780 wrote to memory of 2228	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	42
PID 2780 wrote to memory of 2228	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	42
PID 2780 wrote to memory of 2228	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	42
PID 2780 wrote to memory of 2228	2780	{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe	42

C:\Users\Admin\AppData\Local\Temp\5124a6b4e2ffc7exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5124a6b4e2ffc7exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
  C:\Windows\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
    C:\Windows\{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
      C:\Windows\{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
        
        C:\Windows\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe
        
        C:\Windows\{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
        
        C:\Windows\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
        
        C:\Windows\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{680F4801-F491-4411-9502-5463ED768A06}.exe
        
        C:\Windows\{680F4801-F491-4411-9502-5463ED768A06}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
        
        C:\Windows\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
        
        C:\Windows\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
        
        C:\Windows\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe
        
        C:\Windows\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\{A0E159D7-060D-4974-86A6-BD3778A934EF}.exe
        
        C:\Windows\{A0E159D7-060D-4974-86A6-BD3778A934EF}.exe
        14⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DABC~1.EXE > nul
        14⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60F8~1.EXE > nul
        13⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77A3C~1.EXE > nul
        12⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1F0~1.EXE > nul
        11⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{680F4~1.EXE > nul
        10⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE285~1.EXE > nul
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2BC6~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C682C~1.EXE > nul
        7⤵
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{412EB~1.EXE > nul
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E58F~1.EXE > nul
        5⤵
        
        PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88DFB~1.EXE > nul
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3E726~1.EXE > nul
    3⤵
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5124A6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe

Filesize
168KB

MD5
db57c5304fee39659d9bbfe57106e9ca

SHA1
6a47ecb5fbbb56b27ec641808943a110b36604ce

SHA256
5e5b86ec1649d87cb7a8ced9d7e3fb164105c786a4278632aa249ef396203ef9

SHA512
bbbc37f1b0efca9cedd4c58453ad2debea262d8241723bba6636609072c2091380d70191a76e67f075e8c276ba2e9e3de5d395d30c3227c1a4773aaa1238f5d2

Download Submit
C:\Windows\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe

Filesize
168KB

MD5
db57c5304fee39659d9bbfe57106e9ca

SHA1
6a47ecb5fbbb56b27ec641808943a110b36604ce

SHA256
5e5b86ec1649d87cb7a8ced9d7e3fb164105c786a4278632aa249ef396203ef9

SHA512
bbbc37f1b0efca9cedd4c58453ad2debea262d8241723bba6636609072c2091380d70191a76e67f075e8c276ba2e9e3de5d395d30c3227c1a4773aaa1238f5d2

Download Submit
C:\Windows\{3E726804-DE38-4a2d-A930-75AD53953C51}.exe

Filesize
168KB

MD5
db57c5304fee39659d9bbfe57106e9ca

SHA1
6a47ecb5fbbb56b27ec641808943a110b36604ce

SHA256
5e5b86ec1649d87cb7a8ced9d7e3fb164105c786a4278632aa249ef396203ef9

SHA512
bbbc37f1b0efca9cedd4c58453ad2debea262d8241723bba6636609072c2091380d70191a76e67f075e8c276ba2e9e3de5d395d30c3227c1a4773aaa1238f5d2

Download Submit
C:\Windows\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe

Filesize
168KB

MD5
43ce4c8f510c54633839fc4c89ce1998

SHA1
1b2df0fa0f96178e088318719e83d33464254176

SHA256
8ebb1b12758a71798773ff2be75123df699d521cdfc7f19b4b75264002a927fc

SHA512
281066c3c9d2df12ec99e51cf974465b4b867605ae734965c7ca648c5427efa27a3bbaa45533252ee5e165e99d773a704df371ea8a32b478bd9d79937fb30465

Download Submit
C:\Windows\{412EB9B7-6386-4bc6-97FF-2C5D594AC4E0}.exe

Filesize
168KB

MD5
43ce4c8f510c54633839fc4c89ce1998

SHA1
1b2df0fa0f96178e088318719e83d33464254176

SHA256
8ebb1b12758a71798773ff2be75123df699d521cdfc7f19b4b75264002a927fc

SHA512
281066c3c9d2df12ec99e51cf974465b4b867605ae734965c7ca648c5427efa27a3bbaa45533252ee5e165e99d773a704df371ea8a32b478bd9d79937fb30465

Download Submit
C:\Windows\{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe

Filesize
168KB

MD5
1e468e6ae2ad21332968d24bd6c3be43

SHA1
80ac78a96327a8366fb1fbf8cbd25faa72173cbf

SHA256
98ba5c8fd7b2919f867718e41584d842fdb74c9105e6fc33f616a8545a99df9b

SHA512
528dc0dd7a6ee465bc2d5b356e6d838c49e5c703a7692d8bee72d492aeb09746078dc46c75dfb1926f57a35e2c3729a6896dd77e31f0d687cb7edbdbd4e89073

Download Submit
C:\Windows\{4E58F620-2DE2-4969-AF47-464A63ADF745}.exe

Filesize
168KB

MD5
1e468e6ae2ad21332968d24bd6c3be43

SHA1
80ac78a96327a8366fb1fbf8cbd25faa72173cbf

SHA256
98ba5c8fd7b2919f867718e41584d842fdb74c9105e6fc33f616a8545a99df9b

SHA512
528dc0dd7a6ee465bc2d5b356e6d838c49e5c703a7692d8bee72d492aeb09746078dc46c75dfb1926f57a35e2c3729a6896dd77e31f0d687cb7edbdbd4e89073

Download Submit
C:\Windows\{680F4801-F491-4411-9502-5463ED768A06}.exe

Filesize
168KB

MD5
1b0bdc6fd96536574ec1aee20b3e43a8

SHA1
5357f9bc51334e4b8848b2fd53bdde368b45b79b

SHA256
306c906906263fc312e43f565f63ff0da6aefb03aa59f9f0fcc292885ee86ab9

SHA512
d2f5196816d5f9a14b00b2689a08b1e14d6a248a1f80d5839b2e956e9d46546685e1714c4d0306494548921ac3b1dd726c3874aa69cdd1e8713a850dea75adc3

Download Submit
C:\Windows\{680F4801-F491-4411-9502-5463ED768A06}.exe

Filesize
168KB

MD5
1b0bdc6fd96536574ec1aee20b3e43a8

SHA1
5357f9bc51334e4b8848b2fd53bdde368b45b79b

SHA256
306c906906263fc312e43f565f63ff0da6aefb03aa59f9f0fcc292885ee86ab9

SHA512
d2f5196816d5f9a14b00b2689a08b1e14d6a248a1f80d5839b2e956e9d46546685e1714c4d0306494548921ac3b1dd726c3874aa69cdd1e8713a850dea75adc3

Download Submit
C:\Windows\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe

Filesize
168KB

MD5
a1809ecd87d7d573ad1c7299011f61b2

SHA1
12f960d1e9b27d6949fbcd191d3fa05b36e1ca37

SHA256
cf755202c42dfab192d638319c49325933355a82dc840a6ea1a3616ee7da4be7

SHA512
f03f423d07c3987f50fd26773c97c033b787a3c9d544c30acc4955f89a0e7e8ce4c698e3b63fd2f24d9886ddcbb35007a4c2c76ede6b58e17c8f09006a277615

Download Submit
C:\Windows\{77A3CD62-A2E7-4af6-AA37-322EDB50CEA7}.exe

Filesize
168KB

MD5
a1809ecd87d7d573ad1c7299011f61b2

SHA1
12f960d1e9b27d6949fbcd191d3fa05b36e1ca37

SHA256
cf755202c42dfab192d638319c49325933355a82dc840a6ea1a3616ee7da4be7

SHA512
f03f423d07c3987f50fd26773c97c033b787a3c9d544c30acc4955f89a0e7e8ce4c698e3b63fd2f24d9886ddcbb35007a4c2c76ede6b58e17c8f09006a277615

Download Submit
C:\Windows\{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe

Filesize
168KB

MD5
540366cab794b28f2452de18271d41f4

SHA1
7eb33a6d26d26403c26c115236851e6541a5f6ed

SHA256
f7e5abce192bb5c84c720e920411850c10b9b19750fb126077b89b123d9c22bf

SHA512
14c21733c76b5f22d32af0d31975b2926a96e46b81d6fdea9a968f4b3067ca07f7608bbe1bbaa562b69558aa256a066d39c849a55a72f700a38e95256cdf754f

Download Submit
C:\Windows\{88DFB1A5-6944-40a6-942B-053BEDAC032B}.exe

Filesize
168KB

MD5
540366cab794b28f2452de18271d41f4

SHA1
7eb33a6d26d26403c26c115236851e6541a5f6ed

SHA256
f7e5abce192bb5c84c720e920411850c10b9b19750fb126077b89b123d9c22bf

SHA512
14c21733c76b5f22d32af0d31975b2926a96e46b81d6fdea9a968f4b3067ca07f7608bbe1bbaa562b69558aa256a066d39c849a55a72f700a38e95256cdf754f

Download Submit
C:\Windows\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe

Filesize
168KB

MD5
51722f9389b423b5d87e3fb0c2c1272b

SHA1
b9866f6ef58d465aa80415fdf6777981f9fb24ed

SHA256
7df246b5c94c17f30406a110b774f3fbf4157af838fe10c682657c767ce4c982

SHA512
4f20c2adba3a05e82fc45648070bd160a04705d36633deaea7d510dab0bd54f1b450b929544924d45592cf1a754f0e059159a5d966b9ad78d35b2d6cbce9fe58

Download Submit
C:\Windows\{9DABC887-8E0B-45a2-ACD0-D0C16C030125}.exe

Filesize
168KB

MD5
51722f9389b423b5d87e3fb0c2c1272b

SHA1
b9866f6ef58d465aa80415fdf6777981f9fb24ed

SHA256
7df246b5c94c17f30406a110b774f3fbf4157af838fe10c682657c767ce4c982

SHA512
4f20c2adba3a05e82fc45648070bd160a04705d36633deaea7d510dab0bd54f1b450b929544924d45592cf1a754f0e059159a5d966b9ad78d35b2d6cbce9fe58

Download Submit
C:\Windows\{A0E159D7-060D-4974-86A6-BD3778A934EF}.exe

Filesize
168KB

MD5
2f7b2b3910f21c6ce6700ce9b589fd7c

SHA1
135b4ed571190ef55125a5eaea74ee245dde4712

SHA256
aa336cbfce9217c8c6b5a9d038b1d9dc385f9ac3cc598a676c7de8defaeb58c8

SHA512
dabb86b666aefcb4be3e22d8193ccbe90266995b318c12d6d4beb4884d8b785b3831c94c3e06a1cad1df97f9eb19fe24289e91516e48d0ab059e37afcafd1c5f

Download Submit
C:\Windows\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe

Filesize
168KB

MD5
2e85d04bc4f46d44e8c534bfe64b4b5b

SHA1
8382272be51a592a8beb948a73503f6782fa8079

SHA256
db9982cbed69a879bb78b2e08f7cd6232cc822226d90dd8485d27cb31af092af

SHA512
79315675a044f2a52977c42c796b60c33380f98e383ccd5947f2f5a499e4895c57506cac142f0ce585eb1972e72fa4dcc6bad478fe33600b43393aaa58570bea

Download Submit
C:\Windows\{B2BC67DE-6439-464c-8A4C-5941EBCADF3E}.exe

Filesize
168KB

MD5
2e85d04bc4f46d44e8c534bfe64b4b5b

SHA1
8382272be51a592a8beb948a73503f6782fa8079

SHA256
db9982cbed69a879bb78b2e08f7cd6232cc822226d90dd8485d27cb31af092af

SHA512
79315675a044f2a52977c42c796b60c33380f98e383ccd5947f2f5a499e4895c57506cac142f0ce585eb1972e72fa4dcc6bad478fe33600b43393aaa58570bea

Download Submit
C:\Windows\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe

Filesize
168KB

MD5
b1bd75e2abba4469ee9b13f39b31dba3

SHA1
b707e456b762c3acc09ad52056dcccbda52cd559

SHA256
a40e3397e7668f5d2d6d5311331c20077bc93b23a3ebed8e819cb574a645a599

SHA512
a44b88dabb4675932b918607733644f4d965526b31f7ca574f5433715cdcb520bc29358a82b5366851a3e685c004e977c8d4c6e2b5c8e01d588deb2e3de17dbd

Download Submit
C:\Windows\{B60F8A54-F5A2-4cb2-8510-740B2802C7C6}.exe

Filesize
168KB

MD5
b1bd75e2abba4469ee9b13f39b31dba3

SHA1
b707e456b762c3acc09ad52056dcccbda52cd559

SHA256
a40e3397e7668f5d2d6d5311331c20077bc93b23a3ebed8e819cb574a645a599

SHA512
a44b88dabb4675932b918607733644f4d965526b31f7ca574f5433715cdcb520bc29358a82b5366851a3e685c004e977c8d4c6e2b5c8e01d588deb2e3de17dbd

Download Submit
C:\Windows\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe

Filesize
168KB

MD5
a519299d03afd497daaaad116178bf17

SHA1
f0fa4c7e409241fc1dc3727f820c1d1e6257c61b

SHA256
7076a287f790739950a2b29753500c17579793a4d459f183f1c1118800ecd279

SHA512
5fc8cb01be866ef26c9471d536387fc3ad5cccb3ac4a2572dabb8dc199f46188be07888ce5d87ef001dcc640d20d49195f1f88a526f057494a20be444a6fd0ba

Download Submit
C:\Windows\{BE285A39-EA1C-4e81-B0D4-70A0D27377D2}.exe

Filesize
168KB

MD5
a519299d03afd497daaaad116178bf17

SHA1
f0fa4c7e409241fc1dc3727f820c1d1e6257c61b

SHA256
7076a287f790739950a2b29753500c17579793a4d459f183f1c1118800ecd279

SHA512
5fc8cb01be866ef26c9471d536387fc3ad5cccb3ac4a2572dabb8dc199f46188be07888ce5d87ef001dcc640d20d49195f1f88a526f057494a20be444a6fd0ba

Download Submit
C:\Windows\{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe

Filesize
168KB

MD5
b2c005d5e618d080099d7b891e7e0c98

SHA1
706cf07d5255fd7b3554e1c04285a1d3a8e7dc29

SHA256
618c8c59ed3b7f31056908d3e9ccff533afad5a1d284cca7df25342985aded61

SHA512
85d5886ce7b7e2665a826153e409117389cfbdcef1c83ed53dc59e609202307030eb0860f1142c50b35aaeb0f86befb6fc14f7b3ed6ff1481590db41f04aa489

Download Submit
C:\Windows\{C682CA2A-6218-4baf-947C-31956D9B3F0C}.exe

Filesize
168KB

MD5
b2c005d5e618d080099d7b891e7e0c98

SHA1
706cf07d5255fd7b3554e1c04285a1d3a8e7dc29

SHA256
618c8c59ed3b7f31056908d3e9ccff533afad5a1d284cca7df25342985aded61

SHA512
85d5886ce7b7e2665a826153e409117389cfbdcef1c83ed53dc59e609202307030eb0860f1142c50b35aaeb0f86befb6fc14f7b3ed6ff1481590db41f04aa489

Download Submit
C:\Windows\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe

Filesize
168KB

MD5
d2268a7526394bd4ba7082da6b8b37f6

SHA1
3702320281a000048e65bc9a659ee81209b8397f

SHA256
97417149a183801ceedbf668eae725e5a7a943ee455c7f1608d63fc4cc1ed615

SHA512
11697c9a3c53a0fa26724e2a0258018c66cdb1a21e480219137b7dc54405ead30cb196ca022b1561614dd1800bf7ffc94274f214c4f62c22e227e8e7ca0a923e

Download Submit
C:\Windows\{EC1F0502-8813-4fa2-980E-777CCCFC3B1E}.exe

Filesize
168KB

MD5
d2268a7526394bd4ba7082da6b8b37f6

SHA1
3702320281a000048e65bc9a659ee81209b8397f

SHA256
97417149a183801ceedbf668eae725e5a7a943ee455c7f1608d63fc4cc1ed615

SHA512
11697c9a3c53a0fa26724e2a0258018c66cdb1a21e480219137b7dc54405ead30cb196ca022b1561614dd1800bf7ffc94274f214c4f62c22e227e8e7ca0a923e

Download Submit