8cf99a3fced8d2a867c0b35ac20f50c1eea6629bc35ae030e9d3124f8dc9e326

Analysis

max time kernel
150s
max time network
78s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52860e02e9f115exeexeexeex.exe
Size

168KB
MD5

52860e02e9f115c7318dbb0b94158348
SHA1

356f78344218bbada962127765e31530b59bf187
SHA256

8cf99a3fced8d2a867c0b35ac20f50c1eea6629bc35ae030e9d3124f8dc9e326
SHA512

b39c45a633a5f7a3f8ebe5ded0cd03e5b699d29afbbcbca097593e47168d987de9b1e9488c8f0e098a7a17daa128ec07c0c086b7eb806f8f5ed2db96a556e513
SSDEEP

1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}	52860e02e9f115exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714FE317-F6E2-4e1b-BD43-10D583138A4A}	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}\stubpath = "C:\\Windows\\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe"	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}	{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}\stubpath = "C:\\Windows\\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe"	{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F47077-EE27-4b68-A2A6-588302D49DD0}\stubpath = "C:\\Windows\\{C3F47077-EE27-4b68-A2A6-588302D49DD0}.exe"	{EAA522E2-83C2-40ce-8278-C769508C815C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6010347-3C7E-4314-8DC7-A9A718A43B46}\stubpath = "C:\\Windows\\{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe"	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}\stubpath = "C:\\Windows\\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe"	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3826EC3A-30E4-4051-9159-26E15156127B}\stubpath = "C:\\Windows\\{3826EC3A-30E4-4051-9159-26E15156127B}.exe"	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA522E2-83C2-40ce-8278-C769508C815C}	{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA522E2-83C2-40ce-8278-C769508C815C}\stubpath = "C:\\Windows\\{EAA522E2-83C2-40ce-8278-C769508C815C}.exe"	{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED08B042-59E3-4d36-94EE-946DED971131}	{3826EC3A-30E4-4051-9159-26E15156127B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD139AB6-1418-4b9d-96DE-E75E2F392625}\stubpath = "C:\\Windows\\{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe"	{ED08B042-59E3-4d36-94EE-946DED971131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}\stubpath = "C:\\Windows\\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe"	52860e02e9f115exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714FE317-F6E2-4e1b-BD43-10D583138A4A}\stubpath = "C:\\Windows\\{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe"	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}\stubpath = "C:\\Windows\\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe"	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3826EC3A-30E4-4051-9159-26E15156127B}	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}	{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}\stubpath = "C:\\Windows\\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe"	{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F47077-EE27-4b68-A2A6-588302D49DD0}	{EAA522E2-83C2-40ce-8278-C769508C815C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6010347-3C7E-4314-8DC7-A9A718A43B46}	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED08B042-59E3-4d36-94EE-946DED971131}\stubpath = "C:\\Windows\\{ED08B042-59E3-4d36-94EE-946DED971131}.exe"	{3826EC3A-30E4-4051-9159-26E15156127B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD139AB6-1418-4b9d-96DE-E75E2F392625}	{ED08B042-59E3-4d36-94EE-946DED971131}.exe

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe
2996	{ED08B042-59E3-4d36-94EE-946DED971131}.exe
2520	{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
2640	{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
2636	{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
2648	{EAA522E2-83C2-40ce-8278-C769508C815C}.exe
2152	{C3F47077-EE27-4b68-A2A6-588302D49DD0}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
File created	C:\Windows\{3826EC3A-30E4-4051-9159-26E15156127B}.exe	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
File created	C:\Windows\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe	{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
File created	C:\Windows\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe	{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
File created	C:\Windows\{C3F47077-EE27-4b68-A2A6-588302D49DD0}.exe	{EAA522E2-83C2-40ce-8278-C769508C815C}.exe
File created	C:\Windows\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
File created	C:\Windows\{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
File created	C:\Windows\{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
File created	C:\Windows\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
File created	C:\Windows\{ED08B042-59E3-4d36-94EE-946DED971131}.exe	{3826EC3A-30E4-4051-9159-26E15156127B}.exe
File created	C:\Windows\{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe	{ED08B042-59E3-4d36-94EE-946DED971131}.exe
File created	C:\Windows\{EAA522E2-83C2-40ce-8278-C769508C815C}.exe	{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
File created	C:\Windows\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	52860e02e9f115exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	52860e02e9f115exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
Token: SeIncBasePriorityPrivilege	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
Token: SeIncBasePriorityPrivilege	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
Token: SeIncBasePriorityPrivilege	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
Token: SeIncBasePriorityPrivilege	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
Token: SeIncBasePriorityPrivilege	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
Token: SeIncBasePriorityPrivilege	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe
Token: SeIncBasePriorityPrivilege	2996	{ED08B042-59E3-4d36-94EE-946DED971131}.exe
Token: SeIncBasePriorityPrivilege	2520	{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
Token: SeIncBasePriorityPrivilege	2640	{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
Token: SeIncBasePriorityPrivilege	2636	{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
Token: SeIncBasePriorityPrivilege	2648	{EAA522E2-83C2-40ce-8278-C769508C815C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2816	2364	52860e02e9f115exeexeexeex.exe	27
PID 2364 wrote to memory of 2816	2364	52860e02e9f115exeexeexeex.exe	27
PID 2364 wrote to memory of 2816	2364	52860e02e9f115exeexeexeex.exe	27
PID 2364 wrote to memory of 2816	2364	52860e02e9f115exeexeexeex.exe	27
PID 2364 wrote to memory of 2884	2364	52860e02e9f115exeexeexeex.exe	28
PID 2364 wrote to memory of 2884	2364	52860e02e9f115exeexeexeex.exe	28
PID 2364 wrote to memory of 2884	2364	52860e02e9f115exeexeexeex.exe	28
PID 2364 wrote to memory of 2884	2364	52860e02e9f115exeexeexeex.exe	28
PID 2816 wrote to memory of 2952	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	29
PID 2816 wrote to memory of 2952	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	29
PID 2816 wrote to memory of 2952	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	29
PID 2816 wrote to memory of 2952	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	29
PID 2816 wrote to memory of 1960	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	30
PID 2816 wrote to memory of 1960	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	30
PID 2816 wrote to memory of 1960	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	30
PID 2816 wrote to memory of 1960	2816	{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe	30
PID 2952 wrote to memory of 2084	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	31
PID 2952 wrote to memory of 2084	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	31
PID 2952 wrote to memory of 2084	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	31
PID 2952 wrote to memory of 2084	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	31
PID 2952 wrote to memory of 2200	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	32
PID 2952 wrote to memory of 2200	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	32
PID 2952 wrote to memory of 2200	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	32
PID 2952 wrote to memory of 2200	2952	{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe	32
PID 2084 wrote to memory of 1340	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	33
PID 2084 wrote to memory of 1340	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	33
PID 2084 wrote to memory of 1340	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	33
PID 2084 wrote to memory of 1340	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	33
PID 2084 wrote to memory of 1392	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	34
PID 2084 wrote to memory of 1392	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	34
PID 2084 wrote to memory of 1392	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	34
PID 2084 wrote to memory of 1392	2084	{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe	34
PID 1340 wrote to memory of 2808	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	35
PID 1340 wrote to memory of 2808	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	35
PID 1340 wrote to memory of 2808	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	35
PID 1340 wrote to memory of 2808	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	35
PID 1340 wrote to memory of 1516	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	36
PID 1340 wrote to memory of 1516	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	36
PID 1340 wrote to memory of 1516	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	36
PID 1340 wrote to memory of 1516	1340	{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe	36
PID 2808 wrote to memory of 1076	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	38
PID 2808 wrote to memory of 1076	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	38
PID 2808 wrote to memory of 1076	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	38
PID 2808 wrote to memory of 1076	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	38
PID 2808 wrote to memory of 2236	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	37
PID 2808 wrote to memory of 2236	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	37
PID 2808 wrote to memory of 2236	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	37
PID 2808 wrote to memory of 2236	2808	{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe	37
PID 1076 wrote to memory of 1352	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	40
PID 1076 wrote to memory of 1352	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	40
PID 1076 wrote to memory of 1352	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	40
PID 1076 wrote to memory of 1352	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	40
PID 1076 wrote to memory of 1520	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	39
PID 1076 wrote to memory of 1520	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	39
PID 1076 wrote to memory of 1520	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	39
PID 1076 wrote to memory of 1520	1076	{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe	39
PID 1352 wrote to memory of 2996	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	41
PID 1352 wrote to memory of 2996	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	41
PID 1352 wrote to memory of 2996	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	41
PID 1352 wrote to memory of 2996	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	41
PID 1352 wrote to memory of 2112	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	42
PID 1352 wrote to memory of 2112	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	42
PID 1352 wrote to memory of 2112	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	42
PID 1352 wrote to memory of 2112	1352	{3826EC3A-30E4-4051-9159-26E15156127B}.exe	42

C:\Users\Admin\AppData\Local\Temp\52860e02e9f115exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\52860e02e9f115exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
  C:\Windows\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
    C:\Windows\{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
      C:\Windows\{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
        
        C:\Windows\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
        
        C:\Windows\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4E12~1.EXE > nul
        7⤵
        
        PID:2236
        
        C:\Windows\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
        
        C:\Windows\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{431A7~1.EXE > nul
        8⤵
        
        PID:1520
        
        C:\Windows\{3826EC3A-30E4-4051-9159-26E15156127B}.exe
        
        C:\Windows\{3826EC3A-30E4-4051-9159-26E15156127B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{ED08B042-59E3-4d36-94EE-946DED971131}.exe
        
        C:\Windows\{ED08B042-59E3-4d36-94EE-946DED971131}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
        
        C:\Windows\{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
        
        C:\Windows\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
        
        C:\Windows\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\{EAA522E2-83C2-40ce-8278-C769508C815C}.exe
        
        C:\Windows\{EAA522E2-83C2-40ce-8278-C769508C815C}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA52~1.EXE > nul
        14⤵
        
        PID:2524
        
        C:\Windows\{C3F47077-EE27-4b68-A2A6-588302D49DD0}.exe
        
        C:\Windows\{C3F47077-EE27-4b68-A2A6-588302D49DD0}.exe
        14⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D56~1.EXE > nul
        13⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E1B3~1.EXE > nul
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD139~1.EXE > nul
        11⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED08B~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3826E~1.EXE > nul
        9⤵
        
        PID:2112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0127~1.EXE > nul
        6⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6010~1.EXE > nul
        5⤵
        
        PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{714FE~1.EXE > nul
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B91B~1.EXE > nul
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\52860E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe

Filesize
168KB

MD5
90086e15b04d008309388e366e9e1396

SHA1
0a7b41295cda19ee30ba8aa96fdbb7199a71b180

SHA256
945536e34e6f72ecd792a854bd70b2ecb495cfe968f876c8cb5fcd259e9f38b9

SHA512
de621b1f50eec87f64175bfa1dc8f7fa2f552be2ee5a2694da99f0226cd6c0a7425e7d5e413e7fb0cc70931ac98d030ad698e0dc6385db658623cf445a5d573f

Download Submit
C:\Windows\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe

Filesize
168KB

MD5
90086e15b04d008309388e366e9e1396

SHA1
0a7b41295cda19ee30ba8aa96fdbb7199a71b180

SHA256
945536e34e6f72ecd792a854bd70b2ecb495cfe968f876c8cb5fcd259e9f38b9

SHA512
de621b1f50eec87f64175bfa1dc8f7fa2f552be2ee5a2694da99f0226cd6c0a7425e7d5e413e7fb0cc70931ac98d030ad698e0dc6385db658623cf445a5d573f

Download Submit
C:\Windows\{2B91B2C8-AA7F-4942-8453-8BDDBD92FCC6}.exe

Filesize
168KB

MD5
90086e15b04d008309388e366e9e1396

SHA1
0a7b41295cda19ee30ba8aa96fdbb7199a71b180

SHA256
945536e34e6f72ecd792a854bd70b2ecb495cfe968f876c8cb5fcd259e9f38b9

SHA512
de621b1f50eec87f64175bfa1dc8f7fa2f552be2ee5a2694da99f0226cd6c0a7425e7d5e413e7fb0cc70931ac98d030ad698e0dc6385db658623cf445a5d573f

Download Submit
C:\Windows\{3826EC3A-30E4-4051-9159-26E15156127B}.exe

Filesize
168KB

MD5
25b70acf38cf339bbe68efa0ec902d86

SHA1
1f9c79d452669e2fae1a2b1ca63ef22048354698

SHA256
f07c5ecc8eb40f9762d235272896ff34ac549b99b7248f83532b8a529fa0126d

SHA512
2304ca0d8be003cd16231831539c4a3813bf658c7d64f8d448394f5f0f20a8f045038f22ff42970fdba2e2cca75913d375e4ddb2985620f95199a45db4cf56f5

Download Submit
C:\Windows\{3826EC3A-30E4-4051-9159-26E15156127B}.exe

Filesize
168KB

MD5
25b70acf38cf339bbe68efa0ec902d86

SHA1
1f9c79d452669e2fae1a2b1ca63ef22048354698

SHA256
f07c5ecc8eb40f9762d235272896ff34ac549b99b7248f83532b8a529fa0126d

SHA512
2304ca0d8be003cd16231831539c4a3813bf658c7d64f8d448394f5f0f20a8f045038f22ff42970fdba2e2cca75913d375e4ddb2985620f95199a45db4cf56f5

Download Submit
C:\Windows\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe

Filesize
168KB

MD5
d3e0289ae77b160f93b4b09606202a56

SHA1
20561f8439bd9e7454a63679da475f61e52d5980

SHA256
8fb03d8183429225d0183ecb35f6e7644255a82cf3365c0d8cc499c1d883f9f4

SHA512
3f9ebb36d4da6e9a49d738ccddf760fc0afe7284a9737fa931b1be0a19744504819fadb82b178e0549c6e583203bd1ac578fb11b826b3c590a359663245e5af1

Download Submit
C:\Windows\{431A7AF9-7A2F-445c-8A5A-3079373C3F54}.exe

Filesize
168KB

MD5
d3e0289ae77b160f93b4b09606202a56

SHA1
20561f8439bd9e7454a63679da475f61e52d5980

SHA256
8fb03d8183429225d0183ecb35f6e7644255a82cf3365c0d8cc499c1d883f9f4

SHA512
3f9ebb36d4da6e9a49d738ccddf760fc0afe7284a9737fa931b1be0a19744504819fadb82b178e0549c6e583203bd1ac578fb11b826b3c590a359663245e5af1

Download Submit
C:\Windows\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe

Filesize
168KB

MD5
310f78f68b9d5b4011ed5c38031907b7

SHA1
a1d9be34afd48e4591d64d269d0aca7e98dd3b05

SHA256
103c057225279ab47818b26b2bc4d3515d4c23c7b4940d91d683a05f76406158

SHA512
368a51b19ba16e4cc415f09edadf76064f9ce6a8b50759d4f5a396c80c4d3dd84a848db36013dbe5f1226122139f6a91e7fdd02e0875efe327c8e4c4db21c30a

Download Submit
C:\Windows\{4E1B3A2E-6E9E-429d-B36A-494E175DAFCA}.exe

Filesize
168KB

MD5
310f78f68b9d5b4011ed5c38031907b7

SHA1
a1d9be34afd48e4591d64d269d0aca7e98dd3b05

SHA256
103c057225279ab47818b26b2bc4d3515d4c23c7b4940d91d683a05f76406158

SHA512
368a51b19ba16e4cc415f09edadf76064f9ce6a8b50759d4f5a396c80c4d3dd84a848db36013dbe5f1226122139f6a91e7fdd02e0875efe327c8e4c4db21c30a

Download Submit
C:\Windows\{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe

Filesize
168KB

MD5
fdc7c742b9b5439a598db9f2b7196d7d

SHA1
cbc0d8bed409518187c10d6948901b98f3d74ac0

SHA256
550ad62b35ba22080b914641a07daf3b452941c2d3b29e68c507052a3d825bde

SHA512
3713f2d15ddb1b95a52e1dca35d56615edc3ae87514845ed6dbc902562578002597701a2685f7a2dddbc2da5df4bdea25a139dd9f3ccf00cbb2afca97f1696b5

Download Submit
C:\Windows\{714FE317-F6E2-4e1b-BD43-10D583138A4A}.exe

Filesize
168KB

MD5
fdc7c742b9b5439a598db9f2b7196d7d

SHA1
cbc0d8bed409518187c10d6948901b98f3d74ac0

SHA256
550ad62b35ba22080b914641a07daf3b452941c2d3b29e68c507052a3d825bde

SHA512
3713f2d15ddb1b95a52e1dca35d56615edc3ae87514845ed6dbc902562578002597701a2685f7a2dddbc2da5df4bdea25a139dd9f3ccf00cbb2afca97f1696b5

Download Submit
C:\Windows\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe

Filesize
168KB

MD5
9b8b852a59b25a9ff1b3bcdc0d473744

SHA1
f3a3c59787362f892b974dd4687d851a8af44f3a

SHA256
0f508abb9f849437f807fc8b060a18b60369cd3838827f4f78bf416244373c2c

SHA512
1ad2343630b42ecddb8964d20148b7dacae3d4a2c6ad707ba20aea35c94efa713532c781f2d87a505d03c21d723aa1f567d141434d20d84fd2b903fa76764fc9

Download Submit
C:\Windows\{B7D56E20-C3D7-437c-835E-5FF98A8A01B0}.exe

Filesize
168KB

MD5
9b8b852a59b25a9ff1b3bcdc0d473744

SHA1
f3a3c59787362f892b974dd4687d851a8af44f3a

SHA256
0f508abb9f849437f807fc8b060a18b60369cd3838827f4f78bf416244373c2c

SHA512
1ad2343630b42ecddb8964d20148b7dacae3d4a2c6ad707ba20aea35c94efa713532c781f2d87a505d03c21d723aa1f567d141434d20d84fd2b903fa76764fc9

Download Submit
C:\Windows\{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe

Filesize
168KB

MD5
94fb21ca28083bb3afcdcb55a783353c

SHA1
4cb6689b6641e190528009b6e15cea059ac46975

SHA256
9fa60461f48e60bd06d2aa81a189a6acf069520e140c90df0a7ec42a7b14bc13

SHA512
11625a8c13996d75fe05e515ac0785eb578107fe1c5ee957d976232bf66f265ffdb970189f7f84e001cad77fa10b9c70938ab9c9768ed4353a4c99541c739fe1

Download Submit
C:\Windows\{BD139AB6-1418-4b9d-96DE-E75E2F392625}.exe

Filesize
168KB

MD5
94fb21ca28083bb3afcdcb55a783353c

SHA1
4cb6689b6641e190528009b6e15cea059ac46975

SHA256
9fa60461f48e60bd06d2aa81a189a6acf069520e140c90df0a7ec42a7b14bc13

SHA512
11625a8c13996d75fe05e515ac0785eb578107fe1c5ee957d976232bf66f265ffdb970189f7f84e001cad77fa10b9c70938ab9c9768ed4353a4c99541c739fe1

Download Submit
C:\Windows\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe

Filesize
168KB

MD5
a51895d6b33253c56c0a17c387fd8e98

SHA1
73642384e6a0c6690624b92638f49315f091b000

SHA256
9d5ac883e69687908600a9bc2b6c6b1c73b66a76ea8dd55b1242369a9fd90fec

SHA512
8cd2a6699637142630005ea8146f9cb667404fece395c933b60a251aac5aa01e2830b5ee6910c6ff1cde6c06023c89910220836bc509bb895aeadf7bce34e69c

Download Submit
C:\Windows\{C0127666-4F48-4d3a-BBBD-8D39915BD9B0}.exe

Filesize
168KB

MD5
a51895d6b33253c56c0a17c387fd8e98

SHA1
73642384e6a0c6690624b92638f49315f091b000

SHA256
9d5ac883e69687908600a9bc2b6c6b1c73b66a76ea8dd55b1242369a9fd90fec

SHA512
8cd2a6699637142630005ea8146f9cb667404fece395c933b60a251aac5aa01e2830b5ee6910c6ff1cde6c06023c89910220836bc509bb895aeadf7bce34e69c

Download Submit
C:\Windows\{C3F47077-EE27-4b68-A2A6-588302D49DD0}.exe

Filesize
168KB

MD5
db8b3b97d1299274d27e16e746e6ad51

SHA1
24f455ed1d6788894a6b7010ecfee072846fee71

SHA256
9847fe91fa11c4156a3a9ab8221ead4d8d9697bbb78108aae950f0ce4a063d0b

SHA512
d23086614c787226b0af18664ee3ac074e195f4f49b7f9dceab82ffe3ec0399da5c43dd10e485982fbafb0aa87e6b053e025aefe40452fac2efefc5e9a06b47a

Download Submit
C:\Windows\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe

Filesize
168KB

MD5
c2b4989ac693b62936263af1b65e2937

SHA1
a8be138ef0cb0ae5ce50df0e0fc6021660d7d9f2

SHA256
cd85fdc9f53840d7fa49a60c4bc0d53788318e4209394099bc3e22302f127de1

SHA512
f5fd58fd2ce8b6efaa8a1afeeebdcb855e89e7ccbd03f3fc22f68ea76bd6a1bc0614dcfbbed813364b15a54502fc5dad39a88cdd75a5e5987bb20d07fd2d92ae

Download Submit
C:\Windows\{E4E12CB6-D479-4ba3-8CC5-4ECDE8999C9F}.exe

Filesize
168KB

MD5
c2b4989ac693b62936263af1b65e2937

SHA1
a8be138ef0cb0ae5ce50df0e0fc6021660d7d9f2

SHA256
cd85fdc9f53840d7fa49a60c4bc0d53788318e4209394099bc3e22302f127de1

SHA512
f5fd58fd2ce8b6efaa8a1afeeebdcb855e89e7ccbd03f3fc22f68ea76bd6a1bc0614dcfbbed813364b15a54502fc5dad39a88cdd75a5e5987bb20d07fd2d92ae

Download Submit
C:\Windows\{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe

Filesize
168KB

MD5
6363ac6e2d250255cd5840a34aca9fb8

SHA1
4a3cf2bd41ecca7d029c9a43d313496c56947e13

SHA256
4cdea24b64601e818e28face2104c1e6a0ed86cde506410c1d412243669260ef

SHA512
b9720f70da21318b5681468b77782414bda8dbf79c0594aba3551c293f57f993321ab756ba1419d54472762d90c37635f0bb6d991ce93a0b2e1b101f5e153693

Download Submit
C:\Windows\{E6010347-3C7E-4314-8DC7-A9A718A43B46}.exe

Filesize
168KB

MD5
6363ac6e2d250255cd5840a34aca9fb8

SHA1
4a3cf2bd41ecca7d029c9a43d313496c56947e13

SHA256
4cdea24b64601e818e28face2104c1e6a0ed86cde506410c1d412243669260ef

SHA512
b9720f70da21318b5681468b77782414bda8dbf79c0594aba3551c293f57f993321ab756ba1419d54472762d90c37635f0bb6d991ce93a0b2e1b101f5e153693

Download Submit
C:\Windows\{EAA522E2-83C2-40ce-8278-C769508C815C}.exe

Filesize
168KB

MD5
84ec6d9a729bdb972dfec87350380d1a

SHA1
607560308f49fa94d31ced8ef0c61c5820ab4bf5

SHA256
0711e8eda99fe122d8340a15a648f1c0a80efc805c833b2409214323cb74acfc

SHA512
bb6882abd5f7582fe7abceb3bf457aacf99a51b28b154a1efd2c3c7ab7f42f329164443d867ef289829663c63c3de209edc77af54247c5a78f62b4e649ed4312

Download Submit
C:\Windows\{EAA522E2-83C2-40ce-8278-C769508C815C}.exe

Filesize
168KB

MD5
84ec6d9a729bdb972dfec87350380d1a

SHA1
607560308f49fa94d31ced8ef0c61c5820ab4bf5

SHA256
0711e8eda99fe122d8340a15a648f1c0a80efc805c833b2409214323cb74acfc

SHA512
bb6882abd5f7582fe7abceb3bf457aacf99a51b28b154a1efd2c3c7ab7f42f329164443d867ef289829663c63c3de209edc77af54247c5a78f62b4e649ed4312

Download Submit
C:\Windows\{ED08B042-59E3-4d36-94EE-946DED971131}.exe

Filesize
168KB

MD5
8b5c254e7a530b5e02a86cf9e232070f

SHA1
8622ff6f7ac83d4952adf405bb19214182b1704d

SHA256
2f4205c3a0641a090b07e808a32a90b6e57ed4983c3386e6ce7667dc296e6998

SHA512
d74b63f34223fa491012a2b90a22f1334b3003d801a0e66ce6f49426debc4f8e4d78d006b1bcb25c6258b99585e06a51ff9f9ec65561a22be0bc3e805f2be9f9

Download Submit
C:\Windows\{ED08B042-59E3-4d36-94EE-946DED971131}.exe

Filesize
168KB

MD5
8b5c254e7a530b5e02a86cf9e232070f

SHA1
8622ff6f7ac83d4952adf405bb19214182b1704d

SHA256
2f4205c3a0641a090b07e808a32a90b6e57ed4983c3386e6ce7667dc296e6998

SHA512
d74b63f34223fa491012a2b90a22f1334b3003d801a0e66ce6f49426debc4f8e4d78d006b1bcb25c6258b99585e06a51ff9f9ec65561a22be0bc3e805f2be9f9

Download Submit