34ce7c27d797b359b3ce74b3c633e190e90eff98dcb30f19f86335b5ce5e0915

Analysis

max time kernel
145s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e358c968729bexeexeexeex.exe
Size

168KB
MD5

52e358c968729bb33b8664278ab4479a
SHA1

f80c9cda8a637916dfa2d6c4192eed4c8278163c
SHA256

34ce7c27d797b359b3ce74b3c633e190e90eff98dcb30f19f86335b5ce5e0915
SHA512

4991716167a0d9bb178bee351e518a410d48ab85efdc2d83458bf050e6cc675152870fb98a72fb7be785270e648302fb3759a1f3cbb76a1d41634983dad8b7a7
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8E7FC1-4138-405e-84CE-119DE87004BD}	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8E7FC1-4138-405e-84CE-119DE87004BD}\stubpath = "C:\\Windows\\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe"	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDBE089B-B922-4397-BB74-F331B00E7B02}	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{584D8A28-7E1E-4564-9522-41665A4A201E}	{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}	{584D8A28-7E1E-4564-9522-41665A4A201E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF9298F0-37E7-467d-92BF-17FEC7397D68}	{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF9298F0-37E7-467d-92BF-17FEC7397D68}\stubpath = "C:\\Windows\\{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe"	{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}	{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{153C1F46-A0DF-471c-A2B0-B043FF154874}	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDBE089B-B922-4397-BB74-F331B00E7B02}\stubpath = "C:\\Windows\\{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe"	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EA839E-498B-42d0-A915-0E15408318AC}	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EA839E-498B-42d0-A915-0E15408318AC}\stubpath = "C:\\Windows\\{64EA839E-498B-42d0-A915-0E15408318AC}.exe"	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}\stubpath = "C:\\Windows\\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe"	{64EA839E-498B-42d0-A915-0E15408318AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}\stubpath = "C:\\Windows\\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}.exe"	{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}\stubpath = "C:\\Windows\\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe"	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}	{64EA839E-498B-42d0-A915-0E15408318AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B48A71F1-0390-453e-9810-750C85A3BAF5}\stubpath = "C:\\Windows\\{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe"	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{584D8A28-7E1E-4564-9522-41665A4A201E}\stubpath = "C:\\Windows\\{584D8A28-7E1E-4564-9522-41665A4A201E}.exe"	{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}	52e358c968729bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}\stubpath = "C:\\Windows\\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe"	52e358c968729bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{153C1F46-A0DF-471c-A2B0-B043FF154874}\stubpath = "C:\\Windows\\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe"	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}\stubpath = "C:\\Windows\\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe"	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B48A71F1-0390-453e-9810-750C85A3BAF5}	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}\stubpath = "C:\\Windows\\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe"	{584D8A28-7E1E-4564-9522-41665A4A201E}.exe

Deletes itself 1 IoCs

pid	Process
1040	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
616	{64EA839E-498B-42d0-A915-0E15408318AC}.exe
2708	{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
2640	{584D8A28-7E1E-4564-9522-41665A4A201E}.exe
2400	{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
2672	{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe
2612	{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
File created	C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
File created	C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
File created	C:\Windows\{584D8A28-7E1E-4564-9522-41665A4A201E}.exe	{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
File created	C:\Windows\{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe	{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
File created	C:\Windows\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}.exe	{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe
File created	C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	52e358c968729bexeexeexeex.exe
File created	C:\Windows\{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
File created	C:\Windows\{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
File created	C:\Windows\{64EA839E-498B-42d0-A915-0E15408318AC}.exe	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
File created	C:\Windows\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe	{64EA839E-498B-42d0-A915-0E15408318AC}.exe
File created	C:\Windows\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe	{584D8A28-7E1E-4564-9522-41665A4A201E}.exe
File created	C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	52e358c968729bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
Token: SeIncBasePriorityPrivilege	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
Token: SeIncBasePriorityPrivilege	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
Token: SeIncBasePriorityPrivilege	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
Token: SeIncBasePriorityPrivilege	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
Token: SeIncBasePriorityPrivilege	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
Token: SeIncBasePriorityPrivilege	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
Token: SeIncBasePriorityPrivilege	616	{64EA839E-498B-42d0-A915-0E15408318AC}.exe
Token: SeIncBasePriorityPrivilege	2708	{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
Token: SeIncBasePriorityPrivilege	2640	{584D8A28-7E1E-4564-9522-41665A4A201E}.exe
Token: SeIncBasePriorityPrivilege	2400	{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
Token: SeIncBasePriorityPrivilege	2672	{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1156	1628	52e358c968729bexeexeexeex.exe	28
PID 1628 wrote to memory of 1156	1628	52e358c968729bexeexeexeex.exe	28
PID 1628 wrote to memory of 1156	1628	52e358c968729bexeexeexeex.exe	28
PID 1628 wrote to memory of 1156	1628	52e358c968729bexeexeexeex.exe	28
PID 1628 wrote to memory of 1040	1628	52e358c968729bexeexeexeex.exe	29
PID 1628 wrote to memory of 1040	1628	52e358c968729bexeexeexeex.exe	29
PID 1628 wrote to memory of 1040	1628	52e358c968729bexeexeexeex.exe	29
PID 1628 wrote to memory of 1040	1628	52e358c968729bexeexeexeex.exe	29
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 1244	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	30
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1156 wrote to memory of 2132	1156	{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe	31
PID 1244 wrote to memory of 2172	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 2172	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 2172	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 2172	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	33
PID 1244 wrote to memory of 1820	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 1820	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 1820	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 1244 wrote to memory of 1820	1244	{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe	32
PID 2172 wrote to memory of 2908	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 2172 wrote to memory of 2908	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 2172 wrote to memory of 2908	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 2172 wrote to memory of 2908	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	34
PID 2172 wrote to memory of 2776	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 2172 wrote to memory of 2776	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 2172 wrote to memory of 2776	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 2172 wrote to memory of 2776	2172	{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe	35
PID 2908 wrote to memory of 2916	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2916	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2916	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2916	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	37
PID 2908 wrote to memory of 2924	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2924	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2924	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2908 wrote to memory of 2924	2908	{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe	36
PID 2916 wrote to memory of 2072	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2916 wrote to memory of 2072	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2916 wrote to memory of 2072	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2916 wrote to memory of 2072	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	39
PID 2916 wrote to memory of 2288	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2916 wrote to memory of 2288	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2916 wrote to memory of 2288	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2916 wrote to memory of 2288	2916	{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe	38
PID 2072 wrote to memory of 1516	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	41
PID 2072 wrote to memory of 1516	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	41
PID 2072 wrote to memory of 1516	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	41
PID 2072 wrote to memory of 1516	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	41
PID 2072 wrote to memory of 2860	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	40
PID 2072 wrote to memory of 2860	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	40
PID 2072 wrote to memory of 2860	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	40
PID 2072 wrote to memory of 2860	2072	{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe	40
PID 1516 wrote to memory of 616	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	43
PID 1516 wrote to memory of 616	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	43
PID 1516 wrote to memory of 616	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	43
PID 1516 wrote to memory of 616	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	43
PID 1516 wrote to memory of 1264	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	42
PID 1516 wrote to memory of 1264	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	42
PID 1516 wrote to memory of 1264	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	42
PID 1516 wrote to memory of 1264	1516	{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe	42

C:\Users\Admin\AppData\Local\Temp\52e358c968729bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\52e358c968729bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
  C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
    C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E1BA~1.EXE > nul
      4⤵
      PID:1820
  - - C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
      C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
        
        C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8E7~1.EXE > nul
        6⤵
        
        PID:2924
      - C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
        
        C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A6E2~1.EXE > nul
        7⤵
        
        PID:2288
        
        C:\Windows\{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
        
        C:\Windows\{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B48A7~1.EXE > nul
        8⤵
        
        PID:2860
        
        C:\Windows\{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
        
        C:\Windows\{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDBE0~1.EXE > nul
        9⤵
        
        PID:1264
        
        C:\Windows\{64EA839E-498B-42d0-A915-0E15408318AC}.exe
        
        C:\Windows\{64EA839E-498B-42d0-A915-0E15408318AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64EA8~1.EXE > nul
        10⤵
        
        PID:2760
        
        C:\Windows\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
        
        C:\Windows\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{584D8A28-7E1E-4564-9522-41665A4A201E}.exe
        
        C:\Windows\{584D8A28-7E1E-4564-9522-41665A4A201E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
        
        C:\Windows\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe
        
        C:\Windows\{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}.exe
        
        C:\Windows\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}.exe
        14⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF929~1.EXE > nul
        14⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A45~1.EXE > nul
        13⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{584D8~1.EXE > nul
        12⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36B1B~1.EXE > nul
        11⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{153C1~1.EXE > nul
        5⤵
        
        PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AFCD3~1.EXE > nul
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\52E358~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe

Filesize
168KB

MD5
e93b6e385278e2ef6927a1c0465428b9

SHA1
b0d2545ed0c69dbe6579d3493befe04e6633963b

SHA256
e525071c7fd473fbcc18794e4cfa7df79ae3ba229a9034d856aee7595a94a1a8

SHA512
57f9b240525d35a1b34647038d74c2df5d8b8acec58a38e9c5d6bf1ac7547f03730450b352374acd4e64ae98d57b133b8c8df96218c9040394649bd8f7306b6b

Download Submit
C:\Windows\{153C1F46-A0DF-471c-A2B0-B043FF154874}.exe

Filesize
168KB

MD5
e93b6e385278e2ef6927a1c0465428b9

SHA1
b0d2545ed0c69dbe6579d3493befe04e6633963b

SHA256
e525071c7fd473fbcc18794e4cfa7df79ae3ba229a9034d856aee7595a94a1a8

SHA512
57f9b240525d35a1b34647038d74c2df5d8b8acec58a38e9c5d6bf1ac7547f03730450b352374acd4e64ae98d57b133b8c8df96218c9040394649bd8f7306b6b

Download Submit
C:\Windows\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe

Filesize
168KB

MD5
effad6fbcea13052ee75028e0e291ff3

SHA1
2454aca78f0ad3d081928c7095582917f5591339

SHA256
8fdfceea4bcc3ccd4e4035ab7a0df7509a6255f2e697337d017a299c2eaa1277

SHA512
939625c16a7ee9ce5f7552cf1ffcc565d01a4b9b8ccc900f3b2b57a39f1bdb5222ec6220223e71b9daef8efb97c0e7887fec920635ec151701a998c8803a0a84

Download Submit
C:\Windows\{36B1B10C-AC40-49ff-9CCD-43FAC9C11932}.exe

Filesize
168KB

MD5
effad6fbcea13052ee75028e0e291ff3

SHA1
2454aca78f0ad3d081928c7095582917f5591339

SHA256
8fdfceea4bcc3ccd4e4035ab7a0df7509a6255f2e697337d017a299c2eaa1277

SHA512
939625c16a7ee9ce5f7552cf1ffcc565d01a4b9b8ccc900f3b2b57a39f1bdb5222ec6220223e71b9daef8efb97c0e7887fec920635ec151701a998c8803a0a84

Download Submit
C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe

Filesize
168KB

MD5
91c3959030d388024c85a00061890735

SHA1
429299a4fb2c3c3305fccdd2942ccf8012fcccdd

SHA256
6126d5955c60d07c27b342d3435cec592e4c2d0441bd34fbe3bc3b4163776837

SHA512
af819ba22d938a9693e4f5e3d5cc6b02cf097d721c23e7029ae63101b1ae13966e81f3c3fb96ae96d640384c5ab98f61f21c59ac113c72d80f74ce2971d71523

Download Submit
C:\Windows\{3E1BAEAD-F8B4-4fd6-BBB6-D347B615CF54}.exe

Filesize
168KB

MD5
91c3959030d388024c85a00061890735

SHA1
429299a4fb2c3c3305fccdd2942ccf8012fcccdd

SHA256
6126d5955c60d07c27b342d3435cec592e4c2d0441bd34fbe3bc3b4163776837

SHA512
af819ba22d938a9693e4f5e3d5cc6b02cf097d721c23e7029ae63101b1ae13966e81f3c3fb96ae96d640384c5ab98f61f21c59ac113c72d80f74ce2971d71523

Download Submit
C:\Windows\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe

Filesize
168KB

MD5
6f27ab73dfb7497ef55247c27d10a9c4

SHA1
907f7a10de26d35bf59c4ff3e7617b06d31ac3d5

SHA256
b3ef41168200e888477ba7d52e8507d8d9a50fbb5fff51dd9edc27d2ba3de2d4

SHA512
36afaaa29ee0cc242aba027d510df527156b698695234e6ec63e8486c8cab386caa8a7337a00f0038ec518cd1b6ac53aa013ca2527bde1b631b38071e591f735

Download Submit
C:\Windows\{48A45A37-D3EB-4c66-AF09-4D2997A9F83A}.exe

Filesize
168KB

MD5
6f27ab73dfb7497ef55247c27d10a9c4

SHA1
907f7a10de26d35bf59c4ff3e7617b06d31ac3d5

SHA256
b3ef41168200e888477ba7d52e8507d8d9a50fbb5fff51dd9edc27d2ba3de2d4

SHA512
36afaaa29ee0cc242aba027d510df527156b698695234e6ec63e8486c8cab386caa8a7337a00f0038ec518cd1b6ac53aa013ca2527bde1b631b38071e591f735

Download Submit
C:\Windows\{584D8A28-7E1E-4564-9522-41665A4A201E}.exe

Filesize
168KB

MD5
a8199d791314cb3578d74e860018eabd

SHA1
c022fe997c54f816a773bbfc165cb579741ed01a

SHA256
bafd56cd1406fb868ea92b04bb55cd0c397994a147c500e33a8cf587898368ce

SHA512
6d760e074a88b36162f09976127e9ad36747854a00e4ef286a8219dedb4b5c3f35f2a13377951e150345740f41853393b407b693698232834a8e19fd158d96b2

Download Submit
C:\Windows\{584D8A28-7E1E-4564-9522-41665A4A201E}.exe

Filesize
168KB

MD5
a8199d791314cb3578d74e860018eabd

SHA1
c022fe997c54f816a773bbfc165cb579741ed01a

SHA256
bafd56cd1406fb868ea92b04bb55cd0c397994a147c500e33a8cf587898368ce

SHA512
6d760e074a88b36162f09976127e9ad36747854a00e4ef286a8219dedb4b5c3f35f2a13377951e150345740f41853393b407b693698232834a8e19fd158d96b2

Download Submit
C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe

Filesize
168KB

MD5
9695e3fcce57de187828d228e33972ae

SHA1
fd1a195c95615fc6bf8f1ee355e2bc5eb6da3b93

SHA256
992d36ee30687ee2ee79f95a549a1979a637e6f8b9ec5a17e6e0fc805d1fcdf0

SHA512
68dae7f9418277dfdf5e80c818b0a8889cf04723d0cd16dcebf53d6b1d341e76f9b1886704074d3cfd07a6271553e98e3ea07270f08e57a5d0e508284ee67aaf

Download Submit
C:\Windows\{5E8E7FC1-4138-405e-84CE-119DE87004BD}.exe

Filesize
168KB

MD5
9695e3fcce57de187828d228e33972ae

SHA1
fd1a195c95615fc6bf8f1ee355e2bc5eb6da3b93

SHA256
992d36ee30687ee2ee79f95a549a1979a637e6f8b9ec5a17e6e0fc805d1fcdf0

SHA512
68dae7f9418277dfdf5e80c818b0a8889cf04723d0cd16dcebf53d6b1d341e76f9b1886704074d3cfd07a6271553e98e3ea07270f08e57a5d0e508284ee67aaf

Download Submit
C:\Windows\{64EA839E-498B-42d0-A915-0E15408318AC}.exe

Filesize
168KB

MD5
8c84e73d888007c135fc0c4dd6fddfcd

SHA1
606a20f8ef15a4be0f85a908419a165feaf3f8e6

SHA256
5807dd865b0a98a40d188877bd790e9fdd740e3780d2157edf11fb957364aabc

SHA512
7753eb54e0274388036bb2dbc6383be7be5f968a8e3b78436a7b5f3845e52f570c58cb24d030b63bbcfc4d3cb71230629e936539cedaffdd6dbdd63654b7fa0a

Download Submit
C:\Windows\{64EA839E-498B-42d0-A915-0E15408318AC}.exe

Filesize
168KB

MD5
8c84e73d888007c135fc0c4dd6fddfcd

SHA1
606a20f8ef15a4be0f85a908419a165feaf3f8e6

SHA256
5807dd865b0a98a40d188877bd790e9fdd740e3780d2157edf11fb957364aabc

SHA512
7753eb54e0274388036bb2dbc6383be7be5f968a8e3b78436a7b5f3845e52f570c58cb24d030b63bbcfc4d3cb71230629e936539cedaffdd6dbdd63654b7fa0a

Download Submit
C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe

Filesize
168KB

MD5
fb0fb453693c898380c049aee9b10a53

SHA1
9caa8252dc8ac036dbc074b21092f751475b9d4b

SHA256
6f910876938c44bcbaad57864efce44640c6e92e7b8118797cc30abba68ab414

SHA512
36fdfdd61f2ccc4d3b71fbe5769e78ecb367c016199f6a6454c1f0da5d2c0853565f3a77995b60c612aba91fc532788fb73d6edc03a1b89192392c94d62705ac

Download Submit
C:\Windows\{7A6E2432-57FA-43e0-AD51-3F492C7C31F7}.exe

Filesize
168KB

MD5
fb0fb453693c898380c049aee9b10a53

SHA1
9caa8252dc8ac036dbc074b21092f751475b9d4b

SHA256
6f910876938c44bcbaad57864efce44640c6e92e7b8118797cc30abba68ab414

SHA512
36fdfdd61f2ccc4d3b71fbe5769e78ecb367c016199f6a6454c1f0da5d2c0853565f3a77995b60c612aba91fc532788fb73d6edc03a1b89192392c94d62705ac

Download Submit
C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Filesize
168KB

MD5
a0155fa1420637178193912c0225998e

SHA1
a73e42c2a725ef9b2c4651ea0361cf5c604bb371

SHA256
4f60a1ac367823a98419e7addbb8c3ec2806dc5210c79b6efca75ac589371047

SHA512
b58e9e8bd20eccd21899ad4e3515f12d1e741856bf69e7f43a455dbee681adc47c4d35d2b7a6a80445490007ff703ecd891d91c899eb56e517b48d147b110a45

Download Submit
C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Filesize
168KB

MD5
a0155fa1420637178193912c0225998e

SHA1
a73e42c2a725ef9b2c4651ea0361cf5c604bb371

SHA256
4f60a1ac367823a98419e7addbb8c3ec2806dc5210c79b6efca75ac589371047

SHA512
b58e9e8bd20eccd21899ad4e3515f12d1e741856bf69e7f43a455dbee681adc47c4d35d2b7a6a80445490007ff703ecd891d91c899eb56e517b48d147b110a45

Download Submit
C:\Windows\{AFCD3FBD-52A3-43d0-AF98-2C2014CBB8D2}.exe

Filesize
168KB

MD5
a0155fa1420637178193912c0225998e

SHA1
a73e42c2a725ef9b2c4651ea0361cf5c604bb371

SHA256
4f60a1ac367823a98419e7addbb8c3ec2806dc5210c79b6efca75ac589371047

SHA512
b58e9e8bd20eccd21899ad4e3515f12d1e741856bf69e7f43a455dbee681adc47c4d35d2b7a6a80445490007ff703ecd891d91c899eb56e517b48d147b110a45

Download Submit
C:\Windows\{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe

Filesize
168KB

MD5
22dbd2cc3f2768ccbeb8827fe38a066a

SHA1
9bd9d31ec0d52c4d3b482e4a5b3ad825827094a9

SHA256
9077b66ca5c6c4bf35cef97c9aa706ba6a8f2e5c77571b632a36f9779d396f31

SHA512
b61c3e1843e4a48028a2a0f860e519b387086ab7a4f7e884d4719a0c9c526777fe049842f4f9e73d4cd50cdb45c6c11386080c4e4fe1e460b213317f5e080686

Download Submit
C:\Windows\{B48A71F1-0390-453e-9810-750C85A3BAF5}.exe

Filesize
168KB

MD5
22dbd2cc3f2768ccbeb8827fe38a066a

SHA1
9bd9d31ec0d52c4d3b482e4a5b3ad825827094a9

SHA256
9077b66ca5c6c4bf35cef97c9aa706ba6a8f2e5c77571b632a36f9779d396f31

SHA512
b61c3e1843e4a48028a2a0f860e519b387086ab7a4f7e884d4719a0c9c526777fe049842f4f9e73d4cd50cdb45c6c11386080c4e4fe1e460b213317f5e080686

Download Submit
C:\Windows\{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe

Filesize
168KB

MD5
2f0835912cd23c2ea652a4b059ac40a0

SHA1
fe442c3a97f8b8585b929d38986e3239c0429d7b

SHA256
438deeef9e259aca532023b08c6a66c96824b401b690243010151db40d457c36

SHA512
4ed46d3527759b0a71674b3481701335eb1d266461f013b96d0f815b43818ceeaf64eb13c5995efd97983c270551e693c0254040342834548261883d1804fe8c

Download Submit
C:\Windows\{BF9298F0-37E7-467d-92BF-17FEC7397D68}.exe

Filesize
168KB

MD5
2f0835912cd23c2ea652a4b059ac40a0

SHA1
fe442c3a97f8b8585b929d38986e3239c0429d7b

SHA256
438deeef9e259aca532023b08c6a66c96824b401b690243010151db40d457c36

SHA512
4ed46d3527759b0a71674b3481701335eb1d266461f013b96d0f815b43818ceeaf64eb13c5995efd97983c270551e693c0254040342834548261883d1804fe8c

Download Submit
C:\Windows\{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe

Filesize
168KB

MD5
412cb0121cb7d575132e795a06667b68

SHA1
d09682f655abac7cc32e898cf7eb80b57aa4b084

SHA256
6eddebec1da26fc126ef57e999d68f7883f7f7ae611d20240f2c764ee3bac257

SHA512
9d28bd2b1552e0e353591d181ace410930e36a9a3e2c99e3c92800eb79ac2c1561ac3f9c96862cb43a4750250d790197f39ca62c57b718aba7bc29e91eb4a974

Download Submit
C:\Windows\{EDBE089B-B922-4397-BB74-F331B00E7B02}.exe

Filesize
168KB

MD5
412cb0121cb7d575132e795a06667b68

SHA1
d09682f655abac7cc32e898cf7eb80b57aa4b084

SHA256
6eddebec1da26fc126ef57e999d68f7883f7f7ae611d20240f2c764ee3bac257

SHA512
9d28bd2b1552e0e353591d181ace410930e36a9a3e2c99e3c92800eb79ac2c1561ac3f9c96862cb43a4750250d790197f39ca62c57b718aba7bc29e91eb4a974

Download Submit
C:\Windows\{F1C28FAC-ED7D-472c-83CD-AD03FE21627E}.exe

Filesize
168KB

MD5
a3149cf8ef7330d23e40c0c6b8968826

SHA1
813814043f0d3522edf8fe2196e5c9d2bc9e508f

SHA256
be00ad0a2e2d69286a8d5620bcd9d44545adcf376a37f2437de0af6e7d260b39

SHA512
b2800093c47f042f5d1ea975ef4b21425b30be4be1f6f1dafa6eee7c142603a72be30978f29486f03091c4c3092cbb4dfab34d9ffdd92f97ef73d2849d090296

Download Submit