34ce7c27d797b359b3ce74b3c633e190e90eff98dcb30f19f86335b5ce5e0915

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e358c968729bexeexeexeex.exe
Size

168KB
MD5

52e358c968729bb33b8664278ab4479a
SHA1

f80c9cda8a637916dfa2d6c4192eed4c8278163c
SHA256

34ce7c27d797b359b3ce74b3c633e190e90eff98dcb30f19f86335b5ce5e0915
SHA512

4991716167a0d9bb178bee351e518a410d48ab85efdc2d83458bf050e6cc675152870fb98a72fb7be785270e648302fb3759a1f3cbb76a1d41634983dad8b7a7
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}\stubpath = "C:\\Windows\\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe"	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}\stubpath = "C:\\Windows\\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe"	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A65531BF-E02D-4a61-AC87-914174794593}\stubpath = "C:\\Windows\\{A65531BF-E02D-4a61-AC87-914174794593}.exe"	52e358c968729bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD0730D4-9924-4cce-9046-C4303EF34819}\stubpath = "C:\\Windows\\{BD0730D4-9924-4cce-9046-C4303EF34819}.exe"	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}\stubpath = "C:\\Windows\\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe"	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD0730D4-9924-4cce-9046-C4303EF34819}	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0026116-407E-4c5f-A548-DB72AE90B769}	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0026116-407E-4c5f-A548-DB72AE90B769}\stubpath = "C:\\Windows\\{B0026116-407E-4c5f-A548-DB72AE90B769}.exe"	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B76656F-54B1-4963-8502-E2141A1A09BB}	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B76656F-54B1-4963-8502-E2141A1A09BB}\stubpath = "C:\\Windows\\{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe"	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}	{4DBCC804-1E84-4476-9202-BD30E000F962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}\stubpath = "C:\\Windows\\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe"	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DBCC804-1E84-4476-9202-BD30E000F962}\stubpath = "C:\\Windows\\{4DBCC804-1E84-4476-9202-BD30E000F962}.exe"	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A65531BF-E02D-4a61-AC87-914174794593}	52e358c968729bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}	{A65531BF-E02D-4a61-AC87-914174794593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DBCC804-1E84-4476-9202-BD30E000F962}	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}\stubpath = "C:\\Windows\\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe"	{4DBCC804-1E84-4476-9202-BD30E000F962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}\stubpath = "C:\\Windows\\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe"	{A65531BF-E02D-4a61-AC87-914174794593}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}\stubpath = "C:\\Windows\\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe"	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe

Executes dropped EXE 12 IoCs

pid	Process
4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe
4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe
208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
3660	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
1412	{4DBCC804-1E84-4476-9202-BD30E000F962}.exe
4904	{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
File created	C:\Windows\{4DBCC804-1E84-4476-9202-BD30E000F962}.exe	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
File created	C:\Windows\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	{A65531BF-E02D-4a61-AC87-914174794593}.exe
File created	C:\Windows\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe
File created	C:\Windows\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
File created	C:\Windows\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
File created	C:\Windows\{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
File created	C:\Windows\{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
File created	C:\Windows\{A65531BF-E02D-4a61-AC87-914174794593}.exe	52e358c968729bexeexeexeex.exe
File created	C:\Windows\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
File created	C:\Windows\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
File created	C:\Windows\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe	{4DBCC804-1E84-4476-9202-BD30E000F962}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5048	52e358c968729bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe
Token: SeIncBasePriorityPrivilege	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe
Token: SeIncBasePriorityPrivilege	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
Token: SeIncBasePriorityPrivilege	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
Token: SeIncBasePriorityPrivilege	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
Token: SeIncBasePriorityPrivilege	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
Token: SeIncBasePriorityPrivilege	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
Token: SeIncBasePriorityPrivilege	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
Token: SeIncBasePriorityPrivilege	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
Token: SeIncBasePriorityPrivilege	3660	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
Token: SeIncBasePriorityPrivilege	1412	{4DBCC804-1E84-4476-9202-BD30E000F962}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4312	5048	52e358c968729bexeexeexeex.exe	84
PID 5048 wrote to memory of 4312	5048	52e358c968729bexeexeexeex.exe	84
PID 5048 wrote to memory of 4312	5048	52e358c968729bexeexeexeex.exe	84
PID 5048 wrote to memory of 1748	5048	52e358c968729bexeexeexeex.exe	85
PID 5048 wrote to memory of 1748	5048	52e358c968729bexeexeexeex.exe	85
PID 5048 wrote to memory of 1748	5048	52e358c968729bexeexeexeex.exe	85
PID 4312 wrote to memory of 4304	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe	86
PID 4312 wrote to memory of 4304	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe	86
PID 4312 wrote to memory of 4304	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe	86
PID 4312 wrote to memory of 4044	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe	87
PID 4312 wrote to memory of 4044	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe	87
PID 4312 wrote to memory of 4044	4312	{A65531BF-E02D-4a61-AC87-914174794593}.exe	87
PID 4304 wrote to memory of 208	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	92
PID 4304 wrote to memory of 208	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	92
PID 4304 wrote to memory of 208	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	92
PID 4304 wrote to memory of 2268	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	91
PID 4304 wrote to memory of 2268	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	91
PID 4304 wrote to memory of 2268	4304	{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe	91
PID 208 wrote to memory of 1480	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	93
PID 208 wrote to memory of 1480	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	93
PID 208 wrote to memory of 1480	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	93
PID 208 wrote to memory of 3504	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	94
PID 208 wrote to memory of 3504	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	94
PID 208 wrote to memory of 3504	208	{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe	94
PID 1480 wrote to memory of 2340	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	95
PID 1480 wrote to memory of 2340	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	95
PID 1480 wrote to memory of 2340	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	95
PID 1480 wrote to memory of 4452	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	96
PID 1480 wrote to memory of 4452	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	96
PID 1480 wrote to memory of 4452	1480	{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe	96
PID 2340 wrote to memory of 4948	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	97
PID 2340 wrote to memory of 4948	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	97
PID 2340 wrote to memory of 4948	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	97
PID 2340 wrote to memory of 3104	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	98
PID 2340 wrote to memory of 3104	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	98
PID 2340 wrote to memory of 3104	2340	{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe	98
PID 4948 wrote to memory of 1284	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	99
PID 4948 wrote to memory of 1284	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	99
PID 4948 wrote to memory of 1284	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	99
PID 4948 wrote to memory of 400	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	100
PID 4948 wrote to memory of 400	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	100
PID 4948 wrote to memory of 400	4948	{BD0730D4-9924-4cce-9046-C4303EF34819}.exe	100
PID 1284 wrote to memory of 1428	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	101
PID 1284 wrote to memory of 1428	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	101
PID 1284 wrote to memory of 1428	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	101
PID 1284 wrote to memory of 1396	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	102
PID 1284 wrote to memory of 1396	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	102
PID 1284 wrote to memory of 1396	1284	{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe	102
PID 1428 wrote to memory of 756	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	103
PID 1428 wrote to memory of 756	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	103
PID 1428 wrote to memory of 756	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	103
PID 1428 wrote to memory of 4900	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	104
PID 1428 wrote to memory of 4900	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	104
PID 1428 wrote to memory of 4900	1428	{B0026116-407E-4c5f-A548-DB72AE90B769}.exe	104
PID 756 wrote to memory of 3660	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	105
PID 756 wrote to memory of 3660	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	105
PID 756 wrote to memory of 3660	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	105
PID 756 wrote to memory of 1936	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	106
PID 756 wrote to memory of 1936	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	106
PID 756 wrote to memory of 1936	756	{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe	106
PID 3660 wrote to memory of 1412	3660	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe	107
PID 3660 wrote to memory of 1412	3660	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe	107
PID 3660 wrote to memory of 1412	3660	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe	107
PID 3660 wrote to memory of 3612	3660	{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe	108

C:\Users\Admin\AppData\Local\Temp\52e358c968729bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\52e358c968729bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\{A65531BF-E02D-4a61-AC87-914174794593}.exe
  C:\Windows\{A65531BF-E02D-4a61-AC87-914174794593}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe
    C:\Windows\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB80~1.EXE > nul
      4⤵
      PID:2268
  - - C:\Windows\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
      C:\Windows\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
        
        C:\Windows\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
        
        C:\Windows\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
        
        C:\Windows\{BD0730D4-9924-4cce-9046-C4303EF34819}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
        
        C:\Windows\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
        
        C:\Windows\{B0026116-407E-4c5f-A548-DB72AE90B769}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
        
        C:\Windows\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
        
        C:\Windows\{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{4DBCC804-1E84-4476-9202-BD30E000F962}.exe
        
        C:\Windows\{4DBCC804-1E84-4476-9202-BD30E000F962}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe
        
        C:\Windows\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DBCC~1.EXE > nul
        13⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B766~1.EXE > nul
        12⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFEA1~1.EXE > nul
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0026~1.EXE > nul
        10⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB65~1.EXE > nul
        9⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD073~1.EXE > nul
        8⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE7D5~1.EXE > nul
        7⤵
        
        PID:3104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EDF7~1.EXE > nul
        6⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B395~1.EXE > nul
        5⤵
        
        PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6553~1.EXE > nul
    3⤵
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\52E358~1.EXE > nul
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe

Filesize
168KB

MD5
dc9b86a3cb12ec7b44fd7aa6baf4aab7

SHA1
73415b4873e1bc7b00f6bc47c9a084736285458f

SHA256
b131cd8ba38c71260faf3717df99cbdde60db3169420d7211880f068fa15e698

SHA512
0078466a6772320f7fd5edc5c396ed441177a47080da6bec188a06a394ba60086d2f73b71b8e8a3072ec7a3180a1f37d7468d377bf77d5d34c0dd0790c4ebf39

Download Submit
C:\Windows\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe

Filesize
168KB

MD5
dc9b86a3cb12ec7b44fd7aa6baf4aab7

SHA1
73415b4873e1bc7b00f6bc47c9a084736285458f

SHA256
b131cd8ba38c71260faf3717df99cbdde60db3169420d7211880f068fa15e698

SHA512
0078466a6772320f7fd5edc5c396ed441177a47080da6bec188a06a394ba60086d2f73b71b8e8a3072ec7a3180a1f37d7468d377bf77d5d34c0dd0790c4ebf39

Download Submit
C:\Windows\{1B395DFF-BCA5-43d1-B454-FEF673AEFE70}.exe

Filesize
168KB

MD5
dc9b86a3cb12ec7b44fd7aa6baf4aab7

SHA1
73415b4873e1bc7b00f6bc47c9a084736285458f

SHA256
b131cd8ba38c71260faf3717df99cbdde60db3169420d7211880f068fa15e698

SHA512
0078466a6772320f7fd5edc5c396ed441177a47080da6bec188a06a394ba60086d2f73b71b8e8a3072ec7a3180a1f37d7468d377bf77d5d34c0dd0790c4ebf39

Download Submit
C:\Windows\{4DBCC804-1E84-4476-9202-BD30E000F962}.exe

Filesize
168KB

MD5
e32ca7c3faa2c9459669ada3778eee6c

SHA1
9e0367e529b646a4d2e5f11b8297dcc14f3e2b5f

SHA256
4210fa3c2c5d34a89ba9ead7243f223a2c67943a09fd75fbd5cd034f57875466

SHA512
1384a46f3ceb2e1e2774b10a7d1e0350d7a68d6208fa48e0da8d2eb09d58e2000c971f1b6f95441e5b468b7f8a9f1e2b28c3dd65ea6d2d33c0c169b3f83f6f1c

Download Submit
C:\Windows\{4DBCC804-1E84-4476-9202-BD30E000F962}.exe

Filesize
168KB

MD5
e32ca7c3faa2c9459669ada3778eee6c

SHA1
9e0367e529b646a4d2e5f11b8297dcc14f3e2b5f

SHA256
4210fa3c2c5d34a89ba9ead7243f223a2c67943a09fd75fbd5cd034f57875466

SHA512
1384a46f3ceb2e1e2774b10a7d1e0350d7a68d6208fa48e0da8d2eb09d58e2000c971f1b6f95441e5b468b7f8a9f1e2b28c3dd65ea6d2d33c0c169b3f83f6f1c

Download Submit
C:\Windows\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe

Filesize
168KB

MD5
d94f7eeca2940eb0856ba1acadbe23ed

SHA1
7cdd8d9d955e2d31756709b5e25470f548b1cd67

SHA256
14ddc313173c5c7297bbd2c06a307ebca9b87c65ead3ab230b814ff84141d844

SHA512
3449282a30347aacaa877d59a1c06c82d2e7207fdd20ccc3074af3ef1666290fd9884d328dc2d952569c66f620d46664e08b35ace0a3e56682dcbd1c60367e87

Download Submit
C:\Windows\{4EDF7E9A-9380-4887-8AE4-2697B47E2DC0}.exe

Filesize
168KB

MD5
d94f7eeca2940eb0856ba1acadbe23ed

SHA1
7cdd8d9d955e2d31756709b5e25470f548b1cd67

SHA256
14ddc313173c5c7297bbd2c06a307ebca9b87c65ead3ab230b814ff84141d844

SHA512
3449282a30347aacaa877d59a1c06c82d2e7207fdd20ccc3074af3ef1666290fd9884d328dc2d952569c66f620d46664e08b35ace0a3e56682dcbd1c60367e87

Download Submit
C:\Windows\{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe

Filesize
168KB

MD5
352ab7bb95ea580eef18e97bc5954822

SHA1
4af650f5e93749bb6a8ee59572f36a3c4b5664af

SHA256
671fd645a992c102059df4023b794ccc41bd31a1c75ee91a35ab7fb65cd664c2

SHA512
0d50bda1ef7a645f3219f5f693402ecd1aaf05560e45b2bddafb6c7373019fad3137623290c2ecfee7079d6a4806c5921b8b0469d0ea02c7b60756572c0c8746

Download Submit
C:\Windows\{6B76656F-54B1-4963-8502-E2141A1A09BB}.exe

Filesize
168KB

MD5
352ab7bb95ea580eef18e97bc5954822

SHA1
4af650f5e93749bb6a8ee59572f36a3c4b5664af

SHA256
671fd645a992c102059df4023b794ccc41bd31a1c75ee91a35ab7fb65cd664c2

SHA512
0d50bda1ef7a645f3219f5f693402ecd1aaf05560e45b2bddafb6c7373019fad3137623290c2ecfee7079d6a4806c5921b8b0469d0ea02c7b60756572c0c8746

Download Submit
C:\Windows\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe

Filesize
168KB

MD5
a8a0f188f3ef072d962e18498ff59571

SHA1
a021dd7f9b4e6065587e42674b5770be91cda267

SHA256
dcf53d4c7b70abf43a97f478939a2fc210f8721eef2a4b7e5407b6740e973d44

SHA512
0d738fa4b6dd8c894f8041e5ee50f70390878305390265c482f24be20fdd2e028e06ed7299998df989efed2dfe8449fb5c473a77a2953da92c990a657e1229d6

Download Submit
C:\Windows\{8AB65EFC-D9D1-4752-A6A7-D56D1ADEA360}.exe

Filesize
168KB

MD5
a8a0f188f3ef072d962e18498ff59571

SHA1
a021dd7f9b4e6065587e42674b5770be91cda267

SHA256
dcf53d4c7b70abf43a97f478939a2fc210f8721eef2a4b7e5407b6740e973d44

SHA512
0d738fa4b6dd8c894f8041e5ee50f70390878305390265c482f24be20fdd2e028e06ed7299998df989efed2dfe8449fb5c473a77a2953da92c990a657e1229d6

Download Submit
C:\Windows\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe

Filesize
168KB

MD5
3cf3a06a7e094ed083069db9d0e32cfa

SHA1
ce3eb0a35ad2553271ff26b69473932637954add

SHA256
81dbda00ed825cb176ad94068d6aac032215b81306fbb2ff293f513471b0227d

SHA512
7007a430b90ad445891c5a72a9f76ea8c3775d9b9832db7a4e775098a9ea1a2c3b2c977d868cff5cd9a2aa9f98c398fa8c07ad726d7b9c38dd1069313963aa1f

Download Submit
C:\Windows\{8AB80EBB-D3A7-497a-9124-5AF35F82D7CC}.exe

Filesize
168KB

MD5
3cf3a06a7e094ed083069db9d0e32cfa

SHA1
ce3eb0a35ad2553271ff26b69473932637954add

SHA256
81dbda00ed825cb176ad94068d6aac032215b81306fbb2ff293f513471b0227d

SHA512
7007a430b90ad445891c5a72a9f76ea8c3775d9b9832db7a4e775098a9ea1a2c3b2c977d868cff5cd9a2aa9f98c398fa8c07ad726d7b9c38dd1069313963aa1f

Download Submit
C:\Windows\{A65531BF-E02D-4a61-AC87-914174794593}.exe

Filesize
168KB

MD5
aed3d85c4833e0d9b21d8dca266b8126

SHA1
7ec8b812cc4da38e4bbe2d7ef234ca312fe27cd9

SHA256
e6eb14d4d69863c2ba6a2df16289481ebe92662f21ac1d76fdff02f54f14d3d2

SHA512
0e5e3aa54cc6858a462a648de34f3036becfad8865440baa560700fe190162d2c963769a8b5abed8889552f67938cfa0ff197e6c7ca1140da84864441214996f

Download Submit
C:\Windows\{A65531BF-E02D-4a61-AC87-914174794593}.exe

Filesize
168KB

MD5
aed3d85c4833e0d9b21d8dca266b8126

SHA1
7ec8b812cc4da38e4bbe2d7ef234ca312fe27cd9

SHA256
e6eb14d4d69863c2ba6a2df16289481ebe92662f21ac1d76fdff02f54f14d3d2

SHA512
0e5e3aa54cc6858a462a648de34f3036becfad8865440baa560700fe190162d2c963769a8b5abed8889552f67938cfa0ff197e6c7ca1140da84864441214996f

Download Submit
C:\Windows\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe

Filesize
168KB

MD5
4fdff046b0e1e7eaf0d0309eb5099dfa

SHA1
76b912a97920188db740451829f8cce1b4e8e7b2

SHA256
73d6235a9ad0ee5375cc0b2579aad5d5bc5ede5351cbb6b487786d7a3bf4d263

SHA512
6cb51c947c4be67bfb24e4f9ce95c68fad1c2ff891969c14caf622a9e7f749ef7a7edeee748559670ce61d4672019ec37e96219f931c4f436929eaea54a9d871

Download Submit
C:\Windows\{AE7D57FA-BE28-4558-AE9F-8A7372E3C6DE}.exe

Filesize
168KB

MD5
4fdff046b0e1e7eaf0d0309eb5099dfa

SHA1
76b912a97920188db740451829f8cce1b4e8e7b2

SHA256
73d6235a9ad0ee5375cc0b2579aad5d5bc5ede5351cbb6b487786d7a3bf4d263

SHA512
6cb51c947c4be67bfb24e4f9ce95c68fad1c2ff891969c14caf622a9e7f749ef7a7edeee748559670ce61d4672019ec37e96219f931c4f436929eaea54a9d871

Download Submit
C:\Windows\{B0026116-407E-4c5f-A548-DB72AE90B769}.exe

Filesize
168KB

MD5
fffb9d2c6d3d57450215ce9a2d8ceee0

SHA1
0e1f8c96d2afc5895cabb7b281e5d4f51001eea9

SHA256
189ed075e21f28904c5968294790e11ad09f7824d5cd5adc4bdbe89489969617

SHA512
72732c3a3daebe0e21159cebd4bbf40031c8765421e448c7f4faea42e652823e9904b984eec583daeb0a59ecb79903165df452ce237c865fec5e241012eb18ab

Download Submit
C:\Windows\{B0026116-407E-4c5f-A548-DB72AE90B769}.exe

Filesize
168KB

MD5
fffb9d2c6d3d57450215ce9a2d8ceee0

SHA1
0e1f8c96d2afc5895cabb7b281e5d4f51001eea9

SHA256
189ed075e21f28904c5968294790e11ad09f7824d5cd5adc4bdbe89489969617

SHA512
72732c3a3daebe0e21159cebd4bbf40031c8765421e448c7f4faea42e652823e9904b984eec583daeb0a59ecb79903165df452ce237c865fec5e241012eb18ab

Download Submit
C:\Windows\{BD0730D4-9924-4cce-9046-C4303EF34819}.exe

Filesize
168KB

MD5
7ffe16b87d1f7be47d385ccb75da89cc

SHA1
bedeb858b0068967c3c84ef6ab20e7b62d333d04

SHA256
8cc1bc8986aa2cb9837b324b16137fc9d3d5ab6666eb62d451253a8035a98fd1

SHA512
d348270519eedb8e260db1efa77005ac201729586ad6a058956a41fde4d79ef177feb17fdbf11a68ef7137e3c0479fb1d6fc01c73ed5c7d4315b20d15818229e

Download Submit
C:\Windows\{BD0730D4-9924-4cce-9046-C4303EF34819}.exe

Filesize
168KB

MD5
7ffe16b87d1f7be47d385ccb75da89cc

SHA1
bedeb858b0068967c3c84ef6ab20e7b62d333d04

SHA256
8cc1bc8986aa2cb9837b324b16137fc9d3d5ab6666eb62d451253a8035a98fd1

SHA512
d348270519eedb8e260db1efa77005ac201729586ad6a058956a41fde4d79ef177feb17fdbf11a68ef7137e3c0479fb1d6fc01c73ed5c7d4315b20d15818229e

Download Submit
C:\Windows\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe

Filesize
168KB

MD5
2825ed6fca8a88787ea253101794807d

SHA1
123e0b6651f4e338164b0496267a86ea76c9822f

SHA256
8fca3fafd4cc180553f68bf673896c17e68bc6703710ee2a6cd15f3c6e925f27

SHA512
9540434fedaf129c7e4b664bf3c566d6fbfd3395a92d8bc672462b260ed97f3e857ba23647183cacd5638337839113cc41e2708091ece7ddee0b3d7f15376980

Download Submit
C:\Windows\{DFF4D577-94AA-4388-9272-3AA8DF5E71EA}.exe

Filesize
168KB

MD5
2825ed6fca8a88787ea253101794807d

SHA1
123e0b6651f4e338164b0496267a86ea76c9822f

SHA256
8fca3fafd4cc180553f68bf673896c17e68bc6703710ee2a6cd15f3c6e925f27

SHA512
9540434fedaf129c7e4b664bf3c566d6fbfd3395a92d8bc672462b260ed97f3e857ba23647183cacd5638337839113cc41e2708091ece7ddee0b3d7f15376980

Download Submit
C:\Windows\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe

Filesize
168KB

MD5
4ec1eb3140d4036c24a7a8b35355bf17

SHA1
ab02feb0c04454f81382ea1f7127a86a4ebb99fe

SHA256
0cf3d7bea2fbb4b87619114154840bd283ffc49388062d01abd8f229b5c7bde3

SHA512
924571eaa62cabb39b97cc4546add75abbf405a7fa36c8870f2e87575c3a03161f7d3efa4b912993813412f18e646a655a3dc2a65c1c4bb19d37ccb6e7ba70d8

Download Submit
C:\Windows\{EFEA1CBA-FACF-44fa-A6A3-A65A76A603E8}.exe

Filesize
168KB

MD5
4ec1eb3140d4036c24a7a8b35355bf17

SHA1
ab02feb0c04454f81382ea1f7127a86a4ebb99fe

SHA256
0cf3d7bea2fbb4b87619114154840bd283ffc49388062d01abd8f229b5c7bde3

SHA512
924571eaa62cabb39b97cc4546add75abbf405a7fa36c8870f2e87575c3a03161f7d3efa4b912993813412f18e646a655a3dc2a65c1c4bb19d37ccb6e7ba70d8

Download Submit