e27821a4605d1837c104e3d055f9952dad8c9db0af55b01fd570ffe6473a4a86

Analysis

max time kernel
149s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d98faa800af1exeexeexeex.exe
Size

168KB
MD5

53d98faa800af137ec93ce8a004ae16e
SHA1

240ab04a5c120f19861921686aea59e12178ac10
SHA256

e27821a4605d1837c104e3d055f9952dad8c9db0af55b01fd570ffe6473a4a86
SHA512

011ac5c27ad39c2d851b2459f1ef45f1147bd15853220a4bc5443efe0011d7e032deed3317c1dd2e015768a3623a5c61bd21731195b8c9699f610cac9c228edc
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}	{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98CCF511-2986-4513-937B-77EFCABAD79D}	{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB0E0836-A5F1-46b8-B057-82F4164450B8}	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}	53d98faa800af1exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}\stubpath = "C:\\Windows\\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe"	53d98faa800af1exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5D50E24-1686-4396-B11F-CABCB1C712EC}\stubpath = "C:\\Windows\\{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe"	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}\stubpath = "C:\\Windows\\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe"	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4044E14A-37CA-440a-B649-2A223540AFB3}\stubpath = "C:\\Windows\\{4044E14A-37CA-440a-B649-2A223540AFB3}.exe"	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA9490F8-DECD-403c-91D9-168451BE8AEF}	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB0E0836-A5F1-46b8-B057-82F4164450B8}\stubpath = "C:\\Windows\\{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe"	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}	{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}\stubpath = "C:\\Windows\\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe"	{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5D50E24-1686-4396-B11F-CABCB1C712EC}	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4044E14A-37CA-440a-B649-2A223540AFB3}	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA9490F8-DECD-403c-91D9-168451BE8AEF}\stubpath = "C:\\Windows\\{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe"	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}	{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F0D1A46-0398-40ec-8497-8F509A345D25}	{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}\stubpath = "C:\\Windows\\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe"	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}\stubpath = "C:\\Windows\\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe"	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}\stubpath = "C:\\Windows\\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe"	{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98CCF511-2986-4513-937B-77EFCABAD79D}\stubpath = "C:\\Windows\\{98CCF511-2986-4513-937B-77EFCABAD79D}.exe"	{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}\stubpath = "C:\\Windows\\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe"	{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F0D1A46-0398-40ec-8497-8F509A345D25}\stubpath = "C:\\Windows\\{2F0D1A46-0398-40ec-8497-8F509A345D25}.exe"	{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe

Deletes itself 1 IoCs

pid	Process
1220	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe
268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
3068	{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
2612	{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
2660	{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
2728	{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
2492	{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe
2652	{2F0D1A46-0398-40ec-8497-8F509A345D25}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
File created	C:\Windows\{2F0D1A46-0398-40ec-8497-8F509A345D25}.exe	{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe
File created	C:\Windows\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	53d98faa800af1exeexeexeex.exe
File created	C:\Windows\{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
File created	C:\Windows\{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
File created	C:\Windows\{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
File created	C:\Windows\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe	{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
File created	C:\Windows\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe	{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
File created	C:\Windows\{98CCF511-2986-4513-937B-77EFCABAD79D}.exe	{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
File created	C:\Windows\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe	{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
File created	C:\Windows\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
File created	C:\Windows\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
File created	C:\Windows\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1536	53d98faa800af1exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
Token: SeIncBasePriorityPrivilege	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
Token: SeIncBasePriorityPrivilege	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
Token: SeIncBasePriorityPrivilege	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe
Token: SeIncBasePriorityPrivilege	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
Token: SeIncBasePriorityPrivilege	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
Token: SeIncBasePriorityPrivilege	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
Token: SeIncBasePriorityPrivilege	3068	{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
Token: SeIncBasePriorityPrivilege	2612	{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
Token: SeIncBasePriorityPrivilege	2660	{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
Token: SeIncBasePriorityPrivilege	2728	{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
Token: SeIncBasePriorityPrivilege	2492	{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2368	1536	53d98faa800af1exeexeexeex.exe	29
PID 1536 wrote to memory of 2368	1536	53d98faa800af1exeexeexeex.exe	29
PID 1536 wrote to memory of 2368	1536	53d98faa800af1exeexeexeex.exe	29
PID 1536 wrote to memory of 2368	1536	53d98faa800af1exeexeexeex.exe	29
PID 1536 wrote to memory of 1220	1536	53d98faa800af1exeexeexeex.exe	30
PID 1536 wrote to memory of 1220	1536	53d98faa800af1exeexeexeex.exe	30
PID 1536 wrote to memory of 1220	1536	53d98faa800af1exeexeexeex.exe	30
PID 1536 wrote to memory of 1220	1536	53d98faa800af1exeexeexeex.exe	30
PID 2368 wrote to memory of 2932	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	31
PID 2368 wrote to memory of 2932	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	31
PID 2368 wrote to memory of 2932	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	31
PID 2368 wrote to memory of 2932	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	31
PID 2368 wrote to memory of 2952	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	32
PID 2368 wrote to memory of 2952	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	32
PID 2368 wrote to memory of 2952	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	32
PID 2368 wrote to memory of 2952	2368	{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe	32
PID 2932 wrote to memory of 1348	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	33
PID 2932 wrote to memory of 1348	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	33
PID 2932 wrote to memory of 1348	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	33
PID 2932 wrote to memory of 1348	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	33
PID 2932 wrote to memory of 1984	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	34
PID 2932 wrote to memory of 1984	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	34
PID 2932 wrote to memory of 1984	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	34
PID 2932 wrote to memory of 1984	2932	{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe	34
PID 1348 wrote to memory of 2292	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	35
PID 1348 wrote to memory of 2292	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	35
PID 1348 wrote to memory of 2292	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	35
PID 1348 wrote to memory of 2292	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	35
PID 1348 wrote to memory of 2120	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	36
PID 1348 wrote to memory of 2120	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	36
PID 1348 wrote to memory of 2120	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	36
PID 1348 wrote to memory of 2120	1348	{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe	36
PID 2292 wrote to memory of 268	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	37
PID 2292 wrote to memory of 268	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	37
PID 2292 wrote to memory of 268	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	37
PID 2292 wrote to memory of 268	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	37
PID 2292 wrote to memory of 2148	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	38
PID 2292 wrote to memory of 2148	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	38
PID 2292 wrote to memory of 2148	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	38
PID 2292 wrote to memory of 2148	2292	{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe	38
PID 268 wrote to memory of 1792	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	39
PID 268 wrote to memory of 1792	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	39
PID 268 wrote to memory of 1792	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	39
PID 268 wrote to memory of 1792	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	39
PID 268 wrote to memory of 1360	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	40
PID 268 wrote to memory of 1360	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	40
PID 268 wrote to memory of 1360	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	40
PID 268 wrote to memory of 1360	268	{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe	40
PID 1792 wrote to memory of 2100	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	42
PID 1792 wrote to memory of 2100	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	42
PID 1792 wrote to memory of 2100	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	42
PID 1792 wrote to memory of 2100	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	42
PID 1792 wrote to memory of 2256	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	41
PID 1792 wrote to memory of 2256	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	41
PID 1792 wrote to memory of 2256	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	41
PID 1792 wrote to memory of 2256	1792	{4044E14A-37CA-440a-B649-2A223540AFB3}.exe	41
PID 2100 wrote to memory of 3068	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	43
PID 2100 wrote to memory of 3068	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	43
PID 2100 wrote to memory of 3068	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	43
PID 2100 wrote to memory of 3068	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	43
PID 2100 wrote to memory of 2548	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	44
PID 2100 wrote to memory of 2548	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	44
PID 2100 wrote to memory of 2548	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	44
PID 2100 wrote to memory of 2548	2100	{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe	44

C:\Users\Admin\AppData\Local\Temp\53d98faa800af1exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\53d98faa800af1exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
  C:\Windows\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
    C:\Windows\{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
      C:\Windows\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe
        
        C:\Windows\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
        
        C:\Windows\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
        
        C:\Windows\{4044E14A-37CA-440a-B649-2A223540AFB3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4044E~1.EXE > nul
        8⤵
        
        PID:2256
        
        C:\Windows\{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
        
        C:\Windows\{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
        
        C:\Windows\{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
        
        C:\Windows\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
        
        C:\Windows\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
        
        C:\Windows\{98CCF511-2986-4513-937B-77EFCABAD79D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98CCF~1.EXE > nul
        13⤵
        
        PID:2440
        
        C:\Windows\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe
        
        C:\Windows\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB4D~1.EXE > nul
        14⤵
        
        PID:2480
        
        C:\Windows\{2F0D1A46-0398-40ec-8497-8F509A345D25}.exe
        
        C:\Windows\{2F0D1A46-0398-40ec-8497-8F509A345D25}.exe
        14⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F24E3~1.EXE > nul
        12⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51943~1.EXE > nul
        11⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB0E0~1.EXE > nul
        10⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA949~1.EXE > nul
        9⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06BA1~1.EXE > nul
        7⤵
        
        PID:1360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9910~1.EXE > nul
        6⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03FF3~1.EXE > nul
        5⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5D50~1.EXE > nul
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A7FC~1.EXE > nul
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\53D98F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe

Filesize
168KB

MD5
987ce2b95e92c3531dc1392fb3b2d2c0

SHA1
9bb8d9ac478ad37d81bfbd9a3df841ff44ab52d9

SHA256
1b558111a95879a3112cc7f02525799cb7488b84abc1af99723b9f68b58ae0ed

SHA512
11d40d0f84eceb677b7a0dfac502fdf8d43bae7b1489f601d0f50ec3ba13af19e3487480e02574b67177c9556f451a39e07eb1942986ce0fa0493700863419ad

Download Submit
C:\Windows\{03FF3AB3-77F2-488a-8302-C628C4D01ED7}.exe

Filesize
168KB

MD5
987ce2b95e92c3531dc1392fb3b2d2c0

SHA1
9bb8d9ac478ad37d81bfbd9a3df841ff44ab52d9

SHA256
1b558111a95879a3112cc7f02525799cb7488b84abc1af99723b9f68b58ae0ed

SHA512
11d40d0f84eceb677b7a0dfac502fdf8d43bae7b1489f601d0f50ec3ba13af19e3487480e02574b67177c9556f451a39e07eb1942986ce0fa0493700863419ad

Download Submit
C:\Windows\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe

Filesize
168KB

MD5
9daeade1c5903304fb28d1fd70a88a89

SHA1
70e93e51d5f0067ac478cbeac7b728300f524476

SHA256
7a8a5fef94f9ce19132925eccbebe351649366dedaa2a9d619e519ec62e4740c

SHA512
0b0fc0f501400a88279e769fba5ceb184e43d2c4b1714429b8f93b84e7f8bfdd2a2f6ddebed54e96c0511a1a42a5926b0d8814389d3ffc8a2a994e81eee82f8b

Download Submit
C:\Windows\{06BA10CD-4EBE-419d-BA8E-90A191EE5CF2}.exe

Filesize
168KB

MD5
9daeade1c5903304fb28d1fd70a88a89

SHA1
70e93e51d5f0067ac478cbeac7b728300f524476

SHA256
7a8a5fef94f9ce19132925eccbebe351649366dedaa2a9d619e519ec62e4740c

SHA512
0b0fc0f501400a88279e769fba5ceb184e43d2c4b1714429b8f93b84e7f8bfdd2a2f6ddebed54e96c0511a1a42a5926b0d8814389d3ffc8a2a994e81eee82f8b

Download Submit
C:\Windows\{2F0D1A46-0398-40ec-8497-8F509A345D25}.exe

Filesize
168KB

MD5
1dfe486b50fde554bc332e88c579e126

SHA1
bfcb93aa1282bd6a77bb5eaa7bad94332a04846f

SHA256
75bb762377330fcd9323d854dbde7fbb6b9b52f18cd54d312d387f94268d433f

SHA512
9e348a70e1d5ad438ad273e8e9c049017a532cb959a291f43e0a61591e93c882b637d428896827bcc4c5e43fda5e0e3168b0692975f2055fcafee7e2a56385b4

Download Submit
C:\Windows\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe

Filesize
168KB

MD5
658af9f7e3e154b163ecfd368c2691bf

SHA1
c5e98ab9976e67bab083ab2ba8ca6f8ce3cad4c7

SHA256
81948eb87f80101dd9b5c22869a2a14aa2db4db915c52003298703496fac41e4

SHA512
7e9782f7f1f5b7ac4d3430c1dcd2c0858d4a8639660df4a6ecd747f184d872e654c59fdeaa9fd95d85ee4b576160eec2b53cb8105fe1a2ad3316c83ae1d05078

Download Submit
C:\Windows\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe

Filesize
168KB

MD5
658af9f7e3e154b163ecfd368c2691bf

SHA1
c5e98ab9976e67bab083ab2ba8ca6f8ce3cad4c7

SHA256
81948eb87f80101dd9b5c22869a2a14aa2db4db915c52003298703496fac41e4

SHA512
7e9782f7f1f5b7ac4d3430c1dcd2c0858d4a8639660df4a6ecd747f184d872e654c59fdeaa9fd95d85ee4b576160eec2b53cb8105fe1a2ad3316c83ae1d05078

Download Submit
C:\Windows\{3A7FCBB0-AB1C-4033-AE6C-2A0B27248447}.exe

Filesize
168KB

MD5
658af9f7e3e154b163ecfd368c2691bf

SHA1
c5e98ab9976e67bab083ab2ba8ca6f8ce3cad4c7

SHA256
81948eb87f80101dd9b5c22869a2a14aa2db4db915c52003298703496fac41e4

SHA512
7e9782f7f1f5b7ac4d3430c1dcd2c0858d4a8639660df4a6ecd747f184d872e654c59fdeaa9fd95d85ee4b576160eec2b53cb8105fe1a2ad3316c83ae1d05078

Download Submit
C:\Windows\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe

Filesize
168KB

MD5
05d01509cf8a4d0c5047ec6fe269f63b

SHA1
a43e6660dd3ac20a2d05214a682007ac7ea05953

SHA256
c3827ac8eed72e8fe32e20e5a3e3df584ae0539072650f8180bd216c3a82dbfd

SHA512
e9c9cdc3d24e4d20ea9e5bfe48fd7e24beb293e6990f2194f5366e8fa9acc7c8500abe67e7a56e979396a693eee75db57285e4ede7fe472deca96a84a977d52c

Download Submit
C:\Windows\{3EB4DD5F-AC70-47d2-AE17-D93518C1DF91}.exe

Filesize
168KB

MD5
05d01509cf8a4d0c5047ec6fe269f63b

SHA1
a43e6660dd3ac20a2d05214a682007ac7ea05953

SHA256
c3827ac8eed72e8fe32e20e5a3e3df584ae0539072650f8180bd216c3a82dbfd

SHA512
e9c9cdc3d24e4d20ea9e5bfe48fd7e24beb293e6990f2194f5366e8fa9acc7c8500abe67e7a56e979396a693eee75db57285e4ede7fe472deca96a84a977d52c

Download Submit
C:\Windows\{4044E14A-37CA-440a-B649-2A223540AFB3}.exe

Filesize
168KB

MD5
d1fc2e6cf24586d42d8ab703d12b29f0

SHA1
def6b4043f7aeaad74ea66d7bd9b267ec047e8a3

SHA256
8d330c3b9a12f42819e99cdc0584285857fc5ea58fb7faaa9e0f149a434ac1a9

SHA512
33751cd80f090552771ef78238f95370418f7d13e69d0bfd266196b67256f9aa8cf3057aa28a10432c2a9d7b4884f1c4bfaf184b26a7b182a032453f32827edb

Download Submit
C:\Windows\{4044E14A-37CA-440a-B649-2A223540AFB3}.exe

Filesize
168KB

MD5
d1fc2e6cf24586d42d8ab703d12b29f0

SHA1
def6b4043f7aeaad74ea66d7bd9b267ec047e8a3

SHA256
8d330c3b9a12f42819e99cdc0584285857fc5ea58fb7faaa9e0f149a434ac1a9

SHA512
33751cd80f090552771ef78238f95370418f7d13e69d0bfd266196b67256f9aa8cf3057aa28a10432c2a9d7b4884f1c4bfaf184b26a7b182a032453f32827edb

Download Submit
C:\Windows\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe

Filesize
168KB

MD5
c6febdb87f15413ab89014a693b0e97b

SHA1
7e75e8abcde51e1ea9a122acf59fa0d4b354ddf2

SHA256
dfe333a192e7b031a9d17223ec79204eddad761734e3f3a3feea6afc7af5bf31

SHA512
38c66580d06d46f113587997b420ee6f16f5e4635f8922917d7d4dfb7adf863f7afec1c1abb4289824f0983fac87f9a76cd352b70bbb2a9cdd7254baff7f06d1

Download Submit
C:\Windows\{5194333B-82E6-48a7-9BCB-0DC574D3E3B3}.exe

Filesize
168KB

MD5
c6febdb87f15413ab89014a693b0e97b

SHA1
7e75e8abcde51e1ea9a122acf59fa0d4b354ddf2

SHA256
dfe333a192e7b031a9d17223ec79204eddad761734e3f3a3feea6afc7af5bf31

SHA512
38c66580d06d46f113587997b420ee6f16f5e4635f8922917d7d4dfb7adf863f7afec1c1abb4289824f0983fac87f9a76cd352b70bbb2a9cdd7254baff7f06d1

Download Submit
C:\Windows\{98CCF511-2986-4513-937B-77EFCABAD79D}.exe

Filesize
168KB

MD5
c092c8ab8fc3d8f57dc74a162b6d93b3

SHA1
b5d01e5face064ff292283d3336173fb545ffe91

SHA256
e0ca8d381af29ba5fc79df2814bd2d52bc81d68d7936e637900e969bbcb3f59b

SHA512
0d8bdadb582304e1afdf2bfc94cbfc4e923b701b65ff225c170e22c7110aee08552b51ea9cb2f651f9c791d1af2b5a54a4280bf68782f6837c8ab0255a3bbfd6

Download Submit
C:\Windows\{98CCF511-2986-4513-937B-77EFCABAD79D}.exe

Filesize
168KB

MD5
c092c8ab8fc3d8f57dc74a162b6d93b3

SHA1
b5d01e5face064ff292283d3336173fb545ffe91

SHA256
e0ca8d381af29ba5fc79df2814bd2d52bc81d68d7936e637900e969bbcb3f59b

SHA512
0d8bdadb582304e1afdf2bfc94cbfc4e923b701b65ff225c170e22c7110aee08552b51ea9cb2f651f9c791d1af2b5a54a4280bf68782f6837c8ab0255a3bbfd6

Download Submit
C:\Windows\{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe

Filesize
168KB

MD5
56a3bf66123c210b5f7a85732f6aa871

SHA1
d6010bf4df5532162ada0123bdee6c629ff48994

SHA256
b7853985e676828841af9bf859dc7ade2fa3e37251cf5eed0aa3d2dac05a38f4

SHA512
cf39b783a529b8368816b46271cd00a06330390ce82bf648fb191e41f00d5a113664020b1f655188abbd1e910802fda6054575c8b2a0c5d9e91ad678c6893329

Download Submit
C:\Windows\{BA9490F8-DECD-403c-91D9-168451BE8AEF}.exe

Filesize
168KB

MD5
56a3bf66123c210b5f7a85732f6aa871

SHA1
d6010bf4df5532162ada0123bdee6c629ff48994

SHA256
b7853985e676828841af9bf859dc7ade2fa3e37251cf5eed0aa3d2dac05a38f4

SHA512
cf39b783a529b8368816b46271cd00a06330390ce82bf648fb191e41f00d5a113664020b1f655188abbd1e910802fda6054575c8b2a0c5d9e91ad678c6893329

Download Submit
C:\Windows\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe

Filesize
168KB

MD5
01ec14d9b6b5ff334b3e26f830732f85

SHA1
67fea184f4fe4405abbf4b1a01146f615750223b

SHA256
7c2567be85e8e2372a1e845e21d8cae28a4d45f2477f8ecb2d5a0329da5c15a4

SHA512
0c24a23883f01c31aad08d5bd655b7212d80b2f4f8c27f1c2137d8b589752aa92b1cd8f0fbd53a0eef68e3dc4359807e8a6096564e556e7e3baca698e0a68f61

Download Submit
C:\Windows\{C9910B0E-6D11-4d97-94F4-1C2C7158E4F2}.exe

Filesize
168KB

MD5
01ec14d9b6b5ff334b3e26f830732f85

SHA1
67fea184f4fe4405abbf4b1a01146f615750223b

SHA256
7c2567be85e8e2372a1e845e21d8cae28a4d45f2477f8ecb2d5a0329da5c15a4

SHA512
0c24a23883f01c31aad08d5bd655b7212d80b2f4f8c27f1c2137d8b589752aa92b1cd8f0fbd53a0eef68e3dc4359807e8a6096564e556e7e3baca698e0a68f61

Download Submit
C:\Windows\{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe

Filesize
168KB

MD5
7a4de354176f4f623d3ac5aa1cf4892c

SHA1
f1580ae48f7f0454f23792aa94a19b2fa0888d86

SHA256
a5044d07da45183eefd4f1cf24840244de6b8c05af54e24674fa4a52c6285a3a

SHA512
9c1b4f5719571eaa49ce7cfb16d56967f541bc3221fc951ff3a56831f36269e3b7e2c147720186204704cdbe8169a02200a6b62215ce5a1a4f8254307a446718

Download Submit
C:\Windows\{CB0E0836-A5F1-46b8-B057-82F4164450B8}.exe

Filesize
168KB

MD5
7a4de354176f4f623d3ac5aa1cf4892c

SHA1
f1580ae48f7f0454f23792aa94a19b2fa0888d86

SHA256
a5044d07da45183eefd4f1cf24840244de6b8c05af54e24674fa4a52c6285a3a

SHA512
9c1b4f5719571eaa49ce7cfb16d56967f541bc3221fc951ff3a56831f36269e3b7e2c147720186204704cdbe8169a02200a6b62215ce5a1a4f8254307a446718

Download Submit
C:\Windows\{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe

Filesize
168KB

MD5
f00b91bcadd3cec14fa29247a43f8196

SHA1
497e0af8b9862a596c9aee4146183027a3fa5ffd

SHA256
15b4e433589d4a6ea113a5de5d53be9be3be22f38756c14c5d1a06ed361837a4

SHA512
d415f04d0661cf1c46f57a44e183aeebb075efbf89a9993086068452aae69b24befde014c372a3b882f20bd1c25b31acfe1e2435dfbaaa79c1eaa7f693355921

Download Submit
C:\Windows\{E5D50E24-1686-4396-B11F-CABCB1C712EC}.exe

Filesize
168KB

MD5
f00b91bcadd3cec14fa29247a43f8196

SHA1
497e0af8b9862a596c9aee4146183027a3fa5ffd

SHA256
15b4e433589d4a6ea113a5de5d53be9be3be22f38756c14c5d1a06ed361837a4

SHA512
d415f04d0661cf1c46f57a44e183aeebb075efbf89a9993086068452aae69b24befde014c372a3b882f20bd1c25b31acfe1e2435dfbaaa79c1eaa7f693355921

Download Submit
C:\Windows\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe

Filesize
168KB

MD5
27c162ba8a01c814b6c2b26b539e1489

SHA1
27cc8ea636635269315642d77f3f7d29a38886c5

SHA256
c8e1fdd1c2f24557a15a314b6421721f0e2e6af4ca3684fdb49d17e1fb656468

SHA512
3a739a87f94fc7933d42224362e4722e41be2c402e849033de840759bf23d2ba917bb6d2339c28b379d734e8616f6f1a48588ced3e188e0c70c3e4ce49d2862b

Download Submit
C:\Windows\{F24E30DE-7A66-4dae-80E3-C6BF0E34368C}.exe

Filesize
168KB

MD5
27c162ba8a01c814b6c2b26b539e1489

SHA1
27cc8ea636635269315642d77f3f7d29a38886c5

SHA256
c8e1fdd1c2f24557a15a314b6421721f0e2e6af4ca3684fdb49d17e1fb656468

SHA512
3a739a87f94fc7933d42224362e4722e41be2c402e849033de840759bf23d2ba917bb6d2339c28b379d734e8616f6f1a48588ced3e188e0c70c3e4ce49d2862b

Download Submit