b48753f4096ddd2c3cd081f3b0db7802b45dda33928d6bfcdebaa57d916ec5f2

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

648f59f55106bfexeexeexeex.exe
Size

372KB
MD5

648f59f55106bf1b368410679f564582
SHA1

2b49fada5b5b89de293aff17025bf6e823277b30
SHA256

b48753f4096ddd2c3cd081f3b0db7802b45dda33928d6bfcdebaa57d916ec5f2
SHA512

d5ec5adaca3480cdec4a4470c8d6d46e6bddba714e14385f0ff62050d7627fa51493808eb5c452e2958e2c70872414f89c618078c24aa90aa84bc5a9ca07a1c2
SSDEEP

3072:CEGh0ofmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG8l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F7CC863-3281-4157-9684-6AB02B5E787B}\stubpath = "C:\\Windows\\{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe"	{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F26141-1422-458f-9801-6FDD7950C591}	{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}\stubpath = "C:\\Windows\\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}.exe"	{34F26141-1422-458f-9801-6FDD7950C591}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1577C65-2B77-48a6-B3E3-02E355997526}\stubpath = "C:\\Windows\\{B1577C65-2B77-48a6-B3E3-02E355997526}.exe"	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}\stubpath = "C:\\Windows\\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe"	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{430724F5-490B-4985-8DB9-4EFC343E929C}	{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{430724F5-490B-4985-8DB9-4EFC343E929C}\stubpath = "C:\\Windows\\{430724F5-490B-4985-8DB9-4EFC343E929C}.exe"	{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95DD4CF5-7F32-420e-A89C-8783158A2E23}	{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F26141-1422-458f-9801-6FDD7950C591}\stubpath = "C:\\Windows\\{34F26141-1422-458f-9801-6FDD7950C591}.exe"	{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}\stubpath = "C:\\Windows\\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe"	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1577C65-2B77-48a6-B3E3-02E355997526}	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7814E053-4697-42f5-8B19-AAB40E28AB74}\stubpath = "C:\\Windows\\{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe"	{3E502786-8673-404d-B284-9A05314CFEC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7814E053-4697-42f5-8B19-AAB40E28AB74}	{3E502786-8673-404d-B284-9A05314CFEC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F7CC863-3281-4157-9684-6AB02B5E787B}	{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}\stubpath = "C:\\Windows\\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe"	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2353500-75B9-4b6d-B527-4B140825A444}	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2353500-75B9-4b6d-B527-4B140825A444}\stubpath = "C:\\Windows\\{E2353500-75B9-4b6d-B527-4B140825A444}.exe"	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E502786-8673-404d-B284-9A05314CFEC4}\stubpath = "C:\\Windows\\{3E502786-8673-404d-B284-9A05314CFEC4}.exe"	{E2353500-75B9-4b6d-B527-4B140825A444}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}	{34F26141-1422-458f-9801-6FDD7950C591}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F278D488-5DB3-4c01-862B-7678ED966684}	648f59f55106bfexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F278D488-5DB3-4c01-862B-7678ED966684}\stubpath = "C:\\Windows\\{F278D488-5DB3-4c01-862B-7678ED966684}.exe"	648f59f55106bfexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E502786-8673-404d-B284-9A05314CFEC4}	{E2353500-75B9-4b6d-B527-4B140825A444}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95DD4CF5-7F32-420e-A89C-8783158A2E23}\stubpath = "C:\\Windows\\{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe"	{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe

Deletes itself 1 IoCs

pid	Process
532	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe
2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe
752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
1576	{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
1452	{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
2912	{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe
2776	{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
2612	{34F26141-1422-458f-9801-6FDD7950C591}.exe
2452	{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
File created	C:\Windows\{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
File created	C:\Windows\{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	{3E502786-8673-404d-B284-9A05314CFEC4}.exe
File created	C:\Windows\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
File created	C:\Windows\{430724F5-490B-4985-8DB9-4EFC343E929C}.exe	{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
File created	C:\Windows\{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe	{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
File created	C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe	648f59f55106bfexeexeexeex.exe
File created	C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
File created	C:\Windows\{34F26141-1422-458f-9801-6FDD7950C591}.exe	{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
File created	C:\Windows\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}.exe	{34F26141-1422-458f-9801-6FDD7950C591}.exe
File created	C:\Windows\{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe	{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe
File created	C:\Windows\{E2353500-75B9-4b6d-B527-4B140825A444}.exe	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
File created	C:\Windows\{3E502786-8673-404d-B284-9A05314CFEC4}.exe	{E2353500-75B9-4b6d-B527-4B140825A444}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	648f59f55106bfexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe
Token: SeIncBasePriorityPrivilege	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
Token: SeIncBasePriorityPrivilege	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
Token: SeIncBasePriorityPrivilege	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
Token: SeIncBasePriorityPrivilege	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe
Token: SeIncBasePriorityPrivilege	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe
Token: SeIncBasePriorityPrivilege	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
Token: SeIncBasePriorityPrivilege	1576	{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
Token: SeIncBasePriorityPrivilege	1452	{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
Token: SeIncBasePriorityPrivilege	2912	{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe
Token: SeIncBasePriorityPrivilege	2776	{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
Token: SeIncBasePriorityPrivilege	2612	{34F26141-1422-458f-9801-6FDD7950C591}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1036	2120	648f59f55106bfexeexeexeex.exe	27
PID 2120 wrote to memory of 1036	2120	648f59f55106bfexeexeexeex.exe	27
PID 2120 wrote to memory of 1036	2120	648f59f55106bfexeexeexeex.exe	27
PID 2120 wrote to memory of 1036	2120	648f59f55106bfexeexeexeex.exe	27
PID 2120 wrote to memory of 532	2120	648f59f55106bfexeexeexeex.exe	28
PID 2120 wrote to memory of 532	2120	648f59f55106bfexeexeexeex.exe	28
PID 2120 wrote to memory of 532	2120	648f59f55106bfexeexeexeex.exe	28
PID 2120 wrote to memory of 532	2120	648f59f55106bfexeexeexeex.exe	28
PID 1036 wrote to memory of 2932	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 1036 wrote to memory of 2932	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 1036 wrote to memory of 2932	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 1036 wrote to memory of 2932	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	29
PID 1036 wrote to memory of 3008	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 1036 wrote to memory of 3008	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 1036 wrote to memory of 3008	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 1036 wrote to memory of 3008	1036	{F278D488-5DB3-4c01-862B-7678ED966684}.exe	30
PID 2932 wrote to memory of 2072	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2932 wrote to memory of 2072	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2932 wrote to memory of 2072	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2932 wrote to memory of 2072	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	31
PID 2932 wrote to memory of 432	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2932 wrote to memory of 432	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2932 wrote to memory of 432	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2932 wrote to memory of 432	2932	{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe	32
PID 2072 wrote to memory of 2868	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	33
PID 2072 wrote to memory of 2868	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	33
PID 2072 wrote to memory of 2868	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	33
PID 2072 wrote to memory of 2868	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	33
PID 2072 wrote to memory of 2324	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	34
PID 2072 wrote to memory of 2324	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	34
PID 2072 wrote to memory of 2324	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	34
PID 2072 wrote to memory of 2324	2072	{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe	34
PID 2868 wrote to memory of 2212	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	35
PID 2868 wrote to memory of 2212	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	35
PID 2868 wrote to memory of 2212	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	35
PID 2868 wrote to memory of 2212	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	35
PID 2868 wrote to memory of 1296	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	36
PID 2868 wrote to memory of 1296	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	36
PID 2868 wrote to memory of 1296	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	36
PID 2868 wrote to memory of 1296	2868	{B1577C65-2B77-48a6-B3E3-02E355997526}.exe	36
PID 2212 wrote to memory of 2988	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	37
PID 2212 wrote to memory of 2988	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	37
PID 2212 wrote to memory of 2988	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	37
PID 2212 wrote to memory of 2988	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	37
PID 2212 wrote to memory of 2980	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	38
PID 2212 wrote to memory of 2980	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	38
PID 2212 wrote to memory of 2980	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	38
PID 2212 wrote to memory of 2980	2212	{E2353500-75B9-4b6d-B527-4B140825A444}.exe	38
PID 2988 wrote to memory of 752	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	39
PID 2988 wrote to memory of 752	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	39
PID 2988 wrote to memory of 752	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	39
PID 2988 wrote to memory of 752	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	39
PID 2988 wrote to memory of 816	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	40
PID 2988 wrote to memory of 816	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	40
PID 2988 wrote to memory of 816	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	40
PID 2988 wrote to memory of 816	2988	{3E502786-8673-404d-B284-9A05314CFEC4}.exe	40
PID 752 wrote to memory of 1576	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	41
PID 752 wrote to memory of 1576	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	41
PID 752 wrote to memory of 1576	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	41
PID 752 wrote to memory of 1576	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	41
PID 752 wrote to memory of 1776	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	42
PID 752 wrote to memory of 1776	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	42
PID 752 wrote to memory of 1776	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	42
PID 752 wrote to memory of 1776	752	{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe	42

C:\Users\Admin\AppData\Local\Temp\648f59f55106bfexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\648f59f55106bfexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe
  C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
    C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
      C:\Windows\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
        
        C:\Windows\{B1577C65-2B77-48a6-B3E3-02E355997526}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\{E2353500-75B9-4b6d-B527-4B140825A444}.exe
        
        C:\Windows\{E2353500-75B9-4b6d-B527-4B140825A444}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{3E502786-8673-404d-B284-9A05314CFEC4}.exe
        
        C:\Windows\{3E502786-8673-404d-B284-9A05314CFEC4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
        
        C:\Windows\{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
        
        C:\Windows\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
        
        C:\Windows\{430724F5-490B-4985-8DB9-4EFC343E929C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe
        
        C:\Windows\{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
        
        C:\Windows\{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{34F26141-1422-458f-9801-6FDD7950C591}.exe
        
        C:\Windows\{34F26141-1422-458f-9801-6FDD7950C591}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}.exe
        
        C:\Windows\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}.exe
        14⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F26~1.EXE > nul
        14⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95DD4~1.EXE > nul
        13⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7CC~1.EXE > nul
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43072~1.EXE > nul
        11⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF0F~1.EXE > nul
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7814E~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E502~1.EXE > nul
        8⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2353~1.EXE > nul
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1577~1.EXE > nul
        6⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91C2E~1.EXE > nul
        5⤵
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D647~1.EXE > nul
      4⤵
      PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F278D~1.EXE > nul
    3⤵
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\648F59~1.EXE > nul
  2⤵
  - Deletes itself
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34F26141-1422-458f-9801-6FDD7950C591}.exe

Filesize
372KB

MD5
7f0c38f788795a4ab71034652deb99a6

SHA1
0afebf0034c8e97b103f2826b70732daef18cfdd

SHA256
a7e4728ad4b83ee426c2de1f52b1fd1f07c18078b55dedc06e4e6c1ca8cb857d

SHA512
7309d7e8493b3636d6bd1f431f38af5f62329618f4550a51be0794ea93c0adc667ba783b8e6f5b54ecea447cd9eb74b00c012e423bfc022160580ef6e67df5ed

Download Submit
C:\Windows\{34F26141-1422-458f-9801-6FDD7950C591}.exe

Filesize
372KB

MD5
7f0c38f788795a4ab71034652deb99a6

SHA1
0afebf0034c8e97b103f2826b70732daef18cfdd

SHA256
a7e4728ad4b83ee426c2de1f52b1fd1f07c18078b55dedc06e4e6c1ca8cb857d

SHA512
7309d7e8493b3636d6bd1f431f38af5f62329618f4550a51be0794ea93c0adc667ba783b8e6f5b54ecea447cd9eb74b00c012e423bfc022160580ef6e67df5ed

Download Submit
C:\Windows\{3E502786-8673-404d-B284-9A05314CFEC4}.exe

Filesize
372KB

MD5
9d81552266239fe50e2283e2fbd12f06

SHA1
84eb3a351cb2f0792dbfd495c44debe99d3a501d

SHA256
edfe3885eeae807c3974c361d876a09d1cdcb9f842857c3941e40928512f1db5

SHA512
b79f086bc658ef3a523392e731a36076cfd77e0aed7834ee5dcd9c82b6137e2ca80fd80c87ec9f63423e17852523f4727e71708a7bdaaca84d68876f34657c60

Download Submit
C:\Windows\{3E502786-8673-404d-B284-9A05314CFEC4}.exe

Filesize
372KB

MD5
9d81552266239fe50e2283e2fbd12f06

SHA1
84eb3a351cb2f0792dbfd495c44debe99d3a501d

SHA256
edfe3885eeae807c3974c361d876a09d1cdcb9f842857c3941e40928512f1db5

SHA512
b79f086bc658ef3a523392e731a36076cfd77e0aed7834ee5dcd9c82b6137e2ca80fd80c87ec9f63423e17852523f4727e71708a7bdaaca84d68876f34657c60

Download Submit
C:\Windows\{430724F5-490B-4985-8DB9-4EFC343E929C}.exe

Filesize
372KB

MD5
217d58dea813b8f36e0aa9064c3e9978

SHA1
28e833fcea4e36a7c00b642168a087fe9c766d3e

SHA256
fbf5ed254f981aad959223f5fc54db296c4d68f5a6de343075d838e1f829db56

SHA512
26893c627e15f0fa65875a547194b73d8d18a9f2e8062631dc273c3af27ae1ca7827e7390eb7ae962001f407dd849bdb4746a9f9d1c13c5c36a5a6ff4cf98d28

Download Submit
C:\Windows\{430724F5-490B-4985-8DB9-4EFC343E929C}.exe

Filesize
372KB

MD5
217d58dea813b8f36e0aa9064c3e9978

SHA1
28e833fcea4e36a7c00b642168a087fe9c766d3e

SHA256
fbf5ed254f981aad959223f5fc54db296c4d68f5a6de343075d838e1f829db56

SHA512
26893c627e15f0fa65875a547194b73d8d18a9f2e8062631dc273c3af27ae1ca7827e7390eb7ae962001f407dd849bdb4746a9f9d1c13c5c36a5a6ff4cf98d28

Download Submit
C:\Windows\{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe

Filesize
372KB

MD5
240a03f119302214f69e7a67be7e733e

SHA1
7c30993153160522ac3cf3dc6cfd5d8473af1eb9

SHA256
f33a2ea1bf7664771cc68cd543edb0a7ed302e9b4af72a413e43c5f163e1292f

SHA512
76a705b2b124b4dcfeda7338103d64183c2b178c3b8e6b1ba9111f28fa135eb5c8bd7e36154ed2d94c19eb81471b6367f5ea0c169e2f48e3a8267576bbc887ab

Download Submit
C:\Windows\{7814E053-4697-42f5-8B19-AAB40E28AB74}.exe

Filesize
372KB

MD5
240a03f119302214f69e7a67be7e733e

SHA1
7c30993153160522ac3cf3dc6cfd5d8473af1eb9

SHA256
f33a2ea1bf7664771cc68cd543edb0a7ed302e9b4af72a413e43c5f163e1292f

SHA512
76a705b2b124b4dcfeda7338103d64183c2b178c3b8e6b1ba9111f28fa135eb5c8bd7e36154ed2d94c19eb81471b6367f5ea0c169e2f48e3a8267576bbc887ab

Download Submit
C:\Windows\{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe

Filesize
372KB

MD5
e251a5ab1485cf7683fe1f1533ec84c4

SHA1
6072aa7310491e8bf3c0e005d329d4268109c026

SHA256
8d22df389bfdd52cb949aed10860a363cc91eca825e3cd472cf2b682b762a8d6

SHA512
e4bb8df67fe4c8f4038d5af4cff04944f96175e61927868506f440479c1c1b34be4844a8d8c20a4f7698012914919f2489bc6ae53dd7bc86af796d01dec1d1e6

Download Submit
C:\Windows\{8F7CC863-3281-4157-9684-6AB02B5E787B}.exe

Filesize
372KB

MD5
e251a5ab1485cf7683fe1f1533ec84c4

SHA1
6072aa7310491e8bf3c0e005d329d4268109c026

SHA256
8d22df389bfdd52cb949aed10860a363cc91eca825e3cd472cf2b682b762a8d6

SHA512
e4bb8df67fe4c8f4038d5af4cff04944f96175e61927868506f440479c1c1b34be4844a8d8c20a4f7698012914919f2489bc6ae53dd7bc86af796d01dec1d1e6

Download Submit
C:\Windows\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe

Filesize
372KB

MD5
ccd19039ea729ada6e5b0781db534c04

SHA1
994913ebf71d54f17df41083bfdf5c28711dcdca

SHA256
4f8d0737ec9bf234c77ac6e8b20e88633167c03753e16789cb8b95129b2f63e6

SHA512
6df1234c566a0ef184c7c3f35b23eccc242ad66e5032f51fb11adf101e0b510da7df8003a8266aaffe7c6584422e855bd25fc3b8aefbbdf77ecff36e0ed1d8ce

Download Submit
C:\Windows\{91C2ECD5-D773-46ad-85CF-8EDDA4144CB6}.exe

Filesize
372KB

MD5
ccd19039ea729ada6e5b0781db534c04

SHA1
994913ebf71d54f17df41083bfdf5c28711dcdca

SHA256
4f8d0737ec9bf234c77ac6e8b20e88633167c03753e16789cb8b95129b2f63e6

SHA512
6df1234c566a0ef184c7c3f35b23eccc242ad66e5032f51fb11adf101e0b510da7df8003a8266aaffe7c6584422e855bd25fc3b8aefbbdf77ecff36e0ed1d8ce

Download Submit
C:\Windows\{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe

Filesize
372KB

MD5
931c166fadf2ea764c82bb54a1e61f7c

SHA1
4a63ced34b1bbb77e9f808b8976fb62ba2a21e65

SHA256
6c0d42f9255ada665c7fc54f24b3fecb9ecf2039ff184d44d1890c1d6e82a42f

SHA512
a930cc8586df519c989bb01bd2314f62493abdbda82c4521e58851d987931b3ac95e2509b781df538c81dc93b67a7272c7fcad4c2e2fd5882b134cd183f9f4cb

Download Submit
C:\Windows\{95DD4CF5-7F32-420e-A89C-8783158A2E23}.exe

Filesize
372KB

MD5
931c166fadf2ea764c82bb54a1e61f7c

SHA1
4a63ced34b1bbb77e9f808b8976fb62ba2a21e65

SHA256
6c0d42f9255ada665c7fc54f24b3fecb9ecf2039ff184d44d1890c1d6e82a42f

SHA512
a930cc8586df519c989bb01bd2314f62493abdbda82c4521e58851d987931b3ac95e2509b781df538c81dc93b67a7272c7fcad4c2e2fd5882b134cd183f9f4cb

Download Submit
C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe

Filesize
372KB

MD5
13ba5189fbeeeab2aa82125bb2a958a0

SHA1
674b122f21a23cec10fd3be2bf47d2106be9eb7e

SHA256
55da88d788cb454320245e49749cb2281f4d4fe89ffd1efd3bb4c9e594911ea4

SHA512
6873edb561e25f48c50e96094d607c017a0e7dfe327d5c488f1928aeece601da759bd2c679c3ee41d116e410ea0aacc7a34175eb4d56afb07db6eb514e5bc756

Download Submit
C:\Windows\{9D6477FB-43B0-4c99-99A4-D813C39F93A6}.exe

Filesize
372KB

MD5
13ba5189fbeeeab2aa82125bb2a958a0

SHA1
674b122f21a23cec10fd3be2bf47d2106be9eb7e

SHA256
55da88d788cb454320245e49749cb2281f4d4fe89ffd1efd3bb4c9e594911ea4

SHA512
6873edb561e25f48c50e96094d607c017a0e7dfe327d5c488f1928aeece601da759bd2c679c3ee41d116e410ea0aacc7a34175eb4d56afb07db6eb514e5bc756

Download Submit
C:\Windows\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe

Filesize
372KB

MD5
cda76a0aafdd160a4b98bed17d465b20

SHA1
ae7c3cacf228b80e89bc1dbe884d401950e7548b

SHA256
0ddb3121d0c65ce3fdb8dcf60531673eeb072f4c1247ae168b0f718cc7d5ed43

SHA512
c8baee2a776a9f62e3a422bb7068fdd411f8cd7604b601100b0fcbf34b4280e3c893aa8eba4f3decd1fdc587085a9f39459175166507a650a2fd8ebd7856c6a4

Download Submit
C:\Windows\{9DF0F593-CBAC-4717-A036-AF5AE78B4FB3}.exe

Filesize
372KB

MD5
cda76a0aafdd160a4b98bed17d465b20

SHA1
ae7c3cacf228b80e89bc1dbe884d401950e7548b

SHA256
0ddb3121d0c65ce3fdb8dcf60531673eeb072f4c1247ae168b0f718cc7d5ed43

SHA512
c8baee2a776a9f62e3a422bb7068fdd411f8cd7604b601100b0fcbf34b4280e3c893aa8eba4f3decd1fdc587085a9f39459175166507a650a2fd8ebd7856c6a4

Download Submit
C:\Windows\{B1577C65-2B77-48a6-B3E3-02E355997526}.exe

Filesize
372KB

MD5
6efa3fc5ba31df4d5770eb1f5c4269f5

SHA1
600e0082695ec2a6e4e409de5da82512cc524a7f

SHA256
7b8be9ca489e23b352d16112c1d68ee3cdadb0c18bf91a2af6c50d86733e198e

SHA512
8ca37694e390f38043032fa1041db0fe0c8b5352f6159142e5e82904492dab81ab80be2b3a76652255f3a1bc2a67481d242ec8407adef7e63804f0e0f564b01e

Download Submit
C:\Windows\{B1577C65-2B77-48a6-B3E3-02E355997526}.exe

Filesize
372KB

MD5
6efa3fc5ba31df4d5770eb1f5c4269f5

SHA1
600e0082695ec2a6e4e409de5da82512cc524a7f

SHA256
7b8be9ca489e23b352d16112c1d68ee3cdadb0c18bf91a2af6c50d86733e198e

SHA512
8ca37694e390f38043032fa1041db0fe0c8b5352f6159142e5e82904492dab81ab80be2b3a76652255f3a1bc2a67481d242ec8407adef7e63804f0e0f564b01e

Download Submit
C:\Windows\{E2353500-75B9-4b6d-B527-4B140825A444}.exe

Filesize
372KB

MD5
ff824cf1199cd4b29357baf09a520f0b

SHA1
1c15f99d2bcc6e2dc22d9a9847317842fbb69491

SHA256
4cda9836e60c621cba3370c02297cc7b8a31992ad81ca2d3e47352ae581bc0ae

SHA512
c5369a3700cb0e042c1d06e7ed576e3cf7bab232436e5dda76d81e315cef3b2c5cd422eb283d9630e21eabb0f666f59f3857e9b366f8b26a74b84953d76bc93c

Download Submit
C:\Windows\{E2353500-75B9-4b6d-B527-4B140825A444}.exe

Filesize
372KB

MD5
ff824cf1199cd4b29357baf09a520f0b

SHA1
1c15f99d2bcc6e2dc22d9a9847317842fbb69491

SHA256
4cda9836e60c621cba3370c02297cc7b8a31992ad81ca2d3e47352ae581bc0ae

SHA512
c5369a3700cb0e042c1d06e7ed576e3cf7bab232436e5dda76d81e315cef3b2c5cd422eb283d9630e21eabb0f666f59f3857e9b366f8b26a74b84953d76bc93c

Download Submit
C:\Windows\{EAAD1C18-6849-40e6-BE3B-69EA59D279CF}.exe

Filesize
372KB

MD5
2920be2198d1152bb0d12d72aec12af2

SHA1
5825a3e7b281da7a1deafa91a155eeaa9e76e61a

SHA256
753d865f6ef44eacdad50f06a79d62c3bb2b5eb2d8e6c942afaadddcceb0ae1e

SHA512
efac92abd58e656f18bb82b512483507c3d9e132070de3caf63d89edb29435ceadebed5f3c7b1e3c94b2fd4d6533be07e70cfdb5c4bcd6faed97b59d75db735e

Download Submit
C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe

Filesize
372KB

MD5
2fea713720a6f7f90e82b35c0d2e4fbb

SHA1
90d60e87d856dca35c4a87e9dc51e1136d36c8bd

SHA256
d9814c3412a4474a8b884cf2d28b442dbd903df0ee2f27fecd67e2eb0cdbe7cc

SHA512
5b2a7f514171676b238d6237aa0eb0827b79a44c3a82d3cb47239553d550ba61d3698579d8686b6c484767eb9a946b8156c5b58cdfa6464da0779e7ae7d94ec9

Download Submit
C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe

Filesize
372KB

MD5
2fea713720a6f7f90e82b35c0d2e4fbb

SHA1
90d60e87d856dca35c4a87e9dc51e1136d36c8bd

SHA256
d9814c3412a4474a8b884cf2d28b442dbd903df0ee2f27fecd67e2eb0cdbe7cc

SHA512
5b2a7f514171676b238d6237aa0eb0827b79a44c3a82d3cb47239553d550ba61d3698579d8686b6c484767eb9a946b8156c5b58cdfa6464da0779e7ae7d94ec9

Download Submit
C:\Windows\{F278D488-5DB3-4c01-862B-7678ED966684}.exe

Filesize
372KB

MD5
2fea713720a6f7f90e82b35c0d2e4fbb

SHA1
90d60e87d856dca35c4a87e9dc51e1136d36c8bd

SHA256
d9814c3412a4474a8b884cf2d28b442dbd903df0ee2f27fecd67e2eb0cdbe7cc

SHA512
5b2a7f514171676b238d6237aa0eb0827b79a44c3a82d3cb47239553d550ba61d3698579d8686b6c484767eb9a946b8156c5b58cdfa6464da0779e7ae7d94ec9

Download Submit